Commit Graph

144 Commits

Author SHA1 Message Date
Samirbous c2e95a35dc [New Rule] Evasion via Renamed AutoIt Scripts Interpreter (#234)
* [New Rule] Evasion via Renamed AutoIt Scripts Interpreter

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:39:04 +02:00
Samirbous 4948582d7c [New Rule] Mimikatz Memssp Logs File Detected (#228)
* [New Rule] Mimikatz Memssp Logs File Detected

* Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:37:40 +02:00
Samirbous 69b2f9f645 [New Rule] Code Injection - Suspicious Conhost Child Process (#226)
* [New Rule] Code Injection - Suspicious Conhost Child Process

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:35:56 +02:00
Samirbous d43f814c19 [New Rule] Suspicious Elastic Endpoint Parent Process (#214)
* [New Rule] Suspicious Elastic Endpoint Parent Process

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 14:34:11 +02:00
Samirbous 42247efc3b [New Rule] Suspicious WerFault Child Process (#212)
* [New Rule] Suspicious WerFault Child Process

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* linted

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 14:32:04 +02:00
Samirbous 96992b3ae6 [New Rule] Potential Process Masquerading as WerFault (#210)
* [New Rule] Potential Process Masquerading as WerFault

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:30:34 +02:00
Samirbous 52b6657d09 [New Rule] Suspicious .Net Compiler Parent Process (#208)
* [New Rule] Suspicious dotNet Compiler Parent Process

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 14:28:41 +02:00
Samirbous ae13adf0a9 [New Rule] Suspicious managed code hosting process (#204)
* [New Rule] Suspicious managed code hosting process

* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:27:03 +02:00
Samirbous 3890a90135 [Rule Tuning] Unusual Parent-Child Relationship (#185)
* [Rule Tuning] Unusual Parent-Child Relationship

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml
2020-09-22 14:25:27 +02:00
Samirbous 601a5a1e5b [New Rule] - Executable File Created by a System Critical Process (#183)
* Unusual Executable File Creation by a System Critical Process

* Update defense_evasion_system_critical_proc_abnormal_file_activity.toml

* Update rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_system_critical_proc_abnormal_file_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:23:37 +02:00
Samirbous 3e67e8fada [New Rule] Remote SSH Login Enabled (#172)
* [New Rule] Remote SSH Login Enabled

* Update lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:21:20 +02:00
Samirbous 2ce8c2833f [New Rule] Microsoft IIS Service Account Password Dumped (#167)
* [New Rule] Microsoft IIS Service Account Password Dumped

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Linted

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 13:58:57 +02:00
Samirbous ff097719af [New Rule] UAC Bypass via DiskCleanup Task Hijack (#160)
* [New Rule] UAC Bypass via DiskCleanup Task Hijack

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 13:57:37 +02:00
Samirbous 9926071b0d [New Rule] - Execution via Hidden Shell (#154)
* [New Rule] - Execution via Hidden Shell

* Update execution_via_hidden_shell_conhost.toml

* Update execution_via_hidden_shell_conhost.toml

* Update execution_via_hidden_shell_conhost.toml

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 13:56:19 +02:00
Samirbous 79e7f17130 [New Rule] - Persistence via TelemetryController Scheduled Task Hijack (#150)
* [New Rule] - Persistence via TelemetryController Scheduled Task Hijack

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 13:54:51 +02:00
Samirbous 822453b32c [New Rule] - Suspicious PsExec Execution (#134)
* [New Rule] - Suspicious PsExec Execution

* Update defense_evasion_execution_suspicious_psexesvc.toml

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_execution_suspicious_psexesvc.toml

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 13:52:01 +02:00
Samirbous 9590bc3f68 [New Rule] Execution via xp_cmdshell MSSQL stored procedure (#132)
* [New Rule] Execution via xp_cmdshell MSSQL stored procedure

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update execution_via_xp_cmdshell_mssql_stored_procedure.toml

