security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a6582351b5f82f325810ffc4d0efa21411ad15dc
sigma-rules/rules/windows
T
History
Samirbous a6582351b5 [New Rule] Potential Remote Credential Access via Registry (#1804) 
* [New Rule] Potential Remote Credential Access via Registry

4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624).

Example of data :

* Delete workspace.xml

* Update credential_access_remote_sam_secretsdump.toml

* Update credential_access_remote_sam_secretsdump.toml

* add non ecs field

* Update non-ecs-schema.json

* Update credential_access_remote_sam_secretsdump.toml

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-03 16:28:03 +01:00
..
collection_email_powershell_exchange_mailbox.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
collection_posh_audio_capture.toml
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807)
2022-03-03 07:37:25 -03:00
collection_posh_keylogger.toml
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807)
2022-03-03 07:37:25 -03:00
collection_posh_screen_grabber.toml
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807)
2022-03-03 07:37:25 -03:00
collection_winrar_encryption.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_certutil_network_connection.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
command_and_control_common_webservices.toml
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)
2022-02-15 23:04:55 -03:00
command_and_control_dns_tunneling_nslookup.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_encrypted_channel_freesslcert.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
command_and_control_iexplore_via_com.toml
[Rule Tuning] Potential Command and Control via Internet Explorer (#1771)
2022-02-15 22:58:01 -03:00
command_and_control_port_forwarding_added_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
command_and_control_rdp_tunnel_plink.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
command_and_control_remote_file_copy_mpcmdrun.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
command_and_control_remote_file_copy_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
command_and_control_remote_file_copy_scripts.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
command_and_control_sunburst_c2_activity_detected.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_teamviewer_remote_file_copy.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
credential_access_cmdline_dump_tool.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_credential_dumping_msbuild.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
credential_access_dcsync_replication_rights.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
credential_access_disable_kerberos_preauth.toml
[New Rule] Kerberos Preauthentication Disabled for User (#1717)
2022-01-31 12:31:20 -03:00
credential_access_domain_backup_dpapi_private_keys.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_dump_registry_hives.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_iis_connectionstrings_dumping.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_kerberoasting_unusual_process.toml
[Rule Tuning] Update rules based on docs review (#1778)
2022-02-16 07:42:06 -09:00
credential_access_lsass_memdump_file_created.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_lsass_memdump_handle_access.toml
[New Rule] LSASS Memory Dump (#1784)
2022-02-24 08:14:01 -05:00
credential_access_mimikatz_memssp_default_logs.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
credential_access_mimikatz_powershell_module.toml
[Rule tuning] Update rules based on docs review (#1663)
2022-01-28 10:41:22 -09:00
credential_access_mod_wdigest_security_provider.toml
Update credential_access_mod_wdigest_security_provider.toml (#1751)
2022-02-04 15:38:12 -03:00
credential_access_moving_registry_hive_via_smb.toml
[New Rule] Registry Hive File Creation via SMB (#1779)
2022-03-02 10:12:17 +01:00
credential_access_persistence_network_logon_provider_modification.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
credential_access_posh_minidump.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
credential_access_posh_request_ticket.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
credential_access_potential_lsa_memdump_via_mirrordump.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
credential_access_remote_sam_secretsdump.toml
[New Rule] Potential Remote Credential Access via Registry (#1804)
2022-03-03 16:28:03 +01:00
credential_access_saved_creds_vaultcmd.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_seenabledelegationprivilege_assigned_to_user.toml
[New Rule] SeEnableDelegationPrivilege assigned to User (#1737)
2022-01-31 12:22:54 -03:00
credential_access_shadow_credentials.toml
[New Rule] Potential Shadow Credentials added to AD Object (#1729)
2022-02-04 15:49:04 -03:00
credential_access_suspicious_comsvcs_imageload.toml
[Rule Tuning] Update rules based on docs review (#1778)
2022-02-16 07:42:06 -09:00
credential_access_suspicious_lsass_access_memdump.toml
[Rule Tuning] Update rules based on docs review (#1778)
2022-02-16 07:42:06 -09:00
credential_access_suspicious_lsass_access_via_snapshot.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
[Rule Tuning] Update rules based on docs review (#1778)
2022-02-16 07:42:06 -09:00
credential_access_via_snapshot_lsass_clone_creation.toml
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632)
2021-12-08 11:16:14 +01:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_amsienable_key_mod.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
defense_evasion_clearing_windows_console_history.toml
[New Rule] Clearing Windows Console History (#1623)
2021-11-25 13:25:21 -03:00
defense_evasion_clearing_windows_event_logs.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_clearing_windows_security_logs.toml
[Rule Tuning] Add system index to Windows Event Logs Cleared (#1502)
2021-09-24 12:04:56 -05:00
defense_evasion_code_injection_conhost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_create_mod_root_certificate.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_cve_2020_0601.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_defender_disabled_via_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
defense_evasion_defender_exclusion_via_powershell.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_disable_posh_scriptblocklogging.toml
[New Rule] PowerShell Script Block Logging Disabled (#1749)
