security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
250bb4cc273cbbb7ffa01892688fdd23cb1c9e14
sigma-rules/rules/windows
T
History
Simon 250bb4cc27 Add Rule to Detect User creation via Eventlog (#794) 
* Add Rule to Detect User creation via Eventlog

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update persistence_user_account_creation_event_logs.toml

* update with fp info

* Update persistence_user_account_creation_event_logs.toml

* Update rules/windows/persistence_user_account_creation_event_logs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-10 15:48:33 -05:00
..
collection_email_powershell_exchange_mailbox.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
collection_winrar_encryption.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
command_and_control_certutil_network_connection.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
command_and_control_common_webservices.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
command_and_control_dns_tunneling_nslookup.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
command_and_control_encrypted_channel_freesslcert.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
command_and_control_iexplore_via_com.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
command_and_control_remote_file_copy_mpcmdrun.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
command_and_control_remote_file_copy_powershell.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
command_and_control_remote_file_copy_scripts.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
command_and_control_sunburst_c2_activity_detected.toml
[New Rule] SUNBURST Command and Control Activity Detected (#723)
2020-12-15 14:41:54 -06:00
command_and_control_teamviewer_remote_file_copy.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_cmdline_dump_tool.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_credential_dumping_msbuild.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_domain_backup_dpapi_private_keys.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_dump_registry_hives.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_iis_connectionstrings_dumping.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_kerberoasting_unusual_process.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
credential_access_lsass_memdump_file_created.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_mimikatz_memssp_default_logs.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_mimikatz_powershell_module.toml
[New Rule] Detects Mimikatz via Invoke-Mimikatz (#700)
2020-12-09 14:51:45 -06:00
credential_access_mod_wdigest_security_provider.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
credential_access_saved_creds_vaultcmd.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_clearing_windows_event_logs.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_clearing_windows_security_logs.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_code_injection_conhost.toml
[Rule Tuning] Exclude Windows Error Reporting & Printer Driver (#929)
2021-02-10 08:53:04 -09:00
defense_evasion_create_mod_root_certificate.toml
[New Rule] Creation or Modification of Root Certificate (#927)
2021-02-08 10:01:59 -05:00
defense_evasion_cve_2020_0601.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_defender_disabled_via_registry.toml
[New Rule] DefenderControl Activity (#769)
2021-02-09 10:12:54 -06:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_dotnet_compiler_parent_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_enable_inbound_rdp_with_netsh.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_encoding_or_decoding_files_via_certutil.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_execution_lolbas_wuauclt.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_execution_msbuild_started_by_office_app.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_execution_msbuild_started_by_script.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_execution_msbuild_started_by_system_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_execution_msbuild_started_renamed.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_execution_msbuild_started_unusal_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_execution_suspicious_explorer_winword.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_execution_via_trusted_developer_utilities.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_file_creation_mult_extension.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_hide_encoded_executable_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_iis_httplogging_disabled.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_injection_msbuild.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_installutil_beacon.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_masquerading_renamed_autoit.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
[Rule Tuning] Suspicious WerFault Child Process (#915)
2021-02-10 14:17:57 -05:00
defense_evasion_masquerading_trusted_directory.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
defense_evasion_masquerading_werfault.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_modification_of_boot_config.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_msbuild_beacon_sequence.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_msbuild_making_network_connections.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_mshta_beacon.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_mshta_making_network_connections.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_msxsl_beacon.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_msxsl_network.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_network_connection_from_windows_binary.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_port_forwarding_added_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_potential_processherpaderping.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_process_termination_followed_by_deletion.toml
[New Rule] Process Termination Followed by Deletion (#482)
2020-12-08 22:26:11 +01:00
defense_evasion_reg_beacon.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_rundll32_no_arguments.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_scheduledjobs_at_protocol_enabled.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_sdelete_like_filename_rename.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
defense_evasion_sip_provider_mod.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_stop_process_service_threshold.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_suspicious_managedcode_host_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_suspicious_scrobj_load.toml
[Rule Tuning] Update file.name to dll.name for Library events (#893)
2021-02-03 11:09:29 -05:00
defense_evasion_suspicious_wmi_script.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
defense_evasion_suspicious_zoom_child_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_unusual_ads_file_creation.toml
[New Rule] Unusual File Creation - Alternate Data Stream (#902)
2021-02-10 09:28:25 -05:00
defense_evasion_unusual_dir_ads.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_unusual_network_connection_via_rundll32.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_unusual_process_network_connection.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_unusual_system_vp_child_program.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_via_filter_manager.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_adfind_command_activity.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_admin_recon.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_file_dir_discovery.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_net_command_system_account.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_net_view.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_peripheral_device.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_process_discovery_via_tasklist_command.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_query_registry_via_reg.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_remote_system_discovery_commands_windows.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_security_software_wmic.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
discovery_whoami_command_activity.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_apt_solarwinds_backdoor_unusual_child_processes.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_com_object_xwizard.toml
[New Rule] Execution of COM object via Xwizard (#896)
2021-01-28 16:58:19 -05:00
execution_command_prompt_connecting_to_the_internet.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_command_shell_started_by_powershell.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_command_shell_started_by_svchost.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_command_shell_started_by_unusual_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_command_shell_via_rundll32.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_downloaded_shortcut_files.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_downloaded_url_file.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_enumeration_via_wmiprvse.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_from_unusual_directory.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_from_unusual_path_cmdline.toml
[Rule Tuning] Execution from Unusual Directory - Command Line (#837)