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 13:48:54 +02:00
Samirbous cdbd3c0640 [Rule Tuning] - Tuning of 3 Existing Windows Rules (#123)
* tuning of 3 existing rules

added not to accessibility rule
added whoami to system identity running discovery utility
added regasm.exe to registration utility performing ntcon

* Update rules/windows/discovery_net_command_system_account.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update persistence_priv_escalation_via_accessibility_features.toml

* Update discovery_net_command_system_account.toml

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_net_command_system_account.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 13:47:22 +02:00
Brent Murphy 6a1e97cd06 [Rule Tuning] Update AWS rules to account for Agent index (#256)
* Update AWS rules

* change updated date
2020-09-21 09:04:50 -04:00
Ross Wolf 453553f685 Change the way we get environment variables (#280)
* Change the way we get environment variables
* Change environ to getenv
* Read from envvar, then config file
* Switch to get_path
* Lint: Remove unused import
* Add --cloud-id/--elasticsearch-url
* Fix comment copy-pasta
2020-09-16 10:23:22 -06:00
Ross Wolf 9d22970e21 Add EQL rules and schema validation (#297)
* Add EQL rules and schema validation
* Lint nitpick
* Rename get_schema_from_eql
* Add EQL default language
* Rename parsed_kql to parsed_query
* Fix parsed_kql method call in loader
* Autopopulate dependent values
2020-09-16 08:36:48 -06:00
David French 4041fc8bde update-okta-rules-for-ingest-manager-compatibility (#295) 2020-09-15 15:42:38 -06:00
Brent Murphy 140091e7b8 [New Rule] Azure Storage Account Key Regenerated (#188)
* Create credential_access_storage_account_key_regenerated.toml

* Update rules/azure/credential_access_storage_account_key_regenerated.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update credential_access_storage_account_key_regenerated.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 14:08:48 -04:00
Brent Murphy 040f56ff0c [New Rule] Azure Network Watcher Deletion (#232) 2020-09-04 12:18:18 -04:00
Brent Murphy 21431101b7 [New Rule] Azure External Guest User Invitation (#231)
* Create initial_access_external_guest_user_invite.toml

* Update rules/azure/initial_access_external_guest_user_invite.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* update mitre metadata

* lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 12:11:13 -04:00
Brent Murphy 0fc78b3c3b [New Rule] Azure Key Vault Modified (#230)
* [New Rule] Azure Update to Key Vault

* Update rules/azure/credential_access_key_vault_update.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_key_vault_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-04 11:30:01 -04:00
Brent Murphy 70cc7fd112 [Rule Tuning] AWS Root Login Without MFA (#229)
* Update privilege_escalation_root_login_without_mfa.toml

* Update privilege_escalation_root_login_without_mfa.toml

* update index

* Update privilege_escalation_root_login_without_mfa.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:57:51 -04:00
Brent Murphy e49b69af10 [New Rule] Azure Blob Container Access Level Modification (#192)
* Create discovery_blob_container_access_mod.toml

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:48:21 -04:00
David French 6d3955bd8a [New Rule] High Number of Okta User Password Reset or Unlock Attempts (#187)
* new-rule-high-number-of-okta-password-reset-or-unlock-attempts

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update schedule

* Update FP information and format query for readability

* Update .gitignore

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

* Tweak formatting of query

* Update rules/okta/credential_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Update description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-04 08:38:06 -06:00
David French 230b59dfc9 rule-tuning-user-added-as-owner-for-azure-service-principal (#258) 2020-09-04 08:36:20 -06:00
Brent Murphy bcd698add2 [New Rule] Azure Event Hub Deletion (#170)
* Create defense_evasion_event_hub_deletion.toml

* Update rules/azure/defense_evasion_event_hub_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/azure/defense_evasion_event_hub_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:23:43 -04:00
Brent Murphy a49d102de3 [New Rule] Azure Event Hub Authorization Rule Created or Updated (#173)
* Create collection_update_event_hub_auth_rule.toml

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-04 09:32:30 -04:00
Brent Murphy 0ac7f3d672 [New Rule] Azure Firewall Policy Deletion (#169)
* Create defense_evasion_firewall_policy_deletion.toml

