sigma-rules

Files

T

Samirbous 9792d967d7 [Rule Tuning] Convert to EQL 5 existing rules (#414 )

* [Rule Tuning] 5 rules

* [Rule Tuning] Converted two IIS CredAccess rules to EQL

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/evasion_rundll32_no_arguments.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* deleted. rule looks incompatible with endpoint

* fixing units testing error

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* desc

* fixed tags duplicate

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_rundll32_no_arguments.toml

* adjusted process args count to 1

adjusted process args count to 1 to account for winlogbeat Windows process creation events 4688 with missing cmdline value (avoid FPs).

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

2020-12-08 21:07:26 +01:00

command_and_control_certutil_network_connection.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

command_and_control_common_webservices.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

command_and_control_dns_tunneling_nslookup.toml

[New Rule] Potential DNS Tunneling with Nslookup (#522 )

2020-12-07 20:16:17 +01:00

command_and_control_encrypted_channel_freesslcert.toml

[New Rule] Connection to Commonly Abused Free SSL Certificate Providers (#478 )

2020-12-08 16:16:11 +01:00

command_and_control_iexplore_via_com.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

command_and_control_remote_file_copy_desktopimgdownldr.toml

[Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667 )

2020-12-03 01:00:24 -09:00

command_and_control_remote_file_copy_mpcmdrun.toml

[Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667 )

2020-12-03 01:00:24 -09:00

command_and_control_remote_file_copy_scripts.toml

[New Rule] Remote File Download via Scripting (#647 )

2020-12-08 12:37:51 +01:00

command_and_control_teamviewer_remote_file_copy.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

credential_access_cmdline_dump_tool.toml

[New Rule] Potential Credential Access with LolBas (#620 )

2020-12-08 17:56:25 +01:00

credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

[New Rule] NTDS or SAM Database File Copied (#622 )

2020-12-08 16:55:35 +01:00

credential_access_credential_dumping_msbuild.toml

[Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667 )

2020-12-03 01:00:24 -09:00

credential_access_domain_backup_dpapi_private_keys.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

credential_access_dump_registry_hives.toml

[New Rule] Credential Acquisition via Registry Hive Dumping (#607 )

2020-12-02 20:31:22 +01:00

credential_access_iis_apppoolsa_pwd_appcmd.toml

[Rule Tuning] Convert to EQL 5 existing rules (#414 )

2020-12-08 21:07:26 +01:00

credential_access_iis_connectionstrings_dumping.toml

[Rule Tuning] Convert to EQL 5 existing rules (#414 )

2020-12-08 21:07:26 +01:00

credential_access_kerberoasting_unusual_process.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

credential_access_lsass_memdump_file_created.toml

[New Rule] Lsass Memory Dump Created (#618 )

2020-12-08 17:24:51 +01:00

credential_access_mimikatz_memssp_default_logs.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_clearing_windows_event_logs.toml

[Rule Tuning] Clearing or Disabling Windows Event Logs (#393 )

2020-12-02 20:35:35 +01:00

defense_evasion_code_injection_conhost.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_cve_2020_0601.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_delete_volume_usn_journal_with_fsutil.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_deleting_backup_catalogs_with_wbadmin.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_disable_windows_firewall_rules_with_netsh.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_dotnet_compiler_parent_process.toml

[New Rule] - Execution from Unusual Directory (#433 )

2020-12-08 18:46:56 +01:00

defense_evasion_enable_inbound_rdp_with_netsh.toml

[New Rule] Remote Desktop Enabled in Windows Firewall (#368 )

2020-12-02 21:27:18 +01:00

defense_evasion_encoding_or_decoding_files_via_certutil.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_execution_lolbas_wuauclt.toml

[New Rule] Lolbas ImageLoad via Windows Update Client (#366 )

2020-12-08 18:54:09 +01:00

defense_evasion_execution_msbuild_started_by_office_app.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_execution_msbuild_started_by_script.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_execution_msbuild_started_by_system_process.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_execution_msbuild_started_renamed.toml

[Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667 )

2020-12-03 01:00:24 -09:00

defense_evasion_execution_msbuild_started_unusal_process.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_execution_suspicious_explorer_winword.toml

[Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667 )

2020-12-03 01:00:24 -09:00

defense_evasion_execution_via_trusted_developer_utilities.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_hide_encoded_executable_registry.toml

[New Rule] Encoded Executable Stored in the Registry (#636 )

2020-12-08 20:51:14 +01:00

defense_evasion_iis_httplogging_disabled.toml

[Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667 )

2020-12-03 01:00:24 -09:00

defense_evasion_injection_msbuild.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_installutil_beacon.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_masquerading_as_elastic_endpoint_process.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_masquerading_renamed_autoit.toml

[Rule Tuning] Convert to EQL 5 existing rules (#414 )

2020-12-08 21:07:26 +01:00

defense_evasion_masquerading_suspicious_werfault_childproc.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_masquerading_trusted_directory.toml

[New Rule] Program Files Directory Masquerading (#581 )

2020-12-08 17:04:31 +01:00

defense_evasion_masquerading_werfault.toml

[Rule Tuning] Process Potentially Masquerading as WerFault (#653 )

2020-12-03 20:26:37 +01:00

defense_evasion_misc_lolbin_connecting_to_the_internet.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_modification_of_boot_config.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_msbuild_beacon_sequence.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_mshta_beacon.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_msxsl_beacon.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_network_connection_from_windows_binary.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_port_forwarding_added_registry.toml

[New Rule] New Port Forwarding Rule Added (#630 )

2020-12-08 17:32:08 +01:00

defense_evasion_potential_processherpaderping.toml

[New Rule] Potential ProcessHerpaderping Detected (#418 )

2020-12-07 20:08:12 +01:00

defense_evasion_reg_beacon.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_rundll32_no_arguments.toml

[Rule Tuning] Convert to EQL 5 existing rules (#414 )

2020-12-08 21:07:26 +01:00

defense_evasion_scheduledjobs_at_protocol_enabled.toml

[New Rule] Scheduled Jobs AT Protocol Enabled (#609 )

2020-12-08 16:52:17 +01:00

defense_evasion_sdelete_like_filename_rename.toml

[Rule Tuning] Convert to EQL 5 existing rules (#414 )

2020-12-08 21:07:26 +01:00

defense_evasion_suspicious_managedcode_host_process.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_suspicious_powershell_imgload.toml

[New Rule] Suspicious PowerShell Engine ImageLoad (#559 )

2020-12-04 16:48:01 +01:00

defense_evasion_suspicious_scrobj_load.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_suspicious_wmi_script.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_suspicious_zoom_child_process.toml

[Rule Tuning] Convert to EQL 5 existing rules (#414 )

2020-12-08 21:07:26 +01:00

defense_evasion_system_critical_proc_abnormal_file_activity.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_unusual_system_vp_child_program.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_via_filter_manager.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

defense_evasion_volume_shadow_copy_deletion_via_wmic.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

discovery_net_command_system_account.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

discovery_peripheral_device.toml

[New Rule] Peripheral Device Discovery (#446 )

2020-12-04 20:55:19 +01:00

discovery_process_discovery_via_tasklist_command.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

discovery_security_software_wmic.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

discovery_whoami_command_activity.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_command_prompt_connecting_to_the_internet.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_command_shell_started_by_powershell.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_command_shell_started_by_svchost.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_command_shell_started_by_unusual_process.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_command_shell_via_rundll32.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_downloaded_shortcut_files.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_downloaded_url_file.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_from_unusual_directory.toml

[New Rule] - Execution from Unusual Directory (#433 )

2020-12-08 18:46:56 +01:00

execution_from_unusual_path_cmdline.toml

[New Rule] Execution from unusual directory - CommandLine (#435 )

