sigma-rules

Files

T

Samirbous c254d0de8b [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege (#1783 )

* [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege

https://github.com/mpgn/BackupOperatorToDA
https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp

Detection mainly occurs on AD/DC side :
EQL

```
sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
 [iam where event.action == "logged-in-special"  and
  winlog.event_data.PrivilegeList : "SeBackupPrivilege"]
 [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
```

```
  "sequences" : [
      {
        "join_keys" : [
          "83989f29-8447-4b3c-a54b-4a0f7e5a4872",
          "0x2a23a5"
        ],
        "events" : [
          {
            "_index" : ".ds-logs-system.security-default-2022.02.11-000001",
            "_id" : "L68HAn8BQQK22TUvoE_k",
            "_source" : {
              "agent" : {
                "name" : "01566s-win16-ir",
                "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
                "type" : "filebeat",
                "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8",
                "version" : "8.0.0"
              },
              "winlog" : {
                "computer_name" : "01566s-win16-ir.threebeesco.com",
                "process" : {
                  "pid" : 624,
                  "thread" : {
                    "id" : 756
                  }
                },
                "keywords" : [
                  "Audit Success"
                ],
                "logon" : {
                  "id" : "0x2a23a5"
                },
                "channel" : "Security",
                "event_data" : {
                  "SubjectUserName" : "samir",
                  "SubjectDomainName" : "3B",
                  "SubjectLogonId" : "0x2a23a5",
                  "PrivilegeList" : [
                    "SeBackupPrivilege",
                    "SeRestorePrivilege"
                  ],
                  "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106"
                },
                "opcode" : "Info",
                "record_id" : "2987813",
                "task" : "Special Logon",
                "event_id" : "4672",
                "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}",
                "api" : "wineventlog",
                "provider_name" : "Microsoft-Windows-Security-Auditing"
              },
              "log" : {
                "level" : "information"
              },
              "elastic_agent" : {
                "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
                "version" : "8.0.0",
                "snapshot" : false
              },
              "message" : """Special privileges assigned to new logon.

Subject:
	Security ID:		S-1-5-21-308926384-506822093-3341789130-220106
	Account Name:		samir
	Account Domain:		3B
	Logon ID:		0x2A23A5

Privileges:		SeBackupPrivilege
			SeRestorePrivilege""",
              "input" : {
                "type" : "winlog"
              },
              "@timestamp" : "2022-02-16T10:15:26.330Z",
              "ecs" : {
                "version" : "1.12.0"
              },
              "related" : {
                "user" : [
                  "samir"
                ]
              },
              "data_stream" : {
                "namespace" : "default",
                "type" : "logs",
                "dataset" : "system.security"
              },
              "host" : {
                "hostname" : "01566s-win16-ir",
                "os" : {
                  "build" : "14393.3659",
                  "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)",
                  "name" : "Windows Server 2016 Datacenter",
                  "type" : "windows",
                  "family" : "windows",
                  "version" : "10.0",
                  "platform" : "windows"
                },
                "ip" : [
                  "172.16.66.36",
                  "fe80::ffff:ffff:fffe",
                  "fe80::5efe:ac10:4224"
                ],
                "name" : "01566s-win16-ir.threebeesco.com",
                "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872",
                "mac" : [
                  "00:50:56:24:6c:d2",
                  "00:00:00:00:00:00:00:e0",
                  "00:00:00:00:00:00:00:e0"
                ],
                "architecture" : "x86_64"
              },
              "event" : {
                "agent_id_status" : "verified",
                "ingested" : "2022-02-16T10:15:28Z",
                "code" : "4672",
                "provider" : "Microsoft-Windows-Security-Auditing",
                "created" : "2022-02-16T10:15:27.675Z",
                "kind" : "event",
                "action" : "logged-in-special",
                "category" : [
                  "iam"
                ],
                "type" : [
                  "admin"
                ],
                "dataset" : "system.security",
                "outcome" : "success"
              },
              "user" : {
                "domain" : "3B",
                "name" : "samir",
                "id" : "S-1-5-21-308926384-506822093-3341789130-220106"
              }
            }
          },
          {
