security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
26fb8e83a59dc7af8a291d2023bb1f4fd049671a
sigma-rules/rules/windows
T
History
Samirbous 26fb8e83a5 [New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660) 
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac

EQL

```
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```

* Create privilege_escalation_samaccountname_spoofing_attack.toml

* Update non-ecs-schema.json

* extra ref

* toml linted

* ref for MS kb5008102

* more ref

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-01-27 15:46:27 +01:00
..
collection_email_powershell_exchange_mailbox.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
collection_posh_audio_capture.toml
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610)
2022-01-20 08:56:53 -03:00
collection_posh_keylogger.toml
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610)
2022-01-20 08:56:53 -03:00
collection_posh_screen_grabber.toml
[New Rule] PowerShell Suspicious Script with Screenshot Capabilities (#1581)
2021-12-14 19:30:45 -03:00
collection_winrar_encryption.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_certutil_network_connection.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
command_and_control_common_webservices.toml
[Rule Tuning] Connection to Commonly Abused Web Services (#1708)
2022-01-17 14:52:26 -03:00
command_and_control_dns_tunneling_nslookup.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_encrypted_channel_freesslcert.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
command_and_control_iexplore_via_com.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_port_forwarding_added_registry.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_rdp_tunnel_plink.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
command_and_control_remote_file_copy_mpcmdrun.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
command_and_control_remote_file_copy_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
command_and_control_remote_file_copy_scripts.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
command_and_control_sunburst_c2_activity_detected.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_teamviewer_remote_file_copy.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
credential_access_cmdline_dump_tool.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_credential_dumping_msbuild.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
credential_access_domain_backup_dpapi_private_keys.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_dump_registry_hives.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_iis_connectionstrings_dumping.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_kerberoasting_unusual_process.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
credential_access_lsass_memdump_file_created.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_mimikatz_memssp_default_logs.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
credential_access_mimikatz_powershell_module.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_mod_wdigest_security_provider.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_persistence_network_logon_provider_modification.toml
[New Rule] Network Logon Providers Registry Modification (#1053)
2021-04-14 16:31:46 +02:00
credential_access_posh_minidump.toml
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610)
2022-01-20 08:56:53 -03:00
credential_access_potential_lsa_memdump_via_mirrordump.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
credential_access_saved_creds_vaultcmd.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_suspicious_comsvcs_imageload.toml
[New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569)
2021-11-18 10:27:42 +01:00
credential_access_suspicious_lsass_access_memdump.toml
Update credential_access_suspicious_lsass_access_memdump.toml (#1714)
2022-01-27 09:28:16 -03:00
credential_access_suspicious_lsass_access_via_snapshot.toml
[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550)
2021-11-17 08:45:38 +01:00
credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
[New Rule] Shadowcopy via Symlink (#1675)
2022-01-12 07:52:37 -03:00
credential_access_via_snapshot_lsass_clone_creation.toml
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632)
2021-12-08 11:16:14 +01:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_amsienable_key_mod.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
defense_evasion_clearing_windows_console_history.toml
[New Rule] Clearing Windows Console History (#1623)
2021-11-25 13:25:21 -03:00
defense_evasion_clearing_windows_event_logs.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_clearing_windows_security_logs.toml
[Rule Tuning] Add system index to Windows Event Logs Cleared (#1502)
2021-09-24 12:04:56 -05:00
defense_evasion_code_injection_conhost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_create_mod_root_certificate.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_cve_2020_0601.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_defender_disabled_via_registry.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
defense_evasion_defender_exclusion_via_powershell.toml
[Rule Tuning] Powershell Defender Exclusion (#1644)
2021-12-08 11:51:32 -03:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_disabling_windows_defender_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_disabling_windows_logs.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_dns_over_https_enabled.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_dotnet_compiler_parent_process.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_enable_inbound_rdp_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_enable_network_discovery_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_control_panel_suspicious_args.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_execution_lolbas_wuauclt.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_execution_msbuild_started_by_office_app.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_by_script.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_execution_msbuild_started_by_system_process.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_renamed.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_unusal_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_execution_suspicious_explorer_winword.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_execution_windefend_unusual_path.toml