* Update rules/azure/defense_evasion_firewall_policy_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 09:28:58 -04:00
Brent Murphy 9025a7d183 [New Rule] Azure Diagnostic Settings Deletion (#157)
* Create azure_diagnostic_settings_deletion.toml

* Update azure_diagnostic_settings_deletion.toml
2020-09-04 09:20:13 -04:00
Brent Murphy b4a15960cb [New Rule] Azure Command Execution on Virtual Machine (#155)
* Create execution_command_virtual_machine.toml

* Update execution_command_virtual_machine.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-03 17:09:40 -04:00
Brent Murphy 6b04105936 [New Rule] Azure Resource Group Deletion (#158)
* Create impact_resource_group_deletion.toml

* Update rules/azure/impact_resource_group_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-03 17:06:43 -04:00
David French 1f555c289f [New Rule] Azure Privileged Identity Management Role Modified (#238)
* new-rule-azure-pim-role-modified

* Add ATT&CK metadata to rule

* Update rules/azure/defense_evasion_azure_privileged_identity_management_role_modified.toml
2020-09-03 15:02:14 -06:00
David French 89db7384a0 [New Rule] Azure Automation Runbook Deleted (#235)
* new-rule-azure-automation-runbook-deleted

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Fix typo in rule description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Remove superfluous parens from query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 13:09:40 -06:00
David French 225aba61c9 [New Rule] Multi-Factor Authentication Disabled for an Azure User (#195)
* new-rule-mfa-disabled-for-an-azure-user

* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml

Update ECS version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 12:42:27 -06:00
David French 43204391b6 [New Rule] User Added as Owner for Azure Service Principal (#194)
* new-rule-user-added-as-owner-for-azure-service-principal

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Add parens to query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Update ECS version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 12:21:44 -06:00
David French 43f657ac4e [New Rule] User Added as Owner for Azure Application (#191)
* new-rule-user-added-as-owner-for-azure-application

* Update rule name and description

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Update query to remove superfluous quotes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Add ATT&CK metadata to rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 12:15:33 -06:00
David French 75474387a8 [New Rule] Attempts to Brute Force an Okta User Account (#186)
* new-rule-attempts-to-brute-force-an-okta-user-account

* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

* Update rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

Update ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 11:23:56 -06:00
David French 4c431d2408 [New Rule] Azure Automation Webhook Created (#179)
* new-rule-azure-automation-webhook-created

* Update rules/azure/persistence_azure_automation_webhook_created.toml

Update description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/persistence_azure_automation_webhook_created.toml

Update ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 11:20:50 -06:00
David French 98f216404a [New Rule] Azure Automation Runbook Created or Modified (#178)
* new-rule-azure-automation-runbook-created-or-modified

* Update rules/azure/persistence_azure_automation_runbook_created_or_modified.toml

Update ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 11:16:42 -06:00
David French 85e799b378 [New Rule] Azure Automation Account Created (#177)
* new-rule-azure-automation-account-created

* Fix rule name format 😄

* Update rules/azure/persistence_azure_automation_account_created.toml

Update maturity to production

* Update rules/azure/persistence_azure_automation_account_created.toml

Update ecs_version to 1.6.0

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 11:08:38 -06:00
Justin Ibarra 6e931959bb Update pythonpackage.yml (#242) 2020-09-02 12:59:33 -08:00
Justin Ibarra b8e0c379c5 Update packages.yml 2020-09-02 14:10:46 -05:00
Justin Ibarra 6b7ea7e66c Fix kibana-diff command (#198) 2020-09-02 12:19:17 -05:00
Ross Wolf 464d5e645a Fix kibana-upload and remove cumbersome dataclasses (#216)
* Fix kibana-upload and remove cumbersome dataclasses

* Linting fixes
2020-09-01 05:47:27 -06:00
brokensound77 aec3ec31b9 Merge branch '7.9' into main 2020-08-27 15:54:44 -08:00