security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
27262a585bc4d9cc59f83a68575febe4237bd168
sigma-rules/rules/windows
T
History
sbousseaden 27262a585b [Tuning] Add logs-system. index where applicable (#3390) 
* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-01-17 13:49:59 +00:00
..
collection_email_outlook_mailbox_via_com.toml
[Rule Tuning] Windows DR Tuning - 1 (#3198)
2023-10-26 17:20:32 -03:00
collection_email_powershell_exchange_mailbox.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
collection_mailbox_export_winlog.toml
[Rule Tuning] Windows DR Tuning - 7 (#3344)
2023-12-18 14:27:55 -03:00
collection_posh_audio_capture.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
collection_posh_clipboard_capture.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
collection_posh_keylogger.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
collection_posh_mailbox.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
collection_posh_screen_grabber.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
collection_winrar_encryption.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
command_and_control_certreq_postdata.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
command_and_control_common_webservices.toml
[Security Content] Introduce Investigate Plugin in Investigation Guides (#3080)
2023-12-08 11:54:40 -07:00
command_and_control_dns_tunneling_nslookup.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
command_and_control_encrypted_channel_freesslcert.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
command_and_control_iexplore_via_com.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
command_and_control_ingress_transfer_bits.toml
[Security Content] Add Windows Investigation Guides (#3257)
2023-12-19 12:38:28 -03:00
command_and_control_new_terms_commonly_abused_rat_execution.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
command_and_control_port_forwarding_added_registry.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
command_and_control_rdp_tunnel_plink.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
command_and_control_remote_file_copy_desktopimgdownldr.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
command_and_control_remote_file_copy_mpcmdrun.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
command_and_control_remote_file_copy_powershell.toml
[Security Content] Introduce Investigate Plugin in Investigation Guides (#3080)
2023-12-08 11:54:40 -07:00
command_and_control_remote_file_copy_scripts.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
command_and_control_sunburst_c2_activity_detected.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
command_and_control_teamviewer_remote_file_copy.toml
[Rule Tuning] Fix Menasec Expired Links (#3271)
2023-11-14 10:18:34 -03:00
credential_access_bruteforce_admin_account.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
[Tuning] Multiple Logon Failure Followed by Logon Success (#3340)
2023-12-14 17:41:06 +00:00
credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_cmdline_dump_tool.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
credential_access_credential_dumping_msbuild.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
credential_access_dcsync_newterm_subjectuser.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_dcsync_replication_rights.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_disable_kerberos_preauth.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_domain_backup_dpapi_private_keys.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_dump_registry_hives.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
credential_access_generic_localdumps.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
credential_access_iis_connectionstrings_dumping.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
credential_access_kerberoasting_unusual_process.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_ldap_attributes.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_lsass_handle_via_malseclogon.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_lsass_loaded_susp_dll.toml
[Rule Tuning] Windows DR Tuning - 7 (#3344)
2023-12-18 14:27:55 -03:00
credential_access_lsass_memdump_file_created.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_lsass_memdump_handle_access.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_lsass_openprocess_api.toml
[Security Content] Add Windows Investigation Guides (#3257)
2023-12-19 12:38:28 -03:00
credential_access_mimikatz_memssp_default_logs.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_mimikatz_powershell_module.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_mod_wdigest_security_provider.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_moving_registry_hive_via_smb.toml
[Rule Tuning] Windows DR Tuning - 3 (#3212)
2023-10-26 18:58:59 -03:00
credential_access_persistence_network_logon_provider_modification.toml
[Security Content] Add Windows Investigation Guides (#3257)
2023-12-19 12:38:28 -03:00
credential_access_posh_invoke_ninjacopy.toml
[Security Content] Add Windows Investigation Guides (#2825)
2023-07-19 08:07:01 -03:00
credential_access_posh_kerb_ticket_dump.toml
[Security Content] Add Windows Investigation Guides (#3257)
2023-12-19 12:38:28 -03:00
credential_access_posh_minidump.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_posh_request_ticket.toml
[Rule Tuning] Windows DR Tuning - 7 (#3344)