Update defense_evasion_execution_windefend_unusual_path.toml (#1492)
2021-10-05 16:38:01 -03:00
defense_evasion_file_creation_mult_extension.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
defense_evasion_hide_encoded_executable_registry.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_iis_httplogging_disabled.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_injection_msbuild.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_installutil_beacon.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_masquerading_renamed_autoit.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_masquerading_trusted_directory.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_masquerading_werfault.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_microsoft_defender_tampering.toml
[New Rule] Microsoft Defender Tampering (#1575)
2022-01-13 19:50:01 -03:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
[Rule Tuning] Rename extrac.exe to extrac32.exe (#1601)
2021-11-14 17:01:13 -09:00
defense_evasion_msbuild_beacon_sequence.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_msbuild_making_network_connections.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_mshta_beacon.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
defense_evasion_msxsl_beacon.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_msxsl_network.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
defense_evasion_network_connection_from_windows_binary.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_parent_process_pid_spoofing.toml
[New Rule] Parent Process PID Spoofing (#1338)
2021-07-15 22:55:46 +02:00
defense_evasion_posh_assembly_load.toml
[New Rule] PowerShell Reflection Assembly Load (#1559)
2021-12-08 17:59:17 -03:00
defense_evasion_posh_compressed.toml
[New Rules] PowerShell Suspicious Payload Encoded and Compressed (#1580)
2021-12-14 19:25:11 -03:00
defense_evasion_posh_process_injection.toml
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610)
2022-01-20 08:56:53 -03:00
defense_evasion_potential_processherpaderping.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_powershell_windows_firewall_disabled.toml
[New Rule] Windows Firewall Disabled (#1565)
2021-11-24 18:34:12 -03:00
defense_evasion_process_termination_followed_by_deletion.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_rundll32_no_arguments.toml
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
2021-07-22 09:08:58 -08:00
defense_evasion_scheduledjobs_at_protocol_enabled.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_sdelete_like_filename_rename.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
defense_evasion_sip_provider_mod.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_suspicious_certutil_commands.toml
[Rule Tuning] Suspicious CertUtil Commands (#1564)
2021-11-17 11:41:07 -09:00
defense_evasion_suspicious_execution_from_mounted_device.toml
[New Rule] Suspicious Execution from a Mounted Device (#1230)
2021-05-28 14:44:07 -04:00
defense_evasion_suspicious_managedcode_host_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_suspicious_process_access_direct_syscall.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_suspicious_process_creation_calltrace.toml
[New Rule] Suspicious Process Creation CallTrace (#1588)
2021-11-30 21:35:43 +01:00
defense_evasion_suspicious_scrobj_load.toml
[Rule Tuning] Windows Suspicious Script Object Execution (#1081)
2021-04-14 23:54:39 +02:00
defense_evasion_suspicious_wmi_script.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_suspicious_zoom_child_process.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_unusual_ads_file_creation.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_unusual_dir_ads.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_unusual_network_connection_via_dllhost.toml
[New Rule] Unusual Network Connection via DllHost (#1232)
2021-05-28 15:09:09 -04:00
defense_evasion_unusual_network_connection_via_rundll32.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
defense_evasion_unusual_process_network_connection.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
defense_evasion_unusual_system_vp_child_program.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_via_filter_manager.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_whitespace_padding_in_command_line.toml
Add issue to min_stack_comment (#1652)
2021-12-07 15:52:38 -09:00
discovery_adfind_command_activity.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_admin_recon.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_file_dir_discovery.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_net_command_system_account.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_net_view.toml
Fix typos discovered by codespell (#1430)
2021-08-14 20:29:10 -08:00
discovery_peripheral_device.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_posh_suspicious_api_functions.toml
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610)
2022-01-20 08:56:53 -03:00
discovery_post_exploitation_external_ip_lookup.toml
Fix typos discovered by codespell (#1430)
2021-08-14 20:29:10 -08:00
discovery_privileged_localgroup_membership.toml
[New Rule] Enumeration of Privileged Local Groups Membership (#1557)
2021-12-08 11:23:42 +01:00
discovery_remote_system_discovery_commands_windows.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_security_software_wmic.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_whoami_command_activity.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_apt_solarwinds_backdoor_unusual_child_processes.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_com_object_xwizard.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_command_prompt_connecting_to_the_internet.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
execution_command_shell_started_by_svchost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_command_shell_started_by_unusual_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_command_shell_via_rundll32.toml
[Rule Tuning] Command Shell Activity Started via RunDLL32 (#996)
