security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,880 Commits 1 Branch 0 Tags
a04dfbd1ef8ecbd2b13d431b598b527045b6f253
Commit Graph

1880 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ruben Groenewoud a04dfbd1ef [Tuning] Linux DR Tuning - Part 4 (#3455) 
* [Tuning] Linux DR Tuning - Part 4

* Update defense_evasion_file_mod_writable_dir.toml

* Update defense_evasion_hidden_file_dir_tmp.toml

(cherry picked from commit 089e6671aa)
 2024-02-20 14:43:36 +00:00
Ruben Groenewoud 3183bfea23 [Tuning] Event.dataset removal & Tag Addition (#3451) 
* [Tuning] Removed event.dataset and added tag

* [Tuning] Removed event.dataset and added tag

* fixed typo

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Removed changes from:
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml

(selectively cherry picked from commit 3484cac7eb)
 2024-02-20 14:23:14 +00:00
Ruben Groenewoud bfe1fd6b20 [Tuning] Linux DR Tuning - Part 3 (#3454) 
(cherry picked from commit 5e6e4a359b)
 2024-02-20 13:55:44 +00:00
Ruben Groenewoud aefebccc06 [Tuning] Linux DR Tuning - Part 1 (#3452) 
* [Tuning] Linux DR Tuning - Part 1

* Update command_and_control_linux_tunneling_and_port_forwarding.toml

* Update command_and_control_cat_network_activity.toml

(cherry picked from commit 1dc7fd6a42)
 2024-02-20 13:43:33 +00:00
Ruben Groenewoud 24d4da7b5d [Tuning] Linux DR Tuning - Part 2 (#3453) 
* [Tuning] Linux DR Tuning - Part 2

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

(cherry picked from commit 0e48747aa6)
 2024-02-20 13:22:16 +00:00
Ruben Groenewoud cfc0b41e20 [FR] NON_DATASET_PACKAGE list & Data Source tag for Auditd_manager (#3430) 
* [FR] Add Auditd_Manager to NON_DATASET_PACKAGE

* Changed alphabetical order

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit a637bcec38)
 2024-02-19 08:41:46 +00:00
Samirbous 1192e62006 [New] Suspicious Execution from INET Cache (#3445) 
* Create initial_access_execution_from_inetcache.toml

* Update initial_access_execution_from_inetcache.toml

(cherry picked from commit 4809de6584)
 2024-02-15 19:19:02 +00:00
Jonhnathan e631f8d11d [Rule Tuning] Windows BBR Tuning - 3 (#3382) 
* [Rule Tuning] Windows BBR Tuning - 3

* Update defense_evasion_service_disabled_registry.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 5334601b6f)
 2024-02-14 18:05:32 +00:00
Jonhnathan e3aa44e5c4 [Rule Tuning] Windows BBR Tuning - 4 (#3384) 
* [Rule Tuning] Windows BBR Tuning - 4

* Update discovery_system_time_discovery.toml

(cherry picked from commit 1a8271db2f)
 2024-02-14 17:26:00 +00:00
Jonhnathan c0ef9cea69 [Rule Tuning] Windows BBR Tuning - 6 (#3386) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit f233909e7d)
 2024-02-14 15:54:15 +00:00
Jonhnathan 9577e2a4d8 [Rule Tuning] Windows BBR Tuning - 5 (#3385) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 97e49795ab)
 2024-02-14 13:27:51 +00:00
Jonhnathan adcf721ae3 [Rule Tuning] Windows BBR Tuning - 2 (#3381) 
* [Rule Tuning] Windows BBR Tuning - 2

* Update defense_evasion_masquerading_windows_system32_exe.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit ae00f30574)
 2024-02-14 13:03:13 +00:00
Mika Ayenson f8c20cadbc [FR] Add New Kibana Schema Issue Template (#3441) 
(cherry picked from commit df6dd09db4)
 2024-02-13 22:40:41 +00:00
Mika Ayenson c36803d464 [FR] Add support for Threshold Alert Suppression (#3433) 
(cherry picked from commit c3ca01ebcc)
 2024-02-12 16:00:34 +00:00
Terrance DeJesus 90d069bb08 [Bug] Adjust build-release CLI and fix links when generating security docs (#3434) 
* removed historical argument; added setup string; fixed links