2023-12-18 14:27:55 -03:00
credential_access_potential_lsa_memdump_via_mirrordump.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_relay_ntlm_auth_via_http_spoolss.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
credential_access_remote_sam_secretsdump.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_saved_creds_vault_winlog.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_saved_creds_vaultcmd.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_seenabledelegationprivilege_assigned_to_user.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_shadow_credentials.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_spn_attribute_modified.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_suspicious_comsvcs_imageload.toml
[Security Content] Add Windows Investigation Guides (#3257)
2023-12-19 12:38:28 -03:00
credential_access_suspicious_lsass_access_generic.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_suspicious_lsass_access_memdump.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_suspicious_lsass_access_via_snapshot.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_suspicious_winreg_access_via_sebackup_priv.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_symbolic_link_to_shadow_copy_created.toml
[Rule Tuning] Windows DR Tuning - 5 (#3229)
2023-12-05 19:20:40 -03:00
credential_access_via_snapshot_lsass_clone_creation.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
credential_access_wireless_creds_dumping.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_amsi_bypass_dllhijack.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_amsi_bypass_powershell.toml
[Rule Tuning] Windows DR Tuning - 5 (#3229)
2023-12-05 19:20:40 -03:00
defense_evasion_amsienable_key_mod.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_clearing_windows_console_history.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_clearing_windows_event_logs.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_clearing_windows_security_logs.toml
[Rule Tuning] Windows DR Tuning - 7 (#3344)
2023-12-18 14:27:55 -03:00
defense_evasion_code_signing_policy_modification_builtin_tools.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_code_signing_policy_modification_registry.toml
[Rule Tuning] Windows DR Tuning - 5 (#3229)
2023-12-05 19:20:40 -03:00
defense_evasion_create_mod_root_certificate.toml
[Rule Tuning] Windows DR Tuning - 5 (#3229)
2023-12-05 19:20:40 -03:00
defense_evasion_cve_2020_0601.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_defender_disabled_via_registry.toml
[Rule Tuning] Windows DR Tuning - 5 (#3229)
2023-12-05 19:20:40 -03:00
defense_evasion_defender_exclusion_via_powershell.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_disable_posh_scriptblocklogging.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_disabling_windows_defender_powershell.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_disabling_windows_logs.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_dns_over_https_enabled.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_dotnet_compiler_parent_process.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_enable_inbound_rdp_with_netsh.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_enable_network_discovery_with_netsh.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_execution_control_panel_suspicious_args.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_execution_lolbas_wuauclt.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_execution_msbuild_started_by_office_app.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_execution_msbuild_started_by_script.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_execution_msbuild_started_by_system_process.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_execution_msbuild_started_renamed.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_execution_msbuild_started_unusal_process.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_execution_suspicious_explorer_winword.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_execution_windefend_unusual_path.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_file_creation_mult_extension.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_from_unusual_directory.toml
[Security Content] Add Windows Investigation Guides (#3095)
2023-12-08 11:31:16 -03:00
defense_evasion_hide_encoded_executable_registry.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_iis_httplogging_disabled.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_injection_msbuild.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_installutil_beacon.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
[Rule Tuning] Windows DR Tuning - 6 (#3246)
2023-12-12 11:37:54 -03:00
defense_evasion_masquerading_communication_apps.toml
[Promote] Potential Masquerading as Communication Apps (#3181)
2023-10-23 14:56:03 -03:00
defense_evasion_masquerading_renamed_autoit.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_masquerading_suspicious_werfault_childproc.toml
[Rule Tuning] Fix Menasec Expired Links (#3271)
2023-11-14 10:18:34 -03:00
defense_evasion_masquerading_trusted_directory.toml
[Rule Tuning] Windows DR Tuning - 6 (#3246)
2023-12-12 11:37:54 -03:00
defense_evasion_masquerading_werfault.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_microsoft_defender_tampering.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_ms_office_suspicious_regmod.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_msbuild_making_network_connections.toml
