ac69faedbf
[Rule Tuning] Component Object Model Hijacking ( #1491 )
...
* Update persistence_suspicious_com_hijack_registry.toml
Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.
* Update updated_date
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit dd3e924e4a
2021-11-24 11:58:44 +00:00
e3adb3e089
[New Rule] Potential Credential Access via Renamed COM+ Services DLL ( #1569 )
...
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL
* update dates
* adding config note
* relinted
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update minstack version
* minstack not needed, rule should work on previous versions
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d1636258e4
2021-11-18 09:28:55 +00:00
24ef481853
[New Rule] Account Password Reset Remotely ( #1571 )
...
* [New Rule] Account Password Reset Remotely
* Update non-ecs-schema.json
* udpate ruleId
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 53a17e6b06
2021-11-18 09:27:02 +00:00
c434a5dbb5
[New Rule] PowerShell Keylogging Script ( #1561 )
...
* Create collection_posh_keylogger.toml
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix missing OR
* Change dup guid
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 4b6794df32
2021-11-17 22:37:50 +00:00
cb85a35e7a
[Rule Tuning] Suspicious CertUtil Commands ( #1564 )
...
(cherry picked from commit ab521f7c4f
2021-11-17 20:42:11 +00:00
791c8f9864
[New Rule] Potential Process Injection via PowerShell ( #1552 )
...
* Create defense_evasion_posh_process_injection.toml
* Update defense_evasion_posh_process_injection.toml
* Update description
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9c54e21820
2021-11-17 10:34:19 +00:00
2f3519d882
[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot ( #1550 )
...
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
* lint
* Update etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* moved FP txt to Note.
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* fix json
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit e99478db00
2021-11-17 07:46:35 +00:00
7d806b4d3c
[New Rule] Potential Credential Access via LSASS Memory Dump ( #1533 )
...
* [New Rule] Potential Credential Access via LSASS Memory Dump
* Update credential_access_suspicious_lsass_access_memdump.toml
* fix typo in calltrace and event.code type
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_suspicious_lsass_access_memdump.toml
* added TargetImage to non ecs schema
* Update non-ecs-schema.json
* format
* Update credential_access_suspicious_lsass_access_memdump.toml
* Update credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit c18c08a976
2021-11-17 07:37:33 +00:00
77ffac81e2
[New Rule] PowerShell Suspicious Script with Audio Capture Capabilities ( #1582 )
...
(cherry picked from commit 858d1cf12c
2021-11-16 06:20:37 +00:00
cb1a765524
[New Rule] Suspicious Process Access via Direct System Call ( #1536 )
...
* [New Rule] Suspicious Process Access via Direct System Call
* updated query to catch also CallTrace with non ntdll modules
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 81a62f5f68
2021-11-15 09:19:40 +00:00
25bfddb291
[Rule Tuning] Rename extrac.exe to extrac32.exe ( #1601 )
...
(cherry picked from commit 017d9a51b7
2021-11-15 02:02:16 +00:00
cd3cef5996
[Rule Tuning] Added Powershell_ise.exe to some rules. ( #1566 )
...
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_webshell_detection.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_system_shells_via_services.toml
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_system_shells_via_services.toml
* Update persistence_webshell_detection.toml
* Update rules/windows/persistence_local_scheduled_task_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit ef7548f04c
2021-10-26 15:17:37 +00:00
fa4bec7b9a
[New Rule] PowerShell MiniDump Script ( #1528 )
...
* PowerShell MiniDump Script Initial Rule
* Update credential_access_posh_minidump.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_posh_minidump.toml
* Update rules/windows/credential_access_posh_minidump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 239384497f
2021-10-26 15:10:20 +00:00
e81362e6ec
Add test for improper rule demotion (released production -> development) ( #1555 )
...
(cherry picked from commit 5a69ceb0c5
2021-10-20 05:48:26 +00:00
a28bb7961a
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
(cherry picked from commit 5bdf70e72c
2021-10-20 04:53:52 +00:00
27da0d6ed7
[New Rule] Suspicious Portable Executable Encoded in Powershell Script ( #1562 )
...
* Create execution_posh_portable_executable.toml
* Add wildcard
* Remove the wildcard
* Update rules/windows/execution_posh_portable_executable.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f50fb1d61b
2021-10-18 20:51:12 +00:00
b1e60b6c45
[New Rule] DNS-over-HTTPS Enabled by Registry ( #1379 )
...
