Commit Graph

375 Commits

Author SHA1 Message Date
Samirbous 94e8fa80bb [Rule Tuning] Suspicious Endpoint Security Parent Process (#509)
* [Rule Tuning] added FPs and converted to EQL for more flexibility

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* adjusted process names in scope to security agents

* eql syntax

* ecs_version

* adjusted format

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 22:34:28 +01:00
Samirbous 538aa80bba [New Rule] Process Termination Followed by Deletion (#482)
* [New Rule] Process Termination Followed by Deletion

* excluded SoftwareDistrib and WinSxS Folders

* added drive letter for better performance

* excluded signed PE

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* added a few more extensions as suggested by DanStep

* dropped winlogbeat due to pe.codesign

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 22:26:11 +01:00
Samirbous 97fa6c62cd [New Rule] Remote File Download via Powershell (#660)
* [New Rule] Remote File Download via Powershell

* new line

* eql syntax

* ecs_version

* added google related FPs

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>

* relint

* ecs_version removed

* replaced path with name to avoid FPs for users temp folder

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>
2020-12-08 21:28:28 +01:00
Samirbous 9792d967d7 [Rule Tuning] Convert to EQL 5 existing rules (#414)
* [Rule Tuning] 5 rules

* [Rule Tuning] Converted two IIS CredAccess rules to EQL

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/evasion_rundll32_no_arguments.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* deleted; rule looks incompatible with endpoint

* fixing unit testing error

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* desc

* fixed tags duplicate

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_rundll32_no_arguments.toml

* adjusted process args count to 1

adjusted process args count to 1 to account for winlogbeat Windows process creation events 4688 with missing cmdline value (avoid FPs).

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 21:07:26 +01:00
Samirbous afb00d7097 [New Rule] Encoded Executable Stored in the Registry (#636)
* [New Rule] Encoded Executable Stored in the Registry

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 20:51:14 +01:00
Samirbous 19e0de3bed [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573)
* [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I

* added Execution of Persistent Suspicious Program

reworked a bit and converted Endgame rule with ID d3ffda1a-690f-43e2-89fb-f8d67b99b16b Execution of Persistent Scripts

* increased 1m the maxspan

to cover also slow startup

* fixed regsvr32 pe ofn

* adjust format

* fixed process.args

* added more suspicious COM hijack options

added also URL for reference

* fixed key.path and added ScriptletURL

* Update persistence_runtime_run_key_startup_susp_procs.toml

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* fixed error

* fixed error

* formatting

* formatting

* formatting

* replaced process name with path

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version and optimz and refurl

* Update rules/windows/persistence_appinitdlls_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_services_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* duplicated registry hive instead of leading wildcard

* duplicated registry hive instead of leading wildcard

* Update rules/windows/persistence_appcertdlls_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_appinitdlls_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_run_key_and_startup_broad.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_run_key_and_startup_broad.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lowered maxspan to avoid FPs

* removed cmd to avoid FPs

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_appcertdlls_registry.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_appinitdlls_registry.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_appinitdlls_registry.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 20:35:18 +01:00
Samirbous 16a49b3278 [New Rule] Windows Script Executing a Process via WMI (#643)
* [New Rule] Windows Script Executing a Process via WMI

* Update execution_scripts_process_started_via_wmi.toml

* Update execution_scripts_process_started_via_wmi.toml

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* increased maxspan

* eql syntax

* deleted ecs_version

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 19:23:48 +01:00
Samirbous b98f5d4042 [New Rule] Launch Agent Creation or Modification followed by Loading (#696)
* [New Rule] Launch Agent Creation or Modification

* replaced file event with a sequence for precision

* fixed nice error in query

* Update rules/macos/persistence_creation_change_launch_agents_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_creation_change_launch_agents_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* replaced : with ==

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 19:08:16 +01:00
Samirbous 5483712805 [New Rule] Lolbas ImageLoad via Windows Update Client (#366)
* [New Rule] Lolbas ImageLoad via Windows Update Client

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_execution_lolbas_wuauclt.toml

