security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,777 Commits 1 Branch 0 Tags
d528af6bdb02b69cd04de321afb788bf6053b294
Commit Graph

586 Commits

Author SHA1 Message Date
Ruben Groenewoud d528af6bdb [Rule Tuning] UEBA new_terms process_executable (#3268) 
* [Rule Tuning] UEBA new_terms process_executable

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 1647a16fab)
 2023-12-07 15:42:41 +00:00
Samirbous 97db361c09 [New] Process Created with a Duplicated Token (#3152) 
* [New] Process Created with a Duplicated Token

using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :

* Update privilege_escalation_create_process_with_token_unpriv.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 7488c60090)
 2023-12-07 11:25:07 +00:00
Jonhnathan 4c5511254f [Rule Tuning] Windows DR Tuning - 5 (#3229) 
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit e5d676797e)
 2023-12-05 22:25:21 +00:00
Samirbous d9860ca855 [New] Interactive Logon by an Unusual Process (#3299) 
* Create privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

(cherry picked from commit e6df245ff3)
 2023-12-05 17:39:08 +00:00
Samirbous 315b4df8ca [New] First Time Seen NewCredentials Lgon Process (#3276) 
* Create privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 88f752bf8b)
 2023-11-27 18:42:12 +00:00
Jonhnathan 699c835043 [Rule Tuning] Fix Menasec Expired Links (#3271) 
(cherry picked from commit f53f46efd5)
 2023-11-14 13:23:48 +00:00
shashank-elastic a31d788dcb Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 
(cherry picked from commit a568c56bc1)
 2023-10-30 11:28:47 +00:00
Jonhnathan 924056878d [Rule Tuning] Windows DR Tuning - 4 (#3214) 
* [Rule Tuning] Windows DR Tuning - 4

* Update credential_access_remote_sam_secretsdump.toml

(cherry picked from commit 1133b3a8a9)
 2023-10-27 00:04:57 +00:00
Jonhnathan 44cf454ce2 [Rule Tuning] Windows DR Tuning - 3 (#3212) 
* [Rule Tuning] Windows DR Tuning - 3

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_moving_registry_hive_via_smb.toml

(cherry picked from commit 3d73427e29)
 2023-10-26 22:04:49 +00:00
Jonhnathan 4d98afbc1d [Rule Tuning] Windows DR Tuning - 2 (#3209) 
* [Rule Tuning] Windows DR Tuning - 2

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

* Update credential_access_kerberoasting_unusual_process.toml

* Update command_and_control_teamviewer_remote_file_copy.toml

(cherry picked from commit efa7c428ea)
 2023-10-26 21:17:05 +00:00
Jonhnathan aa62790ae6 [Rule Tuning] Windows DR Tuning - 1 (#3198) 
* [Rule Tuning] Windows DR Tuning - 1

* Update collection_winrar_encryption.toml

(cherry picked from commit a5240e4063)
 2023-10-26 20:26:43 +00:00
Jonhnathan 223bfe0a6d [Promote] Potential Masquerading as Communication Apps (#3181) 
* [Promote] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 6fcf26b20e)
 2023-10-23 18:01:34 +00:00
Jonhnathan 574a130346 [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver (#3215) 
* [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver

* Update privilege_escalation_installertakeover.toml

(cherry picked from commit a471f6fc60)
 2023-10-23 17:40:51 +00:00
Jonhnathan 916b1a2cad [Promote] Expired or Revoked Driver Loaded (#3185) 
* [Promote] Expired or Revoked Driver Loaded

* Update privilege_escalation_expired_driver_loaded.toml

(cherry picked from commit 18ff85ce84)
 2023-10-23 14:50:52 +00:00
Ruben Groenewoud 9b2e74b220 [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 020fff3aea)
 2023-10-23 14:34:55 +00:00
Jonhnathan 97ce9d7478 [Rule Tuning] Potential Masquerading as System32 DLL (#3184) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit e4e68c2dd8)
 2023-10-17 11:35:05 +00:00
Samirbous 9426d79b1c [Tuning] Adjusted Rules for Anti-Evasion (#3163) 
* Update lateral_movement_executable_tool_transfer_smb.toml