2022-02-04 15:44:27 -03:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_disabling_windows_defender_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_disabling_windows_logs.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_dns_over_https_enabled.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_dotnet_compiler_parent_process.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_enable_inbound_rdp_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_enable_network_discovery_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_control_panel_suspicious_args.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_execution_lolbas_wuauclt.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_execution_msbuild_started_by_office_app.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_by_script.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_execution_msbuild_started_by_system_process.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_renamed.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_unusal_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_execution_suspicious_explorer_winword.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_execution_windefend_unusual_path.toml
Update defense_evasion_execution_windefend_unusual_path.toml (#1492)
2021-10-05 16:38:01 -03:00
defense_evasion_file_creation_mult_extension.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
defense_evasion_hide_encoded_executable_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
defense_evasion_iis_httplogging_disabled.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_injection_msbuild.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_installutil_beacon.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_masquerading_renamed_autoit.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_masquerading_trusted_directory.toml
[Rule tuning] Update rules based on docs review (#1663)
2022-01-28 10:41:22 -09:00
defense_evasion_masquerading_werfault.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_microsoft_defender_tampering.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
[Rule Tuning] Rename extrac.exe to extrac32.exe (#1601)
2021-11-14 17:01:13 -09:00
defense_evasion_ms_office_suspicious_regmod.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
defense_evasion_msbuild_beacon_sequence.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_msbuild_making_network_connections.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_mshta_beacon.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
defense_evasion_msxsl_beacon.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_msxsl_network.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
defense_evasion_network_connection_from_windows_binary.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_parent_process_pid_spoofing.toml
[New Rule] Parent Process PID Spoofing (#1338)
2021-07-15 22:55:46 +02:00
defense_evasion_posh_assembly_load.toml
[Rule Tuning] Update rules based on docs review (#1778)
2022-02-16 07:42:06 -09:00
defense_evasion_posh_compressed.toml
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807)
2022-03-03 07:37:25 -03:00
defense_evasion_posh_process_injection.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
defense_evasion_potential_processherpaderping.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_powershell_windows_firewall_disabled.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
defense_evasion_process_termination_followed_by_deletion.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_rundll32_no_arguments.toml
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
2021-07-22 09:08:58 -08:00
defense_evasion_scheduledjobs_at_protocol_enabled.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
defense_evasion_sdelete_like_filename_rename.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
defense_evasion_sip_provider_mod.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
defense_evasion_suspicious_certutil_commands.toml
[Rule Tuning] Suspicious CertUtil Commands (#1564)
2021-11-17 11:41:07 -09:00
defense_evasion_suspicious_execution_from_mounted_device.toml
[New Rule] Suspicious Execution from a Mounted Device (#1230)
2021-05-28 14:44:07 -04:00
defense_evasion_suspicious_managedcode_host_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_suspicious_process_access_direct_syscall.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_suspicious_process_creation_calltrace.toml
[New Rule] Suspicious Process Creation CallTrace (#1588)
2021-11-30 21:35:43 +01:00
defense_evasion_suspicious_scrobj_load.toml
[Rule Tuning] Windows Suspicious Script Object Execution (#1081)
2021-04-14 23:54:39 +02:00
defense_evasion_suspicious_wmi_script.toml
[Rule tuning] Update rules based on docs review (#1663)
2022-01-28 10:41:22 -09:00
defense_evasion_suspicious_zoom_child_process.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_unusual_ads_file_creation.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_unusual_dir_ads.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_unusual_network_connection_via_dllhost.toml
[New Rule] Unusual Network Connection via DllHost (#1232)
2021-05-28 15:09:09 -04:00
defense_evasion_unusual_network_connection_via_rundll32.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
defense_evasion_unusual_process_network_connection.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
defense_evasion_unusual_system_vp_child_program.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_via_filter_manager.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_whitespace_padding_in_command_line.toml
Add issue to min_stack_comment (#1652)
2021-12-07 15:52:38 -09:00
defense_evasion_workfolders_control_execution.toml
[New Rule] Execution control.exe via WorkFolders.exe (#1806)
2022-03-03 09:21:40 -05:00
discovery_adfind_command_activity.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
discovery_admin_recon.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_file_dir_discovery.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_net_command_system_account.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
discovery_net_view.toml
Fix typos discovered by codespell (#1430)
2021-08-14 20:29:10 -08:00
discovery_peripheral_device.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_posh_suspicious_api_functions.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
discovery_post_exploitation_external_ip_lookup.toml
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)
2022-02-15 23:04:55 -03:00
discovery_privileged_localgroup_membership.toml
[Rule Tuning] Update rules based on docs review (#1778)
2022-02-16 07:42:06 -09:00
