sigma-rules

Author	SHA1	Message	Date
shashank-elastic	e4856d3c2c	Refresh ecs, beats, integration manifests & schemas (#4699 )	2025-05-05 23:06:40 +05:30
shashank-elastic	e8c54169a4	Prep main for 9.1 (#4555 ) * Prep for Release 9.1 * Update Patch Version * Update Patch version * Update Patch version	2025-03-26 11:04:14 -04:00
Jonhnathan	c0f12ddecf	[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464 ) * [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags * Format & order * Update pyproject.toml * Update credential_access_cookies_chromium_browsers_debugging.toml	2025-02-19 12:54:31 -03:00
shashank-elastic	818467f132	Replace master doc URLs with current (#4439 )	2025-02-03 21:27:50 +05:30
Jonhnathan	2c07e88c07	[Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156 )	2024-10-15 23:57:44 +05:30
Jonhnathan	7b655759ab	[Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035 ) * [Rule Tuning] 3rd Party EDR Compatibility - 10 * min_stack for merge, bump updated_date	2024-10-11 15:58:37 -03:00
Mika Ayenson	b80d8342d6	[Docs \| Rule Tuning] Add blog references to rules (#4097 ) * [Docs \| Rule Tuning] Add blog references to rules * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Apply suggestions from code review * Update google_workspace blog references * add okta blog references * Update dates --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-09-25 15:19:20 -05:00
Jonhnathan	f5069763b6	[Rule Tuning] Add System tag to DRs (#3968 ) * [Rule Tuning] Add System tag to DRs * bump	2024-08-09 11:14:33 -03:00
shashank-elastic	63e91c2f12	Back-porting Version Trimming (#3704 )	2024-05-23 00:45:10 +05:30
Mika Ayenson	2c3dbfc039	Revert "Back-porting Version Trimming (#3681 )" This reverts commit `71d2c59b5c`.	2024-05-22 13:51:46 -05:00
shashank-elastic	71d2c59b5c	Back-porting Version Trimming (#3681 )	2024-05-23 00:11:50 +05:30
Jonhnathan	b47b91b9ec	[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549 ) * [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules * Delete test.pkl --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-04-01 20:45:12 -03:00
Jonhnathan	458e67918a	[Security Content] Small tweaks on the setup guides (#3308 ) * [Security Content] Small tweaks on the setup guides * Additional Fixes * Avoid touching deprecated rules	2024-03-11 09:09:40 -03:00
sbousseaden	27262a585b	[Tuning] Add logs-system. index where applicable (#3390 ) * Update discovery_adfind_command_activity.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update initial_access_suspicious_ms_office_child_process.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update initial_access_suspicious_ms_exchange_process.toml * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update impact_volume_shadow_copy_deletion_via_powershell.toml * Update execution_from_unusual_path_cmdline.toml * Update execution_enumeration_via_wmiprvse.toml * Update execution_command_shell_started_by_svchost.toml * Update discovery_enumerating_domain_trusts_via_nltest.toml * Update discovery_enumerating_domain_trusts_via_dsquery.toml * Update defense_evasion_workfolders_control_execution.toml * Update defense_evasion_iis_httplogging_disabled.toml * Update defense_evasion_enable_inbound_rdp_with_netsh.toml * Update defense_evasion_disabling_windows_logs.toml * Update credential_access_wireless_creds_dumping.toml * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update credential_access_iis_connectionstrings_dumping.toml * Update command_and_control_remote_file_copy_desktopimgdownldr.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_dns_tunneling_nslookup.toml * Update persistence_webshell_detection.toml * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml * Update privilege_escalation_named_pipe_impersonation.toml * Update command_and_control_certreq_postdata.toml * Update defense_evasion_suspicious_certutil_commands.toml * Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update persistence_system_shells_via_services.toml * Update execution_suspicious_cmd_wmi.toml * Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update discovery_adfind_command_activity.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_unusual_dir_ads.toml * Update defense_evasion_wsl_child_process.toml * Update defense_evasion_wsl_bash_exec.toml * Update defense_evasion_wsl_enabled_via_dism.toml * Update discovery_admin_recon.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update lateral_movement_alternate_creds_pth.toml * Update persistence_via_windows_management_instrumentation_event_subscription.toml * Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml * Update persistence_via_application_shimming.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update defense_evasion_clearing_windows_console_history.toml * Update discovery_adfind_command_activity.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update execution_command_shell_started_by_svchost.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2024-01-17 13:49:59 +00:00