* fixing flake errors

* added types for command arguments

* adjusted get_release_diff to append strings for release tags

* set fetch-depth to 0 for integrations checkout in workflow

* changed the name of the workflow

* removed TODOs

* adjusted release docs workflow to remove prefix for release tags

* adjusted URL replacement only if pointed to docs site

* added elastic website to regex pattern

* add docstrings; adjusted regex; add note for stopgap

* added a note about the regex pattern for elastic URLs

(cherry picked from commit 06b97ec79b)
 2024-02-12 15:13:10 +00:00
Justin Ibarra b8fc07f052 Add the Zen of Security Rules to philosophy (#3437) 
(cherry picked from commit 298d1bce0d)
 2024-02-09 19:51:18 +00:00
Jonhnathan d8dfbeade4 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#3432) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 21b559c97f)
 2024-02-08 09:31:50 +00:00
github-actions[bot] 98b7a409fc Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3431) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

* updated downloadable updates file to reconcile changes

* Removed spacing from downloadable updates file

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 827dfa7327)
 2024-02-06 19:53:46 +00:00
Terrance DeJesus 5c0880e53a [Bug] Update Prebuilt Detection Rules Release Process (#3403) 
* release fleet workflow updates; build package integration reference changes

* updated commit hash extraction to output to env

* adjusted bump-pkg-versions to only include release if necessary

* fixed flake errors

* add historical argument for build-release set to yes by default

* Update detection_rules/devtools.py

* fixed fleet workflow; updated registry data references

* updated job names

* removed extract commit hash job and consolidated into fleet pr job

* added echo statement for current branch before checkout

* removed id from extract commit hash

(cherry picked from commit 7df7ab5101)
 2024-02-06 14:04:04 +00:00
Ruben Groenewoud fa29e4b2b1 [New Rules] DDExec Analysis (#3408) 
* [New Rules] DDExec Analysis

* Increased rule scope

* [New Rule] Dynamic Linker Discovery via od

* Revert "[New Rule] Dynamic Linker Discovery via od"

This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.

* [New Rule] Dynamic Linker Discovery via od

* [New Rule] Potential Memory Seeking Activity

* [New BBR] Suspicious Memory grep Activity

* Added endgame + auditd_manager support

* Removed auditd_manager support for now

* Removed auditd_manager support for now

* Update discovery_suspicious_memory_grep_activity.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d41855a2ac)
 2024-02-06 13:52:48 +00:00
Ruben Groenewoud 1db9de76b0 [New Rule] Executable Masquerading as Kernel Process (#3421) 
* [New Rule] Executable Masquerading as Kernel Proc

* Bumped dates

* Added endgame support

* Added auditd_manager support

* Removed auditd_manager support for now

(cherry picked from commit 90d64f0714)
 2024-02-06 09:54:24 +00:00
Ruben Groenewoud 103fa8d34a [New Rules] APT Package Manager Persistence (#3418) 
* [New Rule] apt Package Manager Persistence

* [New Rules] APT Package Manager Persistence

* [New Rules] APT Package Manager Persistence

(cherry picked from commit 208b2e999c)
 2024-02-06 09:34:07 +00:00
Ruben Groenewoud 6276d635b8 [New Rule] Suspicious Network Connection via systemd (#3420) 
* [New Rule] Network Connection via systemd

* Removed space from description

* Added updated query

(cherry picked from commit 4f303ab77e)
 2024-02-06 09:24:36 +00:00
Samirbous 3a3245f872 Update lateral_movement_remote_task_creation_winlog.toml (#3419) 
(cherry picked from commit 6906a27c3a)
 2024-02-05 18:41:20 +00:00
Jonhnathan 59bb8e5ce0 [Rule Tuning] Windows BBR Tuning - 1 (#3380) 
* [Rule Tuning] Windows BBR Tuning - 1

* .

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 8274f9a816)
 2024-02-05 15:52:27 +00:00
Jonhnathan f58d793dca [Rule Tuning] Startup or Run Key Registry Modification (#3367) 
(cherry picked from commit edd3556b63)
 2024-02-05 15:33:05 +00:00
Samirbous 509ba1bf06 [New] Potential Enumeration via Active Directory Web Service (#3416) 
* Create discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

(cherry picked from commit 5a68ccfd0d)
 2024-02-02 14:24:18 +00:00
Jonhnathan e626ee0a2b [Rule Tuning] Potential Modification of Accessibility Binaries (#3401) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 50df6f3e9b)
 2024-02-01 14:31:32 +00:00
Samirbous 5d3b231e14 [Tuning] Suspicious File Downloaded from Google Drive (#3411) 
* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

(cherry picked from commit 4c74588c00)
 2024-01-31 16:59:42 +00:00
Samirbous 74182d5dfa [Tuning] DCSync Rules - 4662 event.action (#3410) 
* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml

(cherry picked from commit d7f4d7972e)
 2024-01-30 11:48:19 +00:00
Ruben Groenewoud ea7c83522b [New Rule] Suspicious Passwd File Event Action (#3396) 
* [New Rule] Suspicious Passwd File Event Action

* Description fix

* Pot. UT fix

* Pot. UT fix.

