Commit Graph

639 Commits

Author SHA1 Message Date
Jonhnathan d4e06beee6 [New Rule] PowerShell Reflection Assembly Load (#1559)
* Create defense_evasion_posh_assembly_load.toml

* Update defense_evasion_posh_assembly_load.toml

* Update rules/windows/defense_evasion_posh_assembly_load.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Change event.code to event.category

* Update rules/windows/defense_evasion_posh_assembly_load.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-12-08 17:59:17 -03:00
Jonhnathan ee548328d5 [Rule Tuning] Powershell Defender Exclusion (#1644)
* Split process.args condition

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-12-08 11:51:32 -03:00
Samirbous b85818f49c [New Rule] Enumeration of Privileged Local Groups Membership (#1557)
* [New Rule] Enumeration of Privileged Local Groups Membership

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml

* removed endpoint index (not needed)

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-12-08 11:23:42 +01:00
Samirbous 434e2d0426 [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544)
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_via_rogue_named_pipe.toml

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-12-08 11:21:04 +01:00
Samirbous e3b76b7cf7 [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632)
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot

Detects the creation of an LSASS clone via event 4688 (Sysmon process creation as well as Elastic Endpoint don't capture clone creation due to the way 4688 logs the process creation event even before an initial thread starts).

* adding extra ref url
2021-12-08 11:16:14 +01:00
Jonhnathan 851c566730 [Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
* Replaces event.code with event.category

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-12-07 21:32:39 -09:00
Jonhnathan b7b5449033 Add issue to min_stack_comment (#1652)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-12-07 15:52:38 -09:00
Justin Ibarra 14c46f50b9 [Rule Tuning] updates from documentation review for 7.16 (#1645) 2021-12-07 15:42:58 -09:00
Jonhnathan c21337fe4f Add min_stack and indexes back (#1648) 2021-12-07 10:00:58 -03:00
Jonhnathan 7b0383ffe2 [Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651)
* Update command_and_control_download_rar_powershell_from_internet.toml

* bump updated_date
2021-12-07 09:09:03 -03:00
Jonhnathan f6a2437cf8 Limit index to logs-endpoint.events (#1647) 2021-12-06 13:45:12 -03:00
Samirbous d43e3d8e4e [New Rule] Suspicious Process Creation CallTrace (#1588)
* [New Rule] Suspicious Process Creation CallTrace

* Update non-ecs-schema.json

* added min stack vers

* min_stack_vers not needed

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-11-30 21:35:43 +01:00
Khristinin Nikita c619844b0d [Rule Tuning] Support ECS 1.11 field for IM rule (#1560)
* Support ecs field for IM rule

* update time interval

* Change additional lookback to 5 minutes

* Add old rule

* Add newline

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Remove im legacy rule

* Update name and description

* Remove min_stack_comment

* Keep 2 IM rule

* add min_stack_comments to rule

* Update rules/cross-platform/threat_intel_indicator_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adds new rules

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ece Özalp <ozale272@newschool.edu>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
2021-11-30 12:25:42 -06:00
Austin Songer 521f0987ae [New Rule] Azure Kubernetes Rolebindings Created (#1576)
* Create azure_kubernetes_rolebinding_created_or_deleted.toml

* Update

* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-11-29 09:16:00 -03:00
Austin Songer 13fc69b70a [New Rule] Clearing Windows Console History (#1623)
* Create defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* bump severity

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-11-25 13:25:21 -03:00
Austin Songer 2ac19440c2 [New Rule] Windows Firewall Disabled (#1565)
* Create defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-11-24 18:34:12 -03:00
LaZyDK dd3e924e4a [Rule Tuning] Component Object Model Hijacking (#1491)
* Update persistence_suspicious_com_hijack_registry.toml

Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.

* Update updated_date

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-11-24 08:57:43 -03:00
Samirbous d1636258e4 [New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569)
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL

* update dates

* adding config note

* relinted

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update minstack version

* minstack not needed, rule should work on previous versions

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-11-18 10:27:42 +01:00
Samirbous 53a17e6b06 [New Rule] Account Password Reset Remotely (#1571)
* [New Rule] Account Password Reset Remotely

* Update non-ecs-schema.json

* update ruleId

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-11-18 10:25:50 +01:00
Austin Songer 3dd32608a0 [New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579)
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-11-17 19:38:12 -03:00
Jonhnathan 4b6794df32 [New Rule] PowerShell Keylogging Script (#1561)
* Create collection_posh_keylogger.toml

* Apply suggestions from Samir

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix missing OR

* Change dup guid

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-11-17 19:36:40 -03:00
Austin Songer ab521f7c4f [Rule Tuning] Suspicious CertUtil Commands (#1564) 2021-11-17 11:41:07 -09:00
Jonhnathan 9c54e21820 [New Rule] Potential Process Injection via PowerShell (#1552)
* Create defense_evasion_posh_process_injection.toml

* Update defense_evasion_posh_process_injection.toml

* Update description

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-11-17 07:33:13 -03:00
Samirbous e99478db00 [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550)
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

* lint

* Update etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* moved FP txt to Note.