2020-12-08 16:13:52 +01:00

execution_html_help_executable_program_connecting_to_the_internet.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_local_service_commands.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_ms_office_written_file.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_msbuild_making_network_connections.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_mshta_making_network_connections.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_msxsl_network.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_pdf_written_file.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_psexec_lateral_movement_command.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_register_server_program_connecting_to_the_internet.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_script_executing_powershell.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_scripts_process_started_via_wmi.toml

[New Rule] Windows Script Executing a Process via WMI (#643 )

2020-12-08 19:23:48 +01:00

execution_shared_modules_local_sxs_dll.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_suspicious_image_load_wmi_ms_office.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_suspicious_ms_office_child_process.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_suspicious_ms_outlook_child_process.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_suspicious_pdf_reader.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_suspicious_psexesvc.toml

[Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable (#502 )

2020-12-08 17:27:16 +01:00

execution_suspicious_short_program_name.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_unusual_dns_service_children.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_unusual_dns_service_file_writes.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_unusual_network_connection_via_rundll32.toml

[Rule Tuning] Unusual Network Connection via RunDLL32 (#693 )

2020-12-08 12:01:17 +01:00

execution_unusual_process_network_connection.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_via_compiled_html_file.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_via_explorer_suspicious_child_parent_args.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_via_hidden_shell_conhost.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_via_net_com_assemblies.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_via_xp_cmdshell_mssql_stored_procedure.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

execution_wpad_exploitation.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

lateral_movement_cmd_service.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

lateral_movement_dcom_hta.toml

[New Rule ] Incoming DCOM Lateral Movement with MSHTA (#459 )

2020-12-04 20:49:54 +01:00

lateral_movement_dcom_mmc20.toml

[New Rule] Incoming DCOM Lateral Movement with MMC (#488 )

2020-12-08 16:19:26 +01:00

lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

[New Rule] Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindow (#486 )

2020-12-04 17:37:31 +01:00

lateral_movement_direct_outbound_smb_connection.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

lateral_movement_dns_server_overflow.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

lateral_movement_executable_tool_transfer_smb.toml

[New Rule] Lateral Executable Transfer Over SMB (#517 )

2020-12-02 21:03:31 +01:00

lateral_movement_execution_from_tsclient_mup.toml

[New Rule] Execution from TSClient Mountpoint (#524 )

2020-12-08 16:30:10 +01:00

lateral_movement_execution_via_file_shares_sequence.toml

[New Rule] Remote Execution via File Shares (#455 )

2020-12-02 21:20:13 +01:00

lateral_movement_incoming_winrm_shell_execution.toml

[New Rule] Incoming Execution with WinRM Remote Shell (#616 )

2020-12-08 11:28:37 +01:00

lateral_movement_incoming_wmi.toml

[New Rule] WMI Incoming Lateral Movement (#532 )

2020-12-08 16:57:41 +01:00

lateral_movement_mount_hidden_or_webdav_share_net.toml

[New Rule] Mounting Hidden or WebDav Remote Shares (#444 )

2020-12-08 16:50:09 +01:00

lateral_movement_powershell_remoting_target.toml

[New Rule] Incoming Execution via PowerShell Remoting (#624 )

2020-12-08 17:16:10 +01:00

lateral_movement_rdp_enabled_registry.toml

[New Rule] Enable RDP Through Registry (#632 )

2020-12-08 16:32:24 +01:00

lateral_movement_rdp_sharprdp_target.toml

[New Rule] Potential SharpRdp Detected (#527 )

2020-12-08 17:00:51 +01:00

lateral_movement_rdp_tunnel_plink.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

lateral_movement_remote_file_copy_hidden_share.toml

[New Rule] Remote File Copy to a Hidden Share (#474 )

2020-12-08 16:07:18 +01:00

lateral_movement_remote_services.toml

[New Rule] Remotely Started Services (#542 )

2020-12-08 11:31:03 +01:00

lateral_movement_scheduled_task_target.toml

[New Rule] Remote Scheduled Task Creation (#598 )

