security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
34655374c18b7a3da779a02ef8ace39b72aaeb23
sigma-rules/rules/windows
T
History
Samirbous a0672c7d2a [New Rule] Potential Privileged Escalation via KrbRelayUp (#1940) 
* [New Rule] Potential Privileged Escalation via KrbRelayUp

Identifies a suspicious local successful logon event where the Logon Package is kerberos, the remote address is set to localhost and the target user SID is the builtin local Administrator account, this may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from filtered administrator token to a token with full System privileges.

https://github.com/Dec0ne/KrbRelayUp

DATA :

```
{
        "_index" : ".ds-logs-system.security-default-2022.04.12-000003",
        "_id" : "Cwy1YoABQhClK0XGfqEU",
        "_source" : {
          "agent" : {
            "name" : "02694w-win10",
            "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
            "type" : "filebeat",
            "ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
            "version" : "8.0.0"
          },
          "process" : {
            "name" : "-",
            "pid" : 0,
            "executable" : "-"
          },
          "winlog" : {
            "computer_name" : "02694w-win10.corpcorp.com",
            "process" : {
              "pid" : 688,
              "thread" : {
                "id" : 9384
              }
            },
            "keywords" : [
              "Audit Success"
            ],
            "logon" : {
              "id" : "0x0",
              "type" : "Network"
            },
            "channel" : "Security",
            "event_data" : {
              "LogonGuid" : "{daac0d7c-3273-752c-bf5d-ea1c60851819}",
              "TargetOutboundDomainName" : "-",
              "VirtualAccount" : "%%1843",
              "LogonType" : "3",
              "TransmittedServices" : "-",
              "SubjectLogonId" : "0x0",
              "LmPackageName" : "-",
              "TargetOutboundUserName" : "-",
              "KeyLength" : "0",
              "RestrictedAdminMode" : "-",
              "TargetLogonId" : "0xebd3d4",
              "SubjectUserName" : "-",
              "TargetLinkedLogonId" : "0x0",
              "ElevatedToken" : "%%1842",
              "SubjectDomainName" : "-",
              "TargetUserName" : "Administrator",
              "ImpersonationLevel" : "%%1833",
              "LogonProcessName" : "Kerberos",
              "TargetDomainName" : "CORPCORP.COM",
              "SubjectUserSid" : "S-1-0-0",
              "AuthenticationPackageName" : "Kerberos",
              "TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500"
            },
            "opcode" : "Info",
            "version" : 2,
            "record_id" : "59063",
            "task" : "Logon",
            "event_id" : "4624",
            "provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
            "activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
            "api" : "wineventlog",
            "provider_name" : "Microsoft-Windows-Security-Auditing"
          },
          "log" : {
            "level" : "information"
          },
          "elastic_agent" : {
            "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
            "version" : "8.0.0",
            "snapshot" : false
          },
          "source" : {
            "port" : 50480,
            "ip" : "127.0.0.1",
            "domain" : "-"
          },
          "message" : """An account was successfully logged on.

Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-21-308926384-506822093-3341789130-500
	Account Name:		Administrator
	Account Domain:		CORPCORP.COM
	Logon ID:		0xEBD3D4
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{daac0d7c-3273-752c-bf5d-ea1c60851819}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	127.0.0.1
	Source Port:		50480

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
          "input" : {
            "type" : "winlog"
          },
          "@timestamp" : "2022-04-25T21:07:15.306Z",
          "ecs" : {
            "version" : "1.12.0"
          },
          "related" : {
            "ip" : [
              "127.0.0.1"
            ],
            "user" : [
              "Administrator"
            ]
          },
          "data_stream" : {
            "namespace" : "default",
            "type" : "logs",
            "dataset" : "system.security"
          },
          "host" : {
            "hostname" : "02694w-win10",
            "os" : {
              "build" : "18363.815",
              "kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
              "name" : "Windows 10 Enterprise",
              "family" : "windows",
              "type" : "windows",
              "version" : "10.0",
              "platform" : "windows"
            },
            "ip" : [
              "fe80::7587:a5c1:5a7b:68f6",
              "172.16.66.25"
            ],
            "name" : "02694w-win10.corpcorp.com",
            "id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
            "mac" : [
              "00:50:56:03:c6:93"
            ],
            "architecture" : "x86_64"
          },
          "event" : {
            "agent_id_status" : "verified",
            "ingested" : "2022-04-25T21:51:43Z",
            "code" : "4624",
            "provider" : "Microsoft-Windows-Security-Auditing",
            "kind" : "event",
            "created" : "2022-04-25T21:51:08.433Z",
            "action" : "logged-in",
            "category" : [
              "authentication"
            ],
            "type" : [
              "start"
            ],
            "dataset" : "system.security",
            "outcome" : "success"
          },
          "user" : {
            "domain" : "CORPCORP.COM",
            "name" : "Administrator",
            "id" : "S-1-5-21-308926384-506822093-3341789130-500"
          }
        }
      }
```

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-04-27 01:39:54 +02:00
..