shashank-elastic	a568c56bc1	Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157 )	2023-10-30 16:53:04 +05:30
Jonhnathan	4233fef238	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-09-05 14:22:01 -04:00
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Justin Ibarra	411ec36ff0	Validate markdown plugin fields (#2602 )	2023-03-28 09:17:50 -04:00
Justin Ibarra	59da2da474	[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) * add unit tests to ensure host type and platform are included * add host.os.name 'linux' to all linux rules * add host.os.name macos to mac rules * add host.os.name to windows rules; fix linux dates * update from host.os.name to host.os.type Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-05 11:41:19 -07:00
Jonhnathan	1a4510c9d4	[Security Content] Add Investigation Guides to Windows Rules - 2 (#2534 ) * [Security Content] Add Investigation Guides to Windows Rules - 2 * tags * Adjust some phrasing based on the review * Update credential_access_bruteforce_admin_account.toml * Missing Osquery Note * Missing note	2023-03-01 21:23:09 -03:00
Jonhnathan	f17b6f1702	[Security Content] Fix verbiage used on Osquery Note (#2513 ) * [Security Content] Fix verbiage used on Osquery Note * Adjust verbiage * date bump --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-02-22 12:33:23 -03:00
shashank-elastic	f8e97da549	Rule Tuning Update MITRE Details (#2526 ) Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-02-10 23:05:28 +05:30
Jonhnathan	7725e32126	[Security Content] Fix Osquery Markdown Plugin Escaped queries (#2447 ) * [Security Content] Fix Osquery Markdown Plugin Escaped queries * Re-add line * Update credential_access_credential_dumping_msbuild.toml * Update command_and_control_common_webservices.toml	2023-01-09 14:45:31 -03:00
Jonhnathan	9981cca275	[Security Content] Investigation Guides Line breaks refactor (#2454 ) * [Security Content] Investigation Guides Line breaks refactor (#2412) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key * Remove changes to deprecated rules * Update command_and_control_certutil_network_connection.toml	2023-01-09 13:28:10 -03:00
Terrance DeJesus	b1a689b6fd	Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 ) This reverts commit `d1481e1a88`.	2023-01-09 10:44:54 -05:00
Jonhnathan	d1481e1a88	[Security Content] Investigation Guides Line breaks refactor (#2412 ) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key	2023-01-09 11:56:39 -03:00
Terrance DeJesus	4312d8c958	[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-01-04 09:30:07 -05:00
Jonhnathan	ac01718bb6	[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352 ) * [Rule Tuning] Add tags to flag Sysmon-only rules * Modify tags * Revert "Modify tags" This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434. * Modify tags * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py	2022-11-18 12:32:27 -03:00
Jonhnathan	6055d0db60	[Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides (#2387 ) * [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides * Remove min_stack and add Note * Fix Typo and preffix * Update command_and_control_certutil_network_connection.toml * Add unit test to check Note about Osquery Markdown plugin and Version limitations * Update test_all_rules.py * Update test_all_rules.py * Change Note Verbiage	2022-11-17 18:38:34 -03:00
Jonhnathan	183b1ffdd3	[Rule Tuning] Add endgame support for Windows Rules (#2285 ) * [Rule Tuning] Add endgame support for Windows Rules * Update collection_email_powershell_exchange_mailbox.toml * Supported Rules - First Half * bum updated_date * Add tag * Revert compat * missing tags	2022-10-19 08:27:44 -07:00
Jonhnathan	9861958833	[Security Content] Add missing "has_guide" tag (#2349 ) * Add missing "has_guide" tag * bump updated_date	2022-10-11 06:30:19 -07:00
Jonhnathan	f02ffbbe13	[Security Content] Add Investigation Guides - 8.5 (#2305 ) * [Security Content] Add Investigation Guides - 8.5 * Update persistence_run_key_and_startup_broad.toml * Apply suggestions from security-docs review review * Update execution_suspicious_jar_child_process.toml * Apply suggestions from review	2022-09-23 18:44:24 -03:00
Jonhnathan	d52c0d2257	[Rule Tuning] Remove "process_started" from Windows Rules (#2238 ) * [Rule Tuning] Remove "process_started" from Windows Rules * Additional, pending ones * Update defense_evasion_code_injection_conhost.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-09-19 13:06:30 -05:00