* Create defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
(cherry picked from commit cf2b3ee753
2021-10-16 02:26:11 +00:00
fe36864c77
[New Rule] PowerShell Suspicious Discovery Related Windows API Functions ( #1548 )
...
* PowerShell Suspicious Discovery Related Windows API Functions Initial Rule
* Update severity
* Lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit b7dcbbae72
2021-10-14 09:55:50 +00:00
8964e5d646
[Rule Tuning] Update network.direction ( #1547 )
...
* Update network.direction
* bump updated_date
(cherry picked from commit cc241c0b5e
2021-10-14 00:47:33 +00:00
9c9ef21878
Update defense_evasion_execution_windefend_unusual_path.toml ( #1492 )
...
* Update defense_evasion_execution_windefend_unusual_path.toml
Add Microsoft Security Client to exclusions.
* Update defense_evasion_execution_windefend_unusual_path.toml
Update updated_date
* Updated author
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 43f0d77033
2021-10-05 19:38:58 +00:00
89cba0af95
[Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin ( #1524 )
...
* Updated rule to include resizing
* lint
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit d5a8f41864
2021-10-04 19:01:39 +00:00
3471522807
[New Rule] Backup Files Deletion ( #1516 )
...
* Add Backup Files Deletion Initial Rule
* Fix creation date
* Add updated_date
* Adjust description and query
* Update Description
* Update rules/windows/impact_backup_file_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add false_positives
* Update impact_backup_file_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f2b58cc0ab
2021-10-04 18:56:48 +00:00
d0eaf3ed26
[New Rule] Volume Shadow Copy Deletion via PowerShell ( #1358 )
...
* Create defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Rename defense_evasion_volume_shadow_copy_deletion_via_powershell.toml to impact_volume_shadow_copy_deletion_via_powershell.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Add trailing /
* Update rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 6298f7b00a
2021-10-04 17:59:07 +00:00
ed57d46d15
[Rule Tuning] Small update on rule descriptions ( #1508 )
...
(cherry picked from commit 5e4a7e67df
2021-09-30 20:55:18 +00:00
6f30bf3f7f
[New Rule] Potential Lsass Memory Dump via MirrorDump ( #1504 )
...
* [New Rule] Potential Lsass Memory Dump via MirrorDump
* added tactic
* switched to kql
* added sysmon process access non ecs types
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* rule.name as suggested by Justin and converted to EQL to add comments
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 521e4dc8f1
2021-09-30 08:17:42 +00:00
371247b0b2
[Rule Tuning] Add system index to Windows Event Logs Cleared ( #1502 )
...
(cherry picked from commit 63d6a54804
2021-09-24 17:06:02 +00:00
5b13666054
[Rule Tuning] Update threat mappings for Windows rules ( #1497 )
...
* Windows Rules Att&ck Mapping review
* Bump updated_date and fix reference URLs
* Fix subtechnique
* Fix test errors
(cherry picked from commit 61afb1c1c0
2021-09-23 17:09:43 +00:00
c1a0398c3f
Additional Att&ck Mappings for credential access Rules ( #1495 )
...
Updates MITRE Technique IDs for Credential Access DRs
(cherry picked from commit f6421d8c53
2021-09-21 16:05:25 +00:00
c864538606
[rule-tuning] Adding more context with triage/investigation ( #1481 )
...
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9ff3873ee7
2021-09-16 01:08:23 +00:00
105a1fd023
[New Rule] Behavior Rule for CVE-2021-40444 Exploitation ( #1479 )
...
* [New Rule] Behavior Rule for CVE-2021-40444 Exploitation
* added a ref
* replaced \ with /
* removed unecessary wildcard
(cherry picked from commit 0875c1e4c4
2021-09-08 19:27:16 +00:00
88bfc67638
Adding control.exe ( #1477 )
...
(cherry picked from commit cb27c686e0
2021-09-08 18:31:51 +00:00
2a2bcbd870
[Rule tuning] Fix spacing in reference URLs ( #1455 )
...
(cherry picked from commit 655f7d91d0
2021-09-01 00:00:06 +00:00
689e690f8c
[New rule] Webshell Detection ( #1448 )
...
