sigma-rules

Author	SHA1	Message	Date
Jonhnathan	094f3ead92	[Security Content] Introduce Investigate Plugin in Investigation Guides (#3080 ) * [Security Content] Introduce Investigate Plugin in Investigation Guides * Add compatibility note * Update Transform format * update transform unit tests for investigate * updated docs with transform --------- Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> (cherry picked from commit `aeb1f91320`)	2023-12-08 18:59:53 +00:00
Ruben Groenewoud	2e585eab84	[New Rule] Out-Of-Tree Kernel Module Load (#3233 ) * [New Rule] Out-Of-Tree Kernel Module Load * Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml * Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit `490fa0e1d2`)	2023-12-07 21:58:26 +00:00
Ruben Groenewoud	84240c082e	[New BBR] Pot. Persistence Through Systemd-udevd (#3235 ) * [New BBR] Persistence Through Systemd-udevd * Formatting change * Update rules_building_block/persistence_udev_rule_creation.toml * Update rules_building_block/persistence_udev_rule_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules_building_block/persistence_udev_rule_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit `07b1cab919`)	2023-12-07 21:47:32 +00:00
Ruben Groenewoud	6c28ba53ad	[Tuning] Small Linux DR Tuning (#3287 ) (cherry picked from commit `38862b89e9`)	2023-12-07 11:50:11 +00:00
Ruben Groenewoud	73c239557b	[New BBR] Segfault Detected (#3240 ) * [New BBR] Segfault Detected * Update rules_building_block/execution_linux_segfault.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules_building_block/execution_linux_segfault.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit `dff4633dd4`)	2023-11-02 08:47:06 +00:00
Ruben Groenewoud	396bfc5bec	[New BBR] Kernel Driver Load (#3236 ) * [New BBR] Kernel Driver Load * added event.dataset to the query --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `967f6a4c89`)	2023-11-02 08:39:10 +00:00
shashank-elastic	4bde69f1ad	Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157 ) (cherry picked from commit `a568c56bc1`)	2023-10-30 11:29:26 +00:00
Ruben Groenewoud	c16adb4f98	[Rule Tuning] Tainted Kernel Module Load (#3234 ) * [Rule Tuning] Tainted kernel module load * Update persistence_tainted_kernel_module_load.toml * Update rules_building_block/persistence_tainted_kernel_module_load.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `ad25c922fd`)	2023-10-30 08:55:51 +00:00
Jonhnathan	e0342e6cfd	[Rule Tuning] Windows DR Tuning - 1 (#3198 ) * [Rule Tuning] Windows DR Tuning - 1 * Update collection_winrar_encryption.toml (cherry picked from commit `a5240e4063`)	2023-10-26 20:27:18 +00:00
Jonhnathan	7b74244afb	[Promote] Potential Masquerading as Communication Apps (#3181 ) * [Promote] Potential Masquerading as Communication Apps * Update defense_evasion_masquerading_communication_apps.toml * Update defense_evasion_masquerading_communication_apps.toml * Update rules/windows/defense_evasion_masquerading_communication_apps.toml * Update defense_evasion_masquerading_communication_apps.toml --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit `6fcf26b20e`)	2023-10-23 18:02:07 +00:00
Ruben Groenewoud	7d8ee7fb34	[New BBR] Unix Socket Communication (#3072 ) * [New Rule] Unix Socket Communication * Update rules_building_block/execution_unix_socket_communication.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules_building_block/execution_unix_socket_communication.toml --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> (cherry picked from commit `9807bebd8e`)	2023-10-23 15:25:11 +00:00
Ruben Groenewoud	302125f8c3	[New BBR] Tainted Kernel Module Load (#3211 ) * [New Rule] Tainted Kernel Module Load * added setup note * Fixed tag * added type change * timestamp override --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit `024d45bd56`)	2023-10-23 15:13:03 +00:00
Jonhnathan	e5598c5f4c	[Promote] Expired or Revoked Driver Loaded (#3185 ) * [Promote] Expired or Revoked Driver Loaded * Update privilege_escalation_expired_driver_loaded.toml (cherry picked from commit `18ff85ce84`)	2023-10-23 14:51:30 +00:00
Ruben Groenewoud	6c36d2afa3	[Rule Tuning] Linux Rules (#3092 ) * [Rule Tuning] [WIP] Linux DR * Update defense_evasion_binary_copied_to_suspicious_directory.toml * Fixed tag * Added additional tuning * unit test fix * Additional tuning * tuning * added max signals * Added max_signals=1 to brute force rules * Cross-Platform Tuning * Small fix * new_terms conversion * typo * new_terms conversion * Ransomware rule tuning * performance tuning * new_terms conversion for auditd_manager * tune * Need coffee * kql/eql stuff * formatting improvement * new_terms sudo hijacking conversion * exclusion * Deprecations that were added last tuning * Deprecations that were added last tuning * Increased max timespan for brute force rules * version bump * added domain tag * Two tunings * More tuning * Additional tuning * updated_date bump * query optimization * Tuning * Readded the exclusions