[Rule Tuning] Windows DR Tuning - 6 (#3246)
2023-12-12 11:37:54 -03:00
defense_evasion_mshta_beacon.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_msxsl_network.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_network_connection_from_windows_binary.toml
[Rule Tuning] Windows DR Tuning - 6 (#3246)
2023-12-12 11:37:54 -03:00
defense_evasion_parent_process_pid_spoofing.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_persistence_account_tokenfilterpolicy.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_posh_assembly_load.toml
[Rule Tuning] Windows DR Tuning - 8 (#3353)
2024-01-03 12:00:29 -03:00
defense_evasion_posh_compressed.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_posh_encryption.toml
[Security Content] Add Windows Investigation Guides (#2825)
2023-07-19 08:07:01 -03:00
defense_evasion_posh_process_injection.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_powershell_windows_firewall_disabled.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_process_termination_followed_by_deletion.toml
[Rule Tuning] Windows DR Tuning - 6 (#3246)
2023-12-12 11:37:54 -03:00
defense_evasion_proxy_execution_via_msdt.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_rundll32_no_arguments.toml
[Security Content] Add Windows Investigation Guides (#3095)
2023-12-08 11:31:16 -03:00
defense_evasion_scheduledjobs_at_protocol_enabled.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_sdelete_like_filename_rename.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_sip_provider_mod.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_suspicious_certutil_commands.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_suspicious_execution_from_mounted_device.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_suspicious_managedcode_host_process.toml
[Tuning] Suspicious Managed Code Hosting Process (#3338)
2023-12-14 17:51:35 +00:00
defense_evasion_suspicious_process_access_direct_syscall.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_suspicious_process_creation_calltrace.toml
[Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895)
2023-07-06 10:39:20 -04:00
defense_evasion_suspicious_scrobj_load.toml
[Tuning] Suspicious Script Object Execution (#3339)
2023-12-14 16:49:54 -07:00
defense_evasion_suspicious_short_program_name.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_suspicious_wmi_script.toml
[Rule Tuning] Windows DR Tuning - 8 (#3353)
2024-01-03 12:00:29 -03:00
defense_evasion_suspicious_zoom_child_process.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_timestomp_sysmon.toml
[Rule Tuning] Windows DR Tuning - 8 (#3353)
2024-01-03 12:00:29 -03:00
defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_untrusted_driver_loaded.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
defense_evasion_unusual_ads_file_creation.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
defense_evasion_unusual_dir_ads.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_unusual_network_connection_via_dllhost.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_unusual_network_connection_via_rundll32.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_unusual_process_network_connection.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_unusual_system_vp_child_program.toml
[Rule Tuning] Windows DR Tuning - 8 (#3353)
2024-01-03 12:00:29 -03:00
defense_evasion_via_filter_manager.toml
[Rule Tuning] Windows DR Tuning - 8 (#3353)
2024-01-03 12:00:29 -03:00
defense_evasion_windows_filtering_platform.toml
[New] Potential Evasion via Windows Filtering Platform (#3356)
2024-01-03 12:50:12 +00:00
defense_evasion_workfolders_control_execution.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_wsl_bash_exec.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_wsl_child_process.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_wsl_enabled_via_dism.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_wsl_filesystem.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_wsl_kalilinux.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
defense_evasion_wsl_registry_modification.toml
[Security Content] Add Windows Investigation Guides (#3095)
2023-12-08 11:31:16 -03:00
discovery_adfind_command_activity.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
discovery_admin_recon.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
discovery_command_system_account.toml
[Rule Tuning] Windows DR Tuning - 9 (#3354)
2024-01-07 09:49:33 -03:00
discovery_enumerating_domain_trusts_via_dsquery.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
discovery_enumerating_domain_trusts_via_nltest.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
discovery_group_policy_object_discovery.toml
[Security Content] Add Windows Investigation Guides (#3257)
2023-12-19 12:38:28 -03:00
discovery_peripheral_device.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
discovery_posh_invoke_sharefinder.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
discovery_posh_suspicious_api_functions.toml
[Rule Tuning] Windows DR Tuning - 9 (#3354)
2024-01-07 09:49:33 -03:00
discovery_privileged_localgroup_membership.toml
[Rule Tuning] Windows DR Tuning - 10 (#3355)
2024-01-17 09:44:10 -03:00
discovery_signal_unusual_discovery_signal_proc_cmdline.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_signal_unusual_discovery_signal_proc_executable.toml