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* fix json

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-11-17 08:45:38 +01:00
Samirbous c18c08a976 [New Rule] Potential Credential Access via LSASS Memory Dump (#1533)
* [New Rule] Potential Credential Access via LSASS Memory Dump

* Update credential_access_suspicious_lsass_access_memdump.toml

* fix typo in calltrace and event.code type

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_suspicious_lsass_access_memdump.toml

* added TargetImage to non ecs schema

* Update non-ecs-schema.json

* format

* Update credential_access_suspicious_lsass_access_memdump.toml

* Update credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-11-17 08:36:26 +01:00
Jonhnathan 858d1cf12c [New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582) 2021-11-15 21:19:38 -09:00
Samirbous 81a62f5f68 [New Rule] Suspicious Process Access via Direct System Call (#1536)
* [New Rule] Suspicious Process Access via Direct System Call

* updated query to also catch CallTrace with non-ntdll modules

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-11-15 10:18:26 +01:00
Jonhnathan 017d9a51b7 [Rule Tuning] Rename extrac.exe to extrac32.exe (#1601) 2021-11-14 17:01:13 -09:00
Adrian Serrano aa219710a1 Fix Windows path causing emoji to be rendered in Kibana (#1585)
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.

Surrounding the path in backticks fixes it.
2021-11-03 11:01:25 -05:00
Khristinin Nikita f47b0f61cc Change interval and lookback time for IM rule (#1596) 2021-11-01 09:27:38 +01:00
Justin Ibarra ff16832003 [Rule Tuning] Hosts File Modified - add process check for linux (#1593)
* [Rule Tuning] Hosts File Modified - add process check for linux

* add echo and sed to process names in query
2021-10-28 22:56:34 -05:00
Justin Ibarra c8cf88cd62 Refresh ECS (1.12.1) and beats (7.15.1) schemas (#1584)
* Refresh ECS (1.12.1) and beats (7.15.1) schemas

* update ecs to 1.10 for 7.14 stack validation

* add note with reference url
2021-10-28 11:24:28 -05:00
Justin Ibarra ab17dfcc28 [Bug] Tighten definitions validation patterns (#1396)
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2021-10-26 10:26:20 -05:00
Austin Songer ef7548f04c [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_webshell_detection.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_system_shells_via_services.toml

* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_system_shells_via_services.toml

* Update persistence_webshell_detection.toml

* Update rules/windows/persistence_local_scheduled_task_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-26 12:16:31 -03:00
Jonhnathan 239384497f [New Rule] PowerShell MiniDump Script (#1528)
* PowerShell MiniDump Script Initial Rule

* Update credential_access_posh_minidump.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_posh_minidump.toml

* Update rules/windows/credential_access_posh_minidump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-26 12:09:16 -03:00
Jonhnathan 4524c175c8 Add missing Integration field (#1537)
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2021-10-26 12:05:12 -03:00
Austin Songer 89553d84a9 [New Rule] AWS Route Table Created (#1257)
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_created.toml

* Update persistence_route_table_created.toml

* Update rules/persistence_route_table_created.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update persistence_route_table_created.toml

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_created.toml

* Update

* Update

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-26 10:25:53 -03:00
Justin Ibarra 5a69ceb0c5 Add test for improper rule demotion (released production -> development) (#1555) 2021-10-19 21:47:36 -08:00
Justin Ibarra 5bdf70e72c Add min_stack_comments to metadata schema (#1573)
* Add min_stack_comments to metadata schema
2021-10-19 20:52:53 -08:00
Jonhnathan f50fb1d61b [New Rule] Suspicious Portable Executable Encoded in Powershell Script (#1562)
* Create execution_posh_portable_executable.toml

* Add wildcard

* Remove the wildcard

* Update rules/windows/execution_posh_portable_executable.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-18 17:50:16 -03:00
Austin Songer 3ab67d1562 [New Rule] AWS EventBridge Rule Disabled or Deleted (#1572)
* Create aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-18 15:36:21 -03:00
Austin Songer cf2b3ee753 [New Rule] DNS-over-HTTPS Enabled by Registry (#1379)
* Create defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-10-15 23:25:12 -03:00
Austin Songer 2c39bb962f [New Rule] AWS EFS File System or Mount Deleted (#1462)
* AWS EFS File System or Mount Deleted

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 23:23:07 -03:00
Austin Songer 702524b1f7 [New Rule] AWS Suspicious SAML Activity (#1498)
* Create privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Add trailing /

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 23:11:15 -03:00
Austin Songer 50501bb40f [New Rule] Azure Full Network Packet Capture Detected (#1420)
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 23:06:27 -03:00
Austin Songer 790586fb57 [New Rule] Azure Virtual Network Device Modified or Deleted (#1421)
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml

* fix description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:11:05 -03:00
Austin Songer 761df5fe84 [New Rule] Azure Kubernetes Pods Deleted (#1309)
* Create impact_kubernetes_pod_deleted.toml

* Update impact_kubernetes_pod_deleted.toml

* Update

* Update impact_kubernetes_pod_deleted.toml

* quote value in query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:07:39 -03:00
Austin Songer dc980effb0 [New Rule] AWS RDS Snapshot Restored (#1312)
* Create exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

* Delete exfiltration_rds_snapshot_restored.toml

* Create exfiltration_rds_snapshot_restored.toml

* Update

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:05:00 -03:00
Austin Songer 3303a4e255 [New Rule] Microsoft 365 - Mass download by a single user (#1348)
* Create impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 16:01:50 -03:00
Austin Songer 90504915ad [New Rule] AWS Route53 hosted zone associated with a VPC (#1365)
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2021-10-15 15:59:33 -03:00