for this one * Changed int comparison * Some tunings * Update persistence_systemd_scheduled_timer_created.toml * Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * [New Rule] Potential curl CVE-2023-38545 Exploitation * Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation" This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0. * Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml * Update rules/linux/command_and_control_cat_network_activity.toml * Update persistence_message_of_the_day_execution.toml * Changed max_signals * Revert "Merge branch 'main' into rule-tuning-ongoing-dr" This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8. * Revertable merge * Update defense_evasion_ld_preload_env_variable_process_injection.toml * File name change --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit `020fff3aea`)	2023-10-23 14:35:37 +00:00
Jonhnathan	44fe4feaf0	[New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143 ) * [New Rules] [BBR] Windows Deprecated ERs Conversion - 3 * Update defense_evasion_invalid_codesign_imageload.toml * Update defense_evasion_invalid_codesign_imageload.toml * Update rules_building_block/initial_access_execution_remote_via_msiexec.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/initial_access_xsl_script_execution_via_com.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules_building_block/initial_access_execution_remote_via_msiexec.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> (cherry picked from commit `74222f86eb`)	2023-10-17 17:22:52 +00:00
Jonhnathan	cf54191c1d	[New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138 ) * [New Rules] [BBR] Windows Deprecated ERs Conversion - 2 * Update defense_evasion_unsigned_bits_client.toml * Update rules_building_block/defense_evasion_suspicious_msiexec_execution.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * . --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit `3ea3e5a9fd`)	2023-10-17 16:56:23 +00:00
Jonhnathan	d6fc6d5385	[New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131 ) * [New Rules] [BBR] Windows Deprecated ERs Conversion - 1 * . * . * Update defense_evasion_dotnet_clickonce_dfsvc_netcon.toml * . (cherry picked from commit `32002fd89b`)	2023-10-17 14:43:41 +00:00
Jonhnathan	6d43dab0b0	[New Rule] [BBR] Memory Dump File Rules (#3122 ) * [New Rule] Memory Dump File Rules * . * . * . (cherry picked from commit `a33a124eab`)	2023-10-17 12:41:59 +00:00
Jonhnathan	3cb754c4bd	[Rule Tuning] Potential Masquerading as Browser Process (#3180 ) * [Rule Tuning] Potential Masquerading as Browser Process * Update defense_evasion_masquerading_browsers.toml * Update defense_evasion_masquerading_browsers.toml (cherry picked from commit `8035516e8e`)	2023-10-17 12:00:00 +00:00
Jonhnathan	637521b7c9	[Rule Tuning] Potential Masquerading as System32 DLL (#3184 ) Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit `e4e68c2dd8`)	2023-10-17 11:35:46 +00:00
Jonhnathan	4190317ec2	[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165 ) * [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules * Fix dates * Fix unit test errors * updated tags and fixed branch conflicts updated tags and fixed branch conflicts * description nit * Reverting unintended changes * Update initial_access_suspicious_ms_office_child_process.toml --------- Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com> (cherry picked from commit `f584fb6e31`)	2023-10-15 21:18:47 +00:00
Jonhnathan	3f2a709370	[Rule Tuning] PowerShell Rules Tuning (#3169 )	2023-10-11 17:57:32 -03:00
Justin Ibarra	7f8a9849c4	[New Rule] File Compressed or Archived into Common Format (#3173 ) * [New Rule] File Compressed or Archived into Common Format * new build-threat-map-entry-command --------- Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-10-11 11:34:34 -07:00
Ruben Groenewoud	c2822e175c	[Tuning] Windows Execution Rule Tuning for UEBA (#3107 ) * Update defense_evasion_execution_msbuild_started_by_script.toml * Mostly updated Execution tags, also new_terms conv * removed index * Removed index * WMIPrvSE tuning * Additional tuning * Tuning & changes * Additional tuning * Applied unit test optimization * Addressed feedback * Update rules/windows/execution_command_shell_started_by_svchost.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * caseless unit testing fix * fixed caseless executable unit test * unit testing fix * Update rules/windows/execution_suspicious_powershell_imgload.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update execution_ms_office_written_file.toml * Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml * Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml * Added user ids to new terms * Update rules/windows/execution_suspicious_powershell_imgload.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules_building_block/execution_unsigned_service_executable.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update execution_unsigned_service_executable.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-10-11 10:15:29 +02:00