Justin Ibarra	46d5e37b76	min_stack all rules to 8.3 (#2259 ) * min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>	2022-08-24 10:38:49 -06:00
Samirbous	b15f0de9a4	[Rules Tuning] Diverse Windows Rules - FPs reduction (#2213 ) * [Rules Tuning] 7 diverse Windows rules Excluding FP patterns while avoiding breaking compat with winlogbeat and 4688 events lack of codesign metadata. * Update initial_access_suspicious_ms_exchange_process.toml * Update privilege_escalation_persistence_phantom_dll.toml * Update execution_psexec_lateral_movement_command.toml * Update persistence_remote_password_reset.toml * Update non-ecs-schema.json * Update persistence_remote_password_reset.toml * Update non-ecs-schema.json * Update discovery_privileged_localgroup_membership.toml	2022-08-02 18:37:07 +02:00
Terrance DeJesus	e8c39d19a7	[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 ) * initial commit with eggshell mitre mapping added * adding updated rules * [Rule Tuning] MITRE for GCP rules I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic. * [Rule Tuning] Endgame Rule name updates for Mitre Updated Endgame rule names for those with Mitre tactics to match the tactics. * Update rules/integrations/aws/persistence_redshift_instance_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * adding 10 updated rules for google_workspace, ml and o365 * adding 22 rule updates for mitre att&ck mappings * adding 24 rule updates related mainly to ML rules * adding 3 rules related to detection via ML * adding adjustments * adding adjustments with solutions to recent pytest errors * removed tabs from tags * adjusted mappings and added techniques * adjusted endgame rule mappings per review * adjusted names to match different tactics * added execution and defense evasion tag * adjustments to address errors from merging with main * added newlines to rules missing them at the end of the file Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-07-22 14:30:34 -04:00
Mika Ayenson	a52751494e	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-18 15:41:32 -04:00
Justin Ibarra	6bdfddac8e	Expand timestamp override tests (#1907 ) * Expand timestamp_override tests * removed timestamp_override from eql sequence rules * add config entry for eql rules with beats index and t_o * add timestamp_override to missing fields	2022-04-01 15:27:08 -08:00
Justin Ibarra	6ef5c53b0c	Cleanup note field in rules (#1194 ) * standardize usage of note field	2021-05-10 13:40:56 -08:00
Samirbous	04f3cd967d	[Rule Tuning] Execution from Unusual Directory - Command Line (#1012 ) * [Rule Tuning] Execution from Unusual Directory - Command Line * format change as per JLB sugg	2021-03-19 10:16:47 +01:00
Justin Ibarra	3fc34b86f2	Update License to Elastic v2 (#944 )	2021-03-03 22:12:11 -09:00
brokensound77	a77bd6178f	Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12 # Conflicts: # rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml	2021-02-17 14:11:50 -09:00
Justin Ibarra	90a9320f93	[Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951 ) * remove timestamp_override from endgame promotion rules * updated version.lock to previous state for endgame promotion rule changes * fix incorrect year in updated_date	2021-02-17 13:48:57 -09:00
brokensound77	6ce418877f	Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12 # Conflicts: # etc/version.lock.json # rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml # rules/cross-platform/impact_hosts_file_modified.toml # rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml # rules/cross-platform/privilege_escalation_sudoers_file_mod.toml # rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml # rules/linux/defense_evasion_timestomp_touch.toml # rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml # rules/macos/credential_access_credentials_keychains.toml # rules/macos/credential_access_promt_for_pwd_via_osascript.toml # rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml # rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml # rules/promotions/external_alerts.toml # rules/windows/collection_email_powershell_exchange_mailbox.toml # rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml # rules/windows/collection_winrar_encryption.toml # rules/windows/command_and_control_common_webservices.toml # rules/windows/command_and_control_encrypted_channel_freesslcert.toml # rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml # rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml # rules/windows/command_and_control_teamviewer_remote_file_copy.toml # rules/windows/credential_access_cmdline_dump_tool.toml # rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml # rules/windows/credential_access_credential_dumping_msbuild.toml # rules/windows/credential_access_domain_backup_dpapi_private_keys.toml # rules/windows/credential_access_dump_registry_hives.toml # rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml # rules/windows/credential_access_iis_connectionstrings_dumping.toml # rules/windows/credential_access_kerberoasting_unusual_process.toml # rules/windows/credential_access_lsass_memdump_file_created.toml # rules/windows/credential_access_mimikatz_memssp_default_logs.toml # rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml # rules/windows/defense_evasion_clearing_windows_event_logs.toml # rules/windows/defense_evasion_code_injection_conhost.toml # rules/windows/defense_evasion_cve_2020_0601.toml # rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml # rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml # rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml # rules/windows/defense_evasion_dotnet_compiler_parent_process.toml # rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml # rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml # rules/windows/defense_evasion_execution_lolbas_wuauclt.toml # rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml # rules/windows/defense_evasion_execution_msbuild_started_by_script.toml # rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml # rules/windows/defense_evasion_execution_msbuild_started_renamed.toml # rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml # rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml # rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml # rules/windows/defense_evasion_hide_encoded_executable_registry.toml # rules/windows/defense_evasion_iis_httplogging_disabled.toml # rules/windows/defense_evasion_injection_msbuild.toml # rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml # rules/windows/defense_evasion_masquerading_renamed_autoit.toml # rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml # rules/windows/defense_evasion_masquerading_trusted_directory.toml # rules/windows/defense_evasion_modification_of_boot_config.toml # rules/windows/defense_evasion_port_forwarding_added_registry.toml # rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml # rules/windows/defense_evasion_sdelete_like_filename_rename.toml # rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml # rules/windows/defense_evasion_suspicious_managedcode_host_process.toml # rules/windows/defense_evasion_suspicious_zoom_child_process.toml # rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml # rules/windows/defense_evasion_unusual_dir_ads.toml # rules/windows/defense_evasion_unusual_system_vp_child_program.toml # rules/windows/defense_evasion_via_filter_manager.toml # rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml # rules/windows/discovery_adfind_command_activity.toml # rules/windows/discovery_admin_recon.toml # rules/windows/discovery_file_dir_discovery.toml # rules/windows/discovery_net_command_system_account.toml # rules/windows/discovery_net_view.toml # rules/windows/discovery_peripheral_device.toml # rules/windows/discovery_process_discovery_via_tasklist_command.toml # rules/windows/discovery_query_registry_via_reg.toml # rules/windows/discovery_remote_system_discovery_commands_windows.toml # rules/windows/discovery_security_software_wmic.toml # rules/windows/discovery_whoami_command_activity.toml # rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml # rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml # rules/windows/execution_command_shell_started_by_powershell.toml # rules/windows/execution_command_shell_started_by_svchost.toml # rules/windows/execution_command_shell_started_by_unusual_process.toml # rules/windows/execution_command_shell_via_rundll32.toml # rules/windows/execution_from_unusual_directory.toml # rules/windows/execution_from_unusual_path_cmdline.toml # rules/windows/execution_shared_modules_local_sxs_dll.toml # rules/windows/execution_suspicious_cmd_wmi.toml # rules/windows/execution_suspicious_image_load_wmi_ms_office.toml # rules/windows/execution_suspicious_pdf_reader.toml # rules/windows/execution_suspicious_powershell_imgload.toml # rules/windows/execution_suspicious_psexesvc.toml # rules/windows/execution_suspicious_short_program_name.toml # rules/windows/execution_via_compiled_html_file.toml # rules/windows/execution_via_hidden_shell_conhost.toml # rules/windows/execution_via_net_com_assemblies.toml # rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml # rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml # rules/windows/initial_access_script_executing_powershell.toml # rules/windows/initial_access_suspicious_ms_office_child_process.toml # rules/windows/initial_access_suspicious_ms_outlook_child_process.toml # rules/windows/initial_access_unusual_dns_service_children.toml # rules/windows/initial_access_unusual_dns_service_file_writes.toml # rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml # rules/windows/lateral_movement_execution_from_tsclient_mup.toml # rules/windows/lateral_movement_local_service_commands.toml # rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml # rules/windows/lateral_movement_rdp_enabled_registry.toml # rules/windows/lateral_movement_rdp_tunnel_plink.toml # rules/windows/lateral_movement_remote_file_copy_hidden_share.toml # rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml # rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml # rules/windows/persistence_adobe_hijack_persistence.toml # rules/windows/persistence_appcertdlls_registry.toml # rules/windows/persistence_appinitdlls_registry.toml # rules/windows/persistence_evasion_registry_ifeo_injection.toml # rules/windows/persistence_gpo_schtask_service_creation.toml # rules/windows/persistence_local_scheduled_task_commands.toml # rules/windows/persistence_ms_office_addins_file.toml # rules/windows/persistence_ms_outlook_vba_template.toml # rules/windows/persistence_priv_escalation_via_accessibility_features.toml # rules/windows/persistence_registry_uncommon.toml # rules/windows/persistence_run_key_and_startup_broad.toml # rules/windows/persistence_services_registry.toml # rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml # rules/windows/persistence_startup_folder_scripts.toml # rules/windows/persistence_suspicious_com_hijack_registry.toml # rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml # rules/windows/persistence_suspicious_scheduled_task_runtime.toml # rules/windows/persistence_suspicious_service_created_registry.toml # rules/windows/persistence_system_shells_via_services.toml # rules/windows/persistence_user_account_creation.toml # rules/windows/persistence_via_application_shimming.toml # rules/windows/persistence_via_hidden_run_key_valuename.toml # rules/windows/persistence_via_lsa_security_support_provider_registry.toml # rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml # rules/windows/persistence_via_update_orchestrator_service_hijack.toml # rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml # rules/windows/privilege_escalation_named_pipe_impersonation.toml # rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml # rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml # rules/windows/privilege_escalation_rogue_windir_environment_var.toml # rules/windows/privilege_escalation_uac_bypass_com_clipup.toml # rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml # rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml # rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml # rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml # rules/windows/privilege_escalation_uac_bypass_event_viewer.toml # rules/windows/privilege_escalation_uac_bypass_mock_windir.toml # rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml # rules/windows/privilege_escalation_unusual_parentchild_relationship.toml # rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml	2021-02-17 12:18:06 -09:00
Justin Ibarra	61deed3fd2	[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948 ) * [Rule Tuning] Add timestamp_override field to 7.11.0 rules * Lock versions for 7.11.2 rules	2021-02-16 10:52:48 -09:00
Brent Murphy	fdf9384e4d	[Rule Tuning] Execution from Unusual Directory - Command Line (#837 ) * Update execution_from_unusual_path_cmdline.toml * lint * Update execution_from_unusual_path_cmdline.toml	2021-02-03 10:54:19 -05:00
Justin Ibarra	a0e86e20d6	[Rule Tuning] Add windows integration index to rules (#923 )	2021-01-28 20:53:57 -09:00
Samirbous	49abcd7f4d	[New Rule] Execution from unusual directory - CommandLine (#435 ) * [New Rule] Execution from unusual directory - cmdline * Update execution_from_unusual_path_cmdline.toml * Update rules/windows/execution_from_unusual_path_cmdline.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * linted and added note as sug by JLB * note * ecs_version * fixed path * Update rules/windows/execution_from_unusual_path_cmdline.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_from_unusual_path_cmdline.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_from_unusual_path_cmdline.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 16:13:52 +01:00

48 Commits