discovery_remote_system_discovery_commands_windows.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_security_software_wmic.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_whoami_command_activity.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_apt_solarwinds_backdoor_unusual_child_processes.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_com_object_xwizard.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_command_prompt_connecting_to_the_internet.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
execution_command_shell_started_by_svchost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_command_shell_started_by_unusual_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_command_shell_via_rundll32.toml
[Rule Tuning] Command Shell Activity Started via RunDLL32 (#996)
2021-03-18 15:14:22 +01:00
execution_downloaded_shortcut_files.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_downloaded_url_file.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_enumeration_via_wmiprvse.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_from_unusual_directory.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_from_unusual_path_cmdline.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
execution_html_help_executable_program_connecting_to_the_internet.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_ms_office_written_file.toml
[Rule Tuning] Rule description tweaks (#1388)
2021-07-29 10:56:13 -08:00
execution_pdf_written_file.toml
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
2021-07-22 09:08:58 -08:00
execution_posh_portable_executable.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
execution_posh_psreflect.toml
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807)
2022-03-03 07:37:25 -03:00
execution_psexec_lateral_movement_command.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_register_server_program_connecting_to_the_internet.toml
Modified to use Integrity fields instead of user.id (#1772)
2022-02-15 15:22:49 -09:00
execution_scheduled_task_powershell_source.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
execution_shared_modules_local_sxs_dll.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
execution_suspicious_cmd_wmi.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
execution_suspicious_image_load_wmi_ms_office.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
execution_suspicious_pdf_reader.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_suspicious_powershell_imgload.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
execution_suspicious_psexesvc.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_suspicious_short_program_name.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_via_compiled_html_file.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
execution_via_hidden_shell_conhost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_via_xp_cmdshell_mssql_stored_procedure.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
impact_backup_file_deletion.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
impact_deleting_backup_catalogs_with_wbadmin.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_modification_of_boot_config.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_stop_process_service_threshold.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (#1757)
2022-02-11 08:15:49 -09:00
impact_volume_shadow_copy_deletion_via_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
impact_volume_shadow_copy_deletion_via_wmic.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
initial_access_script_executing_powershell.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
initial_access_scripts_process_started_via_wmi.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
initial_access_suspicious_ms_exchange_files.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_suspicious_ms_exchange_process.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
initial_access_suspicious_ms_exchange_worker_child_process.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
initial_access_suspicious_ms_office_child_process.toml
Adding control.exe (#1477)
2021-09-08 13:30:46 -05:00
initial_access_suspicious_ms_outlook_child_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
initial_access_unusual_dns_service_children.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_unusual_dns_service_file_writes.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_via_explorer_suspicious_child_parent_args.toml
[Rule Tuning] Suspicious Explorer Child Process (#1035)
2021-04-14 00:10:29 +02:00
lateral_movement_cmd_service.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_dcom_hta.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
lateral_movement_dcom_mmc20.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
lateral_movement_direct_outbound_smb_connection.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
lateral_movement_dns_server_overflow.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
lateral_movement_evasion_rdp_shadowing.toml
[New Rule] Potential Remote Desktop Shadowing Activity (#1101)
2021-04-14 22:09:49 +02:00
lateral_movement_executable_tool_transfer_smb.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_execution_from_tsclient_mup.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_execution_via_file_shares_sequence.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_incoming_winrm_shell_execution.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_incoming_wmi.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_mount_hidden_or_webdav_share_net.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_powershell_remoting_target.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
lateral_movement_rdp_enabled_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
lateral_movement_rdp_sharprdp_target.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
lateral_movement_remote_file_copy_hidden_share.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_remote_services.toml
[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)
2022-01-13 16:40:10 -03:00
lateral_movement_scheduled_task_target.toml
[Rule tuning] Update rules based on docs review (#1663)
2022-01-28 10:41:22 -09:00
lateral_movement_service_control_spawned_script_int.toml
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)
2022-02-15 23:04:55 -03:00
lateral_movement_suspicious_rdp_client_imageload.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_via_startup_folder_rdp_smb.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_ad_adminsdholder.toml
[New Rule] AdminSDHolder Backdoor (#1745)
2022-02-01 10:14:39 -03:00
persistence_adobe_hijack_persistence.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