* [new-rule] Webshell Detection
* Update rules/windows/persistence_webshell_detection.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Added FP note section
* Update rules/windows/persistence_webshell_detection.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 8ddffc298b
2021-08-24 20:19:32 +00:00
cc75f645b6
[Rule Tuning] Add technique T1005 to 2 rules ( #1405 )
...
(cherry picked from commit 8099e1c733
2021-08-20 08:20:32 +00:00
604fd2a18f
Fix typos discovered by codespell ( #1430 )
...
(cherry picked from commit ddec37b731
2021-08-15 04:30:11 +00:00
9e6c107de5
[New Rule] Whitespace Padding in Process Command Line ( #1392 )
...
* Create defense_evasion_whitespace_padding_in_command_line.toml
* add newline
* update description
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 14493689b9
2021-08-11 16:16:05 +00:00
121431b40b
Refresh ATT&CK mappings to v9.0 ( #1401 )
...
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
(cherry picked from commit d31ea6253e
2021-08-04 22:17:11 +00:00
742253c61d
[Rule tuning] Revise rule description and other text ( #1398 )
...
(cherry picked from commit f8f643041a
2021-08-03 21:08:48 +00:00
fcd2071ca9
[Rule Tuning] NTDS or SAM Database File Copied ( #1378 )
...
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit d2365783fa
2021-08-03 20:29:19 +00:00
05d01bbfe0
[Rule Tuning] Rule description tweaks ( #1388 )
...
(cherry picked from commit b736d6e748
2021-07-29 18:57:11 +00:00
0ae93632fc
[Rule Tuning] Remove \Program Files*\ style wildcards ( #1369 )
...
* Remove \Program Files*\ style wildcards
* Convert string and remote trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex
(cherry picked from commit 7b62fe296d
2021-07-22 17:56:25 +00:00
8deeab2c4d
[Rule Tuning] Update EQL rules with lookback < maxspan ( #1362 )
...
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit 4aab1278bf
2021-07-22 17:10:08 +00:00
6d9997435f
[Rule Tuning] Convert unusual extension rule to regex ( #1368 )
...
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
(cherry picked from commit 9f3d5328f4
2021-07-21 17:50:36 +00:00
cb3ceb93da
[New Rule] Windows Defender Exclusions Added via PowerShell ( #1370 )
...
* Added new rule
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Added pwsh.exe to original name
* Added PowerShell MITRE reference
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit fbd4cf2117
2021-07-21 16:55:08 +00:00
bc82e214c7
[Rule Tuning] Mimikatz powershell module activity detected ( #1297 )
...
* update query
* add indexes
(cherry picked from commit 95e6458c6e
2021-07-21 07:09:02 +00:00
55d2780a6e
[New Rule] Disable Windows Event and Security Logs ( #1181 )
...
(cherry picked from commit c82790f588
2021-07-21 06:45:33 +00:00
4d69ad4ae6
[Rule Tuning] Suspicious CertUtil Commands ( #1180 )
...
* update name to Suspicious CertUtil Commands
* update description, query, and filename
(cherry picked from commit 4a11ef9514
2021-07-21 06:27:37 +00:00
8916b7dd4b
[Rule Tuning] External IP Lookup from Non-Browser Process ( #1147 )
...
* Added a couple domains
ipapi.co
ip-lookup.net
ipstack.com
(cherry picked from commit 920d973064
2021-07-21 05:48:34 +00:00
9b9bebbd27
[New Rule] Parent Process PID Spoofing ( #1338 )
...
* [New Rule] Parent Process PID Spoofing
* excluding sihost FPs
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* relinted and added 2 non ecs fields
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 81ab43898c
2021-07-15 20:56:39 +00:00
89420ae976
[New Rule] Potential PrintNightmare Exploitation rules ( #1326 )
...
* [New Rule] Potential PrintNightmare Exploitation rules
* added Potential PrintNightmare File Modification
* added spoolsv as process name to narrow more the scope
* added Suspicious Print Spooler File Deletion
* removed Suspicious Print Driver Registry Modification cuz of potential noise
* Update privilege_escalation_printspooler_malicious_registry_modification.toml
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted description and added a comment for sysmon compatibility
* added FP note and relinted all files
* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-07-07 18:56:39 +02:00
LaZyDK