2021-02-03 10:54:19 -05:00
execution_html_help_executable_program_connecting_to_the_internet.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_ms_office_written_file.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_pdf_written_file.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_psexec_lateral_movement_command.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_register_server_program_connecting_to_the_internet.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_scheduled_task_powershell_source.toml
[Rule Tuning] Update file.name to dll.name for Library events (#893)
2021-02-03 11:09:29 -05:00
execution_shared_modules_local_sxs_dll.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
execution_suspicious_cmd_wmi.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
execution_suspicious_image_load_wmi_ms_office.toml
[Rule Tuning] Update file.name to dll.name for Library events (#893)
2021-02-03 11:09:29 -05:00
execution_suspicious_pdf_reader.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_suspicious_powershell_imgload.toml
[Rule Tuning] Update file.name to dll.name for Library events (#893)
2021-02-03 11:09:29 -05:00
execution_suspicious_psexesvc.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_suspicious_short_program_name.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_via_compiled_html_file.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_via_hidden_shell_conhost.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_via_net_com_assemblies.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
execution_via_xp_cmdshell_mssql_stored_procedure.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
impact_volume_shadow_copy_deletion_via_vssadmin.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
initial_access_script_executing_powershell.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
initial_access_scripts_process_started_via_wmi.toml
[Rule Tuning] Update file.name to dll.name for Library events (#893)
2021-02-03 11:09:29 -05:00
initial_access_suspicious_ms_office_child_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
initial_access_suspicious_ms_outlook_child_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
initial_access_unusual_dns_service_children.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
initial_access_unusual_dns_service_file_writes.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
initial_access_via_explorer_suspicious_child_parent_args.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
lateral_movement_cmd_service.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
lateral_movement_dcom_hta.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_dcom_mmc20.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_direct_outbound_smb_connection.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_dns_server_overflow.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
lateral_movement_executable_tool_transfer_smb.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_execution_from_tsclient_mup.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_execution_via_file_shares_sequence.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_incoming_winrm_shell_execution.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_incoming_wmi.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_local_service_commands.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_mount_hidden_or_webdav_share_net.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_powershell_remoting_target.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
lateral_movement_rdp_enabled_registry.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
lateral_movement_rdp_sharprdp_target.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_rdp_tunnel_plink.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
lateral_movement_remote_file_copy_hidden_share.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_remote_services.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_scheduled_task_target.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
lateral_movement_suspicious_rdp_client_imageload.toml
[Rule Tuning] Update file.name to dll.name for Library events (#893)
2021-02-03 11:09:29 -05:00
lateral_movement_via_startup_folder_rdp_smb.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_adobe_hijack_persistence.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_app_compat_shim.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
persistence_appcertdlls_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_appinitdlls_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_evasion_hidden_local_account_creation.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
persistence_evasion_registry_ifeo_injection.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_gpo_schtask_service_creation.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_local_scheduled_task_commands.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_local_scheduled_task_scripting.toml
[Rule Tuning] Update file.name to dll.name for Library events (#893)
2021-02-03 11:09:29 -05:00
persistence_ms_office_addins_file.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
persistence_ms_outlook_vba_template.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
persistence_priv_escalation_via_accessibility_features.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_registry_uncommon.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_run_key_and_startup_broad.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_runtime_run_key_startup_susp_procs.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_services_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_startup_folder_file_written_by_suspicious_process.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_startup_folder_file_written_by_unsigned_process.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
persistence_startup_folder_scripts.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_suspicious_com_hijack_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_suspicious_image_load_scheduled_task_ms_office.toml
[Rule Tuning] Update file.name to dll.name for Library events (#893)
2021-02-03 11:09:29 -05:00
persistence_suspicious_scheduled_task_runtime.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
persistence_suspicious_service_created_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_system_shells_via_services.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_time_provider_mod.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_user_account_added_to_privileged_group_ad.toml
[New Rule] User Added to Privileged Group in Active Directory (#827)
2021-02-10 14:53:15 -05:00
persistence_user_account_creation_event_logs.toml
Add Rule to Detect User creation via Eventlog (#794)
2021-02-10 15:48:33 -05:00
persistence_user_account_creation.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_via_application_shimming.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_via_hidden_run_key_valuename.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_via_lsa_security_support_provider_registry.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
persistence_via_update_orchestrator_service_hijack.toml
[Rule Tuning] Persistence via Update Orchestrator Service Hijack (#939)
2021-02-10 20:11:45 +01:00
persistence_via_windows_management_instrumentation_event_subscription.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_disable_uac_registry.toml
[New Rule] Disabling User Account Control via Registry (#892)
2021-02-10 09:11:45 -05:00
privilege_escalation_lsa_auth_package.toml
[New Rule] Potential LSA Authentication Package Abuse (#903)
2021-02-10 09:00:58 -05:00
privilege_escalation_named_pipe_impersonation.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_persistence_phantom_dll.toml
[New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation (#819)
2021-02-08 23:04:02 +01:00
privilege_escalation_port_monitor_print_pocessor_abuse.toml
[New Rule] Potential Port Monitor or Print Processor Registration Abuse (#901)
2021-02-01 16:24:49 -05:00
privilege_escalation_printspooler_registry_copyfiles.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
privilege_escalation_printspooler_service_suspicious_file.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
privilege_escalation_printspooler_suspicious_spl_file.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
privilege_escalation_rogue_windir_environment_var.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
privilege_escalation_uac_bypass_com_clipup.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
privilege_escalation_uac_bypass_com_ieinstal.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
privilege_escalation_uac_bypass_com_interface_icmluautil.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_uac_bypass_dll_sideloading.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_uac_bypass_event_viewer.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_uac_bypass_mock_windir.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_uac_sdclt.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
privilege_escalation_unusual_parentchild_relationship.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_unusual_svchost_childproc_childless.toml
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
privilege_escalation_wpad_exploitation.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00