Justin Ibarra
dbd2874b4f
[Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files (#1026)
* [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files
* revise note with information from microsoft
* add Exchange Server to paths
* replaced process.parent.name with process.name and C drive with ?
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2021-04-14 20:24:44 -08:00
Samirbous
8f78afb8e5
[Rule Tuning] Windows Suspicious Script Object Execution (#1081)
* [Rule Tuning] Windows Suspicious Script Object Execution
* renamed rule in version.lock.json
* adjusted codesig check
* added 1 exclusion
* update date
* added cmd to exclusion as per EG telem
* removed changes to version.lock.json
* restored comment for code sig to support winlogbeat
* Revert "removed changes to version.lock.json"
This reverts commit 62794be02486b668ae5f25e5613f18b292342377.
* restored rule name in version.lock
* fixed typo
* removed winlogbeat index
* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-14 23:54:39 +02:00
Brent Murphy
c1fd3b3374
[Rule Tuning] AWS Config Service Tampering (#1108)
* Update defense_evasion_config_service_rule_deletion.toml
2021-04-14 17:13:27 -04:00
Brent Murphy
4a46b2f03b
Create collection_microsoft_365_new_inbox_rule.toml (#1068)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-04-14 17:06:39 -04:00
Samirbous
7408133f79
[New Rule] Potential Remote Desktop Shadowing Activity (#1101)
* [New Rule] Potential Remote Desktop Shadowing Activity
* added event.ingested
* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 22:09:49 +02:00
dstepanic17
66dff28498
[Rule Tuning] Public IP Reconnaissance Activity (#1091)
* Delete discovery_post_exploitation_public_ip_reconnaissance.toml
* Updated ip lookup rule
* Modified index field
* Update discovery_post_exploitation_external_ip_lookup.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
* Update rules/windows/discovery_post_exploitation_external_ip_lookup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-14 09:58:00 -05:00
Brent Murphy
c64e700c56
[Rule Tuning] Update Cloud Rule Syntax (#1061)
* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 10:49:28 -04:00
Samirbous
00923dcde1
[Rule Tuning] Setuid / Setgid Bit Set via chmod (#1032)
* [Rule Tuning] Setuid / Setgid Bit Set via chmod
* update date
* Update rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-14 16:41:37 +02:00
Samirbous
2926e98c5d
[Rule Tuning] Startup or Run Key Registry Modification (#1086)
* [Rule Tuning] Startup or Run Key Registry Modification
* update date
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-14 16:38:00 +02:00
Samirbous
1354d8059c
[New Rule] Network Logon Providers Registry Modification (#1053)
* [New Rule] Network Logon Providers Registry Modification
* fix mitre filename mapping error
* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 16:31:46 +02:00
Samirbous
dc774517bf
[New Rule] Persistence via Scheduled Job Creation (#1038)
* [New Rule] Persistence via Scheduled Job Creation
* Update rules/windows/persistence_local_scheduled_job_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_local_scheduled_job_creation.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-14 16:15:54 +02:00
Samirbous
731d2b2a54
[Rule Tuning] Unusual Persistence via Services Registry (#1077)
* [Rule Tuning] Unusual Persistence via Services Registry
* update date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 16:09:46 +02:00
Samirbous
dd4bc3e57e
[Rule Tuning] Connection to Commonly Abused Web Services (#1079)
* [Rule Tuning] Connection to Commonly Abused Web Services
* adjusted 1 exclusion
* update date
* added 3 dns.names as suggested by Daniel
* added requestbin.net used for DNS tunneling by APT34
2021-04-14 00:53:27 +02:00
Samirbous
0fe09aaed5
[New Rule] NullSessionPipe Registry Modification (#1058)
* [New Rule] NullSessionPipe Registry Modification
* Update lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
* Update rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-14 00:50:31 +02:00
Samirbous
0ba469dbe4
[Rule Tuning] Modification of Standard Authentication Module or Confi… (#1056)
