sigma-rules

Author	SHA1	Message	Date
Samirbous	dc9c63d043	[New Rule] Unusual Svchost ChildProc - ChildLess Services (#370 ) * [New Rule] Unusual Svchost ChildProc - ChildLess Services * changed tags * changed rule filename * Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-01 20:30:03 +01:00
Samirbous	61fe8a59ff	[New Rule] WebServer Access Logs Deleted (#457 ) * [New Rule] WebServer Access Logs Deleted * removed timeline_id * added drive letter for better perf * Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update defense_evasion_deleting_websvr_access_logs.toml * changed severity from low to medium * fixed duplicate text in description * Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-01 10:48:55 +01:00
Samirbous	0fe12d2528	[New Rule] Suspicious Explorer Child Process (#430 ) * [New Rule] Suspicious Explorer Child Process * Update execution_via_explorer_suspicious_child_parent_args.toml * removed timeline_id * fixed typo * adjusted args for better performance * Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * relinted * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-01 00:00:40 +01:00
Ross Wolf	710f4bda10	Add file.extension to SxS .local rule	2020-11-30 15:26:28 -07:00
Samirbous	2465a70dac	[New Rule] Execution via local SxS Shared Module (#424 ) * [New Rule] Execution via local SxS Shared Module * Update execution_shared_modules_local_sxs_dll.toml * Update execution_shared_modules_local_sxs_dll.toml * added tags * added drive letter for less performance impact * Update rules/windows/execution_shared_modules_local_sxs_dll.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_shared_modules_local_sxs_dll.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_shared_modules_local_sxs_dll.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-11-30 23:24:44 +01:00
Samirbous	7138b01001	[New Rule] Potential Command and Control via IEXPLORE (#645 ) * [New Rule] Potential Command and Control via IEXPLORE * Update command_and_control_iexplore_via_com.toml * Update command_and_control_iexplore_via_com.toml * Update rules/windows/command_and_control_iexplore_via_com.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/command_and_control_iexplore_via_com.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/command_and_control_iexplore_via_com.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/command_and_control_iexplore_via_com.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-11-30 21:13:30 +01:00
Samirbous	14ef24e9dd	[New Rule] Command shell activity started via rundll32 (#391 ) * [New Rule] Command shell activity started via rundll32 * added tag * adjusted parent args for performance avoid leading wildcard * filtered a common FP * Update execution_command_shell_via_rundll32.toml * Update rules/windows/execution_command_shell_via_rundll32.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_command_shell_via_rundll32.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_command_shell_via_rundll32.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_command_shell_via_rundll32.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_command_shell_via_rundll32.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-11-30 21:02:57 +01:00
Samirbous	52183d78a2	[New Rule] Persistence via Microsoft Outlook VBA (#611 ) * [New Rule] Persistence via Microsoft Outlook VBA * added FPs note and deleted excluded outlook.exe * Update rules/windows/persistence_ms_outlook_vba_template.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-11-30 20:57:36 +01:00
Samirbous	ba0cc7a055	[New Rule] UAC Bypass via Elevated COM Interface - IEditionUpgradeManager (#422 ) * [New Rule] UAC Bypass via Elevated COM Interface - ClipUp * linted * Update privilege_escalation_uac_bypass_com_clipup.toml * added tags * changed rule name * adjusted rule for more performance * Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-11-30 20:26:07 +01:00
Justin Ibarra	d0ba03230a	[Rule Tuning] Unusual File Modification by dns.exe (#472 )	2020-11-30 08:22:27 -09:00
Brent Murphy	310f480027	[New Rule] O365 Exchange Safe Attachment Rule Disabled (#593 ) * [New Rule] O365 Exchange Safe Attachment Rule Disabled * update description	2020-11-30 12:06:42 -05:00
Brent Murphy	ba52c3d426	[New Rule] O365 Exchange Transport Rule Modification (#592 ) * [New Rule] O365 Exchange Transport Rule Modification * Update exfiltration_o365_exchange_transport_rule_mod.toml * update description	2020-11-30 11:57:48 -05:00
Brent Murphy	3751095897	[New Rule] O365 Exchange Malware Filter Rule Modification (#590 ) * [New Rule] O365 Exchange Malware Filter Rule Modification * update description	2020-11-30 11:46:58 -05:00
Brent Murphy	a5960851c0	[New Rule] O365 Exchange Malware Filter Policy Deletion (#589 ) * [New Rule] O365 Exchange Malware Filter Policy Deletion * update description	2020-11-30 11:39:25 -05:00
