security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
154 Commits 1 Branch 0 Tags
baefaeeaffa23e942e4c1a3fa8c3f8d2f4f981ca
Commit Graph

95 Commits

Author SHA1 Message Date
Craig Chamberlain baefaeeaff [New Rule] Unusual Linux Network Connection Discovery (#266) 
* Create ml_linux_system_network_connection_discovery.toml

ML rule to accompany the unsual network connection discovery job

* Update ml_linux_system_network_connection_discovery.toml

set author

* Update ml_linux_system_network_connection_discovery.toml

added fasle positve field

* Update ml_linux_system_network_connection_discovery.toml

* Update ml_linux_system_network_connection_discovery.toml

linting

* Update rules/ml/ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-22 16:27:17 -04:00
Craig Chamberlain f1f88e3b3a [New Rule] Unusual Linux System Information Discovery Activity (#264) 
* Create ml_linux_system_information_discovery.toml

rule to accompany the system information discovery job

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

added fp field

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

linting

* Update ml_linux_system_information_discovery.toml

* Update rules/ml/ml_linux_system_information_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 16:25:59 -04:00
Craig Chamberlain 92633ed51a [New Rule] Anomalous Linux Compiler Activity (#262) 
* Create ml_linux_anomalous_compiler_activity.toml

rule to accompany the rare compiler activity job

* Update ml_linux_anomalous_compiler_activity.toml

added fp field

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml
 2020-09-22 16:24:32 -04:00
Craig Chamberlain 8e2d4cbfc8 [New Rule] Unusual Linux System Owner or User Discovery Activity (#267) 
* Create ml_linux_system_user_discovery.toml

ML rule to accompany the unusual system owner / user discovery job

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_system_user_discovery.toml

added fp field

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

lint

* Update ml_linux_system_user_discovery.toml

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 16:22:41 -04:00
Craig Chamberlain 0a0c5986c5 [New Rule] Anomalous Kernel Module Activity (#257) 
* Create ml_linux_rare_kernel_module_arguments.toml

* rare module rule

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update rules/ml/ml_linux_anomalous_kernel_module_arguments.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 16:18:51 -04:00
Craig Chamberlain 14a62ae93f [New Rule] Unusual Linux Process Discovery Activity (#261) 
* Create ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

added fp field

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update rules/ml/ml_linux_system_process_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linting

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2020-09-22 16:15:36 -04:00
David French cedb2e1289 [New Rule] Azure Conditional Access Policy Modified (#237) 
* new-rule-azure-conditional-access-policy-modified

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

Update maturity to production

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to include result value

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to search both the Azure audit logs and activity logs

* Optimize formatting of query

* Tweak consent grant attack rule

Amending the query in rule, "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs

* Tweak formatting of query to improve Brent's happiness level

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-22 09:28:32 -06:00
David French 11145ffb7f [New Rule] Possible Consent Grant Attack via Azure-Registered Application (#236) 
* new-rule-illicit-consent-grant-attack

* Update initial_access_consent_grant_attack_via_azure_registered_application.toml

Move detailed info and investigation notes to notes field

* Update query to include result field

* Update rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
 2020-09-22 08:30:34 -06:00
Samirbous e2a0172d7d [New Rule] Remote File Download via MpCmdRun (#247) 
* [New Rule] Remote File Download via MpCmdRun

* added ref

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-22 14:44:48 +02:00
Samirbous f750b89201 [New Rule] Remote File Copy via TeamViewer (#241) 
* [New Rule] Remote File Copy via TeamViewer

* Update command_and_control_teamviewer_remote_file_copy.toml

* Update command_and_control_teamviewer_remote_file_copy.toml

* Update rules/windows/command_and_control_teamviewer_remote_file_copy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:43:32 +02:00
Samirbous c2e95a35dc [New Rule] Evasion via Renamed AutoIt Scripts Interpreter (#234) 
* [New Rule] Evasion via Renamed AutoIt Scripts Interpreter

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:39:04 +02:00
Samirbous 4948582d7c [New Rule] Mimikatz Memssp Logs File Detected (#228) 
* [New Rule] Mimikatz Memssp Logs File Detected

* Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:37:40 +02:00
Samirbous 69b2f9f645 [New Rule] Code Injection - Suspicious Conhost Child Process (#226) 
* [New Rule] Code Injection - Suspicious Conhost Child Process

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:35:56 +02:00
Samirbous d43f814c19 [New Rule] Suspicious Elastic Endpoint Parent Process (#214) 
* [New Rule] Suspicious Elastic Endpoint Parent Process

