e41fe620e6
[New Rule] Add detection rules for auth ML jobs ( #1283 )
...
* Adding detection rules for auth ML jobs
* name prefix
added the prefix "auth" to the file names
* Added descriptions
* Adding new lines and updating license
* FP text
added FP metadata
Co-authored-by: Craig <mailredirector36@gmail.com >
2021-06-16 16:00:17 -07:00
e0fa25ae8e
Fix rules which were note using v2 license ( #1291 )
2021-06-16 08:21:30 -06:00
49cb2e8dbf
[Bug] Fix ML job IDs that used hyphens ( #1287 )
...
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date
2021-06-15 11:40:47 -06:00
177cfc85bf
[Rule Tuning] Attempts to Brute Force an Okta User Account ( #1216 )
...
* update rule.threshold field value
* add rule authors
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-06-15 10:07:51 -06:00
1f7c88c6f4
Updating rules to query v2 ( #1254 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-06-15 07:20:50 -07:00
12577f7380
[Rule Tuning] Update network rule address blocks ( #1227 )
...
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-15 09:22:59 -04:00
546e43071c
[Rule Tuning] Attempts to brute force a microsoft 365 user account ( #1163 )
...
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-15 09:20:20 -04:00
13bf55480a
Update persistence_suspicious_com_hijack_registry.toml ( #1244 )
2021-06-14 09:00:22 -04:00
6b45186827
[New Rule] AWS EC2 VM Export Failure ( #1142 )
...
* New Rule: AWS EC2 VM Export Failure
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-09 13:03:37 -06:00
fce022c275
[New Rule] Modification of AmsiEnable Registry Key ( #1248 )
...
* Create defense_evasion_amsienable_key_mod.toml
2021-06-07 13:21:18 -04:00
6626cbb943
Update privilege_escalation_persistence_phantom_dll.toml ( #1228 )
2021-06-01 09:29:09 -04:00
c457614e37
[New Rule] Unusual Network Connection via DllHost ( #1232 )
...
* Create defense_evasion_unusual_network_connection_via_dllhost.toml
* add timestamp override
2021-05-28 15:09:09 -04:00
31e8d03438
[New Rule] Suspicious Execution from a Mounted Device ( #1230 )
...
* Create defense_evasion_suspicious_execution_from_mounted_device.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-05-28 14:44:07 -04:00
58ea49b092
[Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts ( #1200 )
...
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-05-14 15:52:02 -04:00
6ef5c53b0c
Cleanup note field in rules ( #1194 )
...
* standardize usage of note field
2021-05-10 13:40:56 -08:00
82ec6ac1ee
Convert windows rules from KQL to EQL ( #1114 )
2021-04-30 11:21:12 -08:00
92eaa5b18a
[New Rule] Threat intel indicator match rule ( #1133 )
2021-04-26 07:07:04 -05:00
8362578492
[Rule Tuning] AWS IAM Deactivation of MFA Device ( #1132 )
...
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-23 14:52:54 -04:00
ff45539369
[Deprecation] Deprecate inherently noisy rules based on testing ( #1122 )
...
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-04-21 15:10:06 -04:00
791c911b9e
Merge branch '7.12' into main
2021-04-15 16:17:59 -06:00
0400dc207a
[Deprecation] Process Discovery via Tasklist ( #1116 )
...
* [Deprecation] Process Discovery via Tasklist
* deprecation_date
* update date
* Update rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-15 22:18:56 +02:00
e323084433
[Deprecation] Trusted Developer Application Usage ( #1118 )
...
* [Deprecation] Trusted Developer Application Usage
* update date
2021-04-15 22:15:38 +02:00
170b87097d
[New Rule] Potential Protocol Tunneling via EarthWorm ( #1094 )
...
* [New Rule] Potential Protocol Tunneling via EarthWorm
* fixed tactic ID
* fixed rule_id
* tactic case sensitive
* tags
* Update rules/linux/command_and_control_tunneling_via_earthworm.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-15 10:17:56 +02:00
dbd2874b4f
[Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files ( #1026 )
...
* [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files
* revise note with information from microsoft
* add Exchange Server to paths
* replaced process.parent.name with process.name and C drive with ?
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2021-04-14 20:24:44 -08:00
8f78afb8e5
[Rule Tuning] Windows Suspicious Script Object Execution ( #1081 )
...
* [Rule Tuning] Windows Suspicious Script Object Execution
* renamed rule in version.lock.json
* adjusted codesig check
* added 1 exclusion
* update date
* added cmd to exclusion as per EG telem
* removed changes to version.lock.json
* restored comment for code sig to support winlogbeat
* Revert "removed changes to version.lock.json"
This reverts commit 62794be02486b668ae5f25e5613f18b292342377.
* restored rule name in version.lock
* fixed typo
* removed winlogbeat index
* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 23:54:39 +02:00
c1fd3b3374
[Rule Tuning] AWS Config Service Tampering ( #1108 )
...
* Update defense_evasion_config_service_rule_deletion.toml
2021-04-14 17:13:27 -04:00
4a46b2f03b
Create collection_microsoft_365_new_inbox_rule.toml ( #1068 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-04-14 17:06:39 -04:00
7408133f79
[New Rule] Potential Remote Desktop Shadowing Activity ( #1101 )
...
