security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
497 Commits 1 Branch 0 Tags
b8116a5b7703555b40351a59c8bb72a23be87f16
Commit Graph

497 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Justin Ibarra b8116a5b77 Add GitHub PR rule loader (#670) 
* add load_gh_pr_rules function
* add dev package-stats command
* add dev search-rule-prs command, which extends the same functionality in rule-search to rules in PR
 2021-02-08 21:35:44 -09:00
Justin Ibarra 56dc4745b5 Add export-rules command (#639) 
* Add export-rule command to CLI
* add `export` method to packaging class
 2021-02-08 20:43:16 -09:00
David French e507898dbd [New Rule] Attempt to Disable Gatekeeper (#841) 2021-02-08 20:25:04 -07:00
Samirbous 519078c87c [New Rule] Authorization Plugin Modification (#856) 
* [New Rule] Authorization Plugin Modification

* Update credential_access_persistence_authorization_plugin_creation.toml

* Update rules/macos/credential_access_persistence_authorization_plugin_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_persistence_authorization_plugin_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* tactic

* filename

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:14:25 +01:00
Samirbous 2092c70f11 [New Rule] Finder Sync Plugin Enabled (#735) 
* [New Rule] Finder Sync Plugin Enabled

* ref url decoded

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* excluded some common finder plugins

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:08:49 +01:00
Samirbous 4d68377d1b [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation (#819) 
* [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation

* replaced file.name with dll.name

* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update privilege_escalation_persistence_phantom_dll.toml

* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 23:04:02 +01:00
Samirbous fb32679921 [New Rule] Access to SystemKey via Hexdump (#815) 
* [New Rule] Access to SystemKey via Hexdump

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_systemkey_dumping.toml

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:02:02 +01:00
Samirbous 2e6b353f5e [New Rule] Potential Reverse Shell Activity via Terminal (#821) 
* [New Rule] Potential Reverse Shell Activity via Terminal

* extra reference

* adjusted process.args for coverage resilience

* Update execution_revershell_via_shell_cmd.toml

* Update rules/cross-platform/execution_revershell_via_shell_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/execution_revershell_via_shell_cmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* encoded ref url

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 22:57:55 +01:00
Samirbous 6e2d8830e1 [New Rule] Attempt to Install Root Certificate (#850) 
* [New Rule]  Attempt to Install Root Certificate

* Update rules/macos/defense_evasion_install_root_certificate.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_install_root_certificate.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:49:35 +01:00
Samirbous a08adbf10c [New Rule] Suspicious Launchd Hidden Child Process (#823) 
* [New Rule] Hidden Launcd Child Process

* adjusted name and added extra ref

* severity change

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 22:43:21 +01:00
Samirbous 55272cc49e [New Rule] EggShell Backdoor Execution (#845) 
* [New Rule] EgShell Backdoor Execution

* Update rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:37:15 +01:00
Samirbous 53db78fccc [New Rule] Lateral Movement via Kerberos using Bifrost Console (#843) 
* [New Rule] Lateral Movement via Kerberos using Bifrost Console

* adjusted kql for perf

* mitre techniques order

* added two args

* Update lateral_movement_credential_access_kerberos_bifrostconsole.toml

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:34:54 +01:00
Samirbous 429a975d14 [New Rule] Keychain Password Retrieval via Commandline (#811) 
* [New Rule] Keychain Password Retrieval via Commandline

* added false positives note

* added internet-pwd option

* extra refurl

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* fixed technique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:31:16 +01:00
Samirbous 18a4e468ce [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension (#807) 
* [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:22:16 +01:00
Brent Murphy 64366218c7 adjust risk score (#938) 2021-02-08 13:15:42 -05:00
Samirbous 6ca381763d [New Rule] Execution with Administrator Privileges via Apple Scripting (#777) 
* [New Rule] Execution with Administrator Privileges via Apple Scripting

* Update privilege_escalation_applescript_with_admin_privs.toml

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-08 17:39:22 +01:00
Samirbous ef01430ab0 [Rule Tuning] Compression of Keychain Credentials Directories (#787) 
* [Rule Tuning] Access to Keychain Credentials Directories

* linted

* renmaed rule filename

* added keychain filenames 

added filenames in case of exec from keychain working directory

* extra reference

* Update rules/macos/credential_access_credentials_keychains.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_credentials_keychains.toml

* 2021

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-02-08 17:31:04 +01:00
Samirbous 79b0a940c5 [New Rule] Attempt to Create a Hidden Local Account (#799) 
* [New Rule] Attempt to Create a Hidden Local Account

* adjusted query for perfmc

* Update persistence_account_creation_hide_at_logon.toml

* Update persistence_account_creation_hide_at_logon.toml

* Update rules/macos/persistence_account_creation_hide_at_logon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_account_creation_hide_at_logon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:24:56 +01:00
Samirbous 55998ff02a [New Rule] Creation Attempt of a Hidden Login Item via Apple Script (#801) 
* [New Rule] Creation Attempt of a Hidden Login Item via Apple Script