collection_email_powershell_exchange_mailbox.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
collection_posh_audio_capture.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
collection_posh_keylogger.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
collection_posh_screen_grabber.toml
[Security Content] Add Investigation Guides - 2 (#1822)
2022-03-30 14:43:55 -03:00
collection_winrar_encryption.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
command_and_control_certutil_network_connection.toml
[Security Content] Add Investigation Guides - 2 (#1822)
2022-03-30 14:43:55 -03:00
command_and_control_common_webservices.toml
[Security Content] Add Investigation Guides - 2 (#1822)
2022-03-30 14:43:55 -03:00
command_and_control_dns_tunneling_nslookup.toml
[Security Content] Add Investigation Guides - 2 (#1822)
2022-03-30 14:43:55 -03:00
command_and_control_encrypted_channel_freesslcert.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
command_and_control_iexplore_via_com.toml
[Rule Tuning] Potential Command and Control via Internet Explorer (#1771)
2022-02-15 22:58:01 -03:00
command_and_control_port_forwarding_added_registry.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
command_and_control_rdp_tunnel_plink.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
command_and_control_remote_file_copy_mpcmdrun.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
command_and_control_remote_file_copy_powershell.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
command_and_control_remote_file_copy_scripts.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
command_and_control_sunburst_c2_activity_detected.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
command_and_control_teamviewer_remote_file_copy.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
credential_access_cmdline_dump_tool.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_credential_dumping_msbuild.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_dcsync_replication_rights.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
credential_access_disable_kerberos_preauth.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
credential_access_domain_backup_dpapi_private_keys.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
credential_access_dump_registry_hives.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_iis_connectionstrings_dumping.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_kerberoasting_unusual_process.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
credential_access_lsass_memdump_file_created.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_lsass_memdump_handle_access.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
credential_access_mimikatz_memssp_default_logs.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
credential_access_mimikatz_powershell_module.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
credential_access_mod_wdigest_security_provider.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_moving_registry_hive_via_smb.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
credential_access_persistence_network_logon_provider_modification.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
credential_access_posh_minidump.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
credential_access_posh_request_ticket.toml
[Security Content] Add Investigation Guides (#1799)
2022-03-24 18:16:00 -03:00
credential_access_potential_lsa_memdump_via_mirrordump.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_remote_sam_secretsdump.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
credential_access_saved_creds_vaultcmd.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
credential_access_seenabledelegationprivilege_assigned_to_user.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
credential_access_shadow_credentials.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
credential_access_spn_attribute_modified.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
credential_access_suspicious_comsvcs_imageload.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_suspicious_lsass_access_memdump.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_suspicious_lsass_access_via_snapshot.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
credential_access_suspicious_winreg_access_via_sebackup_priv.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_symbolic_link_to_shadow_copy_created.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
credential_access_via_snapshot_lsass_clone_creation.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_amsienable_key_mod.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_clearing_windows_console_history.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
defense_evasion_clearing_windows_event_logs.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_clearing_windows_security_logs.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
defense_evasion_code_injection_conhost.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_create_mod_root_certificate.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_cve_2020_0601.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_defender_disabled_via_registry.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_defender_exclusion_via_powershell.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_disable_posh_scriptblocklogging.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
defense_evasion_disabling_windows_defender_powershell.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_disabling_windows_logs.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_dns_over_https_enabled.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_dotnet_compiler_parent_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_enable_inbound_rdp_with_netsh.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
