3d647feb8c
[Rule Tuning] Windows Misc Tunings ( #5740 )
...
* [Rule Tuning] Windows Misc Tunings
* ++
* Update defense_evasion_wsl_child_process.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2026-02-20 14:11:35 -03:00
d69ede2508
[Rule Tuning] Windows High Severity - 3 ( #5094 )
...
* [Rule Tuning] Windows High Severity - 3
* Update execution_pdf_written_file.toml
* Update execution_pdf_written_file.toml
* Update execution_pdf_written_file.toml
2025-09-15 08:34:43 -07:00
9c08869575
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 ( #5024 )
2025-08-28 12:15:25 -07:00
e8c54169a4
Prep main for 9.1 ( #4555 )
...
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
c0f12ddecf
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags ( #4464 )
...
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags
* Format & order
* Update pyproject.toml
* Update credential_access_cookies_chromium_browsers_debugging.toml
2025-02-19 12:54:31 -03:00
8f73b88884
[Tuning / New] Execution of a downloaded windows script ( #4434 )
...
* [New] Execution of a downloaded windows script
using 8.15 file events with MOTW info we can focus on js/vbs/wsh/vbe/jse/hta downloaded from internet followed by execution
* Update defense_evasion_posh_assembly_load.toml
* Update execution_powershell_susp_args_via_winscript.toml
* Update guides
* Update defense_evasion_network_connection_from_windows_binary.toml
* Update execution_windows_script_from_internet.toml
* Update execution_windows_script_from_internet.toml
* Update rules/windows/execution_windows_script_from_internet.toml
* Update rules/windows/execution_powershell_susp_args_via_winscript.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/execution_windows_script_from_internet.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update execution_windows_script_from_internet.toml
* Create command_and_control_tool_transfer_via_curl.toml
* Update command_and_control_tool_transfer_via_curl.toml
* Update command_and_control_tool_transfer_via_curl.toml
* Update execution_windows_script_from_internet.toml
* Create defense_evasion_indirect_exec_forfiles.toml
* Update execution_windows_script_from_internet.toml
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-02-03 14:33:59 +00:00
fe8c81d762
[FR] Generate investigation guides ( #4358 )
2025-01-22 11:17:38 -06:00
2c07e88c07
[Rule Tuning] Fix double bumps caused by Windows Integration Update ( #4156 )
2024-10-15 23:57:44 +05:30
7c78e4081f
[Rule Tuning] min_stack New Rules that use the S1 Integration ( #4079 )
...
* [Rule Tuning] min_stack New Rules that use the S1 Integration
* Update execution_windows_powershell_susp_args.toml
* Update execution_initial_access_foxmail_exploit.toml
2024-09-16 11:02:46 -03:00
56fc2beb46
[New] Suspicious PowerShell Execution via Windows Scripts ( #4060 )
...
* [New] Suspicious PowerShell Execution via Windows Scripts
this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.
* Update execution_powershell_susp_args_via_winscript.toml
* Create defense_evasion_script_via_html_app.toml
* ++
* Update defense_evasion_script_via_html_app.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-09-15 19:51:21 +01:00
Jonhnathan