Ruben Groenewoud	4cdf52129a	[Tuning] Windows Discovery Rule Tuning for UEBA (#3097 ) * [Tuning] Win DR Tuning for UEBA * Need to get used to Windows formatting * Added additional content * Updated min stack * Added additional tuning * Fixed unit testing for KQL optimization * Update rules_building_block/discovery_internet_capabilities.toml * Additional tuning * Kuery optimization * Additional tuning * Additional tuning * Additional tuning * Additional tuning * Unit testing optimization fix * optimization * tuning * Optimization * Update rules/windows/discovery_privileged_localgroup_membership.toml * Added feedback * Update rules/windows/discovery_privileged_localgroup_membership.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/windows/discovery_remote_system_discovery_commands_windows.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/windows/discovery_system_service_discovery.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * added host.id as additional new_terms field * Reworked a lot. * kibana.alert.rule.rule_id to non-ecs-schema.json * Fixed index by adding a dot * fixed typo * Added host.os.type:windows for signals * Added additional tag * Added Higher-Order Rule tag * Stripped down signal rules down to two * revert * Update rules/windows/discovery_admin_recon.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules_building_block/discovery_generic_registry_query.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules_building_block/discovery_system_time_discovery.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/discovery_privileged_localgroup_membership.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update discovery_generic_registry_query.toml * Readded exclusions * Added trailing wildcards for KQL * Update discovery_privileged_localgroup_membership.toml * Update rules_building_block/discovery_signal_unusual_user_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Formatting fix --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-10-11 09:43:26 +02:00
Ruben Groenewoud	8f122197bb	[New BBR] Sus. Process Started via tmux or screen (#3071 ) * [New BBR] Sus. Process Started via tmux or screen * [New BBR] Unix Socket Connection * Revert "[New BBR] Unix Socket Connection" This reverts commit 92a0b09e8c505bceb1025124658bb4233d5d19d9. * Update rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-09-30 12:57:18 +02:00
Jonhnathan	f77bec8552	[New Rule] [BBR] File with Suspicious Extension Downloaded (#3139 ) * [New Rule] [BBR] File with Suspicious Extension Downloaded * Update defense_evasion_download_susp_extension.toml	2023-09-27 12:37:11 -03:00
Jonhnathan	ddb1f75352	[New Rule] New BBR Rules - Part 2 (#3029 ) * [New Rule] New BBR Rules - Part 2 * Update discovery_generic_account_groups.toml * Update discovery_generic_account_groups.toml * Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/execution_downloaded_shortcut_files.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules_building_block/defense_evasion_unusual_process_extension.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update defense_evasion_unusual_process_extension.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-09-12 21:49:22 -03:00
Jonhnathan	af99186992	[New Rule] New BBR Rules - Part 3 (#3034 ) * [New Rule] New BBR Rules - Part 3 * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-09-12 21:28:01 -03:00
Jonhnathan	3614f42b00	[New Rule] New BBR Rules - Part 5 (#3052 ) * [New Rule] New BBR Rules - Part 5 * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Tag work --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-09-05 18:36:34 -03:00
Jonhnathan	8049c96281	[New Rule] New BBR Rules - Part 1 (#3026 ) * [New Rule] New BBR Rules - Part 1 * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/lateral_movement_at.toml * Update rules_building_block/collection_outlook_email_archive.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-09-05 18:07:47 -03:00
Jonhnathan	26c97dc241	[New Rule] Potential Masquerading as Business App Installer (#3068 )	2023-09-05 17:58:34 -03:00
Jonhnathan	4233fef238	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-09-05 14:22:01 -04:00
Jonhnathan	fdd45148b8	[New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015 ) * [New Rule] WRITEDAC Access on Active Directory Object * Update defense_evasion_write_dac_access.toml * Fix Setup Instructions * Update defense_evasion_write_dac_access.toml * Update rules_building_block/defense_evasion_write_dac_access.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-31 12:59:02 -03:00
Ruben Groenewoud	f7d8d4752a	[New Rules] GDB Secret Dumping (#3060 ) * [New Rules] GDB Secret Dumping * Added references to BBR * Update rules/linux/credential_access_gdb_init_memory_dump.toml * Update rules_building_block/credential_access_gdb_memory_dump.toml * Update rules_building_block/credential_access_gdb_memory_dump.toml * Update rules_building_block/credential_access_gdb_memory_dump.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-08-31 17:41:22 +02:00
