security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8ca32f14237da3aef0f2fae5437c5b4e8335c977
sigma-rules/rules/windows
T
History
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
..
command_and_control_certutil_network_connection.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
command_and_control_remote_file_copy_mpcmdrun.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
command_and_control_teamviewer_remote_file_copy.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
credential_access_credential_dumping_msbuild.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
credential_access_domain_backup_dpapi_private_keys.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
credential_access_iis_connectionstrings_dumping.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
credential_access_mimikatz_memssp_default_logs.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_clearing_windows_event_logs.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_code_injection_conhost.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_cve_2020_0601.toml
[Rule Tuning] Tag Categorization Updates (#380)
2020-10-26 13:50:45 -05:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_dotnet_compiler_parent_process.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_encoding_or_decoding_files_via_certutil.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_execution_msbuild_started_by_office_app.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_execution_msbuild_started_by_script.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_execution_msbuild_started_by_system_process.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_execution_msbuild_started_renamed.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_execution_msbuild_started_unusal_process.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_execution_suspicious_explorer_winword.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_execution_via_trusted_developer_utilities.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_iis_httplogging_disabled.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_injection_msbuild.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_installutil_beacon.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_masquerading_renamed_autoit.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_masquerading_werfault.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_modification_of_boot_config.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_msbuild_beacon_sequence.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_mshta_beacon.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_msxsl_beacon.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_network_connection_from_windows_binary.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_reg_beacon.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_rundll32_no_arguments.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_rundll32_sequence.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_sdelete_like_filename_rename.toml
[Rule Tuning] Tag Categorization Updates (#380)
2020-10-26 13:50:45 -05:00
defense_evasion_suspicious_managedcode_host_process.toml
[Rule Tuning] Tag Categorization Updates (#380)
2020-10-26 13:50:45 -05:00
defense_evasion_suspicious_scrobj_load.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_suspicious_wmi_script.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_suspicious_zoom_child_process.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_unusual_system_vp_child_program.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_via_filter_manager.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
discovery_net_command_system_account.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
discovery_process_discovery_via_tasklist_command.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
discovery_whoami_command_activity.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_command_prompt_connecting_to_the_internet.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_command_shell_started_by_powershell.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_command_shell_started_by_svchost.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_command_shell_started_by_unusual_process.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_downloaded_shortcut_files.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_downloaded_url_file.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_html_help_executable_program_connecting_to_the_internet.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_local_service_commands.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_ms_office_written_file.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_msbuild_making_network_connections.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_mshta_making_network_connections.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_msxsl_network.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_pdf_written_file.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_psexec_lateral_movement_command.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_register_server_program_connecting_to_the_internet.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_script_executing_powershell.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_suspicious_ms_office_child_process.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_suspicious_ms_outlook_child_process.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_suspicious_pdf_reader.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_suspicious_psexesvc.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_unusual_dns_service_children.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_unusual_dns_service_file_writes.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_unusual_network_connection_via_rundll32.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_unusual_process_network_connection.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_via_compiled_html_file.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_via_hidden_shell_conhost.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_via_net_com_assemblies.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_via_xp_cmdshell_mssql_stored_procedure.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
execution_wpad_exploitation.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
lateral_movement_cmd_service.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
lateral_movement_direct_outbound_smb_connection.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
lateral_movement_dns_server_overflow.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_adobe_hijack_persistence.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_app_compat_shim.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_gpo_schtask_service_creation.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_local_scheduled_task_commands.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_priv_escalation_via_accessibility_features.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_system_shells_via_services.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_user_account_creation.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_via_application_shimming.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
persistence_via_update_orchestrator_service_hijack.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
privilege_escalation_printspooler_service_suspicious_file.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
privilege_escalation_printspooler_suspicious_spl_file.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
privilege_escalation_uac_bypass_event_viewer.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
privilege_escalation_uac_sdclt.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00
privilege_escalation_unusual_parentchild_relationship.toml
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00