* [Rule Tuning] Modification of Standard Authentication Module or Configuration
* update date
2021-04-14 00:36:38 +02:00
Samirbous
0669e9be00
[New Rule] Suspicious Startup Shell Folder Modification (#1042)
* [New Rule] Suspicious Startup Shell Folder Modification
* Update rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 00:33:54 +02:00
Samirbous
f2bc0c685d
[Rule Tuning] Suspicious Explorer Child Process (#1035)
* [Rule Tuning] Suspicious Explorer Child Process
* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 00:10:29 +02:00
Samirbous
0cc0e3d31f
[New Rule] Persistence via BITS Job Notify Cmdline (#1096)
* [New Rule] Persistence via BITS Job Notify Cmdline
* changed severity and added 1 exclusion
* Update rules/windows/persistence_via_bits_job_notify_command.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-13 23:25:30 +02:00
Brent Murphy
af067797c2
Update defense_evasion_unusual_network_connection_via_rundll32.toml (#1109)
2021-04-13 16:58:30 -04:00
Bobby Filar
3876ef3a37
Adjust loopback for Cloudtrail (#1103)
* #1092 adjusting loopback for cloudtrail
* refactored time interval, adjusted updated_date
* reverting bucket interval back to 15m
2021-04-13 13:58:13 -04:00
David French
a7bb15eaf7
[Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#1046)
* Update discovery_users_domain_built_in_commands.toml
* tweak whitespace in query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-13 11:31:47 -06:00
Brent Murphy
aa61283dfa
[Rule Tuning] Local Service Commands (#1044)
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-13 12:31:45 -04:00
Samirbous
31daa7b36a
[Rule Tuning] Keychain Password Retrieval via Command Line (#992)
* [Rule Tuning] Keychain Password Retrieval via Command Line
* removed duplicate tactic
* Update credential_access_keychain_pwd_retrieval_security_cmd.toml
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-13 18:16:43 +02:00
Brent Murphy
414d320276
[Rule Tuning] Local Scheduled Task Commands (#1043)
* Update persistence_local_scheduled_task_commands.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2021-04-08 14:28:21 -04:00
Apoorva Joshi
0095a80014
Network rules for the 7.13 release (#1087)
* Adding network rules for the 7.13 release
* Adding rule guids
* Update rules/ml/ml_high_count_network_denies.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_high_count_network_events.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_spike_in_traffic_to_a_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Minor changes
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-04-08 09:34:47 -07:00
Samirbous
cb5f9e6a2b
[New Rule] Persistence via WMI Standard Registry Provider (#1040)
* [New Rule] Persistence via WMI Standard Registry Provider
* Update persistence_via_wmi_stdregprov_run_services.toml
* Update persistence_via_wmi_stdregprov_run_services.toml
* fixing Mitre technique stuff
* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* added few regpaths
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-06 17:50:02 +02:00
Samirbous
0c70d56dcd
[Rule Tuning] Potential Command and Control via Internet Explorer (#1070)
* [Rule Tuning] Potential Command and Control via Internet Explorer
* added FP note
* update date
* added *.office.com to exclusions
2021-04-06 11:17:19 +02:00
Samirbous
687c9feba3
[Rule Tuning] Persistence via Login or Logout Hook (#1020)
* [Rule Tuning] Persistence via Login or Logout Hook
* update date
* Update rules/macos/persistence_login_logout_hooks_defaults.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-19 10:32:51 +01:00
Samirbous
3e1169317f
[Rule Tuning] Timestomping using Touch Command (#1006)
* [Rule Tuning] Timestomping using Touch Command
* removed process_started from event.type
* update date
* Update defense_evasion_timestomp_touch.toml
* lint and resolve conflict
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
2021-03-19 10:26:40 +01:00
Samirbous
9cff72bbcb
[Rule Tuning] Connection to Commonly Abused Web Services (#1016)
2021-03-19 10:23:12 +01:00
Samirbous
dd1214627a
[Rule Tuning] Modification of Environment Variable via Launchctl (#1010)
* [Rule Tuning] Modification of Environment Variable via Launchctl
* update date
