d4e06beee6
[New Rule] PowerShell Reflection Assembly Load ( #1559 )
...
* Create defense_evasion_posh_assembly_load.toml
* Update defense_evasion_posh_assembly_load.toml
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Change event.code to event.category
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-08 17:59:17 -03:00
ee548328d5
[Rule Tuning] Powershell Defender Exclusion ( #1644 )
...
* Split process.args condition
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-08 11:51:32 -03:00
b85818f49c
[New Rule] Enumeration of Privileged Local Groups Membership ( #1557 )
...
* [New Rule] Enumeration of Privileged Local Groups Membership
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
* removed endpoint index (not needed)
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-08 11:23:42 +01:00
434e2d0426
[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation ( #1544 )
...
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_via_rogue_named_pipe.toml
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-08 11:21:04 +01:00
e3b76b7cf7
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot ( #1632 )
...
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot
Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).
* adding extra ref url
2021-12-08 11:16:14 +01:00
851c566730
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules ( #1620 )
...
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-07 21:32:39 -09:00
b7b5449033
Add issue to min_stack_comment ( #1652 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-07 15:52:38 -09:00
14c46f50b9
[Rule Tuning] updates from documentation review for 7.16 ( #1645 )
2021-12-07 15:42:58 -09:00
0935a853fb
Updates Host Risk Score documentation ( #1643 )
...
* update host-risk-score.md
* Update docs/experimental-machine-learning/host-risk-score.md
Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com >
Co-authored-by: Ryland Herrick <ryalnd@gmail.com >
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co >
2021-12-07 15:05:11 -09:00
c21337fe4f
Add min_stack and indexes back ( #1648 )
2021-12-07 10:00:58 -03:00
7b0383ffe2
[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL ( #1651 )
...
* Update command_and_control_download_rar_powershell_from_internet.toml
* bump updated_date
2021-12-07 09:09:03 -03:00
f6a2437cf8
Limit index to logs-endpoint.events ( #1647 )
2021-12-06 13:45:12 -03:00
237dcd2e19
Adding Beaconing docs ( #1621 )
...
* Adding beaconing docs
* Adding a call out about import options
* Adding a note about the AD job
* Adding more clarity on the release bundle
* Update beaconing.md
* Update docs/experimental-machine-learning/beaconing.md
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-12-01 13:44:42 -03:00
d43e3d8e4e
[New Rule] Suspicious Process Creation CallTrace ( #1588 )
...
* [New Rule] Suspicious Process Creation CallTrace
* Update non-ecs-schema.json
* added min stack vers
* min_stack_vers not needed
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-11-30 21:35:43 +01:00
d061bf8e7c
Updating host risk score and experimental detections docs ( #1639 )
...
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-11-30 16:24:37 -03:00
c619844b0d
[Rule Tuning] Support ECS 1.11 field for IM rule ( #1560 )
...
* Support ecs field for IM rule
* update time interval
* Change additional lookback to 5 minutes
* Add old rule
* Add newline
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Remove im legacy rule
* Udpdate name and description
* Remove min_stack_comment
* Keep 2 IM rule
* add min_stack_comments to rule
* Update rules/cross-platform/threat_intel_indicator_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adds new rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ece Özalp <ozale272@newschool.edu >
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co >
2021-11-30 12:25:42 -06:00
521f0987ae
[New Rule] Azure Kubernetes Rolebindings Created ( #1576 )
...
* Create azure_kubernetes_rolebinding_created_or_deleted.toml
* Update
* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-11-29 09:16:00 -03:00
13fc69b70a
[New Rule] Clearing Windows Console History ( #1623 )
...
* Create defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* bump severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-11-25 13:25:21 -03:00
2ac19440c2
[New Rule] Windows Firewall Disabled ( #1565 )
...
* Create defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-11-24 18:34:12 -03:00
dd3e924e4a
[Rule Tuning] Component Object Model Hijacking ( #1491 )
...
* Update persistence_suspicious_com_hijack_registry.toml
Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.
* Update updated_date
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-11-24 08:57:43 -03:00
d1636258e4
[New Rule] Potential Credential Access via Renamed COM+ Services DLL ( #1569 )
...
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL
* update dates
* adding config note
* relinted
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update minstack version
* minstack not needed, rule should work on previous versions
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-11-18 10:27:42 +01:00
53a17e6b06
[New Rule] Account Password Reset Remotely ( #1571 )
...
* [New Rule] Account Password Reset Remotely
* Update non-ecs-schema.json
* udpate ruleId
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-11-18 10:25:50 +01:00
3dd32608a0
[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed ( #1579 )
...
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-11-17 19:38:12 -03:00
4b6794df32
[New Rule] PowerShell Keylogging Script ( #1561 )
...
* Create collection_posh_keylogger.toml
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix missing OR
* Change dup guid
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-11-17 19:36:40 -03:00
ab521f7c4f
[Rule Tuning] Suspicious CertUtil Commands ( #1564 )
2021-11-17 11:41:07 -09:00
9c54e21820
[New Rule] Potential Process Injection via PowerShell ( #1552 )
...