* fixed TID

* Update persistence_creation_hidden_login_item_osascript.toml

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:22:01 +01:00
Samirbous b9a6452001 [New Rule] Attempt to Enable the Root Account (#792) 
* [New Rule] Attempt to Enable the Root Account

* Update rules/macos/persistence_enable_root_account.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:10:43 +01:00
Samirbous b73564b541 [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783) 2021-02-08 16:54:39 +01:00
Samirbous 055c8ec4f7 [New Rule] Potential MacOS Privacy Controls Bypass via TCCDB Modification (#765) 
* [New Rule] Potential MacOS Privacy Controls Bypass

* added extra ref and arg if exec from TCC current directory

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* renamed

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* adjusted to catch rogue TCCDB PrivEsc Exploit

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

* relinted

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-08 16:48:53 +01:00
Samirbous 8b8cbcf8dd [Rule Tuning] Prompt for Credentials with OSASCRIPT (#759) 
* [Rule Tuning] Prompt for Credentials with OSASCRIPT

* Update credential_access_promt_for_pwd_via_osascript.toml

* Update credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* update date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 16:42:23 +01:00
Samirbous 4cb28adece [New Rule] Sublime Plugin or Application Script Modification (#761) 
* [New Rule] Sublime Plugin or Application Script Modification

* excluded some noisy procs

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added T1554

* fixed tactic

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 16:34:44 +01:00
Samirbous 82fe227030 [New Rule] Sensitive Files Compression (#756) 
* [New Rule] Sensitive Files Compression

* conv to kql

* Update rules/linux/credential_access_collection_sensitive_files.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/credential_access_collection_sensitive_files.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_collection_sensitive_files.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_collection_sensitive_files.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-08 16:31:00 +01:00
Samirbous 99a4aaff58 [New Rule] Modification of the Dynamic Linker Preload Shared Object (#921) 
* [New Rule] Modification of the Dynamic Linker Preload Shared Object

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 16:11:37 +01:00
Brent Murphy 02ee8195ab [New Rule] Creation or Modification of Root Certificate (#927) 
* Create defense_evasion_create_mod_root_certificate.toml

* update description

* Update defense_evasion_create_mod_root_certificate.toml

* spacing

* Update rules/windows/defense_evasion_create_mod_root_certificate.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* removing process names that could lead to fn

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 10:01:59 -05:00
Brent Murphy 0b568e5740 [New Rule] Suspicious JAR Child Process (#887) 
* Create execution_suspicious_jar_child_process.toml

* pr review feedback and moved to cross platform

* spacing

* Add FP section
 2021-02-08 09:48:48 -05:00
Samirbous 6a61caa84f [New Rule] Suspicious Browser Child Process (#767) 
* [New Rule] Suspicious Browser Child Process

* auditbeat removed

auditbeat process execution does not log the parent process name.

* added more suspicious childproc

* added perl and php

* Update execution_initial_access_suspicious_browser_childproc.toml

* Update execution_initial_access_suspicious_browser_childproc.toml

* Update execution_initial_access_suspicious_browser_childproc.toml

* excluded noisy stuff

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 15:06:18 +01:00
Samirbous 732770e855 [New Rule] Potential OpenSSH Backdoor Logging Activity (#749) 
* [New Rule] Known SSH Backdoor Logging File

* updated query to common patterns

* updated rule name

* relinted

* added extra path

* renamed

* adjusted some filepaths

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added kobalos OpenSSH credential stealer

added kobalos SSH credential stealer default logs file as reported by ESET this week https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf

* relinted

* adjusted MITRE technique

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-05 21:27:15 +01:00
Samirbous 3fde3930f7 [New Rule] Modification of Standard Authentication Module or Configuration (#745) 
* [New Rule] Modification of Unix Standard Authentication Module

* extra ref and added file creation event type

* extra ref url

* Update persistence_modify_authentication_module.toml

* added pam.d conf files changes too

* adjusted tactics and techniques

* Update persistence_modify_authentication_module.toml

* Update persistence_modify_authentication_module.toml

* changed from linux to cross platfm

* Update persistence_credential_access_modify_auth_module_or_config.toml

* adjusted query

* converted to kql and excluded FPs

* Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update persistence_credential_access_modify_auth_module_or_config.toml

* Update persistence_credential_access_modify_auth_module_or_config.toml

* Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-05 21:23:58 +01:00
Justin Ibarra e2c860693c Repaired merge from PR 876 - RTA docs (#935) 2021-02-04 08:34:54 -09:00
Samirbous 4900c9a018 [New Rule] Potential Office Sandbox Evasion via ZIP File (#834) 
* [New Rule] Potential Office Sandbox Evasion via LaunchAgent ZIP File

* adjusted query to account for other autostart paths

* adjusted query and description

* Update defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

* Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* 2021!

