sbousseaden
27262a585b
* Update discovery_adfind_command_activity.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update initial_access_suspicious_ms_office_child_process.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update initial_access_suspicious_ms_exchange_process.toml * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update impact_volume_shadow_copy_deletion_via_powershell.toml * Update execution_from_unusual_path_cmdline.toml * Update execution_enumeration_via_wmiprvse.toml * Update execution_command_shell_started_by_svchost.toml * Update discovery_enumerating_domain_trusts_via_nltest.toml * Update discovery_enumerating_domain_trusts_via_dsquery.toml * Update defense_evasion_workfolders_control_execution.toml * Update defense_evasion_iis_httplogging_disabled.toml * Update defense_evasion_enable_inbound_rdp_with_netsh.toml * Update defense_evasion_disabling_windows_logs.toml * Update credential_access_wireless_creds_dumping.toml * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update credential_access_iis_connectionstrings_dumping.toml * Update command_and_control_remote_file_copy_desktopimgdownldr.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_dns_tunneling_nslookup.toml * Update persistence_webshell_detection.toml * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml * Update privilege_escalation_named_pipe_impersonation.toml * Update command_and_control_certreq_postdata.toml * Update defense_evasion_suspicious_certutil_commands.toml * Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update persistence_system_shells_via_services.toml * Update execution_suspicious_cmd_wmi.toml * Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update discovery_adfind_command_activity.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_unusual_dir_ads.toml * Update defense_evasion_wsl_child_process.toml * Update defense_evasion_wsl_bash_exec.toml * Update defense_evasion_wsl_enabled_via_dism.toml * Update discovery_admin_recon.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update lateral_movement_alternate_creds_pth.toml * Update persistence_via_windows_management_instrumentation_event_subscription.toml * Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml * Update persistence_via_application_shimming.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update defense_evasion_clearing_windows_console_history.toml * Update discovery_adfind_command_activity.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update execution_command_shell_started_by_svchost.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)
| folder | description |
|---|---|
. |
Root directory where rules are stored |
apm/ |
Rules that use Application Performance Monitoring (APM) data sources |
cross-platform/ |
Rules that apply to multiple platforms, such as Windows and Linux |
integrations/ |
Rules organized by Fleet integration |
linux/ |
Rules for Linux or other Unix based operating systems |
macos/ |
Rules for macOS |
ml/ |
Rules that use machine learning jobs (ML) |
network/ |
Rules that use network data sources |
promotions/ |
Rules that promote external alerts into detection engine alerts |
windows/ |
Rules for the Microsoft Windows Operating System |
Integration specific rules are stored in the integrations/ directory:
| folder | integration |
|---|---|
aws/ |
Amazon Web Services (AWS) |
azure/ |
Microsoft Azure |
cyberarkpas/ |
Cyber Ark Privileged Access Security |
endpoint/ |
Elastic Endpoint Security |
gcp/ |
Google Cloud Platform (GCP) |
google_workspace/ |
Google Workspace (formerly GSuite) |
o365/ |
Microsoft Office |
okta/ |
Oka |