2021-03-18 15:14:22 +01:00
execution_downloaded_shortcut_files.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_downloaded_url_file.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_enumeration_via_wmiprvse.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_from_unusual_directory.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_from_unusual_path_cmdline.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
execution_html_help_executable_program_connecting_to_the_internet.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_ms_office_written_file.toml
[Rule Tuning] Rule description tweaks (#1388)
2021-07-29 10:56:13 -08:00
execution_pdf_written_file.toml
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
2021-07-22 09:08:58 -08:00
execution_posh_portable_executable.toml
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610)
2022-01-20 08:56:53 -03:00
execution_posh_psreflect.toml
[New Rule] PowerShell PSReflect Script (#1558)
2022-01-19 15:31:08 -09:00
execution_psexec_lateral_movement_command.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_register_server_program_connecting_to_the_internet.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
execution_scheduled_task_powershell_source.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
execution_shared_modules_local_sxs_dll.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
execution_suspicious_cmd_wmi.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
execution_suspicious_image_load_wmi_ms_office.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
execution_suspicious_pdf_reader.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_suspicious_powershell_imgload.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
execution_suspicious_psexesvc.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_suspicious_short_program_name.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_via_compiled_html_file.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
execution_via_hidden_shell_conhost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_via_xp_cmdshell_mssql_stored_procedure.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
impact_backup_file_deletion.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
impact_deleting_backup_catalogs_with_wbadmin.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_modification_of_boot_config.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_stop_process_service_threshold.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
[Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524)
2021-10-04 16:00:35 -03:00
impact_volume_shadow_copy_deletion_via_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
impact_volume_shadow_copy_deletion_via_wmic.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
initial_access_script_executing_powershell.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
initial_access_scripts_process_started_via_wmi.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
initial_access_suspicious_ms_exchange_files.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_suspicious_ms_exchange_process.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
initial_access_suspicious_ms_exchange_worker_child_process.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
initial_access_suspicious_ms_office_child_process.toml
Adding control.exe (#1477)
2021-09-08 13:30:46 -05:00
initial_access_suspicious_ms_outlook_child_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
initial_access_unusual_dns_service_children.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_unusual_dns_service_file_writes.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_via_explorer_suspicious_child_parent_args.toml
[Rule Tuning] Suspicious Explorer Child Process (#1035)
2021-04-14 00:10:29 +02:00
lateral_movement_cmd_service.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_dcom_hta.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_dcom_mmc20.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
[New Rule] NullSessionPipe Registry Modification (#1058)
2021-04-14 00:50:31 +02:00
lateral_movement_direct_outbound_smb_connection.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
lateral_movement_dns_server_overflow.toml
[rule-tuning] Adding more context with triage/investigation (#1481)
2021-09-15 20:07:21 -05:00
lateral_movement_evasion_rdp_shadowing.toml
[New Rule] Potential Remote Desktop Shadowing Activity (#1101)
2021-04-14 22:09:49 +02:00
lateral_movement_executable_tool_transfer_smb.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_execution_from_tsclient_mup.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_execution_via_file_shares_sequence.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_incoming_winrm_shell_execution.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_incoming_wmi.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_mount_hidden_or_webdav_share_net.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_powershell_remoting_target.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_rdp_enabled_registry.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
lateral_movement_rdp_sharprdp_target.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_remote_file_copy_hidden_share.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_remote_services.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_scheduled_task_target.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_service_control_spawned_script_int.toml
[Rule Tuning] Local Service Commands (#1044)
2021-04-13 12:31:45 -04:00
lateral_movement_suspicious_rdp_client_imageload.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_via_startup_folder_rdp_smb.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_adobe_hijack_persistence.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
persistence_app_compat_shim.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_appcertdlls_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_appinitdlls_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_evasion_hidden_local_account_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_evasion_registry_ifeo_injection.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
persistence_evasion_registry_startup_shell_folder_modified.toml