* removed timeline_id

* new eql syntax

* Update defense_evasion_execution_lolbas_wuauclt.toml

* ecs_version

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* removed new lines

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* deleted ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
2020-12-08 18:54:09 +01:00
Samirbous 1c2166b23f [New Rule] - Execution from Unusual Directory (#433)
* [New Rule] - Execution from Unusual Directory

* adjusted lint

* Update execution_from_unusual_directory.toml

* small tune

* Update execution_from_unusual_directory.toml

* removed timeline_id

* adjusted executable path for better performance

* Update rules/windows/execution_from_unusual_directory.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_directory.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* update date

* Update rules/windows/execution_from_unusual_directory.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* converted to eql for case insensitivity

* ecs_version

* fixed path

* added extra path

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 18:46:56 +01:00
Samirbous e7695f862f [New Rule] Potential Credential Access with LolBas (#620)
* [New Rule] Potential Credential Access with LolBas

* typo

* added procdump and steam lolbins

* added Cisco Jabber lolbas

* eql syntax

* ecs_version

* Update rules/windows/credential_access_lolbas_dump_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_lolbas_dump_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* renamed rule and filename as suggested by DanStep

* adjust name and desc

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:56:25 +01:00
Samirbous 6bc4a6b9bb [New Rule] Linux System Log Files Deleted (#461)
* [New Rule] Linux System Log Files Deleted

* Update defense_evasion_log_files_deleted.toml

* Update rules/linux/defense_evasion_log_files_deleted.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added linux to rule name as sug by JLB

* ecs_version

* Update rules/linux/defense_evasion_log_files_deleted.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/defense_evasion_log_files_deleted.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/defense_evasion_log_files_deleted.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* adjusted format

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:34:33 +01:00
Samirbous c0c369181a [New Rule] New Port Forwarding Rule Added (#630)
* [New Rule] New Port Forwarding Rule Added

* fixed rule file name

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:32:08 +01:00
Samirbous 35ee818854 [Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable (#502)
* Converted suspicious execution via psexec to EQL

* adjusted procname

* eql syntax

* ecs_version
2020-12-08 17:27:16 +01:00
Samirbous 63759a4bf4 [New Rule] Lsass Memory Dump Created (#618)
* [New Rule] Lsass Memory Dump Created

* added Dumpert and AndrewSpecial HKTL default memory dump filenames

* added sqldumper default dmp filename

* added Out-Minidump PS default dump filename

* ecs_version

* crackmap default lsass memdmp

* Update rules/windows/credential_access_lsass_memdump_file_created.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_memdump_file_created.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:24:51 +01:00
Samirbous feb79c0304 [New Rule] Suspicious Execution via Scheduled Task (#584)
* [New Rule] Suspicious Execution via Scheduled Task

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* eql syntax

* ecs_version

* added two susp_paths as suggested by Devon

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:20:21 +01:00
Samirbous ccea74d9d8 [New Rule] Incoming Execution via PowerShell Remoting (#624)
* [New Rule] Incoming Execution via PowerShell Remoting

* eql syntax

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:16:10 +01:00
Samirbous 0479a8f8a3 [New Rule] Image File Execution Options Injection (#550)
* [New Rule] Image File Execution Options Injection

* Update persistence_evasion_registry_ifeo_injection.toml

* Update persistence_evasion_registry_ifeo_injection.toml

* added FPs section

* eql syntax

* ecs_version

* Update rules/windows/persistence_evasion_registry_ifeo_injection.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:13:00 +01:00
Samirbous 0e78638655 [New Rule] Program Files Directory Masquerading (#581)
* [New Rule] Program Files Directory Masquerading

* adjusted rule description

* adj procargs to include dlls and other extensions

rundll.exe c:\program files\beacon.dll will be detected for example

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_masquerading_trusted_directory.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:04:31 +01:00
Samirbous 02e9c082df [New Rule] Potential SharpRdp Detected (#527)
* [New Rule] Potential SharpRdp Detected

* Updated references

* added process execution to the sequence

added process execution to the sequence to capture the details of the malicious process that was executed