persistence_app_compat_shim.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_appcertdlls_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_appinitdlls_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_evasion_hidden_local_account_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_evasion_registry_ifeo_injection.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_evasion_registry_startup_shell_folder_modified.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
persistence_gpo_schtask_service_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_local_scheduled_job_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_local_scheduled_task_creation.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
persistence_local_scheduled_task_scripting.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_ms_office_addins_file.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_ms_outlook_vba_template.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_msds_alloweddelegateto_krbtgt.toml
[New Rule] KRBTGT Delegation Backdoor (#1743)
2022-02-01 10:08:54 -03:00
persistence_powershell_exch_mailbox_activesync_add_device.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_priv_escalation_via_accessibility_features.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_registry_uncommon.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
persistence_remote_password_reset.toml
Update source.ip condition (#1712)
2022-01-27 09:24:55 -03:00
persistence_run_key_and_startup_broad.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_runtime_run_key_startup_susp_procs.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_services_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_startup_folder_file_written_by_suspicious_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_startup_folder_file_written_by_unsigned_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_startup_folder_scripts.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_suspicious_com_hijack_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_suspicious_image_load_scheduled_task_ms_office.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
persistence_suspicious_scheduled_task_runtime.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_suspicious_service_created_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_system_shells_via_services.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_time_provider_mod.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
persistence_user_account_added_to_privileged_group_ad.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_user_account_creation_event_logs.toml
[Rule tuning] Update rules based on docs review (#1663)
2022-01-28 10:41:22 -09:00
persistence_user_account_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_application_shimming.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
persistence_via_bits_job_notify_command.toml
[New Rule] Persistence via BITS Job Notify Cmdline (#1096)
2021-04-13 23:25:30 +02:00
persistence_via_hidden_run_key_valuename.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_via_lsa_security_support_provider_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_update_orchestrator_service_hijack.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_via_windows_management_instrumentation_event_subscription.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_wmi_stdregprov_run_services.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
persistence_webshell_detection.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
privilege_escalation_disable_uac_registry.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
privilege_escalation_group_policy_iniscript.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
privilege_escalation_group_policy_privileged_groups.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
privilege_escalation_group_policy_scheduled_task.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
privilege_escalation_installertakeover.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00
privilege_escalation_lsa_auth_package.toml
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)
2022-02-15 23:04:55 -03:00
privilege_escalation_named_pipe_impersonation.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_persistence_phantom_dll.toml
Update privilege_escalation_persistence_phantom_dll.toml (#1228)
2021-06-01 09:29:09 -04:00
privilege_escalation_port_monitor_print_pocessor_abuse.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
privilege_escalation_printspooler_malicious_driver_file_changes.toml
[New Rule] Potential PrintNightmare Exploitation rules (#1326)
2021-07-07 18:56:39 +02:00
privilege_escalation_printspooler_malicious_registry_modification.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
privilege_escalation_printspooler_registry_copyfiles.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
privilege_escalation_printspooler_service_suspicious_file.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
privilege_escalation_printspooler_suspicious_file_deletion.toml
[New Rule] Potential PrintNightmare Exploitation rules (#1326)
2021-07-07 18:56:39 +02:00
privilege_escalation_printspooler_suspicious_spl_file.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
privilege_escalation_rogue_windir_environment_var.toml
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
2022-02-15 09:56:37 -03:00
privilege_escalation_samaccountname_spoofing_attack.toml
[New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660)
2022-01-27 15:46:27 +01:00
privilege_escalation_uac_bypass_com_clipup.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_com_ieinstal.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_dll_sideloading.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_event_viewer.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_mock_windir.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_sdclt.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_unusual_parentchild_relationship.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 12:54:15 -08:00
privilege_escalation_unusual_printspooler_childprocess.toml
Modified to use Integrity fields instead of user.id (#1772)
2022-02-15 15:22:49 -09:00
privilege_escalation_unusual_svchost_childproc_childless.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
privilege_escalation_via_rogue_named_pipe.toml
[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544)
2021-12-08 11:21:04 +01:00
privilege_escalation_windows_service_via_unusual_client.toml
[New Rule] Windows Service Installed via an Unusual Client (#1759)
2022-02-11 21:56:59 +01:00
privilege_escalation_wpad_exploitation.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00