Brent Murphy	bd6be63d88	[New Rule] O365 Exchange Anti-Phish Rule Modification (#586 ) * [New Rule] O365 Exchange Anti-Phish Rule Modification * bump severity	2020-11-30 11:25:20 -05:00
Brent Murphy	76ec49f764	[New Rule] O365 Exchange Anti-Phish Policy Deletion (#585 ) * [New Rule] O365 Exchange Anti-Phish Policy Deletion * bump severity	2020-11-30 11:19:17 -05:00
Brent Murphy	6b280fe7ed	[New Rule] O365 Exchange Transport Rule Creation (#579 ) * [New Rule] O365 Exchange Transport Rule Creation * bump severity * Update exfiltration_o365_exchange_transport_rule_creation.toml	2020-11-30 11:09:30 -05:00
Brent Murphy	b21d32acf4	[New Rule] O365 Exchange Safe Link Policy Disabled (#577 ) * Create initial_access_o365_exchange_safelinks_disabled.toml * Update initial_access_o365_exchange_safelinks_disabled.toml * linting * update description * update tags Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-30 10:52:33 -05:00
dstepanic17	625b0ec771	[New-Rule] Suspicious WMI Image Load from MS Office (#551 ) * image-load-wmi-ms-office * Update rules/windows/execution_suspicious_image_load_wmi_ms_office.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Resolved linting after suggestion Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-11-20 08:34:02 -06:00
dstepanic17	517ee0dc03	image-load-sched-task-ms-office (#566 )	2020-11-20 07:28:16 -06:00
Samirbous	1ebdcc8248	[New Rule] Suspicious RDP ActiveX Client Loaded (#588 ) * [New Rule] Suspicious RDP ActiveX Client Loaded * added exec from mounted device and UNC * removed unecessary exclusion * Update rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>	2020-11-20 10:43:12 +01:00
Samirbous	9d2a74ea1b	[New Rule] Connection to Commonly Abused Web Services (#476 ) * [New Rule] Connection to Commonly Abused Web Services * Update command_and_control_common_webservices.toml * Update rules/windows/command_and_control_common_webservices.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * added notabug.org as suggested by Daniel Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2020-11-18 23:38:09 +01:00
Samirbous	161ea402fe	[New Rule] Kerberos Traffic from Unusual Process (#448 ) * [New Rule] Kerberos Traffic from Unusual Process * removed timeline_id * adjusted args for better perf * added potential rare FPs * Update rules/windows/credential_access_kerberoasting_unusual_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_kerberoasting_unusual_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_kerberoasting_unusual_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_kerberoasting_unusual_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-11-18 22:07:49 +01:00
Samirbous	3e7be55a24	[New Rule] UAC Bypass via Windows Firewall Snap-in Hijack (#376 ) * [New Rule] Bypass UAC via Windows Firewall Snap-in Hijack * Delete workspace.xml * Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml * Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml * Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-18 20:36:59 +01:00
Samirbous	75ed0f8f92	[New Rule] UAC Bypass via ICMLuaUtil Elevated COM interface (#383 ) * [New Rule] Bypass UAC via ICMLuaUtil Elevated COM interface * added tags * Update privilege_escalation_uac_bypass_com_interface_icmluautil.toml * adjusted args to avoid leading wildcard * Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * replaced wildcard with In Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2020-11-18 20:34:10 +01:00
Samirbous	14270a5614	[New Rule] Persistence via MS Office Addins (#381 ) * [New Rule] Persistence via MS Office Addins * Update persistence_ms_office_addins_file.toml * Update persistence_ms_office_addins_file.toml * Update persistence_ms_office_addins_file.toml * Update persistence_ms_office_addins_file.toml * fixed extension and relaxed file.path * updated references * changed leading wildcard for perf * Update rules/windows/persistence_ms_office_addins_file.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/persistence_ms_office_addins_file.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-18 20:27:01 +01:00
David French	8f6eba8986	Tune metadata in Okta rules to align with the style of other rules (#491 ) * rune-okta-rule-metadata * update note field to include fleet integration info * separate okta policy rule modification and deletion into two rules * rename file to align with style of others * fix syntax typo * separate zone and policy deactivation, deletion, and modification actions into separate rules * fix typo * fix tpyo 🙃 * Use "detects" instead of "identifies" in description * Use "detects" instead of "identifies" in description * Use "detects" instead of "identifies" in description * Use "detects" instead of "identifies" in description	2020-11-18 09:59:11 -07:00
David French	a05f160159	[New Rule] Application Added to Google Workspace Domain (#564 ) * Create application_added_to_google_workspace_domain.toml * Update rules/google-workspace/application_added_to_google_workspace_domain.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/google-workspace/application_added_to_google_workspace_domain.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-11-18 09:23:15 -07:00