[Rule Tuning] UEBA new_terms process_executable (#3268)
2023-12-07 16:38:08 +01:00
discovery_whoami_command_activity.toml
[Rule Tuning] Windows DR Tuning - 10 (#3355)
2024-01-17 09:44:10 -03:00
execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
execution_apt_solarwinds_backdoor_unusual_child_processes.toml
[Rule Tuning] Windows DR Tuning - 10 (#3355)
2024-01-17 09:44:10 -03:00
execution_com_object_xwizard.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_command_prompt_connecting_to_the_internet.toml
[Rule Tuning] Windows DR Tuning - 10 (#3355)
2024-01-17 09:44:10 -03:00
execution_command_shell_started_by_svchost.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
execution_command_shell_started_by_unusual_process.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_command_shell_via_rundll32.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_enumeration_via_wmiprvse.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
execution_from_unusual_path_cmdline.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
execution_html_help_executable_program_connecting_to_the_internet.toml
[Rule Tuning] Windows DR Tuning - 10 (#3355)
2024-01-17 09:44:10 -03:00
execution_ms_office_written_file.toml
[Security Content] Add Windows Investigation Guides (#3095)
2023-12-08 11:31:16 -03:00
execution_pdf_written_file.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
execution_posh_hacktool_functions.toml
[Rule Tuning] Windows DR Tuning - 11 (#3359)
2024-01-15 10:55:50 -03:00
execution_posh_portable_executable.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_posh_psreflect.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_psexec_lateral_movement_command.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
execution_register_server_program_connecting_to_the_internet.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
execution_scheduled_task_powershell_source.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
execution_shared_modules_local_sxs_dll.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_suspicious_cmd_wmi.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
execution_suspicious_image_load_wmi_ms_office.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_suspicious_pdf_reader.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_suspicious_powershell_imgload.toml
[Rule Tuning] Windows DR Tuning - 11 (#3359)
2024-01-15 10:55:50 -03:00
execution_suspicious_psexesvc.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_via_compiled_html_file.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
execution_via_hidden_shell_conhost.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
exfiltration_smb_rare_destination.toml
[New] Rare SMB Connection to the Internet (#3300)
2023-12-07 13:10:20 -03:00
impact_backup_file_deletion.toml
[Rule Tuning] Windows DR Tuning - 11 (#3359)
2024-01-15 10:55:50 -03:00
impact_deleting_backup_catalogs_with_wbadmin.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
impact_modification_of_boot_config.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
impact_stop_process_service_threshold.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
impact_volume_shadow_copy_deletion_via_powershell.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
impact_volume_shadow_copy_deletion_via_wmic.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
initial_access_evasion_suspicious_htm_file_creation.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
initial_access_execution_via_office_addins.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
initial_access_exfiltration_first_time_seen_usb.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
initial_access_script_executing_powershell.toml
[Rule Tuning] Windows DR Tuning - 11 (#3359)
2024-01-15 10:55:50 -03:00
initial_access_scripts_process_started_via_wmi.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
initial_access_suspicious_ms_exchange_files.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
initial_access_suspicious_ms_exchange_process.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
initial_access_suspicious_ms_exchange_worker_child_process.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
initial_access_suspicious_ms_office_child_process.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
initial_access_suspicious_ms_outlook_child_process.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
initial_access_via_explorer_suspicious_child_parent_args.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
lateral_movement_alternate_creds_pth.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
lateral_movement_cmd_service.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
lateral_movement_dcom_hta.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
lateral_movement_dcom_mmc20.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
lateral_movement_direct_outbound_smb_connection.toml
[Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329)
2023-12-14 11:21:46 -07:00
lateral_movement_evasion_rdp_shadowing.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
lateral_movement_executable_tool_transfer_smb.toml
[Tuning] Adjusted Rules for Anti-Evasion (#3163)
2023-10-16 17:56:09 +01:00
lateral_movement_execution_from_tsclient_mup.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
lateral_movement_execution_via_file_shares_sequence.toml
[Rule Tuning] Fix Menasec Expired Links (#3271)