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-22 14:34:11 +02:00
Samirbous 42247efc3b [New Rule] Suspicious WerFault Child Process (#212) 
* [New Rule] Suspicious WerFault Child Process

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* linted

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-22 14:32:04 +02:00
Samirbous 96992b3ae6 [New Rule] Potential Process Masquerading as WerFault (#210) 
* [New Rule] Potential Process Masquerading as WerFault

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:30:34 +02:00
Samirbous 52b6657d09 [New Rule] Suspicious .Net Compiler Parent Process (#208) 
* [New Rule] Suspicious dotNet Comilper Parent Process

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-22 14:28:41 +02:00
Samirbous ae13adf0a9 [New Rule] Suspicious managed code hosting process (#204) 
* [New Rule] Suspicious managed code hosting process

* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:27:03 +02:00
Samirbous 3890a90135 [Rule Tuning] Unusual Parent-Child Relationship (#185) 
* [Rule Tuning] Unusual Parent-Child Relationship

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml
 2020-09-22 14:25:27 +02:00
Samirbous 601a5a1e5b [New Rule] - Executable File Created by a System Critical Process (#183) 
* Unusual Executable File Creation by a System Critical Process

* Update defense_evasion_system_critical_proc_abnormal_file_activity.toml

* Update rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_system_critical_proc_abnormal_file_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:23:37 +02:00
Samirbous 3e67e8fada [New Rule] Remote SSH Login Enabled (#172) 
* [New Rule] Remote SSH Login Enabled

* Update lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:21:20 +02:00
Samirbous 2ce8c2833f [New Rule] Microsoft IIS Service Account Password Dumped (#167) 
* [New Rule] Microsoft IIS Service Account Password Dumped

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Linted

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-22 13:58:57 +02:00
Samirbous ff097719af [New Rule] UAC Bypass via DiskCleanup Task Hijack (#160) 
* [New Rule] UAC Bypass via DiskCleanup Task Hijack

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 13:57:37 +02:00
Samirbous 9926071b0d [New Rule] - Execution via Hidden Shell (#154) 
* [New Rule] - Execution via Hidden Shell

* Update execution_via_hidden_shell_conhost.toml

* Update execution_via_hidden_shell_conhost.toml

* Update execution_via_hidden_shell_conhost.toml

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 13:56:19 +02:00
Samirbous 79e7f17130 [New Rule] - Persistence via TelemetryController Scheduled Task Hijack (#150) 
* [New Rule] - Persistence via TelemetryController Scheduled Task Hijack

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-22 13:54:51 +02:00
Samirbous 822453b32c [New Rule] - Suspicious PsExec Execution (#134) 
* [New Rule] - Suspicious PsExec Execution

* Update defense_evasion_execution_suspicious_psexesvc.toml

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_execution_suspicious_psexesvc.toml

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 13:52:01 +02:00
Samirbous 9590bc3f68 [New Rule] Execution via xp_cmdshell MSSQL stored procedure (#132) 
* [New Rule] Execution via xp_cmdshell MSSQL stored procedure

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update execution_via_xp_cmdshell_mssql_stored_procedure.toml

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 13:48:54 +02:00
Samirbous cdbd3c0640 [Rule Tuning] - Tuning of 3 Existing Windows Rules (#123) 
* tunning of 3 existing rules

added not to accessibility rule
added whoami to system identity running discovery utility
added regasm.exe to registration utility performing ntcon

* Update rules/windows/discovery_net_command_system_account.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update persistence_priv_escalation_via_accessibility_features.toml

* Update discovery_net_command_system_account.toml

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_net_command_system_account.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-22 13:47:22 +02:00
Brent Murphy 6a1e97cd06 [Rule Tuning] Update AWS rules to account for Agent index (#256) 
* Update AWS rules

* chnage updated date
 2020-09-21 09:04:50 -04:00
David French 4041fc8bde update-okta-rules-for-ingest-manager-compatibility (#295) 2020-09-15 15:42:38 -06:00
Brent Murphy 140091e7b8 [New Rule] Azure Storage Account Key Regenerated (#188) 
* Create credential_access_storage_account_key_regenerated.toml

* Update rules/azure/credential_access_storage_account_key_regenerated.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update credential_access_storage_account_key_regenerated.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 14:08:48 -04:00
Brent Murphy 040f56ff0c [New Rule] Azure Network Watcher Deletion (#232) 2020-09-04 12:18:18 -04:00
Brent Murphy 21431101b7 [New Rule] Azure External Guest User Invitation (#231) 
* Create initial_access_external_guest_user_invite.toml