Ruben Groenewoud	04d1c3cd5b	[New BBR] Suspicious which Enumeration (#3059 )	2023-08-31 13:55:56 +02:00
Jonhnathan	c89b722a34	[New Rule] Suspicious Communication App Child Process (#2998 ) * [New Rule] Suspicious Communication App Child Process * Update defense_evasion_communication_apps_suspicious_child_process.toml * Update rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-31 07:33:16 -03:00
Jonhnathan	a7a22a0917	[New Rule] Potential Masquerading as VLC DLL (#3006 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-30 17:45:45 -03:00
Ruben Groenewoud	32abdb95f7	[New Rules] Linux Tunneling and Port Forwarding (#3028 ) * Removed iodine rule due to new tunneling rule * [New Rules] Linux Tunneling and Port Forwarding * added ash * Fixed description styling * Changed rule name * Update command_and_control_linux_suspicious_proxychains_activity.toml * Added deprecation note & name change * Changed deprecation status * Removed deprecation date * Fixed unit testing * Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-30 22:12:19 +02:00
Jonhnathan	7004c99ef5	[New Rule] Unusual Process For MSSQL Service Accounts (#3040 ) * [New Rule] Unusual Process For MSSQL Service Accounts * Update initial_access_unusual_process_sql_accounts.toml * Update initial_access_unusual_process_sql_accounts.toml * Update collection_archive_data_zip_imageload.toml * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml * Update initial_access_unusual_process_sql_accounts.toml * Update rules_building_block/initial_access_unusual_process_sql_accounts.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope. * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-08-29 09:10:25 -03:00
Jonhnathan	0e337e2c36	[New Rule] New BBR Rules - Part 4 (#3035 ) * [New Rule] New BBR Rules - Part 4 * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-08-29 08:49:22 -03:00
Jonhnathan	9f213cc9f7	[New Rule] Potential Masquerading as Browser Process (#2995 ) * [New Rule] Potential Masquerading as Browser Process * Update rules_building_block/defense_evasion_masquerading_browsers.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update defense_evasion_masquerading_browsers.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-08-28 13:28:26 -03:00
Jonhnathan	7496c5cb68	[New Rule] Potential Masquerading as Windows System32 DLL (#3021 ) * [New Rule] Potential Masquerading as Windows System32 DLL * Update rules_building_block/defense_evasion_masquerading_windows_dll.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/defense_evasion_masquerading_windows_dll.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Restrict logic * Update defense_evasion_masquerading_windows_dll.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-08-28 08:31:20 -03:00
Jonhnathan	ffa60f2d03	[New Rule] Network-Level Authentication (NLA) Disabled (#3039 ) * [New Rule] Network-Level Authentication (NLA) Disabled * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-08-28 08:05:21 -03:00
shashank-elastic	d21ed24e4f	BBR Rules Addition (#3027 )	2023-08-25 19:10:12 +05:30
Ruben Groenewoud	a1716bd673	[Rule Tuning] Several rule tunings (#3024 ) * [Rule Tuning] Several rule tunings * Added 1 more * optimized ransomware encryption rules * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml * Update rules/linux/impact_potential_linux_ransomware_note_detected.toml * Added 2 more tunings based on todays telemetry * Some tunings * Tuning * Tuning * fixed user.id comparison * Something went wrong with deprecation * Something went wrong with deprecation * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml * Update rules/linux/discovery_linux_nping_activity.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_linux_hping_activity.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Dedeprecated the rule to deprecate later --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-08-25 14:03:29 +02:00
Jonhnathan	17f6537e44	[Rule Tuning] Windows BBR Rules (#3018 ) * [Rule Tuning] Windows BBR Rules * Update discovery_generic_process_discovery.toml	2023-08-25 05:21:16 -03:00
Jonhnathan	460919a9d7	[Rule Tuning] Compression DLL Loaded by Unusual Process (#3017 )	2023-08-25 05:08:36 -03:00
Jonhnathan	f8df53626e	[New Rule] Potential Masquerading as Windows System32 Executable (#3022 ) * [New Rule] Potential Masquerading as Windows System32 Executable * Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-08-21 15:14:22 -03:00
Jonhnathan	9144dc0448	[New Rule] Building Block Rules - Part 2 (#2923 ) * [New Rule] Building Block Rules - Part 2 * . * Update rules_building_block/defense_evasion_dll_hijack.toml * Update rules_building_block/defense_evasion_file_permission_modification.toml * Update rules_building_block/discovery_posh_password_policy.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-17 13:00:50 -03:00

1 2

64 Commits