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-04 16:47:58 +01:00
Samirbous a8931a927c [New Rule] Safari Settings Modification using Defaults Command (#861) 
* [New Rule] Safari Settings Modification using Defaults Command

* exclude some unsensitive changes

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2021-02-04 16:38:56 +01:00
Samirbous 6e59996fd0 [New Rule] Access to Browsers Credential Files (#789) 
* [New Rule] Access to Browsers Credential Files

* removed Thunderbird from list

out of browsers context, may go into a different rule with other mail clients

* adjusted Safari cookies path

to include for folder access, file access is covered by Cookies.binarycookies check

* excluded a noisy arg

* Update credential_access_access_to_browser_credentials_procargs.toml

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-04 16:34:49 +01:00
Samirbous bec5211814 [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod (#875) 
* [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod

* Update privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

* relinted
 2021-02-04 16:29:53 +01:00
Brent Murphy 236c630c90 [Rule Tuning] Update rules using case sensitive wildcard function (#904) 
* update rules using case sensitive wildcard function

* add appropriate spacing

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update ==

* Apply suggestions from code review

* remove info update index

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update persistence_evasion_hidden_local_account_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-04 10:23:32 -05:00
Samirbous 37ccdad0ee [New Rule] Virtual Private Network Connection Attempt (#912) 
* [New Rule] Virtual Private Network Connection Attempt

* fixed tactic_id

* Update lateral_movement_vpn_connection_attempt.toml

* Update rules/macos/lateral_movement_vpn_connection_attempt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 18:18:09 +01:00
Samirbous 8878104f54 [New Rule] Potential Persistence via Periodic Tasks (#898) 
* [New Rule] Potential Persistence via Periodic Tasks

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 18:15:25 +01:00
Samirbous d733971e99 [New Rule] SoftwareUpdate Preferences Modification (#869) 
* [New Rule] SoftwareUpdate Preferences Modification

* Update defense_evasion_apple_softupdates_modification.toml

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 18:12:37 +01:00
Samirbous 4a5085ee54 [Rule Tuning] Sudoers File Modification (#873) 
* [Rule Tuning] Sudoers File Modification

* 2021!

* Update rules/cross-platform/privilege_escalation_sudoers_file_mod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 17:57:40 +01:00
Samirbous b1a8292462 [New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy (#830) 
* [New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy

* rename rule

* exclude FPs

* Update defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

* Update rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 17:54:15 +01:00
Brent Murphy ffe8e5bfc5 [Rule Tuning] Update file.name to dll.name for Library events (#893) 
* [Rule Tuning] Update file.name to dll.name for Library events

* replace == with :

* updated_date

* removed spacing inconsistencies

* jibs likes spaces

* NOT again jibs
 2021-02-03 11:09:29 -05:00
Brent Murphy fdf9384e4d [Rule Tuning] Execution from Unusual Directory - Command Line (#837) 
* Update execution_from_unusual_path_cmdline.toml

* lint

* Update execution_from_unusual_path_cmdline.toml
 2021-02-03 10:54:19 -05:00
Brent Murphy fd05341e70 [New Rule] Potential Port Monitor or Print Processor Registration Abuse (#901) 
* Create privilege_escalation_port_monitor_registration.toml

* add non SYSTEM user

* convert SYSTEM to SID - use SID to eliminate locale specific system names

* update name

* update to include print processor path

* add reference

* spacing

* add logs-windows.*

* update spacing
 2021-02-01 16:24:49 -05:00
Samirbous 326bebdebe [New Rule] Execution via Electron Child Process Node.js Module (#817) 
* [New Rule] Execution via Electron ChildProc Node.js Module

* relinted

* fixed TID and adjusted KQL for perf

* fixed kql

* Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-29 19:06:49 +01:00
Samirbous ad514eaeab [New Rule] Attempt to Add an Account to the Admin Group (#803) 
* [New Rule] Attempt to Add an Account to the Admin Group

* adjusted query for perf

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-29 19:03:17 +01:00
Samirbous cd3f72cf15 [New Rule] Creation of a Hidden Launch Agent or Daemon (#797) 
* [New Rule] Creation of a Hidden Launch Agent or Daemon

* updated TID

* Update persistence_evasion_hidden_launch_agent_deamon_creation.toml

* Update persistence_evasion_hidden_launch_agent_deamon_creation.toml

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* sub-technique stuff

* relint

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 19:01:15 +01:00
Samirbous a5ded6513c [New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805) 
* [New Rule] Browser Hijack via Setting the Web Proxy to Localhost

* fixed dates

* adjusted query to include traffic redirection

* relinted

* added extra arg

* reduced severity

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 18:58:14 +01:00
Samirbous acff6a3a5d [New Rule] 2 Rules for Persistence via Emond (#832) 
* [New Rule] 2 Rules for Persistence via Emond

* removed auditbeat index

process.parent.name not captured

* Update persistence_emond_rules_process_execution.toml

* Update rules/macos/persistence_emond_rules_file_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_file_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relint

* 2021

* Update persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 09:16:27 +01:00