* Update lateral_movement_incoming_wmi.toml

* Update lateral_movement_execution_via_file_shares_sequence.toml

* Update lateral_movement_executable_tool_transfer_smb.toml

* Update lateral_movement_execution_via_file_shares_sequence.toml

* Update lateral_movement_executable_tool_transfer_smb.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 24b0aa5c63)
 2023-10-16 17:02:08 +00:00
Jonhnathan ef715864f4 [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165) 
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules

* Fix dates

* Fix unit test errors

* updated tags and fixed branch conflicts

updated tags and fixed branch conflicts

* description nit

* Reverting unintended changes

* Update initial_access_suspicious_ms_office_child_process.toml

---------

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>

(cherry picked from commit f584fb6e31)
 2023-10-15 21:18:03 +00:00
Jonhnathan 788f2ce884 [Rule Tuning] PowerShell Rules Tuning (#3169) 
(cherry picked from commit 3f2a709370)
 2023-10-11 21:03:44 +00:00
Ruben Groenewoud f66b82c0ec [Tuning] Windows Execution Rule Tuning for UEBA (#3107) 
* Update defense_evasion_execution_msbuild_started_by_script.toml

* Mostly updated Execution tags, also new_terms conv

* removed index

* Removed index

* WMIPrvSE tuning

* Additional tuning

* Tuning & changes

* Additional tuning

* Applied unit test optimization

* Addressed feedback

* Update rules/windows/execution_command_shell_started_by_svchost.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* caseless unit testing fix

* fixed caseless executable unit test

* unit testing fix

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml

* Added user ids to new terms

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/execution_unsigned_service_executable.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update execution_unsigned_service_executable.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit c2822e175c)
 2023-10-11 08:21:37 +00:00
Ruben Groenewoud d4d794b586 [Tuning] Windows Discovery Rule Tuning for UEBA (#3097) 
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 4cdf52129a)
 2023-10-11 07:49:08 +00:00
Terrance DeJesus 54303f84fc adjusting minimum stack version for version control (#3154) 
(cherry picked from commit 8d2b730bc5)
 2023-10-03 17:41:45 +00:00
Hilton 0bc9b126f6 Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity (#3091) 
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity

When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server"  as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html

Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.

* simplified detection logic by utilising process.parent.args

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ccfc931fbd)
 2023-09-13 16:56:38 +00:00
Jonhnathan 711e0f3ab7 [New Rule] New BBR Rules - Part 2 (#3029) 
* [New Rule] New BBR Rules - Part 2

* Update discovery_generic_account_groups.toml

* Update discovery_generic_account_groups.toml

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/execution_downloaded_shortcut_files.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/defense_evasion_unusual_process_extension.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update defense_evasion_unusual_process_extension.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ddb1f75352)
 2023-09-13 00:54:52 +00:00
Jonhnathan 4b2112f4a0 [New Rule] New BBR Rules - Part 3 (#3034) 
* [New Rule] New BBR Rules - Part 3

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit af99186992)
 2023-09-13 00:34:12 +00:00
Jonhnathan e9b1ebae3f [New Rule] New BBR Rules - Part 5 (#3052) 
* [New Rule] New BBR Rules - Part 5

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Tag work

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 3614f42b00)
 2023-09-05 21:42:38 +00:00
Jonhnathan 063386829c [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit 4233fef238)
 2023-09-05 18:28:40 +00:00
Jonhnathan 6c074f21d8 [New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015) 
* [New Rule] WRITEDAC Access on Active Directory Object

