security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,763 Commits 1 Branch 0 Tags
f3d55185c2ff6fbefee2b8a90294f6af767dfbe4
Commit Graph

60 Commits

Author SHA1 Message Date
Ruben Groenewoud 515ee158fb [New BBR] Segfault Detected (#3240) 
* [New BBR] Segfault Detected

* Update rules_building_block/execution_linux_segfault.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules_building_block/execution_linux_segfault.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit dff4633dd4)
 2023-11-02 08:46:22 +00:00
Ruben Groenewoud 13c6fbbcea [New BBR] Kernel Driver Load (#3236) 
* [New BBR] Kernel Driver Load

* added event.dataset to the query

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 967f6a4c89)
 2023-11-02 08:38:32 +00:00
shashank-elastic a31d788dcb Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 
(cherry picked from commit a568c56bc1)
 2023-10-30 11:28:47 +00:00
Ruben Groenewoud 01a8fd30f2 [Rule Tuning] Tainted Kernel Module Load (#3234) 
* [Rule Tuning] Tainted kernel module load

* Update persistence_tainted_kernel_module_load.toml

* Update rules_building_block/persistence_tainted_kernel_module_load.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit ad25c922fd)
 2023-10-30 08:55:15 +00:00
Jonhnathan aa62790ae6 [Rule Tuning] Windows DR Tuning - 1 (#3198) 
* [Rule Tuning] Windows DR Tuning - 1

* Update collection_winrar_encryption.toml

(cherry picked from commit a5240e4063)
 2023-10-26 20:26:43 +00:00
Jonhnathan 223bfe0a6d [Promote] Potential Masquerading as Communication Apps (#3181) 
* [Promote] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 6fcf26b20e)
 2023-10-23 18:01:34 +00:00
Ruben Groenewoud 9078f76827 [New BBR] Unix Socket Communication (#3072) 
* [New Rule] Unix Socket Communication

* Update rules_building_block/execution_unix_socket_communication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules_building_block/execution_unix_socket_communication.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

(cherry picked from commit 9807bebd8e)
 2023-10-23 15:24:36 +00:00
Ruben Groenewoud 23337d90d4 [New BBR] Tainted Kernel Module Load (#3211) 
* [New Rule] Tainted Kernel Module Load

* added setup note

* Fixed tag

* added type change

* timestamp override

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 024d45bd56)
 2023-10-23 15:12:20 +00:00
Jonhnathan 916b1a2cad [Promote] Expired or Revoked Driver Loaded (#3185) 
* [Promote] Expired or Revoked Driver Loaded

* Update privilege_escalation_expired_driver_loaded.toml

(cherry picked from commit 18ff85ce84)
 2023-10-23 14:50:52 +00:00
Ruben Groenewoud 9b2e74b220 [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 020fff3aea)
 2023-10-23 14:34:55 +00:00
Jonhnathan f82c0b6e0b [New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143) 
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 3

* Update defense_evasion_invalid_codesign_imageload.toml

* Update defense_evasion_invalid_codesign_imageload.toml

* Update rules_building_block/initial_access_execution_remote_via_msiexec.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/initial_access_xsl_script_execution_via_com.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules_building_block/initial_access_execution_remote_via_msiexec.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

(cherry picked from commit 74222f86eb)
 2023-10-17 17:22:19 +00:00
Jonhnathan 7921daeddd [New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138) 
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 2

* Update defense_evasion_unsigned_bits_client.toml

* Update rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* .

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 3ea3e5a9fd)
 2023-10-17 16:55:50 +00:00
Jonhnathan d24492678e [New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131) 
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 1

* .

* .

* Update defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

* .

(cherry picked from commit 32002fd89b)
 2023-10-17 14:42:54 +00:00
Jonhnathan 18dc3b0f73 [New Rule] [BBR] Memory Dump File Rules (#3122) 
* [New Rule] Memory Dump File Rules

* .

* .

* .

(cherry picked from commit a33a124eab)
 2023-10-17 12:41:28 +00:00
Jonhnathan f7a2c9b0b4 [Rule Tuning] Potential Masquerading as Browser Process (#3180) 
* [Rule Tuning] Potential Masquerading as Browser Process

* Update defense_evasion_masquerading_browsers.toml

* Update defense_evasion_masquerading_browsers.toml

(cherry picked from commit 8035516e8e)
 2023-10-17 11:59:16 +00:00
Jonhnathan 97ce9d7478 [Rule Tuning] Potential Masquerading as System32 DLL (#3184) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit e4e68c2dd8)
 2023-10-17 11:35:05 +00:00
Jonhnathan ef715864f4 [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165) 
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules

* Fix dates

* Fix unit test errors

* updated tags and fixed branch conflicts

updated tags and fixed branch conflicts

* description nit

* Reverting unintended changes

* Update initial_access_suspicious_ms_office_child_process.toml

---------

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>

(cherry picked from commit f584fb6e31)
 2023-10-15 21:18:03 +00:00
Jonhnathan 788f2ce884 [Rule Tuning] PowerShell Rules Tuning (#3169) 
(cherry picked from commit 3f2a709370)
 2023-10-11 21:03:44 +00:00
Justin Ibarra 7c563fb834 [New Rule] File Compressed or Archived into Common Format (#3173) 
* [New Rule] File Compressed or Archived into Common Format
* new build-threat-map-entry-command

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 7f8a9849c4)
 2023-10-11 18:40:16 +00:00
Ruben Groenewoud f66b82c0ec [Tuning] Windows Execution Rule Tuning for UEBA (#3107) 
* Update defense_evasion_execution_msbuild_started_by_script.toml

* Mostly updated Execution tags, also new_terms conv

* removed index

* Removed index

* WMIPrvSE tuning

* Additional tuning

* Tuning & changes

* Additional tuning

* Applied unit test optimization

* Addressed feedback

* Update rules/windows/execution_command_shell_started_by_svchost.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* caseless unit testing fix

* fixed caseless executable unit test

* unit testing fix

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml

* Added user ids to new terms

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/execution_unsigned_service_executable.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update execution_unsigned_service_executable.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit c2822e175c)
 2023-10-11 08:21:37 +00:00
Ruben Groenewoud d4d794b586 [Tuning] Windows Discovery Rule Tuning for UEBA (#3097) 
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 4cdf52129a)
 2023-10-11 07:49:08 +00:00
Ruben Groenewoud dd080b7850 [New BBR] Sus. Process Started via tmux or screen (#3071) 
* [New BBR] Sus. Process Started via tmux or screen

* [New BBR] Unix Socket Connection

* Revert "[New BBR] Unix Socket Connection"

This reverts commit 92a0b09e8c505bceb1025124658bb4233d5d19d9.

* Update rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 8f122197bb)
 2023-09-30 11:02:39 +00:00
Jonhnathan 7cb4c5216d [New Rule] [BBR] File with Suspicious Extension Downloaded (#3139) 
* [New Rule] [BBR] File with Suspicious Extension Downloaded

* Update defense_evasion_download_susp_extension.toml

(cherry picked from commit f77bec8552)
 2023-09-27 15:43:02 +00:00
Jonhnathan 711e0f3ab7 [New Rule] New BBR Rules - Part 2 (#3029) 
* [New Rule] New BBR Rules - Part 2

* Update discovery_generic_account_groups.toml

* Update discovery_generic_account_groups.toml

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/execution_downloaded_shortcut_files.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/defense_evasion_unusual_process_extension.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update defense_evasion_unusual_process_extension.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ddb1f75352)
 2023-09-13 00:54:52 +00:00
Jonhnathan 4b2112f4a0 [New Rule] New BBR Rules - Part 3 (#3034) 
* [New Rule] New BBR Rules - Part 3

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit af99186992)
 2023-09-13 00:34:12 +00:00
Jonhnathan e9b1ebae3f [New Rule] New BBR Rules - Part 5 (#3052) 
* [New Rule] New BBR Rules - Part 5

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Tag work

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 3614f42b00)
 2023-09-05 21:42:38 +00:00
Jonhnathan 521ecdc6c4 [New Rule] New BBR Rules - Part 1 (#3026) 
* [New Rule] New BBR Rules - Part 1

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/lateral_movement_at.toml

* Update rules_building_block/collection_outlook_email_archive.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 8049c96281)
 2023-09-05 21:14:06 +00:00
Jonhnathan 56e54e714c [New Rule] Potential Masquerading as Business App Installer (#3068) 
(cherry picked from commit 26c97dc241)
 2023-09-05 21:04:26 +00:00
Jonhnathan 063386829c [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit 4233fef238)
 2023-09-05 18:28:40 +00:00
Jonhnathan 6c074f21d8 [New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015) 
* [New Rule] WRITEDAC Access on Active Directory Object

* Update defense_evasion_write_dac_access.toml

* Fix Setup Instructions

* Update defense_evasion_write_dac_access.toml

* Update rules_building_block/defense_evasion_write_dac_access.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit fdd45148b8)
 2023-08-31 16:04:58 +00:00
Ruben Groenewoud 3926384446 [New Rules] GDB Secret Dumping (#3060) 
* [New Rules] GDB Secret Dumping