            "_index" : ".ds-logs-system.security-default-2022.02.11-000001",
            "_id" : "Mq8HAn8BQQK22TUvoE_k",
            "_source" : {
              "agent" : {
                "name" : "01566s-win16-ir",
                "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
                "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8",
                "type" : "filebeat",
                "version" : "8.0.0"
              },
              "winlog" : {
                "computer_name" : "01566s-win16-ir.threebeesco.com",
                "process" : {
                  "pid" : 4,
                  "thread" : {
                    "id" : 1176
                  }
                },
                "keywords" : [
                  "Audit Success"
                ],
                "logon" : {
                  "id" : "0x2a23a5"
                },
                "channel" : "Security",
                "event_data" : {
                  "ShareName" : """\\*\IPC$""",
                  "IpPort" : "50071",
                  "SubjectLogonId" : "0x2a23a5",
                  "AccessMask" : "0x12019f",
                  "ObjectType" : "File",
                  "SubjectUserName" : "samir",
                  "AccessReason" : "-",
                  "SubjectDomainName" : "3B",
                  "IpAddress" : "172.16.66.25",
                  "AccessMaskDescription" : [
                    "List Object",
                    "Read Property",
                    "Create Child",
                    "Control Access",
                    "Delete Child",
                    "List Contents",
                    "SELF",
                    "SYNCHRONIZE",
                    "READ_CONTROL"
                  ],
                  "RelativeTargetName" : "winreg",
                  "AccessList" : """%%1538
				%%1541
				%%4416
				%%4417
				%%4418
				%%4419
				%%4420
				%%4423
				%%4424
				""",
                  "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106"
                },
                "opcode" : "Info",
                "record_id" : "2987816",
                "event_id" : "5145",
                "task" : "Detailed File Share",
                "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}",
                "api" : "wineventlog",
                "provider_name" : "Microsoft-Windows-Security-Auditing"
              },
              "log" : {
                "level" : "information"
              },
              "elastic_agent" : {
                "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
                "version" : "8.0.0",
                "snapshot" : false
              },
              "message" : """A network share object was checked to see whether client can be granted desired access.

Subject:
	Security ID:		S-1-5-21-308926384-506822093-3341789130-220106
	Account Name:		samir
	Account Domain:		3B
	Logon ID:		0x2A23A5

Network Information:
	Object Type:		File
	Source Address:		172.16.66.25
	Source Port:		50071

Share Information:
	Share Name:		\\*\IPC$
	Share Path:
	Relative Target Name:	winreg

Access Request Information:
	Access Mask:		0x12019F
	Accesses:		READ_CONTROL
				SYNCHRONIZE
				ReadData (or ListDirectory)
				WriteData (or AddFile)
				AppendData (or AddSubdirectory or CreatePipeInstance)
				ReadEA
				WriteEA
				ReadAttributes
				WriteAttributes

Access Check Results:
	-""",
              "input" : {
                "type" : "winlog"
              },
              "@timestamp" : "2022-02-16T10:15:26.336Z",
              "ecs" : {
                "version" : "1.12.0"
              },
              "data_stream" : {
                "namespace" : "default",
                "type" : "logs",
                "dataset" : "system.security"
              },
              "host" : {
                "hostname" : "01566s-win16-ir",
                "os" : {
                  "build" : "14393.3659",
                  "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)",
                  "name" : "Windows Server 2016 Datacenter",
                  "family" : "windows",
                  "type" : "windows",
                  "version" : "10.0",
                  "platform" : "windows"
                },
                "ip" : [
                  "172.16.66.36",
                  "fe80::ffff:ffff:fffe",
                  "fe80::5efe:ac10:4224"
                ],
                "name" : "01566s-win16-ir.threebeesco.com",
                "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872",
                "mac" : [
                  "00:50:56:24:6c:d2",
                  "00:00:00:00:00:00:00:e0",
                  "00:00:00:00:00:00:00:e0"
                ],
                "architecture" : "x86_64"
              },
              "event" : {
                "agent_id_status" : "verified",
                "ingested" : "2022-02-16T10:15:28Z",
                "code" : "5145",
                "provider" : "Microsoft-Windows-Security-Auditing",
                "kind" : "event",
                "created" : "2022-02-16T10:15:27.675Z",
                "action" : "Detailed File Share",
                "dataset" : "system.security",
                "outcome" : "success"
              }
            }
          }
        ]
      },
```

