Samirbous 0ed2918b8d [New Rule] Scheduled Task Creation using winlog (#2277) ...

* [New Rule] Scheduled Task Creation using winlog

https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task)

- A scheduled task was created
- A scheduled task was updated
- Temp scheduled task (creation followed by deletion, rare and can be sign of proxy execution via schedule service)

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* toml-lint

* remote task

* Update non-ecs-schema.json

* waaaaaaaaaaaaaa

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update lateral_movement_remote_task_creation_winlog.toml

* event.ingested

* Update lateral_movement_remote_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 4609a5e8fe)

2022-09-19 16:51:46 +00:00

..

etc

[New Rule] Scheduled Task Creation using winlog (#2277)

2022-09-19 16:51:46 +00:00

schemas

Prep for 8.5 branch (#2220)

2022-08-09 21:15:37 +00:00

__init__.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

__main__.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

attack.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

beats.py

Move etc under detection_rules (#1885)

2022-05-02 14:13:36 +00:00

cli_utils.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

devtools.py

Add test command to verify version collisions do not occur (#2272)

2022-09-19 15:54:33 +00:00

docs.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

ecs.py

Cleanup rule survey code (#1923)

2022-09-06 21:54:38 +00:00

eswrap.py

[Bug] Keyerror on rule-survey hits (#2293)

2022-09-13 15:39:53 +00:00

ghwrap.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

integrations.py

add new field related_integrations to the post build (#2060)

2022-08-08 17:45:26 +00:00

kbwrap.py

Cleanup rule survey code (#1923)

2022-09-06 21:54:38 +00:00

main.py

Release ER Production RTAs to DR (#2270)

2022-09-08 16:51:32 +00:00

mappings.py

Release ER Production RTAs to DR (#2270)

2022-09-08 16:51:32 +00:00

misc.py

Cleanup rule survey code (#1923)

2022-09-06 21:54:38 +00:00

mixins.py

Add support for restricted fields (#2053)

2022-06-27 15:03:32 +00:00

ml.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

navigator.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

packaging.py

[Bug] resolves bug in Rule version methods (#2021)

2022-06-07 23:41:40 +00:00

rule_formatter.py

Linux Shell Evasion Rule Tuning (#1878)

2022-03-29 21:03:35 -04:00

rule_loader.py

Add delta command to determine changes to endpoint rules between tags (#1943)

2022-05-03 20:32:29 +00:00

rule_validators.py

Add new required_fields as a build-time restricted field (#2059)

2022-07-06 15:51:18 +00:00

rule.py

Add test command to verify version collisions do not occur (#2272)

2022-09-19 15:54:33 +00:00

semver.py

Add test command to verify version collisions do not occur (#2272)

2022-09-19 15:54:33 +00:00

utils.py

add new field related_integrations to the post build (#2060)

2022-08-08 17:45:26 +00:00

version_lock.py

Add test command to verify version collisions do not occur (#2272)

2022-09-19 15:54:33 +00:00