2023-11-14 10:18:34 -03:00
lateral_movement_incoming_winrm_shell_execution.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
lateral_movement_incoming_wmi.toml
[Tuning] Adjusted Rules for Anti-Evasion (#3163)
2023-10-16 17:56:09 +01:00
lateral_movement_mount_hidden_or_webdav_share_net.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
lateral_movement_powershell_remoting_target.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
lateral_movement_rdp_enabled_registry.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
lateral_movement_rdp_sharprdp_target.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
lateral_movement_remote_file_copy_hidden_share.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
lateral_movement_remote_service_installed_winlog.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
lateral_movement_remote_services.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
lateral_movement_remote_task_creation_winlog.toml
[Tuning] Remote Scheduled Task Creation (#3337)
2023-12-14 16:39:52 -07:00
lateral_movement_scheduled_task_target.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
lateral_movement_suspicious_rdp_client_imageload.toml
[Rule Tuning] Windows DR Tuning - 13 (#3369)
2024-01-17 09:53:18 -03:00
lateral_movement_unusual_dns_service_children.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
lateral_movement_unusual_dns_service_file_writes.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
lateral_movement_via_startup_folder_rdp_smb.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_ad_adminsdholder.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
persistence_adobe_hijack_persistence.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_app_compat_shim.toml
[Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331)
2023-12-14 15:04:08 -07:00
persistence_appcertdlls_registry.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_appinitdlls_registry.toml
[Rule Tuning] Windows DR Tuning - 13 (#3369)
2024-01-17 09:53:18 -03:00
persistence_dontexpirepasswd_account.toml
[Rule Tuning] Fix Menasec Expired Links (#3271)
2023-11-14 10:18:34 -03:00
persistence_evasion_hidden_local_account_creation.toml
[Rule Tuning] Fix Menasec Expired Links (#3271)
2023-11-14 10:18:34 -03:00
persistence_evasion_registry_ifeo_injection.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
persistence_evasion_registry_startup_shell_folder_modified.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
persistence_local_scheduled_job_creation.toml
[Rule Tuning] Windows DR Tuning - 13 (#3369)
2024-01-17 09:53:18 -03:00
persistence_local_scheduled_task_creation.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
persistence_local_scheduled_task_scripting.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
persistence_ms_office_addins_file.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_ms_outlook_vba_template.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_msds_alloweddelegateto_krbtgt.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_powershell_exch_mailbox_activesync_add_device.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_powershell_profiles.toml
[Security Content] Add Windows Investigation Guides (#3257)
2023-12-19 12:38:28 -03:00
persistence_priv_escalation_via_accessibility_features.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_registry_uncommon.toml
[New Rule] New BBR Rules - Part 2 (#3029)
2023-09-12 21:49:22 -03:00
persistence_remote_password_reset.toml
[Rule Tuning] Account Password Reset Remotely (#3335)
2023-12-14 17:22:19 +00:00
persistence_run_key_and_startup_broad.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
persistence_runtime_run_key_startup_susp_procs.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
persistence_scheduled_task_creation_winlog.toml
[Rule Tuning] Windows DR Tuning - 13 (#3369)
2024-01-17 09:53:18 -03:00
persistence_scheduled_task_updated.toml
[Rules Tuning] diverse tuning (#2506)
2023-06-30 18:57:00 +01:00
persistence_sdprop_exclusion_dsheuristics.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_service_dll_unsigned.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
persistence_service_windows_service_winlog.toml
fixing typo in 127.0.0.1 address (#3004)
2023-08-08 17:06:26 +02:00
persistence_services_registry.toml
[Rule Tuning] Windows DR Tuning - 13 (#3369)
2024-01-17 09:53:18 -03:00
persistence_startup_folder_file_written_by_suspicious_process.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_startup_folder_file_written_by_unsigned_process.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
persistence_startup_folder_scripts.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_suspicious_com_hijack_registry.toml
[Rule Tuning] Windows DR Tuning - 14 (#3376)
2024-01-15 11:16:04 -03:00
persistence_suspicious_image_load_scheduled_task_ms_office.toml
[Security Content] Add Windows Investigation Guides (#3095)
2023-12-08 11:31:16 -03:00
persistence_suspicious_scheduled_task_runtime.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_suspicious_service_created_registry.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
persistence_sysmon_wmi_event_subscription.toml
adjusting minimum stack version for version control (#3154)
2023-10-03 13:36:06 -04:00
persistence_system_shells_via_services.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
persistence_temp_scheduled_task.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
