Samirbous 4609a5e8fe [New Rule] Scheduled Task Creation using winlog (#2277) ...

* [New Rule] Scheduled Task Creation using winlog

https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task)

- A scheduled task was created
- A scheduled task was updated
- Temp scheduled task (creation followed by deletion, rare and can be sign of proxy execution via schedule service)

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* toml-lint

* remote task

* Update non-ecs-schema.json

* waaaaaaaaaaaaaa

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update lateral_movement_remote_task_creation_winlog.toml

* event.ingested

* Update lateral_movement_remote_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

2022-09-19 18:50:45 +02:00

..

etc

[New Rule] Scheduled Task Creation using winlog (#2277)

2022-09-19 18:50:45 +02:00

schemas

Prep for 8.5 branch (#2220)

2022-08-09 17:14:42 -04:00

__init__.py

reset evasion rules (#1902)

2022-03-29 15:47:48 -08:00

__main__.py

Move Rule into a dataclass (#1029)

2021-03-24 10:24:32 -06:00

attack.py

Generate ATT&CK navigator layer files and links (#1787)

2022-03-04 08:20:44 -09:00

beats.py

Move etc under detection_rules (#1885)

2022-05-02 10:11:21 -04:00

cli_utils.py

Add index as a required field to rule_prompt (#1595)

2021-11-14 17:05:42 -09:00

devtools.py

Add test command to verify version collisions do not occur (#2272)

2022-09-19 09:53:30 -06:00

docs.py

Generate ATT&CK navigator layer files and links (#1787)

2022-03-04 08:20:44 -09:00

ecs.py

Cleanup rule survey code (#1923)

2022-09-06 15:53:47 -06:00

eswrap.py

[Bug] Keyerror on rule-survey hits (#2293)

2022-09-13 11:38:29 -04:00

ghwrap.py

Generate ATT&CK navigator layer files and links (#1787)

2022-03-04 08:20:44 -09:00

integrations.py

add new field related_integrations to the post build (#2060)

2022-08-08 13:44:36 -04:00

kbwrap.py

Cleanup rule survey code (#1923)

2022-09-06 15:53:47 -06:00

main.py

Release ER Production RTAs to DR (#2270)

2022-09-08 12:50:39 -04:00

mappings.py

Release ER Production RTAs to DR (#2270)

2022-09-08 12:50:39 -04:00

misc.py

Cleanup rule survey code (#1923)

2022-09-06 15:53:47 -06:00

mixins.py

Add support for restricted fields (#2053)

2022-06-27 10:02:15 -05:00

ml.py

Refactor experimental ML CLI and code (#1218)

2021-06-02 20:37:12 -08:00

navigator.py

Replace * in navigator filenames (#1813)

2022-03-04 08:45:55 -09:00

packaging.py

[Bug] resolves bug in Rule version methods (#2021)

2022-06-07 15:40:46 -08:00

rule_formatter.py

[Bug] Fix toml-lint ordering of Mitre metadata #1249 (#1774)

2022-02-22 13:57:49 -05:00

rule_loader.py

Add delta command to determine changes to endpoint rules between tags (#1943)

2022-05-03 12:30:11 -08:00

rule_validators.py

Add new required_fields as a build-time restricted field (#2059)

2022-07-06 11:49:44 -04:00

rule.py

Add test command to verify version collisions do not occur (#2272)

2022-09-19 09:53:30 -06:00

semver.py

Add test command to verify version collisions do not occur (#2272)

2022-09-19 09:53:30 -06:00

utils.py

add new field related_integrations to the post build (#2060)

2022-08-08 13:44:36 -04:00

version_lock.py

Add test command to verify version collisions do not occur (#2272)

2022-09-19 09:53:30 -06:00