sigma-rules

Author	SHA1	Message	Date
Samirbous	a679207413	[New Rule] - Defense Evasion IIS HttpLogging Disabled (#142 ) * [New Rule] - Defense Evasion II HttpLogging Disabled * Update defense_evasion_iis_httplogging_disabled.toml * Update defense_evasion_iis_httplogging_disabled.toml * Update defense_evasion_iis_httplogging_disabled.toml * Update rules/windows/defense_evasion_iis_httplogging_disabled.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_iis_httplogging_disabled.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_iis_httplogging_disabled.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_iis_httplogging_disabled.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_iis_httplogging_disabled.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Linted * Update rules/windows/defense_evasion_iis_httplogging_disabled.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-29 11:39:04 +02:00
Samirbous	53484de986	[New Rule] - Creation of a new GPO Scheduled Task or Service (#126 ) * [New Rule] - Creation of a new GPO Scheduled Task or Service * Update lateral_movement_gpo_schtask_service_creation.toml * Update lateral_movement_gpo_schtask_service_creation.toml * Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update lateral_movement_gpo_schtask_service_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-29 10:54:24 +02:00
Samirbous	60adbbbb70	[New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148 ) * [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created * Update privilege_escalation_printspooler_suspicious_spl_file.toml * added ref and changed verb and replaced file.name with file.extension * Update privilege_escalation_printspooler_suspicious_spl_file.toml * Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Linted and fixed tacttic to privesc * Linted * ref * Update privilege_escalation_printspooler_suspicious_spl_file.toml * Lint rule * Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-09-29 10:17:36 +02:00
Samirbous	fc3dcdf133	[New Rule] Unusual CommandShell Parent Process (#202 ) * [New Rule] Suspicious CommandShell Parent Process * toml linted * Update execution_command_shell_started_by_unusual_process.toml * Update execution_command_shell_started_by_unusual_process.toml * Update execution_command_shell_started_by_unusual_process.toml * Update execution_command_shell_started_by_unusual_process.toml * Update execution_command_shell_started_by_unusual_process.toml * Update rules/windows/execution_command_shell_started_by_unusual_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_command_shell_started_by_unusual_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_command_shell_started_by_unusual_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_command_shell_started_by_unusual_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update execution_command_shell_started_by_unusual_process.toml * Update execution_command_shell_started_by_unusual_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-09-28 23:15:26 +02:00
Justin Ibarra	065bcd8018	Refresh ATT&CK data to v7.2 and expand threat validation (#330 ) * refresh to latest ATT&CK 7.2 * add new unit test to further validate threat mappings * updated threat mappings in rules to reflect changes * new func to download and refresh mitre data based on version	2020-09-23 22:03:29 -08:00
Samirbous	87e1c92011	[New Rule] Unusual System Virtual Process Child Program (#181 ) * [New Rule] Unusual System Virtual Process Child Program * Update defense_evasion_unusual_system_vp_child_program.toml * Update defense_evasion_unusual_system_vp_child_program.toml * Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 22:45:50 +02:00
Samirbous	431dcc17a4	[New Rule] Remote File Download via Desktopimgdownldr Utility (#249 ) * [New Rule] Remote File Download via Desktopimgdownldr Utility * Update command_and_control_remote_file_copy_desktopimgdownldr.toml * Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Lint rule Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 22:41:26 +02:00
Samirbous	9d884b6452	[New Rule] Potential DLL SideLoading via Trusted Microsoft Programs (#253 ) * [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs * Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_execution_suspicious_explorer_winword.toml * Update defense_evasion_execution_suspicious_explorer_winword.toml * Added 2 more known vulnerable programs Dism.exe and w3wp.exe * Update defense_evasion_execution_suspicious_explorer_winword.toml * linted * Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 22:39:35 +02:00
Samirbous	e2a0172d7d	[New Rule] Remote File Download via MpCmdRun (#247 ) * [New Rule] Remote File Download via MpCmdRun * added ref * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2020-09-22 14:44:48 +02:00
Samirbous	f750b89201	[New Rule] Remote File Copy via TeamViewer (#241 ) * [New Rule] Remote File Copy via TeamViewer * Update command_and_control_teamviewer_remote_file_copy.toml * Update command_and_control_teamviewer_remote_file_copy.toml * Update rules/windows/command_and_control_teamviewer_remote_file_copy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:43:32 +02:00
Samirbous	c2e95a35dc	[New Rule] Evasion via Renamed AutoIt Scripts Interpreter (#234 ) * [New Rule] Evasion via Renamed AutoIt Scripts Interpreter * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:39:04 +02:00
Samirbous	4948582d7c	[New Rule] Mimikatz Memssp Logs File Detected (#228 ) * [New Rule] Mimikatz Memssp Logs File Detected * Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:37:40 +02:00
Samirbous	69b2f9f645	[New Rule] Code Injection - Suspicious Conhost Child Process (#226 ) * [New Rule] Code Injection - Suspicious Conhost Child Process * Update rules/windows/defense_evasion_code_injection_conhost.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_code_injection_conhost.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update rules/windows/defense_evasion_code_injection_conhost.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:35:56 +02:00
Samirbous	d43f814c19	[New Rule] Suspicious Elastic Endpoint Parent Process (#214 ) * [New Rule] Suspicious Elastic Endpoint Parent Process * Update defense_evasion_masquerading_as_elastic_endpoint_process.toml * Update defense_evasion_masquerading_as_elastic_endpoint_process.toml * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_masquerading_as_elastic_endpoint_process.toml * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 14:34:11 +02:00