* Update rules/azure/initial_access_external_guest_user_invite.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* update mitre metadata

* lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 12:11:13 -04:00
Brent Murphy 0fc78b3c3b [New Rule] Azure Key Vault Modified (#230) 
* [New Rule] Azure Update to Key Vault

* Update rules/azure/credential_access_key_vault_update.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_key_vault_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-04 11:30:01 -04:00
Brent Murphy 70cc7fd112 [Rule Tuning] AWS Root Login Without MFA (#229) 
* Update privilege_escalation_root_login_without_mfa.toml

* Update privilege_escalation_root_login_without_mfa.toml

* update index

* Update privilege_escalation_root_login_without_mfa.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 10:57:51 -04:00
Brent Murphy e49b69af10 [New Rule] Azure Blob Container Access Level Modification (#192) 
* Create discovery_blob_container_access_mod.toml

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 10:48:21 -04:00
David French 6d3955bd8a [New Rule] High Number of Okta User Password Reset or Unlock Attempts (#187) 
* new-rule-high-number-of-okta-password-reset-or-unlock-attempts

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update schedule

* Update FP information and format query for readability

* Update .gitignore

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

* Tweak formatting of query

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-04 08:38:06 -06:00
David French 230b59dfc9 rule-tuning-user-added-as-owner-for-azure-service-principal (#258) 2020-09-04 08:36:20 -06:00
Brent Murphy bcd698add2 [New Rule] Azure Event Hub Deletion (#170) 
* Create defense_evasion_event_hub_deletion.toml

* Update rules/azure/defense_evasion_event_hub_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/azure/defense_evasion_event_hub_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 10:23:43 -04:00
Brent Murphy a49d102de3 [New Rule] Azure Event Hub Authorization Rule Created or Updated (#173) 
* Create collection_update_event_hub_auth_rule.toml

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-04 09:32:30 -04:00
Brent Murphy 0ac7f3d672 [New Rule] Azure Firewall Policy Deletion (#169) 
* Create defense_evasion_firewall_policy_deletion.toml

* Update rules/azure/defense_evasion_firewall_policy_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 09:28:58 -04:00
Brent Murphy 9025a7d183 [New Rule] Azure Diagnostic Settings Deletion (#157) 
* Create azure_diagnostic_settings_deletion.toml

* Update azure_diagnostic_settings_deletion.toml
 2020-09-04 09:20:13 -04:00
Brent Murphy b4a15960cb [New Rule] Azure Command Execution on Virtual Machine (#155) 
* Create execution_command_virtual_machine.toml

* Update execution_command_virtual_machine.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-03 17:09:40 -04:00
Brent Murphy 6b04105936 [New Rule] Azure Resource Group Deletion (#158) 
* Create impact_resource_group_deletion.toml

* Update rules/azure/impact_resource_group_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-03 17:06:43 -04:00
David French 1f555c289f [New Rule] Azure Privileged Identity Management Role Modified (#238) 
* new-rule-azure-pim-role-modified

* Add ATT&CK metadata to rule

* Update rules/azure/defense_evasion_azure_privileged_identity_management_role_modified.toml
 2020-09-03 15:02:14 -06:00
David French 89db7384a0 [New Rule] Azure Automation Runbook Deleted (#235) 
* new-rule-azure-automation-runbook-deleted

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Fix typo in rule description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Remove superfluous parens from query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-03 13:09:40 -06:00
David French 225aba61c9 [New Rule] Multi-Factor Authentication Disabled for an Azure User (#195) 
* new-rule-mfa-disabled-for-an-azure-user

* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml

Update ECS version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-03 12:42:27 -06:00
David French 43204391b6 [New Rule] User Added as Owner for Azure Service Principal (#194) 
* new-rule-user-added-as-owner-for-azure-service-principal

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Add parens to query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Update ECS version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 12:21:44 -06:00
David French 43f657ac4e [New Rule] User Added as Owner for Azure Application (#191) 
* new-rule-user-added-as-owner-for-azure-application

* Update rule name and description

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Update query to remove superfluous quotes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Add ATT&CK metadata to rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 12:15:33 -06:00
David French 75474387a8 [New Rule] Attempts to Brute Force an Okta User Account (#186) 
* new-rule-attempts-to-brute-force-an-okta-user-account

* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

Update ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 11:23:56 -06:00