security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
451 Commits 1 Branch 0 Tags
ad514eaeabe2bec3ec95a64cea72d2ac2021bceb
Commit Graph

346 Commits

Author SHA1 Message Date
Samirbous ad514eaeab [New Rule] Attempt to Add an Account to the Admin Group (#803) 
* [New Rule] Attempt to Add an Account to the Admin Group

* adjusted query for perf

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-29 19:03:17 +01:00
Samirbous cd3f72cf15 [New Rule] Creation of a Hidden Launch Agent or Daemon (#797) 
* [New Rule] Creation of a Hidden Launch Agent or Daemon

* updated TID

* Update persistence_evasion_hidden_launch_agent_deamon_creation.toml

* Update persistence_evasion_hidden_launch_agent_deamon_creation.toml

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* sub-technique stuff

* relint

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 19:01:15 +01:00
Samirbous a5ded6513c [New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805) 
* [New Rule] Browser Hijack via Setting the Web Proxy to Localhost

* fixed dates

* adjusted query to include traffic redirection

* relinted

* added extra arg

* reduced severity

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 18:58:14 +01:00
Samirbous acff6a3a5d [New Rule] 2 Rules for Persistence via Emond (#832) 
* [New Rule] 2 Rules for Persistence via Emond

* removed auditbeat index

process.parent.name not captured

* Update persistence_emond_rules_process_execution.toml

* Update rules/macos/persistence_emond_rules_file_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_file_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relint

* 2021

* Update persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 09:16:27 +01:00
Justin Ibarra a0e86e20d6 [Rule Tuning] Add windows integration index to rules (#923) 2021-01-28 20:53:57 -09:00
Brent Murphy 70ca87138f [New Rule] Execution of COM object via Xwizard (#896) 
* Create execution_com_object_xwizard.toml

* spacing and query update

* add logs-windows.*
 2021-01-28 16:58:19 -05:00
brokensound77 ec4c9e77a2 Update revoked technique 2021-01-28 11:03:17 -09:00
brokensound77 bf32dec5a4 Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main 
# Conflicts:
#	rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
 2021-01-28 10:41:39 -09:00
Samirbous 1d77932434 [New Rule] Suspicious MacOS MS Office Child Process (#779) 
* [New Rule] Suspicious MacOS MS Office Child Process

* extra bin and ref

* Update execution_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-28 19:55:31 +01:00
Samirbous c18c5a493a [New Rule] Dumping of Keychain Content via Security Command (#785) 
* [New Rule] Dumping of Keychain Content via Security Command

* converted to eql

* added sub-technique

* 2021

* Update rules/macos/credential_access_dumping_keychain_security.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-28 19:50:41 +01:00
Samirbous 3fc4aaec0f [New Rule] Modification of OpenSSH Binaries (#747) 
* [New Rule] Modification of SSH Binaries

* Update persistence_credential_access_modify_ssh_binaries.toml

* exclude unrelated auditbeat FP events

* updated TIDs and Tactics

* fix order of TIDs and Tactics

* relinted

* added libkeyutils.so used by Ebury Backdoor

loaded by all OpenSSH processes

* renamed

* conv to kql and added one FP

* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-28 19:46:30 +01:00
Brent Murphy d0ceb8cc4e [New Rule] SIP Provider Modification (#891) 
* Create defense_evasion_sip_provider_mod.toml

* add reference
 2021-01-28 09:18:19 -05:00
Samirbous 485c6214fa [New Rule] Environment Variable Modification using Launchctl (#865) 
* [New Rule] Environment Variable Modification using Launchctl

* excluding some FPs

* Update defense_evasion_modify_environment_launchctl.toml

* Update defense_evasion_modify_environment_launchctl.toml

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2021-01-26 21:41:30 +01:00
Samirbous 6029783721 [New Rule] Security Software Discovery using Grep (#743) 
* [New Rule] Security Software Discovery using Grep

* fixed index

* Update discovery_security_software_grep.toml

* Update discovery_security_software_grep.toml

* conv to kql and added few AVs

* added more AV procs

* Update rules/macos/discovery_security_software_grep.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* moved to cross-platform

* Update discovery_security_software_grep.toml

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-26 19:57:26 +01:00
Samirbous b4cb953aa4 [New Rule] Script Execution via Automator Workflows (#763) 
* [New Rule] Script Execution via Automator Workflows

* Update execution_script_via_automator_workflows.toml

* Update rules/macos/execution_script_via_automator_workflows.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/macos/execution_script_via_automator_workflows.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-26 09:07:39 +01:00
Samirbous 5d9c031c8b [New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775) 
* [New Rule] TCC Bypass via Mounted APFS Snapshot Access

* Update defense_evasion_tcc_bypass_mounted_apfs_access.toml

* conv to kql

* Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-26 08:50:28 +01:00
Samirbous ebf365693e [Rule Tuning] Deletion of Bash Command Line History (#752) 
* [Rule Tuning] Deletion of Bash Command Line History