* Linted

* adjusted sequence

* linted

* adjusted process exec details to avoid procs termination

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:00:51 +01:00
Samirbous bd2006d70d [New Rule] WMI Incoming Lateral Movement (#532)
* [New Rule] WMI Incoming Lateral Movement

* Update rules/windows/lateral_movement_incoming_wmi.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* cidrmatch returned error on 7.10, replaced by !=

* Update rules/windows/lateral_movement_incoming_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:57:41 +01:00
Samirbous 16551bbfe7 [New Rule] NTDS or SAM Database File Copied (#622)
* [New Rule] NTDS or SAM Database File Copied

* fixed description

* eql syntax

* Update rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:55:35 +01:00
Samirbous e707b53a03 [New Rule] Scheduled Jobs AT Protocol Enabled (#609)
* [New Rule] Scheduled Jobs AT Protocol Enabled

* fixed typo

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* eql syntax

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:52:17 +01:00
Samirbous 637d06f6c9 [New Rule] Mounting Hidden or WebDav Remote Shares (#444)
* [New Rule] Mounting Hidden or WebDav Remote Shares

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* removed timeline_id

* adjusted args to avoid leading wildcard

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:50:09 +01:00
Samirbous 0544461b45 [New Rule] Remote Scheduled Task Creation (#598)
* Remote Scheduled Task Modification

* replaced file modification with registry

replaced file modification with registry to capture the task configured action instead of task name only which is not useful for drill down.

* eql syntax

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* adj port number for ross :)

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:40:48 +01:00
Samirbous 7d7d010509 [New Rule] Persistence via Hidden Run Key ValName (#534)
* [New Rule] Persistence via Hidden Run Key Detected

* added strings length condition

* added description

* Update persistence_via_hidden_run_key_valuename.toml

* Update rules/windows/persistence_via_hidden_run_key_valuename.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* commented length for stability

no logic impact

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 16:38:23 +01:00
Samirbous 929277486d [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#499)
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack

* performance tuning of proc args

* replaced wildcard with in condition

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <bmurphy@endgame.com>
2020-12-08 16:34:36 +01:00
Samirbous efba50d670 [New Rule] Enable RDP Through Registry (#632)
* [New Rule] Enable RDP Through Registry

* eql syntax

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:32:24 +01:00
Samirbous 6b96b99dc1 [New Rule] Execution from TSClient Mountpoint (#524)
* [New Rule] Execution from TSClient Mountpoint

* Delete profiles_settings.xml

* Delete modules.xml

* Delete vcs.xml

* Delete windows.iml

* Delete workspace.xml

* eql syntax

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:30:10 +01:00
Samirbous 58174015bd [New Rule] Privilege Escalation via Windir Environment Variable (#638)
* [New Rule] Privilege Escalation via Windir Environment Variable

* added equiv envar

* eql syntax

* Update rules/windows/privilege_escalation_rogue_windir_environment_var.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:21:42 +01:00
Samirbous fbecc85593 [New Rule] Incoming DCOM Lateral Movement with MMC (#488)
* [New Rule] Incoming DCOM Lateral Movement with MMC

* adjusted technique ID

subject to updates to all rules with new MITRE IDs

* added localhost filtering

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* port numb

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 16:19:26 +01:00
Samirbous e038b34344 [New Rule] Connection to Commonly Abused Free SSL Certificate Providers (#478)
* [New Rule] Connection to Commonly Abused Free SSL Certificate Providers

* linted

* added explorer and notepad paths

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* adjusted desc

* eql syntax

* remove ecs_version

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 16:16:11 +01:00
Samirbous 49abcd7f4d [New Rule] Execution from unusual directory - CommandLine (#435)
* [New Rule] Execution from unusual directory - cmdline

* Update execution_from_unusual_path_cmdline.toml

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* linted and added note as sug by JLB

* note

* ecs_version

* fixed path

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:13:52 +01:00
Samirbous 525512fdae [New Rule] Remote File Copy to a Hidden Share (#474)
* [New Rule] Remote File Copy to a Hidden Share

