Commit Graph

138 Commits

Author SHA1 Message Date
Samirbous a679207413 [New Rule] - Defense Evasion IIS HttpLogging Disabled (#142)
* [New Rule] - Defense Evasion IIS HttpLogging Disabled

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Linted

* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:39:04 +02:00
Samirbous 53484de986 [New Rule] - Creation of a new GPO Scheduled Task or Service (#126)
* [New Rule] - Creation of a new GPO Scheduled Task or Service

* Update lateral_movement_gpo_schtask_service_creation.toml

* Update lateral_movement_gpo_schtask_service_creation.toml

* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update lateral_movement_gpo_schtask_service_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 10:54:24 +02:00
Samirbous 269925ae2e [New Rule] - MacOS Keychains compression (#136)
* macOS Keychains compression

* Update exfiltration_compress_credentials_keychains.toml

* Update exfiltration_compress_credentials_keychains.toml

* Update exfiltration_compress_credentials_keychains.toml

* Update rules/macos/exfiltration_compress_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/exfiltration_compress_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/exfiltration_compress_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update exfiltration_compress_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-29 10:23:43 +02:00
Samirbous 60adbbbb70 [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148)
* [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created

* Update privilege_escalation_printspooler_suspicious_spl_file.toml

* added ref and changed verb and replaced file.name with file.extension

* Update privilege_escalation_printspooler_suspicious_spl_file.toml

* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Linted and fixed tactic to privesc

* Linted

* ref

* Update privilege_escalation_printspooler_suspicious_spl_file.toml

* Lint rule

* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-29 10:17:36 +02:00
Samirbous fc3dcdf133 [New Rule] Unusual CommandShell Parent Process (#202)
* [New Rule] Suspicious CommandShell Parent Process

* toml linted

* Update execution_command_shell_started_by_unusual_process.toml

* Update execution_command_shell_started_by_unusual_process.toml

* Update execution_command_shell_started_by_unusual_process.toml

* Update execution_command_shell_started_by_unusual_process.toml

* Update execution_command_shell_started_by_unusual_process.toml

* Update rules/windows/execution_command_shell_started_by_unusual_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_command_shell_started_by_unusual_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_command_shell_started_by_unusual_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_command_shell_started_by_unusual_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update execution_command_shell_started_by_unusual_process.toml

* Update execution_command_shell_started_by_unusual_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 23:15:26 +02:00
Craig Chamberlain a7dee682cc Add Tags to Unusual Sudo Activity Rule (#340)
* Update ml_linux_anomalous_sudo_activity.toml

added T1548

* Update ml_linux_anomalous_sudo_activity.toml

* Update ml_linux_anomalous_sudo_activity.toml
2020-09-28 16:07:41 -04:00
Brent Murphy 8a5e0dd441 [New Rule] AWS Management Console Attempted Root Login Brute Force (#88)
* Create initial_access_root_console_failure_brute_force.toml

* bumping threshold value to 10

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update initial_access_root_console_failure_brute_force.toml

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update initial_access_root_console_failure_brute_force.toml

* update with FP info

* update threshold field

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 13:37:22 -04:00
Craig Chamberlain 0affb48b07 [New Rule] Unusual User Calling the Metadata Service [Linux] (#327)
* Create ml_linux_anomalous_metadata_user.toml

rule create

* Update rules/ml/ml_linux_anomalous_metadata_user.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_anomalous_metadata_user.toml

* Update ml_linux_anomalous_metadata_user.toml

* Update rules/ml/ml_linux_anomalous_metadata_user.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-28 12:13:06 -04:00
Craig Chamberlain 746c175669 [New Rule] Unusual User Calling the Metadata Service [Windows] (#328)
* Create ml_windows_anomalous_metadata_user.toml

* Update ml_windows_anomalous_metadata_user.toml

* Update rules/ml/ml_windows_anomalous_metadata_user.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_windows_anomalous_metadata_user.toml

* Update rules/ml/ml_windows_anomalous_metadata_user.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-28 12:09:14 -04:00
Brent Murphy 7857787328 [New Rule] Azure Global Administrator Role Addition to PIM User (#336)
* Create persistence_azure_pim_user_added_global_admin.toml

* tweak syntax for readability

* Update additional rule name to match others naming convention

* Delete defense_evasion_azure_diagnostic_settings_deletion.toml

* tweak rule name

* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update description and lint

* small naming tweak for consistency

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 10:45:59 -04:00
Justin Ibarra 3c0d982d8f [Rule Tuning] Mknod Process Activity (#276) 2020-09-24 13:27:16 -08:00
Brent Murphy 652b2c5e44 [New Rule] GCP Logging Sink Deletion (#306)
* Create gcp_logging_sink_deletion.toml

