Commit Graph

  • dc53fc1f04 [New Rule] Persistence via Docker Shortcut Modification (#733) Samirbous 2021-01-26 08:38:38 +01:00
  • 6883ea0aa6 [New Rule] Potential Persistence via Login Hook (#900) Samirbous 2021-01-26 08:35:16 +01:00
  • dd2f655367 [New Rule] Potential Cookies Theft via Browser Debugging (#741) Samirbous 2021-01-26 08:21:45 +01:00
  • 1ae769a563 [New Rule] Creation of a Hidden Local User Account (#738) Samirbous 2021-01-26 08:15:50 +01:00
  • 7fdb6b2e80 Create persistence_time_provider_mod.toml (#890) Brent Murphy 2021-01-25 14:42:56 -05:00
  • ecbb57814a Create credential_access_saved_creds_vaultcmd.toml (#884) Brent Murphy 2021-01-25 14:25:35 -05:00
  • 4639df022b [New Rule] Modification of WDigest Security Provider (#883) Brent Murphy 2021-01-25 13:54:36 -05:00
  • 8c123785f0 [New Rule] Enumeration Command Spawned via WMIPrvSE (#882) Brent Murphy 2021-01-25 13:46:26 -05:00
  • 01c3c718f5 [New Rule] Executable File Creation with Multiple Extensions (#881) Brent Murphy 2021-01-25 13:40:25 -05:00
  • aa409111b8 [New Rule] Azure Active Directory High Risk Sign-in (#790) Brent Murphy 2021-01-25 13:27:06 -05:00
  • 1708ea3252 Loosen query DSL filter schema validation (#895) Ross Wolf 2021-01-20 12:21:46 -07:00
  • fb92c69797 [New Rule] Clearing Windows Security Logs (#529) Anabella Cristaldi 2021-01-12 01:17:20 +01:00
  • 6177458bd8 Add empty technique array to rules (#828) 7.11 Justin Ibarra 2021-01-11 08:58:18 -09:00
  • 5bbe43144d Fix default branch name for GitHub Actions Ross Wolf 2021-01-05 20:05:37 -07:00
  • a0ae05c78e Fix spelling of Continuous Monitoring (#795) Ross Wolf 2021-01-04 15:05:34 -07:00
  • 67413cee47 Update ML-DGA docs (#750) Justin Ibarra 2020-12-21 16:25:24 -09:00
  • 992eabd6dc update incomplete bug fix from 736 for 7.11 -> 7.10 downgrade logic Justin Ibarra 2020-12-18 22:04:19 -09:00
  • 5561738f28 update incomplete bug fix from 736 for 7.11 -> 7.10 downgrade logic ML-experimental-detections-20201221-2 Justin Ibarra 2020-12-18 22:01:06 -09:00
  • 425e0ddf64 Add flattened subtechniques to rule-search (#739) Justin Ibarra 2020-12-18 14:21:37 -09:00
  • c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) Justin Ibarra 2020-12-18 12:46:16 -09:00
  • 627610401c [Rule Tuning] Update rules for new Fleet integrations (#729) Brent Murphy 2020-12-18 12:23:12 -05:00
  • 783332642d Merge branch '7.11' into main Ross Wolf 2020-12-18 09:28:30 -07:00
  • 7dcb666d81 Fix 7.11 -> 7.10 ATT&CK downgrade logic for optional techniques (#736) Ross Wolf 2020-12-18 09:28:05 -07:00
  • 331d321648 Make threat.technique optional (#727) Ross Wolf 2020-12-17 22:22:59 -07:00
  • 39ab9f14e1 strip trailing slash from kibana_url only if defined Justin Ibarra 2020-12-16 13:00:20 -09:00
  • ff76571366 strip trailing slash in kibana_url only when defined ML-DGA-20201216-1 Justin Ibarra 2020-12-16 12:59:30 -09:00
  • 86fe2d6279 Restore PR jobs Ross Wolf 2020-12-16 08:12:21 -07:00
  • 97f9f864d1 Remove duplicate PR job (#728) Ross Wolf 2020-12-15 13:59:14 -07:00
  • 889828d473 [New Rule] SUNBURST Command and Control Activity Detected (#723) Andrew Pease 2020-12-15 14:41:54 -06:00
  • 79a5ca9b78 [New Rule] APT Solarwinds Backdoor Behavior - 5 rules (#722) Samirbous 2020-12-15 21:33:00 +01:00
  • b6aa6c6548 Auth to Kibana connector using an existing cookie (#711) Justin Ibarra 2020-12-12 19:10:52 -06:00
  • 3042cbb5d6 [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725) Samirbous 2020-12-15 19:10:52 +01:00
  • 5244151b2e [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725) Samirbous 2020-12-15 19:10:52 +01:00
  • c5cae5c437 [New Rule] Azure Active Directory PowerShell Sign-in (#718) Brent Murphy 2020-12-15 11:52:43 -05:00