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 16:07:18 +01:00
Samirbous 725f509700 [New Rule] LaunchDaemon Creation or Modification followed by Loading (#698)
* [New Rule] LaunchDaemon Creation or Modification followed by Loading

* fix technique

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 16:04:34 +01:00
Samirbous 46d6bc69a2 [New Rule] UAC Bypass via Mocking Windir (#411)
* [New Rule] UAC Bypass via Mocking Windir

* added tags

* changed rule name

* adjusted args for performance

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 15:55:36 +01:00
Samirbous 3040f6103f [New Rule] Suspicious PrintSpooler Point and Print DLL (#641)
* [New Rule] Suspicious PrintSpooler Point and Print DLL

* added example of execution data to the ref

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted plus extra ref URL

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 15:07:26 +01:00
Samirbous 3fda16db71 [Rule Tuning] Potential Modification of Accessibility Binaries (#546)
* [Rule Tuning] Potential Modification of Accessibility Binaries

* replaced wildcard by in

* indentation more consistent for readability

* eql syntax

* ecs_version
2020-12-08 12:42:34 +01:00
Samirbous d59b2cb72b [New Rule] Persistence with Startup Folder by Unsigned Process (#651)
* [New Rule] Persistence with Startup Folder by Unsigned Process

* new line

* eql syntax

* ecs_version

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* dropped winlogbeat index

pe signature check details missing

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:39:44 +01:00
Samirbous 6dc78c4703 [New Rule] Remote File Download via Scripting (#647)
* [New Rule] Remote File Download via Scripting

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:37:51 +01:00
Samirbous c76439923b [New Rule] Attempt to Remove File Quarantine Attribute (#674)
* [New Rule] Attempt to Remove File Quarantine Attribute

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:27:03 +01:00
Samirbous d1dc7b413e [New Rule] Apple Script Execution followed by Network Connection (#681)
* [New Rule] Apple Script Execution followed by Network Connection

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* excluding LAN and loopback addresses

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:25:03 +01:00
Samirbous aeb061514c [New Rule] Persistence via Login and/or Logout Hooks (#683)
* [New Rule] Persistence via Login and/or Logout Hooks

* fixed tags

* fixed tags

* added logouthook and extra refurl

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:09:36 +01:00
Samirbous bb93988926 [Rule Tuning] Unusual Network Connection via RunDLL32 (#693)
* [Rule Tuning] Unusual Network Connection via RunDLL32

* excluding dns traffic

* Update rules/windows/execution_unusual_network_connection_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:01:17 +01:00
Samirbous 844a56b125 [New Rule] Execution with Explicit Credentials via Apple Scripting (#689)
* [New Rule] Execution with Explicit Credentials via Apple Scripting

* fixing tactic

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added ref

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 11:57:52 +01:00
Samirbous f756619478 [New Rule] Persistence via Folder Action Script (#685)
* [New Rule] Persistence via Folder Action Script

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 11:51:52 +01:00
Samirbous b8243f3739 [New Rule] Shell Execution via Apple Scripting (#687)
* [New Rule] Shell Execution via Apple Scripting

* fixed description and relinted

* added extra ref url

* references url

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 11:45:39 +01:00
Samirbous 3f8a7573f7 [New Rule] Remotely Started Services (#542)
* [New Rule] Remotely Started Services

* added a common FP msiexec

* Update lateral_movement_remote_services.toml

* eql syntax

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update lateral_movement_remote_services.toml

* port numb

* ecs_version

* added RPC to alert name

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 11:31:03 +01:00
Samirbous 0f17ad6839 [New Rule] Incoming Execution with WinRM Remote Shell (#616)
* [New Rule] Incoming Execution with WinRM Remote Shell

* MITRE TID Mapping

also removed unnecessary sequence events

* Update lateral_movement_incoming_winrm_shell_execution.toml

* eql syntax

* ecs_version

* excluding localhost

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 11:28:37 +01:00
Samirbous b477255abe [New Rule] Potential DNS Tunneling with Nslookup (#522)
* [New Rule] Potential DNS Tunneling with Nslookup

* adjusted tags

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* ecs_version

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-07 20:16:17 +01:00