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2021-01-26 08:48:06 +01:00
Samirbous 440a7fbdee [New Rule] SSH Authorized Keys File Modification (#754) 
* [New Rule] SSH Authorized Keys File Modification

* excluded some noisy procs

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update persistence_ssh_authorized_keys_modification.toml

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-26 08:45:38 +01:00
Samirbous dc53fc1f04 [New Rule] Persistence via Docker Shortcut Modification (#733) 
* [New Rule] Persistence via Docker Shortcut Modification

* ref url decoded

* added exclusions

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* exclude some noisy procs and conv to kql

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-01-26 08:38:38 +01:00
Samirbous 6883ea0aa6 [New Rule] Potential Persistence via Login Hook (#900) 
* [New Rule] Potential Persistence via Login Hook

* Update persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-26 08:35:16 +01:00
Samirbous dd2f655367 [New Rule] Potential Cookies Theft via Browser Debugging (#741) 
* [New Rule] Potential Cookies Theft via Browser Debugging

* Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added auditbeat

* fixed error

* excluded a common FP

* added MSEdge

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-01-26 08:21:45 +01:00
Samirbous 1ae769a563 [New Rule] Creation of a Hidden Local User Account (#738) 
* [New Rule] Hidden User Local Account Creation

* renamed rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-01-26 08:15:50 +01:00
Brent Murphy 7fdb6b2e80 Create persistence_time_provider_mod.toml (#890) 2021-01-25 14:42:56 -05:00
Brent Murphy ecbb57814a Create credential_access_saved_creds_vaultcmd.toml (#884) 2021-01-25 14:25:35 -05:00
Brent Murphy 4639df022b [New Rule] Modification of WDigest Security Provider (#883) 
* Create credential_access_mod_wdigest_security_provider.toml

* syntax tweaks
 2021-01-25 13:54:36 -05:00
Brent Murphy 8c123785f0 [New Rule] Enumeration Command Spawned via WMIPrvSE (#882) 
* Create execution_enumeration_via_wmiprvse.toml

* alignment
 2021-01-25 13:46:26 -05:00
Brent Murphy 01c3c718f5 [New Rule] Executable File Creation with Multiple Extensions (#881) 
* Create defense_evasion_file_creation_mult_extension.toml

* spacing

* Update rules/windows/defense_evasion_file_creation_mult_extension.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* update query

* alignment

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-01-25 13:40:25 -05:00
Brent Murphy aa409111b8 [New Rule] Azure Active Directory High Risk Sign-in (#790) 
* [New Rule] Azure Active Directory High Risk Sign-in

* Update initial_access_azure_active_directory_high_risk_signin.toml
 2021-01-25 13:27:06 -05:00
Anabella Cristaldi fb92c69797 [New Rule] Clearing Windows Security Logs (#529) 
* [New Rule] Clearing Windows Security Logs

* Fix Date Format Error

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Add Elastic tag

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update maturity

* Add Elastic to list of authors

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* bump updated_date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-11 17:17:20 -07:00
Ross Wolf a0ae05c78e Fix spelling of Continuous Monitoring (#795) 
* Fix spelling of Continuous Monitoring
* Update the updated_at date
* Happy new year
 2021-01-04 15:05:34 -07:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Brent Murphy 627610401c [Rule Tuning] Update rules for new Fleet integrations (#729) 
* update azure indicies

* remove . in index to match prior cloud rules

* update o365 indicies

* add event.dataset:google_workspace.admin to existing google workspace rules

* gcp syntax

* add gcp index

* update gcp index

* update index patterns for google workspace rules

* update gcp index2

* update updated_date

* update event outcome for azure

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-18 12:23:12 -05:00
Andrew Pease 889828d473 [New Rule] SUNBURST Command and Control Activity Detected (#723) 
* bump package version to 7.12

* Auth to Kibana connector using an existing cookie (#711)

* initial commit

* simplified by any method not to solarwinds.com

* Updates from review

* updated desc and note

* query readability

* update to optimize query to pass unit tests

* optimized

* optimized

* Update command_and_control_sunburst_c2_activity_detected.toml

* Restore package version

* updated rule after rebase

* re-lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-15 14:41:54 -06:00
Samirbous 79a5ca9b78 [New Rule] APT Solarwinds Backdoor Behavior - 5 rules (#722) 
* bump package version to 7.12

* Auth to Kibana connector using an existing cookie (#711)

* [New Rule] APT Solarwinds Bakcdoor Behavior - 3 rules

* ruleID

* fixed process names to include both 32 and 64bits

* fixed process names to include both 32 and 64 bits

* deleted unnecessary condition

* adjusted rule to cover cmd and ps

* renamed rule and fixed tactic

* added rule to SW package - Exporting MailBox with Powershell

* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added details to FP tag as sug by JLB

