security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,884 Commits 1 Branch 0 Tags
f233909e7dcbb8cccaa8024ea4a7509dd97e55da
Commit Graph

622 Commits

Author SHA1 Message Date
Jonhnathan 97e49795ab [Rule Tuning] Windows BBR Tuning - 5 (#3385) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-02-14 10:23:06 -03:00
Jonhnathan ae00f30574 [Rule Tuning] Windows BBR Tuning - 2 (#3381) 
* [Rule Tuning] Windows BBR Tuning - 2

* Update defense_evasion_masquerading_windows_system32_exe.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-02-14 09:58:31 -03:00
Jonhnathan 21b559c97f [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#3432) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-02-08 06:27:16 -03:00
Samirbous 6906a27c3a Update lateral_movement_remote_task_creation_winlog.toml (#3419) 2024-02-05 18:36:24 +00:00
Jonhnathan 8274f9a816 [Rule Tuning] Windows BBR Tuning - 1 (#3380) 
* [Rule Tuning] Windows BBR Tuning - 1

* .

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-02-05 12:47:24 -03:00
Jonhnathan edd3556b63 [Rule Tuning] Startup or Run Key Registry Modification (#3367) 2024-02-05 12:28:06 -03:00
Samirbous 5a68ccfd0d [New] Potential Enumeration via Active Directory Web Service (#3416) 
* Create discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml
 2024-02-02 14:19:22 +00:00
Jonhnathan 50df6f3e9b [Rule Tuning] Potential Modification of Accessibility Binaries (#3401) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-02-01 11:26:39 -03:00
Samirbous d7f4d7972e [Tuning] DCSync Rules - 4662 event.action (#3410) 
* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml
 2024-01-30 11:43:28 +00:00
Jonhnathan 92804343bc [Rule Tuning] Windows DR Tuning - 15 (#3377) 
* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml
 2024-01-23 16:48:31 -03:00
Jonhnathan e33389b2ef [Rule Tuning] Direct Outbound SMB Connection (#3400) 
* [Rule Tuning] Direct Outbound SMB Connection

* Update lateral_movement_direct_outbound_smb_connection.toml
 2024-01-23 15:33:49 -03:00
Jonhnathan e0bdb59deb [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux (#3398) 
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux

* Update defense_evasion_wsl_filesystem.toml
 2024-01-22 18:47:53 -03:00
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Jonhnathan f6ba12a700 [Rule Tuning] Windows DR Tuning - 12 (#3364) 2024-01-17 13:19:12 -03:00
sbousseaden 27262a585b [Tuning] Add logs-system. index where applicable (#3390) 
* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-01-17 13:49:59 +00:00
Jonhnathan 71cec2a0e1 [Rule Tuning] Windows DR Tuning - 13 (#3369) 2024-01-17 09:53:18 -03:00
Jonhnathan c6ab294627 [Rule Tuning] Windows DR Tuning - 10 (#3355) 
* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml
 2024-01-17 09:44:10 -03:00
Jonhnathan 0469785793 [Rule Tuning] Windows DR Tuning - 14 (#3376) 
* [Rule Tuning] Windows DR Tuning - 14

* Update persistence_suspicious_com_hijack_registry.toml

* Update rules/windows/persistence_webshell_detection.toml
 2024-01-15 11:16:04 -03:00
Jonhnathan caf38fd1b1 [Rule Tuning] Windows DR Tuning - 11 (#3359) 
* [Rule Tuning] Windows DR Tuning - 10

* Update execution_posh_hacktool_functions.toml

* Update impact_backup_file_deletion.toml
 2024-01-15 10:55:50 -03:00
Jonhnathan 724e34ba95 [Rule Tuning] Windows DR Tuning - 9 (#3354) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-07 09:49:33 -03:00
Jonhnathan 7b1215ccf1 [Rule Tuning] Windows DR Tuning - 8 (#3353) 
* [Rule Tuning] Windows DR Tuning - 8

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/defense_evasion_via_filter_manager.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/defense_evasion_via_filter_manager.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-03 12:00:29 -03:00
Samirbous b7e21d8c29 [New] Potential Evasion via Windows Filtering Platform (#3356) 
* Create defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update rules/windows/defense_evasion_windows_filtering_platform.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_windows_filtering_platform.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-01-03 12:50:12 +00:00
Samirbous 341499a2bc [Deprecate] Potential Process Herpaderping Attempt (#3336) 
* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* ++

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-19 15:59:48 -05:00
Jonhnathan 578936d37a [Security Content] Add Windows Investigation Guides (#3257) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
 2023-12-19 12:38:28 -03:00
Jonhnathan 2f468ddcba [Rule Tuning] Windows DR Tuning - 7 (#3344) 
* [Rule Tuning] Windows Rule Tuning -1

* Update command_and_control_ingress_transfer_bits.toml
 2023-12-18 14:27:55 -03:00
Samirbous 4b183be124 [Tuning] Suspicious Script Object Execution (#3339) 
* Update defense_evasion_suspicious_scrobj_load.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-12-14 16:49:54 -07:00
Samirbous 07b952b7bc [Tuning] Remote Scheduled Task Creation (#3337) 
* Update non-ecs-schema.json
* add timestamp override