* Update non-ecs-schema.json

* Update rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

2022-03-23 19:42:03 +01:00

collection_email_powershell_exchange_mailbox.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

collection_posh_audio_capture.toml

[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807 )

2022-03-03 07:37:25 -03:00

collection_posh_keylogger.toml

[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807 )

2022-03-03 07:37:25 -03:00

collection_posh_screen_grabber.toml

[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807 )

2022-03-03 07:37:25 -03:00

collection_winrar_encryption.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

command_and_control_certutil_network_connection.toml

[Rule Tuning] Update network rule address blocks (#1227 )

2021-06-15 09:22:59 -04:00

command_and_control_common_webservices.toml

[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773 )

2022-02-15 23:04:55 -03:00

command_and_control_dns_tunneling_nslookup.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

command_and_control_encrypted_channel_freesslcert.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

command_and_control_iexplore_via_com.toml

[Rule Tuning] Potential Command and Control via Internet Explorer (#1771 )

2022-02-15 22:58:01 -03:00

command_and_control_port_forwarding_added_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

command_and_control_rdp_tunnel_plink.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

command_and_control_remote_file_copy_desktopimgdownldr.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

command_and_control_remote_file_copy_mpcmdrun.toml

Cleanup note field in rules (#1194 )

2021-05-10 13:40:56 -08:00

command_and_control_remote_file_copy_powershell.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

command_and_control_remote_file_copy_scripts.toml

[Rule Tuning] Update network.direction (#1547 )

2021-10-13 21:46:36 -03:00

command_and_control_sunburst_c2_activity_detected.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

command_and_control_teamviewer_remote_file_copy.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

credential_access_cmdline_dump_tool.toml

Add min_stack_comments to metadata schema (#1573 )

2021-10-19 20:52:53 -08:00

credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

Additional Att&ck Mappings for credential access Rules (#1495 )

2021-09-21 11:04:16 -05:00

credential_access_credential_dumping_msbuild.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

credential_access_dcsync_replication_rights.toml

[New Rule] AdminSDHolder SDProp Exclusion Added (#1795 )

2022-03-10 14:17:01 -03:00

credential_access_disable_kerberos_preauth.toml

[New Rule] Kerberos Preauthentication Disabled for User (#1717 )

2022-01-31 12:31:20 -03:00

credential_access_domain_backup_dpapi_private_keys.toml

Additional Att&ck Mappings for credential access Rules (#1495 )

2021-09-21 11:04:16 -05:00

credential_access_dump_registry_hives.toml

Additional Att&ck Mappings for credential access Rules (#1495 )

2021-09-21 11:04:16 -05:00

credential_access_iis_apppoolsa_pwd_appcmd.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

credential_access_iis_connectionstrings_dumping.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

credential_access_kerberoasting_unusual_process.toml

[Rule Tuning] Update rules based on docs review (#1778 )

2022-02-16 07:42:06 -09:00

credential_access_lsass_memdump_file_created.toml

Additional Att&ck Mappings for credential access Rules (#1495 )

2021-09-21 11:04:16 -05:00

credential_access_lsass_memdump_handle_access.toml

[New Rule] LSASS Memory Dump (#1784 )

2022-02-24 08:14:01 -05:00

credential_access_mimikatz_memssp_default_logs.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

credential_access_mimikatz_powershell_module.toml

[Rule tuning] Update rules based on docs review (#1663 )