* added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg

* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* adjusted desc and FPs

* adjusted alert name as sug by DevK

* Update collection_email_powershell_exchange_mailbox.toml

* Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update rules/windows/collection_email_powershell_exchange_mailbox.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/collection_email_powershell_exchange_mailbox.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* updated registry to include symlink

* Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added T1195 as sug by JLB

* added T1195 as sug by JLB

* added T1195 as sug by JLB

* added pwsh as sug by Dan

* added pwsh as sug by Dan

* [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725)

* [New Rule] Outbound Scheduled Tasks Activity via PowerShell

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* fixed - added pwsh to seq_netblock

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/windows/collection_email_powershell_exchange_mailbox.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Restore packages file

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-12-15 21:33:00 +01:00
Samirbous 3042cbb5d6 [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725) 
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* fixed - added pwsh to seq_netblock

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-15 13:20:28 -07:00
Brent Murphy c5cae5c437 [New Rule] Azure Active Directory PowerShell Sign-in (#718) 
* Create initial_access_azure_active_directory_powershell_signon.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update initial_access_azure_active_directory_powershell_signin.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-15 11:52:43 -05:00
Brent Murphy 6b31b96bf8 [New Rule] Azure Service Principal Addition (#717) 
* Create defense_evasion_azure_service_principal_addition.toml

* Update defense_evasion_azure_service_principal_addition.toml

* Update rules/azure/defense_evasion_azure_service_principal_addition.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_azure_service_principal_addition.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-15 11:47:23 -05:00
Brent Murphy 84ab3db48c [New Rule] Azure Application Credential Modification (#716) 
* Create defense_evasion_azure_application_credential_modification.toml

* Update rules/azure/defense_evasion_azure_application_credential_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-15 11:41:26 -05:00
Justin Ibarra a6463b435c [Rule Tuning] Replace line comments with block comments (#710) 2020-12-12 17:11:17 -09:00
Andrew Pease a5cd35f498 AdFind Command Activity (#395) 
* initial commit

* added sub-techniques

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

* Update rules/windows/discovery_adfind_command_activity.toml

* update threat mapping with sub-techniques

* update technique url

* remove ecs_version

* convert rule to eql

* added sub-techniques

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-09 15:01:28 -06:00
Andrew Pease 66506139d9 [New Rule] Detects Mimikatz via Invoke-Mimikatz (#700) 
* initial commit

* lint

* note updates

* convert to eql and moved to dev

* convert to eql and moved to dev
 2020-12-09 14:51:45 -06:00
Andrew Pease 17cf79d076 [New Rule] Default Cobalt Strike Team Server Certificate (#358) 
* initial commit

* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* updated to include sub-techniques

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-09 14:49:31 -06:00
Samirbous d5eaf5db53 [New Rule] High Number of Process and/or Services Termination (#672) 
* [New Rule] High Number of Process and/or Services Termination

* removed url and fixed ruleid

* fixed tags

* Update rules/windows/defense_evasion_stop_process_service_threshold.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_stop_process_service_threshold.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/windows/defense_evasion_stop_process_service_threshold.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_stop_process_service_threshold.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-09 09:00:19 +01:00
Samirbous 14fe63bb1e [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process (#676) 
* [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process

* replaced path with name for faster comparaison

* added few more cases and refurl

also organized items per anomaly category

* added extra refurl plus few excep

* Update execution_suspicious_ms_office_child_process.toml

* added parenthesis

* excluded an FP
 2020-12-09 08:55:58 +01:00
Justin Ibarra e272800a5d Add ATT&CK sub-technique support to CLI (#614) 
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
 2020-12-08 21:56:55 -09:00
David French b8d2f6fc96 [Rule Tuning] Possible Consent Grant Attack via Azure-Registered Application (#575) 
* Update initial_access_consent_grant_attack_via_azure_registered_application.toml

* bump updated_date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 17:20:30 -07:00
Justin Ibarra 24828ea9cb [New Rule] Conversions of some APT-29 Endgame rules (#702) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 14:13:34 -09:00
Brent Murphy 598e807a5c [New Rule] Microsoft 365 Teams Custom Application Interaction Allowed (#657) 
* [New Rule] O365 Teams Custom Application Interaction Allowed

* rebrand to m365, still needed non ecs schema

* Update non-ecs-schema.json
 2020-12-08 17:36:47 -05:00
Brent Murphy 73e2690ec0 [New Rule] Potential Password Spraying of Microsoft 365 User Accounts (#665) 
* [New Rule] Potential Password Spraying of O365 User Accounts

* Update credential_access_o365_potential_password_spraying_attack.toml

* rebrand to m365

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 17:19:39 -05:00
Brent Murphy d74b41c1a0 [New Rule] Microsoft 365 Teams External Access Enabled (#661) 
* [New Rule] O365 Teams External Access Enabled

* rebrand to m365, still needed non ecs schema

* update description

* remove non ecs change
 2020-12-08 16:48:15 -05:00