defense_evasion_enable_network_discovery_with_netsh.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_control_panel_suspicious_args.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_lolbas_wuauclt.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_msbuild_started_by_office_app.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_msbuild_started_by_script.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_msbuild_started_by_system_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_msbuild_started_renamed.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_msbuild_started_unusal_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_suspicious_explorer_winword.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_execution_windefend_unusual_path.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_file_creation_mult_extension.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_hide_encoded_executable_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
defense_evasion_iis_httplogging_disabled.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_injection_msbuild.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_installutil_beacon.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_masquerading_renamed_autoit.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_masquerading_trusted_directory.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_masquerading_werfault.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_microsoft_defender_tampering.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
[Rule Tuning] Rename extrac.exe to extrac32.exe (#1601)
2021-11-14 17:01:13 -09:00
defense_evasion_ms_office_suspicious_regmod.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_msbuild_beacon_sequence.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_msbuild_making_network_connections.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_mshta_beacon.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
defense_evasion_msxsl_beacon.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_msxsl_network.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
defense_evasion_network_connection_from_windows_binary.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_parent_process_pid_spoofing.toml
[New Rule] Parent Process PID Spoofing (#1338)
2021-07-15 22:55:46 +02:00
defense_evasion_posh_assembly_load.toml
[Rule Tuning] Update rules based on docs review (#1778)
2022-02-16 07:42:06 -09:00
defense_evasion_posh_compressed.toml
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807)
2022-03-03 07:37:25 -03:00
defense_evasion_posh_process_injection.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
defense_evasion_potential_processherpaderping.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_powershell_windows_firewall_disabled.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_process_termination_followed_by_deletion.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_rundll32_no_arguments.toml
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
2021-07-22 09:08:58 -08:00
defense_evasion_scheduledjobs_at_protocol_enabled.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_sdelete_like_filename_rename.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_sip_provider_mod.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_suspicious_certutil_commands.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_suspicious_execution_from_mounted_device.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_suspicious_managedcode_host_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_suspicious_process_access_direct_syscall.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_suspicious_process_creation_calltrace.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_suspicious_scrobj_load.toml
[Rule Tuning] Windows Suspicious Script Object Execution (#1081)
2021-04-14 23:54:39 +02:00
defense_evasion_suspicious_wmi_script.toml
[Rule tuning] Update rules based on docs review (#1663)
2022-01-28 10:41:22 -09:00
defense_evasion_suspicious_zoom_child_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_unusual_ads_file_creation.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_unusual_dir_ads.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_unusual_network_connection_via_dllhost.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_unusual_network_connection_via_rundll32.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
defense_evasion_unusual_process_network_connection.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
defense_evasion_unusual_system_vp_child_program.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_via_filter_manager.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_whitespace_padding_in_command_line.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_workfolders_control_execution.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
discovery_adfind_command_activity.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
discovery_admin_recon.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
discovery_file_dir_discovery.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
discovery_net_command_system_account.toml
Update discovery_net_command_system_account.toml (#1912)
2022-04-11 15:03:49 -03:00
discovery_net_view.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
discovery_peripheral_device.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
discovery_posh_suspicious_api_functions.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
discovery_post_exploitation_external_ip_lookup.toml
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)
2022-02-15 23:04:55 -03:00
discovery_privileged_localgroup_membership.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
discovery_remote_system_discovery_commands_windows.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
discovery_security_software_wmic.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
discovery_whoami_command_activity.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
execution_apt_solarwinds_backdoor_unusual_child_processes.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
execution_com_object_xwizard.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_command_prompt_connecting_to_the_internet.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
execution_command_shell_started_by_svchost.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_command_shell_started_by_unusual_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_command_shell_via_rundll32.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_downloaded_shortcut_files.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_downloaded_url_file.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_enumeration_via_wmiprvse.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_from_unusual_directory.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_from_unusual_path_cmdline.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_html_help_executable_program_connecting_to_the_internet.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_ms_office_written_file.toml