2022-01-28 10:41:22 -09:00

credential_access_mod_wdigest_security_provider.toml

Update credential_access_mod_wdigest_security_provider.toml (#1751 )

2022-02-04 15:38:12 -03:00

credential_access_moving_registry_hive_via_smb.toml

[New Rule] Registry Hive File Creation via SMB (#1779 )

2022-03-02 10:12:17 +01:00

credential_access_persistence_network_logon_provider_modification.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

credential_access_posh_minidump.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

credential_access_posh_request_ticket.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

credential_access_potential_lsa_memdump_via_mirrordump.toml

[Rule Tuning] updates from documentation review for 7.16 (#1645 )

2021-12-07 15:42:58 -09:00

credential_access_remote_sam_secretsdump.toml

[New Rule] Potential Remote Credential Access via Registry (#1804 )

2022-03-03 16:28:03 +01:00

credential_access_saved_creds_vaultcmd.toml

Additional Att&ck Mappings for credential access Rules (#1495 )

2021-09-21 11:04:16 -05:00

credential_access_seenabledelegationprivilege_assigned_to_user.toml

[New Rule] SeEnableDelegationPrivilege assigned to User (#1737 )

2022-01-31 12:22:54 -03:00

credential_access_shadow_credentials.toml

[New Rule] Potential Shadow Credentials added to AD Object (#1729 )

2022-02-04 15:49:04 -03:00

credential_access_suspicious_comsvcs_imageload.toml

[Rule Tuning] Update rules based on docs review (#1778 )

2022-02-16 07:42:06 -09:00

credential_access_suspicious_lsass_access_memdump.toml

[Rule Tuning] Update rules based on docs review (#1778 )

2022-02-16 07:42:06 -09:00

credential_access_suspicious_lsass_access_via_snapshot.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

credential_access_suspicious_winreg_access_via_sebackup_priv.toml

[New Rule] Suspicious Remote Registry Access via SeBackupPrivilege (#1783 )

2022-03-23 19:42:03 +01:00

credential_access_symbolic_link_to_shadow_copy_created.toml

[Rule Tuning] Symbolic Link to Shadow Copy Created (#1830 )

2022-03-18 11:08:29 -04:00

credential_access_via_snapshot_lsass_clone_creation.toml

[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632 )

2021-12-08 11:16:14 +01:00

defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_amsienable_key_mod.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

defense_evasion_clearing_windows_console_history.toml

[New Rule] Clearing Windows Console History (#1623 )

2021-11-25 13:25:21 -03:00

defense_evasion_clearing_windows_event_logs.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

defense_evasion_clearing_windows_security_logs.toml

[Rule Tuning] Add system index to Windows Event Logs Cleared (#1502 )

2021-09-24 12:04:56 -05:00

defense_evasion_code_injection_conhost.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_create_mod_root_certificate.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

defense_evasion_cve_2020_0601.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

defense_evasion_defender_disabled_via_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

defense_evasion_defender_exclusion_via_powershell.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

defense_evasion_delete_volume_usn_journal_with_fsutil.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_disable_posh_scriptblocklogging.toml

[New Rule] PowerShell Script Block Logging Disabled (#1749 )

2022-02-04 15:44:27 -03:00

defense_evasion_disable_windows_firewall_rules_with_netsh.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_disabling_windows_defender_powershell.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

defense_evasion_disabling_windows_logs.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_dns_over_https_enabled.toml

[Rule Tuning] updates from documentation review for 7.16 (#1645 )

2021-12-07 15:42:58 -09:00

defense_evasion_dotnet_compiler_parent_process.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_enable_inbound_rdp_with_netsh.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_enable_network_discovery_with_netsh.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_execution_control_panel_suspicious_args.toml

[Rule Tuning] updates from documentation review for 7.16 (#1645 )

