79a5ca9b78
* bump package version to 7.12
* Auth to Kibana connector using an existing cookie (#711)
* [New Rule] APT Solarwinds Backdoor Behavior - 3 rules
* ruleID
* fixed process names to include both 32 and 64 bits
* fixed process names to include both 32 and 64 bits
* deleted unnecessary condition
* adjusted rule to cover cmd and ps
* renamed rule and fixed tactic
* added rule to SW package - Exporting MailBox with Powershell
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
  Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
  Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added details to FP tag as sug by JLB
* added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
  Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* relinted
* adjusted desc and FPs
* adjusted alert name as sug by DevK
* Update collection_email_powershell_exchange_mailbox.toml
* Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
  Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
  Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
  Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* updated registry to include symlink
* Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
  Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* added T1195 as sug by JLB
* added T1195 as sug by JLB
* added T1195 as sug by JLB
* added pwsh as sug by Dan
* added pwsh as sug by Dan
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725)
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
  Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* fixed - added pwsh to seq_netblock
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
  Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
  Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
  Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
  Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
  Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
  Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
  Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Restore packages file

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is kept flat because nested file hierarchies are hard to navigate and make it harder to find what you're looking for. Each directory contains several `.toml` files, and the primary ATT&CK tactic is included in the file name where relevant (e.g. `windows/execution_via_compiled_html_file.toml`).
| folder | description |
|---|---|
| `.` | Root directory where rules are stored |
| `apm/` | Rules that use Application Performance Monitoring (APM) data sources |
| `aws/` | Rules written for the Amazon Web Services (AWS) module of Filebeat |
| `cross-platform/` | Rules that apply to multiple platforms, such as Windows and Linux |
| `linux/` | Rules for Linux or other Unix-based operating systems |
| `macos/` | Rules for macOS |
| `ml/` | Rules that use machine learning (ML) jobs |
| `network/` | Rules that use network data sources |
| `okta/` | Rules written for the Okta module of Filebeat |
| `promotions/` | Rules that promote external alerts into detection engine alerts |
| `windows/` | Rules for the Microsoft Windows operating system |