* update description

* update rule name
2020-09-24 17:19:27 -04:00
Craig Chamberlain 4473f6d8f3 [New Rule] Unusual Sudo Activity (#263)
* Create ml_linux_anomalous_sudo_activity.toml

rule to accompany the unusual sudo activity job

* Update ml_linux_anomalous_sudo_activity.toml

added fp field

* Update ml_linux_anomalous_sudo_activity.toml

* Update ml_linux_anomalous_sudo_activity.toml

linting

* Update ml_linux_anomalous_sudo_activity.toml

* Update ml_linux_anomalous_sudo_activity.toml

* Update rules/ml/ml_linux_anomalous_sudo_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_anomalous_sudo_activity.toml

* Update ml_linux_anomalous_sudo_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 14:55:33 -04:00
Brent Murphy 17e3d83b29 [New Rule] GCP Pub/Sub Subscription Deletion (#334)
* Create gcp_pub_sub_subscription_deletion.toml

* update rule name with mitre tactic
2020-09-24 13:21:28 -04:00
Brent Murphy 367d870654 [New Rule] GCP Logging Bucket Deletion (#308)
* Create gcp_logging_bucket_deletion.toml

* update rule name with mitre tactic
2020-09-24 13:14:18 -04:00
Brent Murphy 21d19863e2 [New Rule] GCP Pub/Sub Topic Deletion (#307)
* Create gcp_pub_sub_topic_deletion.toml

* Update rules/gcp/gcp_pub_sub_topic_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* linting

* update rule name with mitre tactic

* correct spelling error in rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-24 13:09:50 -04:00
Brent Murphy 95877f7879 [Rule Tuning] Update event.category for Azure rules (#335)
* update event.category for azure rules

* update updated_date field

* update name to include Azure

* Update persistence_user_added_as_owner_for_azure_service_principal.toml
2020-09-24 12:45:25 -04:00
Brent Murphy e34a969cd3 Create collection_gcp_pub_sub_subscription_creation.toml (#332) 2020-09-24 12:08:49 -04:00
David French bd2ec8a194 [New Rule] GCP Virtual Private Cloud Route Created (#326)
* [New Rule] GCP Virtual Private Cloud Route Created

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:47:21 -06:00
David French df19db4f67 [New Rule] GCP Virtual Private Cloud Network Deleted (#325)
* [New Rule] GCP Virtual Private Cloud Network Deleted

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:44:48 -06:00
David French de85f483a4 [New Rule] GCP Virtual Private Cloud Route Deleted (#324)
* [New Rule] GCP Virtual Private Cloud Route Deleted

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:31:48 -06:00
David French de6f326c72 [New Rule] GCP Storage Bucket Configuration Modified (#322)
* Create defense_evasion_gcp_storage_bucket_configuration_modified.toml

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:29:53 -06:00
David French 01c904f2dd [New Rule] GCP Firewall Rule Created (#312)
* new-rule-gcp-firewall-rule-created

* Add FP info to rule

* Add ATT&CK metadata

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:27:41 -06:00
David French 6e61be64b2 Create impact_gcp_service_account_disabled.toml (#320) 2020-09-24 09:23:10 -06:00
David French 586cf69ec6 [New Rule] GCP Service Account Deleted (#319)
* Create impact_gcp_service_account_deleted.toml

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:21:29 -06:00
David French 142ad038c2 [New Rule] GCP Service Account Created (#318)
* new-rule-gcp-service-account-created

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:19:14 -06:00
David French be4b5bb1c1 [New Rule] GCP Storage Bucket Deleted (#315)
* new-rule-gcp-storage-bucket-deleted

* Add FP info to rule

* Update rule name

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:17:52 -06:00
David French 2b4044081e [New Rule] GCP Key Created for Service Account (#314)
* new-rule-gcp-key-created-for-service-account

* Add FP info to rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:16:18 -06:00
David French bda33a559b [New Rule] GCP Storage Bucket Permissions Modified (#313)
* new-rule-gcp-storage-bucket-permissions-modified

* Add FP info to rule

* Update name to make Brent a happy chappy

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:14:13 -06:00
Brent Murphy e6326afd5d Create collection_gcp_pub_sub_topic_creation.toml (#331) 2020-09-24 11:12:59 -04:00
David French 93f57b22f7 [New Rule] GCP Firewall Rule Modified (#311)
* new-rule-gcp-firewall-rule-modified

* Update rule maturity to production

* Add FP info to rule

* Add ATT&CK metadata

* Lint rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:06:19 -06:00
David French 369d4f4a85 [New Rule] GCP Firewall Rule Deleted (#310)
* new-rule-gcp-firewall-rule-deleted

* Update rule maturity to production

* Add FP info to rule

* Update rule maturity to production

* Add ATT&CK metadata

* Lint rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:03:55 -06:00
Brent Murphy 968a3b4406 Create impact_gcp_iam_role_deltion.toml (#329) 2020-09-24 10:51:10 -04:00
Brent Murphy 275433596d Create exfiltration_gcp_logging_sink_modification.toml (#317) 2020-09-24 10:32:10 -04:00
Brent Murphy eef4f54dba Create initial_access_gcp_iam_custom_role_creation.toml (#316)
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-24 10:19:40 -04:00
Brent Murphy 56fc99f152 [New Rule] GCP IAM Service Account Key Deletion (#309)
* Create credential_access_gcp_iam_service_account_key_deletion.toml