* Update defense_evasion_write_dac_access.toml

* Fix Setup Instructions

* Update defense_evasion_write_dac_access.toml

* Update rules_building_block/defense_evasion_write_dac_access.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit fdd45148b8)
 2023-08-31 16:04:58 +00:00
Eric 4a4588c856 Tune rule for new DLL written to Windows Servicing (#3062) 
(cherry picked from commit 41a7a36817)
 2023-08-30 16:57:00 +00:00
Jonhnathan d45b693e20 [New Rule] Suspicious WMI Event Subscription Created (#1860) 
* Suspicious WMI Event Subscription Initial rule

* Use EQL sequence

* Update non-ecs-schema

* Update persistence_sysmon_wmi_event_subscription.toml

* update description

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* update query too look for even code 21 only

* update to case sensitive compare

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 6d7df50d78)
 2023-08-29 19:48:03 +00:00
Jonhnathan 374ac8ad1c [New Rule] Unusual Process For MSSQL Service Accounts (#3040) 
* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added   "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 7004c99ef5)
 2023-08-29 12:16:12 +00:00
Samirbous d0d092a036 Update credential_access_lsass_openprocess_api.toml (#3047) 
(cherry picked from commit 22931d6afb)
 2023-08-28 15:28:09 +00:00
Jonhnathan c067542e13 [Rule Tuning] High Number of Process and/or Service Terminations (#2940) 
(cherry picked from commit de32287889)
 2023-08-25 22:25:19 +00:00
Terrance DeJesus 10fa921c84 [Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing (#3025) 
* adding tuning to ignore windows update

* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 2ddcf7817e)
 2023-08-22 17:10:02 +00:00
Jonhnathan 121134347a [Rule Tuning] PowerShell Keylogging Script (#3023) 
(cherry picked from commit 0c3b251208)
 2023-08-22 10:50:44 +00:00
Samirbous 3534b37ba6 [Tuning] Improve Performance (#2953) 
* [Tuning] Improve Performance

Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.

Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)

* Update privilege_escalation_suspicious_dnshostname_update.toml

* ++

* ++

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 5e801b2edf)
 2023-08-21 15:29:47 +00:00
Jonhnathan 8058b4054c [New Rule] PowerShell Kerberos Ticket Dump (#2967) 
* [New Rule] PowerShell Kerberos Ticket Dump

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 72f15dda6a)
 2023-08-20 20:34:43 +00:00
Joe Desimone 27e246bd5e [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873) 
* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

* bump date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit b5e011a892)
 2023-08-17 16:58:24 +00:00
Jonhnathan 7c4ca0a4a3 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 9144dc0448)
 2023-08-17 16:06:41 +00:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Ali Alwashali f500cec497 fixing typo in 127.0.0.1 address (#3004) 2023-08-08 17:06:26 +02:00
Eric 1e769c51b6 Tune Unusual File Activity ADS for Teams weblogs (#2929) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-31 10:41:31 -03:00
Eric d0d99829a2 Correct misspelling of AppDara to AppData (#2952) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 08:10:03 -03:00
Jonhnathan 5e714e01e6 [Security Content] Add Windows Investigation Guides (#2825) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Add IG Tag

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-19 08:07:01 -03:00
Jonhnathan 23a133121d [Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932) 2023-07-18 08:55:59 -03:00
Jonhnathan fca8bcc071 [Rule Tuning] PowerShell Rule Tunings (#2907) 
* [Rule Tuning] PowerShell Rule Tunings

* bump
 2023-07-14 15:41:36 -03:00
Terrance DeJesus cd7a52f1b1 [Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895) 
* forking rules with version collisions

* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
 2023-07-06 10:39:20 -04:00
Eric df0a1facd1 [WMI Incoming Lateral Movement] Modify Existing Query Exception (#2843) 
* Tune WMI Incoming Lateral Movement

* Tune WMI Incoming Lateral Movement

* Bump updated_date

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 17:12:05 -04:00
Eric f78de8c9d4 Add MS Office exceptions to query (#2836) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 16:09:17 -04:00
Eric 35ea2727dc [Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades (#2850) 2023-06-30 18:01:35 -04:00