2021-03-19 10:20:04 +01:00
Samirbous
04f3cd967d
[Rule Tuning] Execution from Unusual Directory - Command Line (#1012)
* [Rule Tuning] Execution from Unusual Directory - Command Line
* format change as per JLB sugg
2021-03-19 10:16:47 +01:00
Samirbous
511a74ef27
[Rule Tuning] Merge and Delete duplicate rules for Registration Utilities (#1028)
* [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities
* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* restored Execution via Regsvcs/Regasm
* restored changes
* deprecated 1 rule, deleted 1 and tuned 1
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-03-19 10:05:09 +01:00
Samirbous
be3c7eaf45
[Rule Tuning] WebProxy Settings Modification (#1008)
* [Rule Tuning] WebProxy Settings Modification
* kql optimz test
* update date
2021-03-19 10:00:50 +01:00
Samirbous
83dfe911bc
[Rule Tuning] Program Files Directory Masquerading (#1018)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-03-19 09:55:08 +01:00
Samirbous
bcc8b6922c
[Rule Tuning] Suspicious macOS MS Office Child Process (#1022)
* [Rule Tuning] Suspicious macOS MS Office Child Process
* comment for exclusions
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-03-19 09:48:27 +01:00
Samirbous
8e139012f7
[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream (#1014)
* [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream
* Revert "[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream"
This reverts commit 2bf2c33002f08fec1d9cc64da9795bb189625e4d.
* [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream
* Update rules/windows/defense_evasion_unusual_dir_ads.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-03-19 09:45:57 +01:00
Samirbous
f800199cc5
[Rule Tuning] Access to Keychain Credentials Directories (#999)
* [Rule Tuning] Access to Keychain Credentials Directories
* Update rules/macos/credential_access_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-03-19 09:42:32 +01:00
Samirbous
04ea1a72c7
[Rule Tuning] Security Software Discovery via Grep (#994)
* [Rule Tuning] Security Software Discovery via Grep
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-18 15:46:26 +01:00
Samirbous
21290cc055
[Rule Tuning] Command Shell Activity Started via RunDLL32 (#996)
* [Rule Tuning] Command Shell Activity Started via RunDLL32
* relinted and added FP note
* update_date
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-18 15:14:22 +01:00
Samirbous
32714b8527
[Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#988)
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack
* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-18 15:11:42 +01:00
Samirbous
bc74838c0b
[Rule Tuning] Suspicious WerFault Child Process (#990)
* [Rule Tuning] Suspicious WerFault Child Process
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-18 15:08:44 +01:00
Justin Ibarra
d4cc4432ce
Add tests to ensure rules are properly deprecated (#1050)
* Add tests to ensure rules are properly deprecated
* add deprecate-rule command
2021-03-16 21:31:33 -08:00
Justin Ibarra
0b65678d8c
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
Brent Murphy
309edf7f4a
Create initial_access_suspicious_ms_exchange_worker_child_process.toml (#1001)
2021-03-08 16:45:27 -05:00
Justin Ibarra
0e0b2ea1a4
Update schema for threshold rule type for 7.12 (#976)
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00
Justin Ibarra
0ef7d87b34
[Rule Tuning] Fix inconsistent rule indexes (#974)
* [Rule Tuning] Fix inconsistent rule indexes
* cleaned up tests that load rules to leverage setUpClass
2021-03-05 11:16:02 -09:00
Brent Murphy
3b7eedcc31
wrap azure operation name (#981)
2021-03-04 17:50:19 -05:00
Brent Murphy
4d3ef43b01
[Rule Tuning] Update "Endpoint Security" to "Elastic Endgame" for the relevant Endgame promotion rules (#978)
* update Endpoint Security to Elastic Endgame for relevant rules
* Update elastic_endpoint_security.toml
* Update test_all_rules.py
2021-03-04 17:21:17 -05:00
Andrew Pease
4494b02e01
[New Rule] Microsoft Exchange Server’s Unified Messaging Spawning Vulnerability - CVE-2021-26857 (#979)
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-04 16:46:49 -05:00