d2365783fa
[Rule Tuning] NTDS or SAM Database File Copied ( #1378 )
...
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-08-03 12:28:17 -08:00
b736d6e748
[Rule Tuning] Rule description tweaks ( #1388 )
2021-07-29 10:56:13 -08:00
7b62fe296d
[Rule Tuning] Remove \Program Files*\ style wildcards ( #1369 )
...
* Remove \Program Files*\ style wildcards
* Convert string and remote trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex
2021-07-22 11:55:22 -06:00
4aab1278bf
[Rule Tuning] Update EQL rules with lookback < maxspan ( #1362 )
...
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-07-22 09:08:58 -08:00
1882f4456c
[Fleet] Track integrations in folder and metadata ( #1372 )
...
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
2021-07-21 15:24:56 -06:00
9f3d5328f4
[Rule Tuning] Convert unusual extension rule to regex ( #1368 )
...
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
2021-07-21 11:49:32 -06:00
9b559d0cd9
[Rule Tuning] Creation of Hidden Files and Directories ( #1357 )
...
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex
2021-07-21 11:47:40 -06:00
23626b814c
[Rule Tuning] Update Google Workspace rules to use google_workspace event schema ( #1374 )
...
* use google_workspace event schema
* update to use google_workspace schema
2021-07-21 11:38:43 -06:00
fbd4cf2117
[New Rule] Windows Defender Exclusions Added via PowerShell ( #1370 )
...
* Added new rule
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Added pwsh.exe to original name
* Added PowerShell MITRE reference
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-07-21 11:54:11 -05:00
163d9e3864
Update cardinality field in schema for threshold rules ( #1349 )
...
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array
* Add two new rules to detect agent spoofing
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-07-21 08:32:54 -08:00
95e6458c6e
[Rule Tuning] Mimikatz powershell module activity detected ( #1297 )
...
* update query
* add indexes
2021-07-20 23:08:04 -08:00
34df7c6b89
[Rule Tuning] Add Filebeat and Auditbeat to Network Rules ( #1282 )
...
* standardized indices and added the from field
2021-07-20 22:59:22 -08:00
64c3f7cdc5
[New Rule] O365 Excessive SSO Logon Errors ( #1215 )
2021-07-20 22:55:00 -08:00
c82790f588
[New Rule] Disable Windows Event and Security Logs ( #1181 )
2021-07-20 22:44:35 -08:00
4a11ef9514
[Rule Tuning] Suspicious CertUtil Commands ( #1180 )
...
* update name to Suspicious CertUtil Commands
* update description, query, and filename
2021-07-20 22:26:36 -08:00
920d973064
[Rule Tuning] External IP Lookup from Non-Browser Process ( #1147 )
...
* Added a couple domains
ipapi.co
ip-lookup.net
ipstack.com
2021-07-20 21:47:39 -08:00
f3c794c48a
[New Rule] CyberArkPas promotion rules ( #1336 )
...
* add cyberarkpas promotion rules
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-07-20 10:01:02 -08:00
81ab43898c
[New Rule] Parent Process PID Spoofing ( #1338 )
...
* [New Rule] Parent Process PID Spoofing
* excluding sihost FPs
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* relinted and added 2 non ecs fields
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-07-15 22:55:46 +02:00
7ec97e622f
[APM] Adds APM data stream 'traces-apm*' to apm rules ( #105334 ) ( #1335 )
2021-07-13 07:04:58 -06:00
89420ae976
[New Rule] Potential PrintNightmare Exploitation rules ( #1326 )
...
* [New Rule] Potential PrintNightmare Exploitation rules
* added Potential PrintNightmare File Modification
* added spoolsv as process name to narrow more the scope
* added Suspicious Print Spooler File Deletion
* removed Suspicious Print Driver Registry Modification cuz of potential noise
* Update privilege_escalation_printspooler_malicious_registry_modification.toml
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted description and added a comment for sysmon compatibility
* added FP note and relinted all files
* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-07-07 18:56:39 +02:00
9fadc4c1dc
[New Rule] Complementary Rules for Recent REvil TTPs ( #1329 )
...
* [New Rule] Complementary Rules for Recent REvil TTPs
* added OFN
* relinted and added T1574.002
* removed new line
* Update defense_evasion_disabling_windows_defender_powershell.toml
* corrected rule name
* added a reference url
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2021-07-07 17:02:40 +02:00
63a39665e3
Make "config" in note field consistent ( #1310 )
...