* Added references to BBR

* Update rules/linux/credential_access_gdb_init_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit f7d8d4752a)
 2023-08-31 15:47:30 +00:00
Ruben Groenewoud 7b5897bad4 [New BBR] Suspicious which Enumeration (#3059) 
(cherry picked from commit 04d1c3cd5b)
 2023-08-31 12:01:57 +00:00
Jonhnathan dee3a5f61c [New Rule] Suspicious Communication App Child Process (#2998) 
* [New Rule] Suspicious Communication App Child Process

* Update defense_evasion_communication_apps_suspicious_child_process.toml

* Update rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit c89b722a34)
 2023-08-31 10:38:57 +00:00
Jonhnathan ae1f704845 [New Rule] Potential Masquerading as VLC DLL (#3006) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a7a22a0917)
 2023-08-30 20:51:39 +00:00
Ruben Groenewoud 1da5bca492 [New Rules] Linux Tunneling and Port Forwarding (#3028) 
* Removed iodine rule due to new tunneling rule

* [New Rules] Linux Tunneling and Port Forwarding

* added ash

* Fixed description styling

* Changed rule name

* Update command_and_control_linux_suspicious_proxychains_activity.toml

* Added deprecation note & name change

* Changed deprecation status

* Removed deprecation date

* Fixed unit testing

* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 32abdb95f7)
 2023-08-30 20:17:43 +00:00
Jonhnathan 374ac8ad1c [New Rule] Unusual Process For MSSQL Service Accounts (#3040) 
* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added   "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 7004c99ef5)
 2023-08-29 12:16:12 +00:00
Jonhnathan 154ee50051 [New Rule] New BBR Rules - Part 4 (#3035) 
* [New Rule] New BBR Rules - Part 4

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 0e337e2c36)
 2023-08-29 11:55:07 +00:00
Jonhnathan 520a670568 [New Rule] Potential Masquerading as Browser Process (#2995) 
* [New Rule] Potential Masquerading as Browser Process

* Update rules_building_block/defense_evasion_masquerading_browsers.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_masquerading_browsers.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 9f213cc9f7)
 2023-08-28 16:34:26 +00:00
Jonhnathan 112e2f2864 [New Rule] Potential Masquerading as Windows System32 DLL (#3021) 
* [New Rule] Potential Masquerading as Windows System32 DLL

* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Restrict logic

* Update defense_evasion_masquerading_windows_dll.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 7496c5cb68)
 2023-08-28 11:37:53 +00:00
Jonhnathan f00a14c3af [New Rule] Network-Level Authentication (NLA) Disabled (#3039) 
* [New Rule] Network-Level Authentication (NLA) Disabled

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit ffa60f2d03)
 2023-08-28 11:11:26 +00:00
shashank-elastic 8aad7d7d02 BBR Rules Addition (#3027) 
(cherry picked from commit d21ed24e4f)
 2023-08-25 13:45:51 +00:00
Ruben Groenewoud ed2daecb25 [Rule Tuning] Several rule tunings (#3024) 
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit a1716bd673)
 2023-08-25 12:09:16 +00:00
Jonhnathan a16735676f [Rule Tuning] Windows BBR Rules (#3018) 
* [Rule Tuning] Windows BBR Rules

* Update discovery_generic_process_discovery.toml

(cherry picked from commit 17f6537e44)
 2023-08-25 08:26:51 +00:00
Jonhnathan 38aca58b17 [Rule Tuning] Compression DLL Loaded by Unusual Process (#3017) 
(cherry picked from commit 460919a9d7)
 2023-08-25 08:14:13 +00:00
Jonhnathan 37ff018674 [New Rule] Potential Masquerading as Windows System32 Executable (#3022) 
* [New Rule] Potential Masquerading as Windows System32 Executable

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit f8df53626e)
 2023-08-21 18:20:06 +00:00
Jonhnathan 7c4ca0a4a3 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 9144dc0448)
 2023-08-17 16:06:41 +00:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Jonhnathan 2393190edf [New Rule] PowerShell Script with Webcam Video Capture Capabilities (#2935) 
* [New Rule] PowerShell Script with Webcam Video Capture Capabilities

* Update collection_posh_webcam_video_capture.toml

* Update rules_building_block/collection_posh_webcam_video_capture.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-09 15:17:15 -03:00
Ruben Groenewoud ef1fa94c52 [New BBR] Suspicious Clipboard Activity (#2970) 
* [New BBR] Suspicious Clipboard Activity

* Added new line to end of file

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 15:41:23 +02:00
Jonhnathan d1db3a0048 [New Rule] Building Block Rules - Part 4 (#2926) 
* [New Rule] Building Block Rules - Part 4

* Update discovery_win_network_connections.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update rules_building_block/discovery_win_network_connections.toml

* Update rules_building_block/privilege_escalation_unquoted_service_path.toml

* Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml

* Update discovery_net_share_discovery_winlog.toml
 2023-07-31 11:03:57 -03:00