[Rule Tuning] Rule description tweaks (#1388)
2021-07-29 10:56:13 -08:00
execution_pdf_written_file.toml
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
2021-07-22 09:08:58 -08:00
execution_posh_portable_executable.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
execution_posh_psreflect.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
execution_psexec_lateral_movement_command.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_register_server_program_connecting_to_the_internet.toml
[Rule Tuning] Add EQL optional field syntax (#1910)
2022-04-05 16:32:37 -03:00
execution_scheduled_task_powershell_source.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
execution_shared_modules_local_sxs_dll.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_suspicious_cmd_wmi.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_suspicious_image_load_wmi_ms_office.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_suspicious_pdf_reader.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_suspicious_powershell_imgload.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_suspicious_psexesvc.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_suspicious_short_program_name.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_via_compiled_html_file.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_via_hidden_shell_conhost.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_via_xp_cmdshell_mssql_stored_procedure.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
impact_backup_file_deletion.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
impact_deleting_backup_catalogs_with_wbadmin.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
impact_modification_of_boot_config.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
impact_stop_process_service_threshold.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
impact_volume_shadow_copy_deletion_via_powershell.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
impact_volume_shadow_copy_deletion_via_wmic.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
initial_access_script_executing_powershell.toml
[Security Content] Add Investigation Guides - 4 (#1871)
2022-04-10 15:37:06 -03:00
initial_access_scripts_process_started_via_wmi.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
initial_access_suspicious_ms_exchange_files.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
initial_access_suspicious_ms_exchange_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
initial_access_suspicious_ms_exchange_worker_child_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
initial_access_suspicious_ms_office_child_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
initial_access_suspicious_ms_outlook_child_process.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
initial_access_unusual_dns_service_children.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
initial_access_unusual_dns_service_file_writes.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
initial_access_via_explorer_suspicious_child_parent_args.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
lateral_movement_cmd_service.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_dcom_hta.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
lateral_movement_dcom_mmc20.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
lateral_movement_direct_outbound_smb_connection.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
lateral_movement_dns_server_overflow.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
lateral_movement_evasion_rdp_shadowing.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
lateral_movement_executable_tool_transfer_smb.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_execution_from_tsclient_mup.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
lateral_movement_execution_via_file_shares_sequence.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_incoming_winrm_shell_execution.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_incoming_wmi.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_mount_hidden_or_webdav_share_net.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
lateral_movement_powershell_remoting_target.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
lateral_movement_rdp_enabled_registry.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
lateral_movement_rdp_sharprdp_target.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
lateral_movement_remote_file_copy_hidden_share.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
lateral_movement_remote_services.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_scheduled_task_target.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
lateral_movement_service_control_spawned_script_int.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
lateral_movement_suspicious_rdp_client_imageload.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
lateral_movement_via_startup_folder_rdp_smb.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_ad_adminsdholder.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
persistence_adobe_hijack_persistence.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
persistence_app_compat_shim.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_appcertdlls_registry.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_appinitdlls_registry.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_dontexpirepasswd_account.toml
[New Rule] Account configured with never Expiring Password (#1790)
2022-03-26 08:19:28 -03:00
persistence_evasion_hidden_local_account_creation.toml
[Security Content] Add Investigation Guides - 3 (#1836)
2022-04-12 15:58:50 -08:00
persistence_evasion_registry_ifeo_injection.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_evasion_registry_startup_shell_folder_modified.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