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-12-14 16:39:52 -07:00
Justin Ibarra aff7f37b92 [Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331) 
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-12-14 15:04:08 -07:00
Justin Ibarra a7b9a61942 [Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329) 
* [Rule Tuning] Optimize query for Direct Outbound SMB Connection

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-12-14 11:21:46 -07:00
Samirbous 8b2aed4fc0 [Tuning] Suspicious Managed Code Hosting Process (#3338) 
* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update defense_evasion_suspicious_managedcode_host_process.toml
 2023-12-14 17:51:35 +00:00
Samirbous 727c23e3d2 [Tuning] Multiple Logon Failure Followed by Logon Success (#3340) 
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
 2023-12-14 17:41:06 +00:00
Samirbous 7a4f1224dc [Rule Tuning] Account Password Reset Remotely (#3335) 
* [Rule Tuning] Account Password Reset Remotely

- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)

* Update persistence_remote_password_reset.toml
 2023-12-14 17:22:19 +00:00
Jonhnathan 6f4c323929 [Rule Tuning] Windows DR Tuning - 6 (#3246) 
* [Rule Tuning] Windows DR Tuning - 6

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-12-12 11:37:54 -03:00
Jonhnathan aeb1f91320 [Security Content] Introduce Investigate Plugin in Investigation Guides (#3080) 
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-12-08 11:54:40 -07:00
Jonhnathan eb7c5f6717 [Security Content] Add Windows Investigation Guides (#3095) 
* [Security Content] Add Windows Investigation Guides

* Update defense_evasion_rundll32_no_arguments.toml

* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml

* Update privilege_escalation_posh_token_impersonation.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml

* Update rules/windows/defense_evasion_rundll32_no_arguments.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_registry_modification.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_registry_modification.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/execution_ms_office_written_file.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update privilege_escalation_posh_token_impersonation.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
 2023-12-08 11:31:16 -03:00
Samirbous 7070eb3b34 [New] Rare SMB Connection to the Internet (#3300) 
* Create exfiltration_smb_rare_destination.toml

* Update exfiltration_smb_rare_destination.toml

* Update exfiltration_smb_rare_destination.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 13:10:20 -03:00
Ruben Groenewoud 1647a16fab [Rule Tuning] UEBA new_terms process_executable (#3268) 
* [Rule Tuning] UEBA new_terms process_executable

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 16:38:08 +01:00
Samirbous 7488c60090 [New] Process Created with a Duplicated Token (#3152) 
* [New] Process Created with a Duplicated Token

using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :

* Update privilege_escalation_create_process_with_token_unpriv.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-12-07 08:20:30 -03:00
Jonhnathan e5d676797e [Rule Tuning] Windows DR Tuning - 5 (#3229) 
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-12-05 19:20:40 -03:00
Samirbous e6df245ff3 [New] Interactive Logon by an Unusual Process (#3299) 
* Create privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml
 2023-12-05 17:34:10 +00:00
Samirbous 88f752bf8b [New] First Time Seen NewCredentials Lgon Process (#3276) 
* Create privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 18:37:15 +00:00
Jonhnathan f53f46efd5 [Rule Tuning] Fix Menasec Expired Links (#3271) 2023-11-14 10:18:34 -03:00
shashank-elastic a568c56bc1 Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 2023-10-30 16:53:04 +05:30
Jonhnathan 1133b3a8a9 [Rule Tuning] Windows DR Tuning - 4 (#3214) 
* [Rule Tuning] Windows DR Tuning - 4

* Update credential_access_remote_sam_secretsdump.toml
 2023-10-26 20:58:49 -03:00
Jonhnathan 3d73427e29 [Rule Tuning] Windows DR Tuning - 3 (#3212) 
* [Rule Tuning] Windows DR Tuning - 3

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_moving_registry_hive_via_smb.toml
 2023-10-26 18:58:59 -03:00
Jonhnathan efa7c428ea [Rule Tuning] Windows DR Tuning - 2 (#3209) 
* [Rule Tuning] Windows DR Tuning - 2

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

* Update credential_access_kerberoasting_unusual_process.toml

* Update command_and_control_teamviewer_remote_file_copy.toml
 2023-10-26 18:10:31 -03:00
Jonhnathan a5240e4063 [Rule Tuning] Windows DR Tuning - 1 (#3198) 
* [Rule Tuning] Windows DR Tuning - 1

* Update collection_winrar_encryption.toml
 2023-10-26 17:20:32 -03:00
Jonhnathan 6fcf26b20e [Promote] Potential Masquerading as Communication Apps (#3181) 
* [Promote] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-10-23 14:56:03 -03:00
Jonhnathan a471f6fc60 [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver (#3215) 
* [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver

* Update privilege_escalation_installertakeover.toml
 2023-10-23 14:34:36 -03:00
Jonhnathan 18ff85ce84 [Promote] Expired or Revoked Driver Loaded (#3185) 
* [Promote] Expired or Revoked Driver Loaded

* Update privilege_escalation_expired_driver_loaded.toml
 2023-10-23 11:44:37 -03:00