  • 6b31b96bf8 [New Rule] Azure Service Principal Addition (#717) Brent Murphy 2020-12-15 11:47:23 -05:00
  • 84ab3db48c [New Rule] Azure Application Credential Modification (#716) Brent Murphy 2020-12-15 11:41:26 -05:00
  • a6463b435c [Rule Tuning] Replace line comments with block comments (#710) Justin Ibarra 2020-12-12 20:11:17 -06:00
  • b012a23df8 Auth to Kibana connector using an existing cookie (#711) Justin Ibarra 2020-12-12 19:10:52 -06:00
  • 7926e50b8f bump package version to 7.12 Justin Ibarra 2020-12-09 13:51:19 -09:00
  • 7c2abc68d7 [Docs] Update ML_DGA.md (#707) Justin Ibarra 2020-12-09 23:06:35 +01:00
  • a5cd35f498 AdFind Command Activity (#395) Andrew Pease 2020-12-09 15:01:28 -06:00
  • 66506139d9 [New Rule] Detects Mimikatz via Invoke-Mimikatz (#700) Andrew Pease 2020-12-09 14:51:45 -06:00
  • 17cf79d076 [New Rule] Default Cobalt Strike Team Server Certificate (#358) Andrew Pease 2020-12-09 14:49:31 -06:00
  • d5eaf5db53 [New Rule] High Number of Process and/or Services Termination (#672) ML-experimental-detections-20201209-1 Samirbous 2020-12-09 09:00:19 +01:00
  • 14fe63bb1e [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process (#676) Samirbous 2020-12-09 08:55:58 +01:00
  • e272800a5d Add ATT&CK sub-technique support to CLI (#614) Justin Ibarra 2020-12-09 07:56:55 +01:00
  • b8d2f6fc96 [Rule Tuning] Possible Consent Grant Attack via Azure-Registered Application (#575) David French 2020-12-08 17:20:30 -07:00
  • 24828ea9cb [New Rule] Conversions of some APT-29 Endgame rules (#702) Justin Ibarra 2020-12-09 00:13:34 +01:00
  • 598e807a5c [New Rule] Microsoft 365 Teams Custom Application Interaction Allowed (#657) Brent Murphy 2020-12-08 17:36:47 -05:00
  • 0ed1e1df71 Add support to validate against dev ECS and beats schemas (#691) Justin Ibarra 2020-12-08 23:29:56 +01:00
  • 73e2690ec0 [New Rule] Potential Password Spraying of Microsoft 365 User Accounts (#665) Brent Murphy 2020-12-08 17:19:39 -05:00
  • 200fbe939e [Bug] Allow duplicative queries across different rule types (#704) Justin Ibarra 2020-12-08 23:16:59 +01:00
  • 8c92ae7348 Add ATT&CK subtechniques to the schema (#337) Ross Wolf 2020-12-08 14:57:30 -07:00
  • d74b41c1a0 [New Rule] Microsoft 365 Teams External Access Enabled (#661) Brent Murphy 2020-12-08 16:48:15 -05:00
  • 6bfe5d3dd8 [New Rule] Microsoft 365 Teams Guest Access Enabled (#601) Brent Murphy 2020-12-08 16:44:15 -05:00
  • 6a296c64c5 [New Rule] Microsoft 365 Exchange DKIM Signing Configuration Disabled (#578) Brent Murphy 2020-12-08 16:38:00 -05:00
  • 94e8fa80bb [Rule Tuning] Suspicious Endpoint Security Parent Process (#509) Samirbous 2020-12-08 22:34:28 +01:00
  • 538aa80bba [New Rule] Process Termination Followed by Deletion (#482) Samirbous 2020-12-08 22:26:11 +01:00
  • 97fa6c62cd [New Rule] Remote File Download via Powershell (#660) Samirbous 2020-12-08 21:28:28 +01:00
  • 9792d967d7 [Rule Tuning] Convert to EQL 5 existing rules (#414) Samirbous 2020-12-08 21:07:26 +01:00
  • afb00d7097 [New Rule] Encoded Executable Stored in the Registry (#636) Samirbous 2020-12-08 20:51:14 +01:00
  • 19e0de3bed [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573) Samirbous 2020-12-08 20:35:18 +01:00
  • 16a49b3278 [New Rule] Windows Script Executing a Process via WMI (#643) Samirbous 2020-12-08 19:23:48 +01:00
  • b98f5d4042 [New Rule] Launch Agent Creation or Modification followed by Loading (#696) Samirbous 2020-12-08 19:08:16 +01:00
  • 5483712805 [New Rule] Lolbas ImageLoad via Windows Update Client (#366) Samirbous 2020-12-08 18:54:09 +01:00
  • 1c2166b23f [New Rule] - Execution from Unusual Directory (#433) Samirbous 2020-12-08 18:46:56 +01:00