[rule-tuning] Adding more context with triage/investigation (#1481)
2021-09-15 20:07:21 -05:00
persistence_gpo_schtask_service_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_local_scheduled_job_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_local_scheduled_task_creation.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_local_scheduled_task_scripting.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_ms_office_addins_file.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_ms_outlook_vba_template.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_powershell_exch_mailbox_activesync_add_device.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_priv_escalation_via_accessibility_features.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_registry_uncommon.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_remote_password_reset.toml
Update source.ip condition (#1712)
2022-01-27 09:24:55 -03:00
persistence_run_key_and_startup_broad.toml
[Rule Tuning] Startup or Run Key Registry Modification (#1086)
2021-04-14 16:38:00 +02:00
persistence_runtime_run_key_startup_susp_procs.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_services_registry.toml
[Rule Tuning] Unusual Persistence via Services Registry (#1077)
2021-04-14 16:09:46 +02:00
persistence_startup_folder_file_written_by_suspicious_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_startup_folder_file_written_by_unsigned_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_startup_folder_scripts.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_suspicious_com_hijack_registry.toml
[Rule Tuning] Component Object Model Hijacking (#1491)
2021-11-24 08:57:43 -03:00
persistence_suspicious_image_load_scheduled_task_ms_office.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
persistence_suspicious_scheduled_task_runtime.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_suspicious_service_created_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_system_shells_via_services.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_time_provider_mod.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_user_account_added_to_privileged_group_ad.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_user_account_creation_event_logs.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_user_account_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_application_shimming.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
persistence_via_bits_job_notify_command.toml
[New Rule] Persistence via BITS Job Notify Cmdline (#1096)
2021-04-13 23:25:30 +02:00
persistence_via_hidden_run_key_valuename.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_via_lsa_security_support_provider_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_update_orchestrator_service_hijack.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_via_windows_management_instrumentation_event_subscription.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_wmi_stdregprov_run_services.toml
[New Rule] Persistence via WMI Standard Registry Provider (#1040)
2021-04-06 17:50:02 +02:00
persistence_webshell_detection.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
privilege_escalation_disable_uac_registry.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_group_policy_iniscript.toml
[New Rule] Startup/Logon Script added to Group Policy Object (#1607)
2022-01-20 09:11:23 -03:00
privilege_escalation_group_policy_privileged_groups.toml
[New Rule] Group Policy Abuse for Privilege Addition (#1603)
2022-01-20 08:40:52 -03:00
privilege_escalation_group_policy_scheduled_task.toml
[New Rule] Scheduled Task Execution at Scale via GPO (#1605)
2022-01-19 16:06:48 -09:00
privilege_escalation_installertakeover.toml
[New Rule] Potential Priivilege Escalation via InstallerFileTakeOver (#1629)
2022-01-20 08:53:58 -03:00
privilege_escalation_lsa_auth_package.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_named_pipe_impersonation.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_persistence_phantom_dll.toml
Update privilege_escalation_persistence_phantom_dll.toml (#1228)
2021-06-01 09:29:09 -04:00
privilege_escalation_port_monitor_print_pocessor_abuse.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_printspooler_malicious_driver_file_changes.toml
[New Rule] Potential PrintNightmare Exploitation rules (#1326)
2021-07-07 18:56:39 +02:00
privilege_escalation_printspooler_malicious_registry_modification.toml
[New Rule] Potential PrintNightmare Exploitation rules (#1326)
2021-07-07 18:56:39 +02:00
privilege_escalation_printspooler_registry_copyfiles.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_printspooler_service_suspicious_file.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
privilege_escalation_printspooler_suspicious_file_deletion.toml
[New Rule] Potential PrintNightmare Exploitation rules (#1326)
2021-07-07 18:56:39 +02:00
privilege_escalation_printspooler_suspicious_spl_file.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
privilege_escalation_rogue_windir_environment_var.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_samaccountname_spoofing_attack.toml
[New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660)
2022-01-27 15:46:27 +01:00
privilege_escalation_uac_bypass_com_clipup.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_com_ieinstal.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_dll_sideloading.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_event_viewer.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_mock_windir.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_sdclt.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_unusual_parentchild_relationship.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 12:54:15 -08:00
privilege_escalation_unusual_printspooler_childprocess.toml
[Rule Tuning] Remove \Program Files*\ style wildcards (#1369)
2021-07-22 11:55:22 -06:00
privilege_escalation_unusual_svchost_childproc_childless.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
privilege_escalation_via_rogue_named_pipe.toml
[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544)
2021-12-08 11:21:04 +01:00
privilege_escalation_wpad_exploitation.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00