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 381ccf43ed)
 2024-01-26 08:41:41 +00:00
terrancedejesus f31a1917dc changed the kibana version of packages.yml ref issue 3374 2024-01-25 17:35:09 -05:00
Ruben Groenewoud 0a658bafce [New BBR] Reverse Connection through Port Knocking (#3219) 
* [New BBR] Reverse Connection through Port Knocking

* Attempt to fix unit testing error

* Mitre list fix?

* Revert "Mitre list fix?"

This reverts commit 83682b8a58c2954911495d218392a33ee0615db2.

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a66394c550)
 2024-01-24 15:35:25 +00:00
github-actions[bot] 80be303533 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3402) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit d093336125)
 2024-01-23 21:41:46 +00:00
Jonhnathan d121e74a3e [Rule Tuning] Windows DR Tuning - 15 (#3377) 
* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml

(cherry picked from commit 92804343bc)
 2024-01-23 19:53:28 +00:00
Jonhnathan 9f18adfdb1 [Rule Tuning] Direct Outbound SMB Connection (#3400) 
* [Rule Tuning] Direct Outbound SMB Connection

* Update lateral_movement_direct_outbound_smb_connection.toml

(cherry picked from commit e33389b2ef)
 2024-01-23 18:38:50 +00:00
Jonhnathan 4c9a6b1dcc [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux (#3398) 
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux

* Update defense_evasion_wsl_filesystem.toml

(cherry picked from commit e0bdb59deb)
 2024-01-22 21:52:44 +00:00
Terrance DeJesus 5a317b9df8 removed query var; using is_sequence method; removed integration var (#3395) 
(cherry picked from commit 164b7d4028)
 2024-01-22 20:28:01 +00:00
Isai f0028e1457 [New Rules] UEBA GItHub BBRs and Rules (#3174) 
* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 442435830f)
 2024-01-22 17:53:12 +00:00
Ruben Groenewoud 1160a91bb9 [New Rule] Potential Buffer Overflow Attack Detected (#3312) 
* [New Rule] Potential Buffer Overflow Attack

* Added timestamp_override

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 48d8b650e5)
 2024-01-22 15:33:29 +00:00
Ruben Groenewoud 469ddddafd [New Rule] Chroot Container Escape via Mount (#3387) 
* [New Rule] Chroot Container Escape via Mount

* description fix

(cherry picked from commit ec5f4d596c)
 2024-01-22 08:22:54 +00:00
Ruben Groenewoud 9ea63f9381 [Security Content] Add Investigation Guides to Linux Persistence Rules - 2 (#3350) 
* [Security Content] Add IGs to Persistence - 2

* [Security Content] Add IGs to Persistence - 2

* fixes

* fix

* added ig note

(cherry picked from commit 26747aa8a4)
 2024-01-20 18:41:15 +00:00
Mika Ayenson e7fd90f2b1 [FR] Update Validate Integrations to Check Fields Across All Schema Variations (#3372) 
(cherry picked from commit a873abbb5b)
 2024-01-18 21:47:18 +00:00
Terrance DeJesus 869988c20f [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

(selectively cherry picked from commit 1c10c37468)
 2024-01-17 19:19:45 +00:00
Jonhnathan 11c929f019 [Rule Tuning] Windows DR Tuning - 12 (#3364) 
(cherry picked from commit f6ba12a700)
 2024-01-17 16:24:02 +00:00
sbousseaden c6725b5642 [Tuning] Add logs-system. index where applicable (#3390) 
* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 27262a585b)
 2024-01-17 13:54:51 +00:00
Jonhnathan 91ee5caf94 [Rule Tuning] Windows DR Tuning - 13 (#3369) 
(cherry picked from commit 71cec2a0e1)
 2024-01-17 12:58:32 +00:00
Jonhnathan b1c8876c53 [Rule Tuning] Windows DR Tuning - 10 (#3355) 
* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml

(cherry picked from commit c6ab294627)
 2024-01-17 12:49:05 +00:00
Ruben Groenewoud bf71869f01 [New Rule] Network Connection via Sudo Binary (#3389) 
* [New Rule] Network Connection via Sudo Binary

* description grammar fix

(cherry picked from commit 4301dacfb8)
 2024-01-17 08:52:39 +00:00
Ruben Groenewoud ab977df20d [New Rule] Kernel Driver Load by non-root User (#3378) 
* [New Rule] Kernel Driver Load by non-root User

* setup note change

* removed unnecessary index

(cherry picked from commit a9285445cf)
 2024-01-17 08:40:55 +00:00