David French	dd8c276e42	Create google_workspace_mfa_enforcement_disabled.toml (#563 )	2020-11-18 09:20:31 -07:00
David French	4425bbf436	Create domain_added_to_google_workspace_trusted_domains.toml (#562 )	2020-11-18 09:17:48 -07:00
David French	56bc91cc70	Create google_workspace_admin_role_deletion.toml (#561 )	2020-11-18 09:15:53 -07:00
David French	10d4e5d8c9	[New Rule] Google Workspace Role Modified (#556 ) * Create persistence_google_workspace_role_modified.toml * fix tpyo 🙃	2020-11-18 09:13:44 -07:00
David French	acf8102607	Create persistence_google_workspace_custom_admin_role_created.toml (#555 )	2020-11-18 09:10:50 -07:00
David French	72fee8d16f	Create persistence_google_workspace_admin_role_assigned_to_user.toml (#554 )	2020-11-18 09:07:39 -07:00
David French	78b8d5c761	new-rule-mfa-disabled-for-google-workspace-organization (#553 )	2020-11-18 09:05:07 -07:00
David French	6aca322cfd	[New Rule] Google Workspace Password Policy Modified (#552 ) * new-rule-google-workspace-policy-modified * lint rule	2020-11-18 09:02:59 -07:00
David French	f11e9f8302	[New Rule] Administrator Role Assigned to Okta User (#489 ) * Create persistence_administrator_role_assigned_to_okta_user.toml * set maturity to production Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Reorder references to put the most relevant at the top * tweak rule name Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-11-18 08:59:23 -07:00
Samirbous	eb487f9433	[New Rule] Timestomping using Touch Command (#463 ) * [New Rule] Timestomping using Touch Command * Update defense_evasion_timestomp_touch.toml * added macOS tag * Update rules/linux/defense_evasion_timestomp_touch.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-17 23:29:47 +01:00
Samirbous	abea5d0779	[New Rule] Prompt for Credentials with OSASCRIPT (#540 )	2020-11-17 22:25:40 +01:00
Samirbous	4547ee3750	[New Rule] Suspicious Execution - Short Program Name (#536 ) * [New Rule] Suspicious Execution - Short Program Name * Update rules/windows/execution_suspicious_short_program_name.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-17 21:27:37 +01:00
Samirbous	4741f70fad	[New Rule] Potential Remote Desktop Tunneling Detected (#374 ) * [New Rule] Remote Desktop Tunneling using SSH Plink Utility * Update lateral_movement_rdp_tunnel_plink.toml * Update lateral_movement_rdp_tunnel_plink.toml * changed tags * expanded condition to more than plink there are other SSH utilities that can be used as Plink thus removed the process original filename condition and added mandatory switches such as -L -P and -R. * Update lateral_movement_rdp_tunnel_plink.toml * more args options Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-17 21:25:48 +01:00
Samirbous	14e36c2693	[New Rule] Security Software Discovery using WMIC (#387 ) * [New Rule] Security Software Discovery using WMIC * added tags * adjusted args for performance avoiding leading wildcard in process args * Update discovery_security_software_wmic.toml * Update discovery_security_software_wmic.toml * Update discovery_security_software_wmic.toml * Update rules/windows/discovery_security_software_wmic.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/discovery_security_software_wmic.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-17 21:23:28 +01:00
Samirbous	ba4b8bc3e3	[New Rule] UAC Bypass via Elevated COM IEinstall (#450 ) * [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer * Linted * Update privilege_escalation_uac_bypass_com_ieinstal.toml * adjusted executable path for better performance * Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-11-17 21:21:15 +01:00
Samirbous	3af915ff49	[New Rule] Suspicious Cmd Execution via WMI (#389 ) * [New Rule] Suspicious Cmd Execution via WMI * Update lateral_movement_suspicious_cmd_wmi.toml * Update lateral_movement_suspicious_cmd_wmi.toml * expanded process args for more coverage * Update rules/windows/lateral_movement_suspicious_cmd_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-11-17 21:19:30 +01:00
David French	9d3395f9e3	Create okta_attempt_to_delete_okta_application.toml (#497 )	2020-11-17 08:53:59 -07:00
David French	58e54f40e3	Create okta_attempt_to_deactivate_okta_application.toml (#496 )	2020-11-17 08:51:51 -07:00
David French	768069a8bc	[New Rule] Attempt to Modify an Okta Application (#495 ) * Create okta_attempt_to_modify_okta_application.toml * add reference	2020-11-17 08:49:02 -07:00
David French	88b8bca929	Create persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml (#530 )	2020-11-17 08:44:37 -07:00
Justin Ibarra	f87f2a46f4	[Rule Tuning] Remove all rule timelines (#466 )	2020-11-03 09:51:53 -09:00
Justin Ibarra	da64bacac1	[Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452 )	2020-11-02 14:12:20 -09:00

1 2 3 4 5

219 Commits