  • e7695f862f [New Rule] Potential Credential Access with LolBas (#620) Samirbous 2020-12-08 17:56:25 +01:00
  • 6bc4a6b9bb [New Rule] Linux System Log Files Deleted (#461) Samirbous 2020-12-08 17:34:33 +01:00
  • c0c369181a [New Rule] New Port Forwarding Rule Added (#630) Samirbous 2020-12-08 17:32:08 +01:00
  • 35ee818854 [Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable (#502) Samirbous 2020-12-08 17:27:16 +01:00
  • 63759a4bf4 [New Rule] Lsass Memory Dump Created (#618) Samirbous 2020-12-08 17:24:51 +01:00
  • feb79c0304 [New Rule] Suspicious Execution via Scheduled Task (#584) Samirbous 2020-12-08 17:20:21 +01:00
  • ccea74d9d8 [New Rule] Incoming Execution via PowerShell Remoting (#624) Samirbous 2020-12-08 17:16:10 +01:00
  • 0479a8f8a3 [New Rule] Image File Execution Options Injection (#550) Samirbous 2020-12-08 17:13:00 +01:00
  • 0e78638655 [New Rule] Program Files Directory Masquerading (#581) Samirbous 2020-12-08 17:04:31 +01:00
  • 02e9c082df [New Rule] Potential SharpRdp Detected (#527) Samirbous 2020-12-08 17:00:51 +01:00
  • bd2006d70d [New Rule] WMI Incoming Lateral Movement (#532) Samirbous 2020-12-08 16:57:41 +01:00
  • 16551bbfe7 [New Rule] NTDS or SAM Database File Copied (#622) Samirbous 2020-12-08 16:55:35 +01:00
  • e707b53a03 [New Rule] Scheduled Jobs AT Protocol Enabled (#609) Samirbous 2020-12-08 16:52:17 +01:00
  • 637d06f6c9 [New Rule] Mounting Hidden or WebDav Remote Shares (#444) Samirbous 2020-12-08 16:50:09 +01:00
  • 0544461b45 [New Rule] Remote Scheduled Task Creation (#598) Samirbous 2020-12-08 16:40:48 +01:00
  • 7d7d010509 [New Rule] Persistence via Hidden Run Key ValName (#534) Samirbous 2020-12-08 16:38:23 +01:00
  • 929277486d [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#499) Samirbous 2020-12-08 16:34:36 +01:00
  • efba50d670 [New Rule] Enable RDP Through Registry (#632) Samirbous 2020-12-08 16:32:24 +01:00
  • 6b96b99dc1 [New Rule] Execution from TSClient Mountpoint (#524) Samirbous 2020-12-08 16:30:10 +01:00
  • 58174015bd [New Rule] Privilege Escalation via Windir Environment Variable (#638) Samirbous 2020-12-08 16:21:42 +01:00
  • fbecc85593 [New Rule] Incoming DCOM Lateral Movement with MMC (#488) Samirbous 2020-12-08 16:19:26 +01:00
  • e038b34344 [New Rule] Connection to Commonly Abused Free SSL Certificate Providers (#478) Samirbous 2020-12-08 16:16:11 +01:00
  • 49abcd7f4d [New Rule] Execution from unusual directory - CommandLine (#435) Samirbous 2020-12-08 16:13:52 +01:00
  • 525512fdae [New Rule] Remote File Copy to a Hidden Share (#474) Samirbous 2020-12-08 16:07:18 +01:00
  • 725f509700 [New Rule] LaunchDaemon Creation or Modification followed by Loading (#698) Samirbous 2020-12-08 16:04:34 +01:00
  • 46d6bc69a2 [New Rule] UAC Bypass via Mocking Windir (#411) Samirbous 2020-12-08 15:55:36 +01:00
  • 3040f6103f [New Rule] Suspicious PrintSpooler Point and Print DLL (#641) Samirbous 2020-12-08 15:07:26 +01:00
  • 3fda16db71 [Rule Tuning] Potential Modification of Accessibility Binaries (#546) Samirbous 2020-12-08 12:42:34 +01:00
  • d59b2cb72b [New Rule] Persistence with Startup Folder by Unsigned Process (#651) Samirbous 2020-12-08 12:39:44 +01:00
  • 6dc78c4703 [New Rule] Remote File Download via Scripting (#647) Samirbous 2020-12-08 12:37:51 +01:00
  • c76439923b [New Rule] Attempt to Remove File Quarantine Attribute (#674) Samirbous 2020-12-08 12:27:03 +01:00
  • d1dc7b413e [New Rule] Apple Script Execution followed by Network Connection (#681) Samirbous 2020-12-08 12:25:03 +01:00
  • aeb061514c [New Rule] Persistence via Login and/or Logout Hooks (#683) Samirbous 2020-12-08 12:09:36 +01:00
  • bb93988926 [Rule Tuning] Unusual Network Connection via RunDLL32 (#693) Samirbous 2020-12-08 12:01:17 +01:00