* [New Rule] Potential Remote Desktop Shadowing Activity
* added event.ingested
* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 22:09:49 +02:00
66dff28498
[Rule Tuning] Public IP Reconnaissance Activity ( #1091 )
...
* Delete discovery_post_exploitation_public_ip_reconnaissance.toml
* Updated ip lookup rule
* Modified index field
* Update discovery_post_exploitation_external_ip_lookup.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
* Update rules/windows/discovery_post_exploitation_external_ip_lookup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 09:58:00 -05:00
c64e700c56
[Rule Tuning] Update Cloud Rule Syntax ( #1061 )
...
* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 10:49:28 -04:00
00923dcde1
[Rule Tuning] Setuid / Setgid Bit Set via chmod ( #1032 )
...
* [Rule Tuning] Setuid / Setgid Bit Set via chmod
* update date
* Update rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 16:41:37 +02:00
2926e98c5d
[Rule Tuning] Startup or Run Key Registry Modification ( #1086 )
...
* [Rule Tuning] Startup or Run Key Registry Modification
* update date
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 16:38:00 +02:00
1354d8059c
[New Rule] Network Logon Providers Registry Modification ( #1053 )
...
* [New Rule] Network Logon Providers Registry Modification
* fix mitre filename mapping error
* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 16:31:46 +02:00
dc774517bf
[New Rule] Persistence via Scheduled Job Creation ( #1038 )
...
* [New Rule] Persistence via Scheduled Job Creation
* Update rules/windows/persistence_local_scheduled_job_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_local_scheduled_job_creation.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 16:15:54 +02:00
731d2b2a54
[Rule Tuning] Unusual Persistence via Services Registry ( #1077 )
...
* [Rule Tuning] Unusual Persistence via Services Registry
* update date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 16:09:46 +02:00
462fab3ff8
Update threshold rule schema to disallow empty field string ( #1098 )
...
* Update threshold rule schema to disallow empty field string
* lock versions for rule changes
2021-04-14 04:56:38 -08:00
dd4bc3e57e
[Rule Tuning] Connection to Commonly Abused Web Services ( #1079 )
...
* [Rule Tuning] Connection to Commonly Abused Web Services
* adjusted 1 exclusion
* update date
* added 3 dns.names as suggested by Daniel
* added requestbin.net used for DNS tunneling by APT34
2021-04-14 00:53:27 +02:00
0fe09aaed5
[New Rule] NullSessionPipe Registry Modification ( #1058 )
...
* [New Rule] NullSessionPipe Registry Modification
* Update lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
* Update rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 00:50:31 +02:00
0ba469dbe4
[Rule Tuning] Modification of Standard Authentication Module or Confi… ( #1056 )
...
* [Rule Tuning] Modification of Standard Authentication Module or Configuration
* update date
2021-04-14 00:36:38 +02:00
0669e9be00
[New Rule] Suspicious Startup Shell Folder Modification ( #1042 )
...
* [New Rule] Suspicious Startup Shell Folder Modification
* Update rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 00:33:54 +02:00
f2bc0c685d
[Rule Tuning] Suspicious Explorer Child Process ( #1035 )
...
* [Rule Tuning] Suspicious Explorer Child Process
* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 00:10:29 +02:00
0cc0e3d31f
[New Rule] Persistence via BITS Job Notify Cmdline ( #1096 )
...
* [New Rule] Persistence via BITS Job Notify Cmdline
* changed severity and added 1 exclusion
* Update rules/windows/persistence_via_bits_job_notify_command.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-13 23:25:30 +02:00
af067797c2
Update defense_evasion_unusual_network_connection_via_rundll32.toml ( #1109 )
2021-04-13 16:58:30 -04:00
3876ef3a37
Adjust loopback for Cloudtrail ( #1103 )
...
* #1092 adjusting loopback for cloudtrail
* refactored time interval, adjusted updated_date
* reverting bucket interval back to 15m
2021-04-13 13:58:13 -04:00
a7bb15eaf7
[Rule Tuning] Enumeration of Users or Groups via Built-in Commands ( #1046 )
...
* Update discovery_users_domain_built_in_commands.toml
* tweak whitespace in query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-13 11:31:47 -06:00
aa61283dfa
[Rule Tuning] Local Service Commands ( #1044 )
...
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-13 12:31:45 -04:00
31daa7b36a
[Rule Tuning] Keychain Password Retrieval via Command Line ( #992 )
...
* [Rule Tuning] Keychain Password Retrieval via Command Line
* removed duplicate tactic
* Update credential_access_keychain_pwd_retrieval_security_cmd.toml
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-13 18:16:43 +02:00
b5bd9d2fe1
Bump version for endpoint promotion rules for 7.12.1 ( #1082 )
...
* Bump version for endpoint promotion rules
* remove timestamp_override
* lock versions
2021-04-12 05:55:51 -08:00
414d320276
[Rule Tuning] Local Scheduled Task Commands ( #1043 )
...
* Update persistence_local_scheduled_task_commands.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2021-04-08 14:28:21 -04:00
0095a80014
Network rules for the 7.13 release ( #1087 )
...
* Adding network rules for the 7.13 release
* Adding rule guids
* Update rules/ml/ml_high_count_network_denies.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_high_count_network_events.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_spike_in_traffic_to_a_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Minor changes
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-04-08 09:34:47 -07:00
Apoorva Joshi