sigma-rules

Author	SHA1	Message	Date
Samirbous	e2a0172d7d	[New Rule] Remote File Download via MpCmdRun (#247 ) * [New Rule] Remote File Download via MpCmdRun * added ref * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2020-09-22 14:44:48 +02:00
Samirbous	f750b89201	[New Rule] Remote File Copy via TeamViewer (#241 ) * [New Rule] Remote File Copy via TeamViewer * Update command_and_control_teamviewer_remote_file_copy.toml * Update command_and_control_teamviewer_remote_file_copy.toml * Update rules/windows/command_and_control_teamviewer_remote_file_copy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:43:32 +02:00
Samirbous	c2e95a35dc	[New Rule] Evasion via Renamed AutoIt Scripts Interpreter (#234 ) * [New Rule] Evasion via Renamed AutoIt Scripts Interpreter * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:39:04 +02:00
Samirbous	4948582d7c	[New Rule] Mimikatz Memssp Logs File Detected (#228 ) * [New Rule] Mimikatz Memssp Logs File Detected * Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:37:40 +02:00
Samirbous	69b2f9f645	[New Rule] Code Injection - Suspicious Conhost Child Process (#226 ) * [New Rule] Code Injection - Suspicious Conhost Child Process * Update rules/windows/defense_evasion_code_injection_conhost.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_code_injection_conhost.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update rules/windows/defense_evasion_code_injection_conhost.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:35:56 +02:00
Samirbous	d43f814c19	[New Rule] Suspicious Elastic Endpoint Parent Process (#214 ) * [New Rule] Suspicious Elastic Endpoint Parent Process * Update defense_evasion_masquerading_as_elastic_endpoint_process.toml * Update defense_evasion_masquerading_as_elastic_endpoint_process.toml * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_masquerading_as_elastic_endpoint_process.toml * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 14:34:11 +02:00
Samirbous	42247efc3b	[New Rule] Suspicious WerFault Child Process (#212 ) * [New Rule] Suspicious WerFault Child Process * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * linted * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-09-22 14:32:04 +02:00
Samirbous	96992b3ae6	[New Rule] Potential Process Masquerading as WerFault (#210 ) * [New Rule] Potential Process Masquerading as WerFault * Update defense_evasion_masquerading_werfault.toml * Update defense_evasion_masquerading_werfault.toml * Update defense_evasion_masquerading_werfault.toml * Update defense_evasion_masquerading_werfault.toml * Update defense_evasion_masquerading_werfault.toml * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_werfault.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:30:34 +02:00
Samirbous	52b6657d09	[New Rule] Suspicious .Net Compiler Parent Process (#208 ) * [New Rule] Suspicious dotNet Comilper Parent Process * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 14:28:41 +02:00
Samirbous	ae13adf0a9	[New Rule] Suspicious managed code hosting process (#204 ) * [New Rule] Suspicious managed code hosting process * Update defense_evasion_suspicious_managedcode_host_process.toml * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_suspicious_managedcode_host_process.toml * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:27:03 +02:00
Samirbous	3890a90135	[Rule Tuning] Unusual Parent-Child Relationship (#185 ) * [Rule Tuning] Unusual Parent-Child Relationship * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_parentchild_relationship.toml	2020-09-22 14:25:27 +02:00
Samirbous	601a5a1e5b	[New Rule] - Executable File Created by a System Critical Process (#183 ) * Unusual Executable File Creation by a System Critical Process * Update defense_evasion_system_critical_proc_abnormal_file_activity.toml * Update rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update defense_evasion_system_critical_proc_abnormal_file_activity.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 14:23:37 +02:00
Samirbous	2ce8c2833f	[New Rule] Microsoft IIS Service Account Password Dumped (#167 ) * [New Rule] Microsoft IIS Service Account Password Dumped * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Linted Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 13:58:57 +02:00
Samirbous	ff097719af	[New Rule] UAC Bypass via DiskCleanup Task Hijack (#160 ) * [New Rule] UAC Bypass via DiskCleanup Task Hijack * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 13:57:37 +02:00
Samirbous	9926071b0d	[New Rule] - Execution via Hidden Shell (#154 ) * [New Rule] - Execution via Hidden Shell * Update execution_via_hidden_shell_conhost.toml * Update execution_via_hidden_shell_conhost.toml * Update execution_via_hidden_shell_conhost.toml * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_via_hidden_shell_conhost.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 13:56:19 +02:00
Samirbous	79e7f17130	[New Rule] - Persistence via TelemetryController Scheduled Task Hijack (#150 ) * [New Rule] - Persistence via TelemetryController Scheduled Task Hijack * Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml * Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-09-22 13:54:51 +02:00
Samirbous	822453b32c	[New Rule] - Suspicious PsExec Execution (#134 ) * [New Rule] - Suspicious PsExec Execution * Update defense_evasion_execution_suspicious_psexesvc.toml * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_execution_suspicious_psexesvc.toml * Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 13:52:01 +02:00
Samirbous	9590bc3f68	[New Rule] Execution via xp_cmdshell MSSQL stored procedure (#132 ) * [New Rule] Execution via xp_cmdshell MSSQL stored procedure * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update execution_via_xp_cmdshell_mssql_stored_procedure.toml * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-09-22 13:48:54 +02:00
Samirbous	cdbd3c0640	[Rule Tuning] - Tuning of 3 Existing Windows Rules (#123 ) * tunning of 3 existing rules added not to accessibility rule added whoami to system identity running discovery utility added regasm.exe to registration utility performing ntcon * Update rules/windows/discovery_net_command_system_account.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update execution_register_server_program_connecting_to_the_internet.toml * Update execution_register_server_program_connecting_to_the_internet.toml * Update execution_register_server_program_connecting_to_the_internet.toml * Update execution_register_server_program_connecting_to_the_internet.toml * Update persistence_priv_escalation_via_accessibility_features.toml * Update discovery_net_command_system_account.toml * Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_net_command_system_account.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-09-22 13:47:22 +02:00
brokensound77	aec3ec31b9	Merge branch '7.9' into main	2020-08-27 15:54:44 -08:00
Justin Ibarra	79a0dfefbe	Add ECS 1.6.0 schema for validation testing (#220 ) * Add ecs 1.6.0 and refresh master ecs (2.0.0) * update rule metadata to use ecs_version 1.6.0	2020-08-27 11:54:49 -05:00
Justin Ibarra	be08536880	Increase lookback for endpoint rules (#200 )	2020-08-21 12:23:43 -05:00
Ross Wolf	a99b7c96fe	Merge branch '7.9' into main	2020-08-03 14:03:15 -06:00
Brent Murphy	7efe33e01d	[Rule Tuning] Update Index Pattern for Detection Engine Rules (#101 ) * [Rule Tuning] Update Index Pattern for Detection Engine Rules * update indices	2020-08-03 15:46:57 -04:00
Justin Ibarra	1bf60551ff	Update lateral_movement_dns_server_overflow.toml	2020-07-17 15:52:04 -05:00
Justin Ibarra	1cfb8f92bb	Windows DNS server vulnerability (CVE-2020-1350) rules (#69 )	2020-07-17 14:32:52 -05:00
Ben Skelker	680a04da8f	Fix terminology and doc links (#54 )	2020-07-13 12:47:42 -06:00
Justin Ibarra	95908c22a4	Improve ECS compatibility for endpoint rules	2020-07-07 15:41:23 -06:00
Ross Wolf	5fcece8416	Populate rules/ directory. Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com> Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com> Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com> Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-06-29 22:57:03 -06:00

29 Commits