Samirbous	42247efc3b	[New Rule] Suspicious WerFault Child Process (#212 ) * [New Rule] Suspicious WerFault Child Process * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * linted * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-09-22 14:32:04 +02:00
Samirbous	96992b3ae6	[New Rule] Potential Process Masquerading as WerFault (#210 ) * [New Rule] Potential Process Masquerading as WerFault * Update defense_evasion_masquerading_werfault.toml * Update defense_evasion_masquerading_werfault.toml * Update defense_evasion_masquerading_werfault.toml * Update defense_evasion_masquerading_werfault.toml * Update defense_evasion_masquerading_werfault.toml * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:30:34 +02:00
Samirbous	52b6657d09	[New Rule] Suspicious .Net Compiler Parent Process (#208 ) * [New Rule] Suspicious dotNet Comilper Parent Process * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 14:28:41 +02:00
Samirbous	ae13adf0a9	[New Rule] Suspicious managed code hosting process (#204 ) * [New Rule] Suspicious managed code hosting process * Update defense_evasion_suspicious_managedcode_host_process.toml * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_suspicious_managedcode_host_process.toml * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:27:03 +02:00
Samirbous	3890a90135	[Rule Tuning] Unusual Parent-Child Relationship (#185 ) * [Rule Tuning] Unusual Parent-Child Relationship * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_parentchild_relationship.toml	2020-09-22 14:25:27 +02:00
Samirbous	601a5a1e5b	[New Rule] - Executable File Created by a System Critical Process (#183 ) * Unusual Executable File Creation by a System Critical Process * Update defense_evasion_system_critical_proc_abnormal_file_activity.toml * Update rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update defense_evasion_system_critical_proc_abnormal_file_activity.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:23:37 +02:00
Samirbous	2ce8c2833f	[New Rule] Microsoft IIS Service Account Password Dumped (#167 ) * [New Rule] Microsoft IIS Service Account Password Dumped * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Linted Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 13:58:57 +02:00
Samirbous	ff097719af	[New Rule] UAC Bypass via DiskCleanup Task Hijack (#160 ) * [New Rule] UAC Bypass via DiskCleanup Task Hijack * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 13:57:37 +02:00
Samirbous	9926071b0d	[New Rule] - Execution via Hidden Shell (#154 ) * [New Rule] - Execution via Hidden Shell * Update execution_via_hidden_shell_conhost.toml * Update execution_via_hidden_shell_conhost.toml * Update execution_via_hidden_shell_conhost.toml * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 13:56:19 +02:00
Samirbous	79e7f17130	[New Rule] - Persistence via TelemetryController Scheduled Task Hijack (#150 ) * [New Rule] - Persistence via TelemetryController Scheduled Task Hijack * Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml * Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-09-22 13:54:51 +02:00
Samirbous	822453b32c	[New Rule] - Suspicious PsExec Execution (#134 ) * [New Rule] - Suspicious PsExec Execution * Update defense_evasion_execution_suspicious_psexesvc.toml * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_execution_suspicious_psexesvc.toml * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 13:52:01 +02:00
Samirbous	9590bc3f68	[New Rule] Execution via xp_cmdshell MSSQL stored procedure (#132 ) * [New Rule] Execution via xp_cmdshell MSSQL stored procedure * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update execution_via_xp_cmdshell_mssql_stored_procedure.toml * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 13:48:54 +02:00
Samirbous	cdbd3c0640	[Rule Tuning] - Tuning of 3 Existing Windows Rules (#123 ) * tunning of 3 existing rules added not to accessibility rule added whoami to system identity running discovery utility added regasm.exe to registration utility performing ntcon * Update rules/windows/discovery_net_command_system_account.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update execution_register_server_program_connecting_to_the_internet.toml * Update execution_register_server_program_connecting_to_the_internet.toml * Update execution_register_server_program_connecting_to_the_internet.toml * Update execution_register_server_program_connecting_to_the_internet.toml * Update persistence_priv_escalation_via_accessibility_features.toml * Update discovery_net_command_system_account.toml * Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_net_command_system_account.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 13:47:22 +02:00
brokensound77	aec3ec31b9	Merge branch '7.9' into main	2020-08-27 15:54:44 -08:00
Justin Ibarra	79a0dfefbe	Add ECS 1.6.0 schema for validation testing (#220 ) * Add ecs 1.6.0 and refresh master ecs (2.0.0) * update rule metadata to use ecs_version 1.6.0	2020-08-27 11:54:49 -05:00
Justin Ibarra	be08536880	Increase lookback for endpoint rules (#200 )	2020-08-21 12:23:43 -05:00
Ross Wolf	a99b7c96fe	Merge branch '7.9' into main	2020-08-03 14:03:15 -06:00
Brent Murphy	7efe33e01d	[Rule Tuning] Update Index Pattern for Detection Engine Rules (#101 ) * [Rule Tuning] Update Index Pattern for Detection Engine Rules * update indices	2020-08-03 15:46:57 -04:00
Justin Ibarra	1bf60551ff	Update lateral_movement_dns_server_overflow.toml	2020-07-17 15:52:04 -05:00
Justin Ibarra	1cfb8f92bb	Windows DNS server vulnerability (CVE-2020-1350) rules (#69 )	2020-07-17 14:32:52 -05:00
Ben Skelker	680a04da8f	Fix terminology and doc links (#54 )	2020-07-13 12:47:42 -06:00
Justin Ibarra	95908c22a4	Improve ECS compatibility for endpoint rules	2020-07-07 15:41:23 -06:00
Ross Wolf	5fcece8416	Populate rules/ directory. Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com> Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com> Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com> Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-06-29 22:57:03 -06:00

37 Commits