2020-12-08 16:40:48 +01:00

lateral_movement_suspicious_cmd_wmi.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

lateral_movement_suspicious_rdp_client_imageload.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

lateral_movement_via_startup_folder_rdp_smb.toml

[New Rule] Lateral Movement via Startup Folder (#663 )

2020-12-02 21:22:43 +01:00

persistence_adobe_hijack_persistence.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_app_compat_shim.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_appcertdlls_registry.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_appinitdlls_registry.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_evasion_registry_ifeo_injection.toml

[New Rule] Image File Execution Options Injection (#550 )

2020-12-08 17:13:00 +01:00

persistence_gpo_schtask_service_creation.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_local_scheduled_task_commands.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_local_scheduled_task_scripting.toml

[New Rule] Scheduled Task Created by a Windows Script (#649 )

2020-12-03 23:10:51 +01:00

persistence_ms_office_addins_file.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_ms_outlook_vba_template.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_priv_escalation_via_accessibility_features.toml

[Rule Tuning] Potential Modification of Accessibility Binaries (#546 )

2020-12-08 12:42:34 +01:00

persistence_registry_uncommon.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_run_key_and_startup_broad.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_runtime_run_key_startup_susp_procs.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_services_registry.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_startup_folder_file_written_by_suspicious_process.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_startup_folder_file_written_by_unsigned_process.toml

[New Rule] Persistence with Startup Folder by Unsigned Process (#651 )

2020-12-08 12:39:44 +01:00

persistence_startup_folder_scripts.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_suspicious_com_hijack_registry.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_suspicious_image_load_scheduled_task_ms_office.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_suspicious_scheduled_task_runtime.toml

[New Rule] Suspicious Execution via Scheduled Task (#584 )

2020-12-08 17:20:21 +01:00

persistence_suspicious_service_created_registry.toml

[New Rule] Suspicious Service ImagePath Created (#603 )

2020-12-04 17:14:54 +01:00

persistence_system_shells_via_services.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_user_account_creation.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_via_application_shimming.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

persistence_via_hidden_run_key_valuename.toml

[New Rule] Persistence via Hidden Run Key ValName (#534 )

2020-12-08 16:38:23 +01:00

persistence_via_lsa_security_support_provider_registry.toml

[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 )

2020-12-08 20:35:18 +01:00

persistence_via_telemetrycontroller_scheduledtask_hijack.toml

[Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655 )

2020-12-03 22:59:46 +01:00

persistence_via_update_orchestrator_service_hijack.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_named_pipe_impersonation.toml

[New Rule] Privilege Escalation via Named Pipe Impersonation (#605 )

2020-12-04 17:05:30 +01:00

privilege_escalation_printspooler_registry_copyfiles.toml

[New Rule] Suspicious PrintSpooler Point and Print DLL (#641 )

2020-12-08 15:07:26 +01:00

privilege_escalation_printspooler_service_suspicious_file.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_printspooler_suspicious_spl_file.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_rogue_windir_environment_var.toml

[New Rule] Privilege Escalation via Windir Environment Variable (#638 )

2020-12-08 16:21:42 +01:00

privilege_escalation_uac_bypass_com_clipup.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_uac_bypass_com_ieinstal.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_uac_bypass_com_interface_icmluautil.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_uac_bypass_diskcleanup_hijack.toml

[Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#499 )

2020-12-08 16:34:36 +01:00

privilege_escalation_uac_bypass_dll_sideloading.toml

[New Rule] UAC Bypass via privileged IFileOperation (#416 )

2020-12-03 20:43:57 +01:00

privilege_escalation_uac_bypass_event_viewer.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_uac_bypass_mock_windir.toml

[New Rule] UAC Bypass via Mocking Windir (#411 )

2020-12-08 15:55:36 +01:00

privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_uac_sdclt.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_unusual_parentchild_relationship.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

privilege_escalation_unusual_svchost_childproc_childless.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00