persistence_time_provider_mod.toml
[Rule Tuning] Windows DR Tuning - 14 (#3376)
2024-01-15 11:16:04 -03:00
persistence_user_account_added_to_privileged_group_ad.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_user_account_creation_event_logs.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_user_account_creation.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_via_application_shimming.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
persistence_via_bits_job_notify_command.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_via_hidden_run_key_valuename.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_via_lsa_security_support_provider_registry.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
persistence_via_update_orchestrator_service_hijack.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
persistence_via_windows_management_instrumentation_event_subscription.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
persistence_via_wmi_stdregprov_run_services.toml
[Security Content] Add Windows Investigation Guides (#3095)
2023-12-08 11:31:16 -03:00
persistence_via_xp_cmdshell_mssql_stored_procedure.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
persistence_webshell_detection.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
privilege_escalation_create_process_as_different_user.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_create_process_with_token_unpriv.toml
[New] Process Created with a Duplicated Token (#3152)
2023-12-07 08:20:30 -03:00
privilege_escalation_credroaming_ldap.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_disable_uac_registry.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_driver_newterm_imphash.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
privilege_escalation_expired_driver_loaded.toml
[Rule Tuning] Windows DR Tuning - 14 (#3376)
2024-01-15 11:16:04 -03:00
privilege_escalation_gpo_schtask_service_creation.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_group_policy_iniscript.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_group_policy_privileged_groups.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_group_policy_scheduled_task.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_installertakeover.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_krbrelayup_service_creation.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
privilege_escalation_lsa_auth_package.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
privilege_escalation_make_token_local.toml
[New] Interactive Logon by an Unusual Process (#3299)
2023-12-05 17:34:10 +00:00
privilege_escalation_named_pipe_impersonation.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
privilege_escalation_newcreds_logon_rare_process.toml
[New] First Time Seen NewCredentials Lgon Process (#3276)
2023-11-27 18:37:15 +00:00
privilege_escalation_persistence_phantom_dll.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_port_monitor_print_pocessor_abuse.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
privilege_escalation_posh_token_impersonation.toml
[Security Content] Add Windows Investigation Guides (#3095)
2023-12-08 11:31:16 -03:00
privilege_escalation_printspooler_registry_copyfiles.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
privilege_escalation_printspooler_service_suspicious_file.toml
[Rule Tuning] Windows DR Tuning - 14 (#3376)
2024-01-15 11:16:04 -03:00
privilege_escalation_printspooler_suspicious_file_deletion.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_printspooler_suspicious_spl_file.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_rogue_windir_environment_var.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
privilege_escalation_samaccountname_spoofing_attack.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_service_control_spawned_script_int.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
privilege_escalation_suspicious_dnshostname_update.toml
[Tuning] Improve Performance (#2953)
2023-08-21 16:23:34 +01:00
privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
privilege_escalation_uac_bypass_com_clipup.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_uac_bypass_com_ieinstal.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
privilege_escalation_uac_bypass_dll_sideloading.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_uac_bypass_event_viewer.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
privilege_escalation_uac_bypass_mock_windir.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_uac_sdclt.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 18:12:20 -03:00
privilege_escalation_unusual_parentchild_relationship.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
privilege_escalation_unusual_printspooler_childprocess.toml
[Tuning] Add logs-system. index where applicable (#3390)
2024-01-17 13:49:59 +00:00
privilege_escalation_unusual_svchost_childproc_childless.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_via_ppid_spoofing.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
privilege_escalation_via_rogue_named_pipe.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_via_token_theft.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
privilege_escalation_windows_service_via_unusual_client.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 16:53:04 +05:30
privilege_escalation_wpad_exploitation.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00