* Create defense_evasion_posh_process_injection.toml
* Update defense_evasion_posh_process_injection.toml
* Update description
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-11-17 07:33:13 -03:00
e99478db00
[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot ( #1550 )
...
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
* lint
* Update etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* moved FP txt to Note.
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* fix json
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-11-17 08:45:38 +01:00
c18c08a976
[New Rule] Potential Credential Access via LSASS Memory Dump ( #1533 )
...
* [New Rule] Potential Credential Access via LSASS Memory Dump
* Update credential_access_suspicious_lsass_access_memdump.toml
* fix typo in calltrace and event.code type
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_suspicious_lsass_access_memdump.toml
* added TargetImage to non ecs schema
* Update non-ecs-schema.json
* format
* Update credential_access_suspicious_lsass_access_memdump.toml
* Update credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-11-17 08:36:26 +01:00
f0f3b83eab
Lock versions for releases: 7.13,7.14,7.15,7.16 ( #1619 )
...
* Locked versions for releases: 7.13,7.14,7.15,7.16
2021-11-16 00:31:27 -09:00
bd9e33e761
[bug] Current stack version in deprecation lock missing parens ( #1618 )
...
The function was not being properly called, leading to `null` values
2021-11-16 00:18:27 -09:00
76503e8bcd
Fix kibana-pr command ( #1616 )
2021-11-15 23:55:05 -09:00
0cce812552
Update registry data to reflect "ga" for release ( #1482 )
2021-11-15 21:44:21 -09:00
858d1cf12c
[New Rule] PowerShell Suspicious Script with Audio Capture Capabilities ( #1582 )
2021-11-15 21:19:38 -09:00
d78f6354df
Bump min_stack_version in version.lock for specific rules ( #1614 )
2021-11-15 14:38:19 -09:00
59ba8e1540
Test to trigger workflows ( #1612 )
2021-11-15 10:02:31 -09:00
95d7e9b6f5
Prepare for creation of 7.16 release branch ( #1611 )
2021-11-15 09:39:34 -09:00
0efae3a52e
Move version lock code to object for portability ( #1553 )
...
* Move version lock code to object for portability
* use cached_property to bypass frozen dataclass and set property
* replace load_versions function
2021-11-15 08:46:12 -09:00
81a62f5f68
[New Rule] Suspicious Process Access via Direct System Call ( #1536 )
...
* [New Rule] Suspicious Process Access via Direct System Call
* updated query to catch also CallTrace with non ntdll modules
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-11-15 10:18:26 +01:00
5e6a58ebab
Add index as a required field to rule_prompt ( #1595 )
2021-11-14 17:05:42 -09:00
017d9a51b7
[Rule Tuning] Rename extrac.exe to extrac32.exe ( #1601 )
2021-11-14 17:01:13 -09:00
aa219710a1
Fix Windows path causing emoji to be rendered in Kibana ( #1585 )
...
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.
Surrounding the path in backticks fixes it.
2021-11-03 11:01:25 -05:00
e29a1ca25c
Create host-risk-score.md ( #1599 )
...
update the script name to match shipped artifact
2021-11-03 11:05:59 +03:00
f47b0f61cc
Change interval and lookback time for IM rule ( #1596 )
2021-11-01 09:27:38 +01:00
ff16832003
[Rule Tuning] Hosts File Modified - add process check for linux ( #1593 )
...
* [Rule Tuning] Hosts File Modified - add process check for linux
* add echo and sed to process names in query
2021-10-28 22:56:34 -05:00
d03e7972a6
Update the marshmallow dependencies in requirements.txt ( #1475 )
...
* Update the marshmallow dependencies in requirements.txt
* Fix typo
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-28 22:50:49 -05:00
c8cf88cd62
Refresh ECS (1.12.1) and beats (7.15.1) schemas ( #1584 )
...
* Refresh ECS (1.12.1) and beats (7.15.1) schemas
* update ecs to 1.10 for 7.14 stack validation
* add note with reference url
2021-10-28 11:24:28 -05:00
d12c04761f
Add support for eql-wildcard and kql-match_only_text ( #1583 )
...
* Add support for eql-wildcard and kql-match_only_text
* bump kql version
* lookup elasticsearch type family prior to getting type hint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-10-28 08:57:43 -05:00
0b57778be6
Updating docs to highlight explainability ( #1542 )
...
* Updating docs to highlight explainability
* Update typosquatting_rule.md
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-26 13:34:19 -07:00
ab17dfcc28
[Bug] Tighten definitions validation patterns ( #1396 )
...
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-10-26 10:26:20 -05:00
ef7548f04c
[Rule Tuning] Added Powershell_ise.exe to some rules. ( #1566 )
...
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_webshell_detection.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_system_shells_via_services.toml
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_system_shells_via_services.toml
* Update persistence_webshell_detection.toml
* Update rules/windows/persistence_local_scheduled_task_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-26 12:16:31 -03:00
Jonhnathan