persistence_gpo_schtask_service_creation.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_local_scheduled_job_creation.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_local_scheduled_task_creation.toml
[Rule Tuning] Add EQL optional field syntax (#1910)
2022-04-05 16:32:37 -03:00
persistence_local_scheduled_task_scripting.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_ms_office_addins_file.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_ms_outlook_vba_template.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_msds_alloweddelegateto_krbtgt.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
persistence_powershell_exch_mailbox_activesync_add_device.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_priv_escalation_via_accessibility_features.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
persistence_registry_uncommon.toml
[Rule Tuning] Timeline Templates For Windows and Linux (#1892)
2022-04-01 13:44:35 -04:00
persistence_remote_password_reset.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
persistence_run_key_and_startup_broad.toml
[Rule Tuning] Timeline Templates For Windows and Linux (#1892)
2022-04-01 13:44:35 -04:00
persistence_runtime_run_key_startup_susp_procs.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_sdprop_exclusion_dsheuristics.toml
[Security Content] Current Investigation Guides Review (#1896)
2022-04-12 22:05:13 -03:00
persistence_services_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_startup_folder_file_written_by_suspicious_process.toml
[Security Content] Add Investigation Guides - 4 (#1871)
2022-04-10 15:37:06 -03:00
persistence_startup_folder_file_written_by_unsigned_process.toml
[Security Content] Add Investigation Guides - 4 (#1871)
2022-04-10 15:37:06 -03:00
persistence_startup_folder_scripts.toml
[Security Content] Add Investigation Guides - 4 (#1871)
2022-04-10 15:37:06 -03:00
persistence_suspicious_com_hijack_registry.toml
[Rule Tuning] Exclude MS OneDrive/Teams from Component Object Model Hijacking (#1932)
2022-04-26 11:43:33 -04:00
persistence_suspicious_image_load_scheduled_task_ms_office.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_suspicious_scheduled_task_runtime.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_suspicious_service_created_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_system_shells_via_services.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
persistence_time_provider_mod.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
persistence_user_account_added_to_privileged_group_ad.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
persistence_user_account_creation_event_logs.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
persistence_user_account_creation.toml
[Security Content] Add Investigation Guides - 4 (#1871)
2022-04-10 15:37:06 -03:00
persistence_via_application_shimming.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_via_bits_job_notify_command.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_via_hidden_run_key_valuename.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_via_lsa_security_support_provider_registry.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_via_update_orchestrator_service_hijack.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_via_windows_management_instrumentation_event_subscription.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_via_wmi_stdregprov_run_services.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_webshell_detection.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_disable_uac_registry.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_group_policy_iniscript.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
privilege_escalation_group_policy_privileged_groups.toml
[Security Content] Adjust Investigation Guides to be less generic (#1805)
2022-03-31 11:29:30 -03:00
privilege_escalation_group_policy_scheduled_task.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
privilege_escalation_installertakeover.toml
MInor changes from Investigation Guides Review (#1927)
2022-04-13 16:53:29 -08:00
privilege_escalation_krbrelayup_suspicious_logon.toml
[New Rule] Potential Privileged Escalation via KrbRelayUp (#1940)
2022-04-27 01:39:54 +02:00
privilege_escalation_lsa_auth_package.toml
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)
2022-02-15 23:04:55 -03:00
privilege_escalation_named_pipe_impersonation.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_persistence_phantom_dll.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
privilege_escalation_port_monitor_print_pocessor_abuse.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
privilege_escalation_printspooler_registry_copyfiles.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
privilege_escalation_printspooler_service_suspicious_file.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_printspooler_suspicious_file_deletion.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
privilege_escalation_printspooler_suspicious_spl_file.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_rogue_windir_environment_var.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
privilege_escalation_samaccountname_spoofing_attack.toml
[Rule Tuning] Remove logs-windows.* index (#1928)
2022-04-14 09:25:44 -03:00
privilege_escalation_uac_bypass_com_clipup.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_uac_bypass_com_ieinstal.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_uac_bypass_dll_sideloading.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_uac_bypass_event_viewer.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_uac_bypass_mock_windir.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_uac_sdclt.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_unusual_parentchild_relationship.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_unusual_printspooler_childprocess.toml
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
privilege_escalation_unusual_svchost_childproc_childless.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_via_rogue_named_pipe.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
privilege_escalation_windows_service_via_unusual_client.toml
[New Rule] Windows Service Installed via an Unusual Client (#1759)
2022-02-11 21:56:59 +01:00
privilege_escalation_wpad_exploitation.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00