* Add test to ensure consistent config in note field
* Update inconsistent rule
2021-07-06 15:54:01 -08:00
c82e89ad34
Add min_stack_version to 7.14+ only rules ( #1321 )
2021-07-06 13:42:09 -06:00
8e451f2318
[New Rule] AWS RDS Security Group Created ( #1260 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 16:14:56 -08:00
fe14cd23ed
[New Rule] AWS RDS Security Group Deleted ( #1261 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 16:09:15 -08:00
9d4574b267
[New Rule] AWS RDS Instance Creation ( #1269 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 16:02:48 -08:00
ccae1dc841
[New Rule] AWS RDS Snapshot Export ( #1270 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 15:58:13 -08:00
c215c44809
[Rule Tuning] Potential password spraying of microsoft 365 user accounts ( #1164 )
...
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-22 13:36:13 -04:00
31f63e728e
Switch from process.ppid to process.parent.pid ( #1255 )
...
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date
2021-06-22 09:10:28 -06:00
d8ef9a81ef
[Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account ( #1251 )
...
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml
* add authors
2021-06-22 08:38:49 -06:00
a8c9d7174f
Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml ( #1225 )
2021-06-22 10:22:01 -04:00
ea9a23af8d
[New Rule] AWS Route 53 Domain Transferred to Another Account ( #1198 )
2021-06-21 22:08:59 -08:00
2cadee1718
[New Rule] AWS Route 53 Domain Transfer Lock Disabled ( #1197 )
2021-06-21 22:05:53 -08:00
d7e0e37e54
[New Rule] EC2 Full Network Packet Capture Detected ( #1175 )
2021-06-21 22:00:48 -08:00
6986f28af6
[New Rule] Azure Service Principal Credentials Added ( #1169 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-06-21 21:49:45 -08:00
e41fe620e6
[New Rule] Add detection rules for auth ML jobs ( #1283 )
...
* Adding detection rules for auth ML jobs
* name prefix
added the prefix "auth" to the file names
* Added descriptions
* Adding new lines and updating license
* FP text
added FP metadata
Co-authored-by: Craig <mailredirector36@gmail.com >
2021-06-16 16:00:17 -07:00
e0fa25ae8e
Fix rules which were note using v2 license ( #1291 )
2021-06-16 08:21:30 -06:00
49cb2e8dbf
[Bug] Fix ML job IDs that used hyphens ( #1287 )
...
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date
2021-06-15 11:40:47 -06:00
177cfc85bf
[Rule Tuning] Attempts to Brute Force an Okta User Account ( #1216 )
...
* update rule.threshold field value
* add rule authors
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-06-15 10:07:51 -06:00
1f7c88c6f4
Updating rules to query v2 ( #1254 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-06-15 07:20:50 -07:00
12577f7380
[Rule Tuning] Update network rule address blocks ( #1227 )
...
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-15 09:22:59 -04:00
546e43071c
[Rule Tuning] Attempts to brute force a microsoft 365 user account ( #1163 )
...
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-15 09:20:20 -04:00
13bf55480a
Update persistence_suspicious_com_hijack_registry.toml ( #1244 )
2021-06-14 09:00:22 -04:00
6b45186827
[New Rule] AWS EC2 VM Export Failure ( #1142 )
...
* New Rule: AWS EC2 VM Export Failure
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-09 13:03:37 -06:00
fce022c275
[New Rule] Modification of AmsiEnable Registry Key ( #1248 )
...
* Create defense_evasion_amsienable_key_mod.toml
2021-06-07 13:21:18 -04:00
6626cbb943
Update privilege_escalation_persistence_phantom_dll.toml ( #1228 )
2021-06-01 09:29:09 -04:00
c457614e37
[New Rule] Unusual Network Connection via DllHost ( #1232 )
...
* Create defense_evasion_unusual_network_connection_via_dllhost.toml
* add timestamp override
2021-05-28 15:09:09 -04:00
31e8d03438
[New Rule] Suspicious Execution from a Mounted Device ( #1230 )
...
* Create defense_evasion_suspicious_execution_from_mounted_device.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-05-28 14:44:07 -04:00
58ea49b092
[Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts ( #1200 )
...
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-05-14 15:52:02 -04:00
6ef5c53b0c
Cleanup note field in rules ( #1194 )
...
* standardize usage of note field
2021-05-10 13:40:56 -08:00
Austin Songer