* remove extra word in fp info

* linting
2020-09-24 10:15:15 -04:00
Craig Chamberlain e39d857a11 [New Rule] Unusual Linux System Network Configuration Discovery (#265)
* Create ml_linux_system_network_configuration_discovery.toml

ML rule to accompany the network configuration discovery job

* Update ml_linux_system_network_configuration_discovery.toml

added fp field

* Update ml_linux_system_network_configuration_discovery.toml

* Update ml_linux_system_network_configuration_discovery.toml

linting

* Update ml_linux_system_network_configuration_discovery.toml

* Update ml_linux_system_network_configuration_discovery.toml

* Update rules/ml/ml_linux_system_network_configuration_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:07:34 -04:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
Craig Chamberlain 1e43896cf1 [New Rule] Unusual Process Calling the Metadata Service [Windows] (#323)
* Create ml_windows_anomalous_metadata_process.toml

rule create

* Update rules/ml/ml_windows_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_windows_anomalous_metadata_process.toml

* Update ml_windows_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-23 15:50:43 -04:00
Craig Chamberlain dd65dad9dc [New Rule] Unusual Process Calling the Metadata Service [Linux] (#321)
* Create ml_linux_anomalous_metadata_process.toml

rule creation

* Update rules/ml/ml_linux_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-23 15:29:48 -04:00
Samirbous 87e1c92011 [New Rule] Unusual System Virtual Process Child Program (#181)
* [New Rule] Unusual System Virtual Process Child Program

* Update defense_evasion_unusual_system_vp_child_program.toml

* Update defense_evasion_unusual_system_vp_child_program.toml

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:45:50 +02:00
Samirbous 431dcc17a4 [New Rule] Remote File Download via Desktopimgdownldr Utility (#249)
* [New Rule] Remote File Download via Desktopimgdownldr Utility

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Lint rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:41:26 +02:00
Samirbous 9d884b6452 [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs (#253)
* [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Added 2 more known vulnerable programs Dism.exe and w3wp.exe

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* linted

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:39:35 +02:00
Craig Chamberlain baefaeeaff [New Rule] Unusual Linux Network Connection Discovery (#266)
* Create ml_linux_system_network_connection_discovery.toml

ML rule to accompany the unusual network connection discovery job

* Update ml_linux_system_network_connection_discovery.toml

set author

* Update ml_linux_system_network_connection_discovery.toml

added false positive field

* Update ml_linux_system_network_connection_discovery.toml

* Update ml_linux_system_network_connection_discovery.toml

linting

* Update rules/ml/ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 16:27:17 -04:00
Craig Chamberlain f1f88e3b3a [New Rule] Unusual Linux System Information Discovery Activity (#264)
* Create ml_linux_system_information_discovery.toml

rule to accompany the system information discovery job

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

added fp field

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

linting

* Update ml_linux_system_information_discovery.toml

* Update rules/ml/ml_linux_system_information_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:25:59 -04:00
Craig Chamberlain 92633ed51a [New Rule] Anomalous Linux Compiler Activity (#262)
* Create ml_linux_anomalous_compiler_activity.toml

rule to accompany the rare compiler activity job

* Update ml_linux_anomalous_compiler_activity.toml

added fp field

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml
2020-09-22 16:24:32 -04:00
Craig Chamberlain 8e2d4cbfc8 [New Rule] Unusual Linux System Owner or User Discovery Activity (#267)
* Create ml_linux_system_user_discovery.toml

ML rule to accompany the unusual system owner / user discovery job

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_system_user_discovery.toml

added fp field

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

lint

* Update ml_linux_system_user_discovery.toml

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:22:41 -04:00
Craig Chamberlain 0a0c5986c5 [New Rule] Anomalous Kernel Module Activity (#257)
* Create ml_linux_rare_kernel_module_arguments.toml

* rare module rule

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update rules/ml/ml_linux_anomalous_kernel_module_arguments.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:18:51 -04:00
Craig Chamberlain 14a62ae93f [New Rule] Unusual Linux Process Discovery Activity (#261)
* Create ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

added fp field

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update rules/ml/ml_linux_system_process_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linting

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
2020-09-22 16:15:36 -04:00
David French cedb2e1289 [New Rule] Azure Conditional Access Policy Modified (#237)
* new-rule-azure-conditional-access-policy-modified

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

Update maturity to production

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to include result value

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to search both the Azure audit logs and activity logs

* Optimize formatting of query

* Tweak consent grant attack rule

Amending the query in rule, "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs

* Tweak formatting of query to improve Brent's happiness level

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 09:28:32 -06:00