2021-12-07 15:42:58 -09:00

defense_evasion_execution_lolbas_wuauclt.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

defense_evasion_execution_msbuild_started_by_office_app.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_execution_msbuild_started_by_script.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

defense_evasion_execution_msbuild_started_by_system_process.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_execution_msbuild_started_renamed.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_execution_msbuild_started_unusal_process.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_execution_suspicious_explorer_winword.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_execution_windefend_unusual_path.toml

Update defense_evasion_execution_windefend_unusual_path.toml (#1492 )

2021-10-05 16:38:01 -03:00

defense_evasion_file_creation_mult_extension.toml

Add min_stack_comments to metadata schema (#1573 )

2021-10-19 20:52:53 -08:00

defense_evasion_hide_encoded_executable_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

defense_evasion_iis_httplogging_disabled.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_injection_msbuild.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

defense_evasion_installutil_beacon.toml

[Rule Tuning] Update network.direction (#1547 )

2021-10-13 21:46:36 -03:00

defense_evasion_masquerading_as_elastic_endpoint_process.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

defense_evasion_masquerading_renamed_autoit.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_masquerading_suspicious_werfault_childproc.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_masquerading_trusted_directory.toml

[Rule tuning] Update rules based on docs review (#1663 )

2022-01-28 10:41:22 -09:00

defense_evasion_masquerading_werfault.toml

[Rule Tuning] Update network.direction (#1547 )

2021-10-13 21:46:36 -03:00

defense_evasion_microsoft_defender_tampering.toml

Update defense_evasion_microsoft_defender_tampering.toml (#1837 )

2022-03-14 20:07:39 -03:00

defense_evasion_misc_lolbin_connecting_to_the_internet.toml

[Rule Tuning] Rename extrac.exe to extrac32.exe (#1601 )

2021-11-14 17:01:13 -09:00

defense_evasion_ms_office_suspicious_regmod.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

defense_evasion_msbuild_beacon_sequence.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_msbuild_making_network_connections.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_mshta_beacon.toml

[Rule tuning] Revise rule description and other text (#1398 )

2021-08-03 13:07:47 -08:00

defense_evasion_msxsl_beacon.toml

[Rule Tuning] Update network.direction (#1547 )

2021-10-13 21:46:36 -03:00

defense_evasion_msxsl_network.toml

[Rule Tuning] Update network rule address blocks (#1227 )

2021-06-15 09:22:59 -04:00

defense_evasion_network_connection_from_windows_binary.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

defense_evasion_parent_process_pid_spoofing.toml

[New Rule] Parent Process PID Spoofing (#1338 )

2021-07-15 22:55:46 +02:00

defense_evasion_posh_assembly_load.toml

[Rule Tuning] Update rules based on docs review (#1778 )

2022-02-16 07:42:06 -09:00

defense_evasion_posh_compressed.toml

[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807 )

2022-03-03 07:37:25 -03:00

defense_evasion_posh_process_injection.toml

Update defense_evasion_posh_process_injection.toml (#1838 )

2022-03-17 19:37:42 -03:00

defense_evasion_potential_processherpaderping.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

defense_evasion_powershell_windows_firewall_disabled.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

defense_evasion_process_termination_followed_by_deletion.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_rundll32_no_arguments.toml

[Rule Tuning] Update EQL rules with lookback < maxspan (#1362 )

2021-07-22 09:08:58 -08:00

defense_evasion_scheduledjobs_at_protocol_enabled.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

defense_evasion_sdelete_like_filename_rename.toml

Cleanup note field in rules (#1194 )

2021-05-10 13:40:56 -08:00

defense_evasion_sip_provider_mod.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

defense_evasion_suspicious_certutil_commands.toml

[Rule Tuning] Suspicious CertUtil Commands (#1564 )

2021-11-17 11:41:07 -09:00

defense_evasion_suspicious_execution_from_mounted_device.toml

[New Rule] Suspicious Execution from a Mounted Device (#1230 )

2021-05-28 14:44:07 -04:00

defense_evasion_suspicious_managedcode_host_process.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_suspicious_process_access_direct_syscall.toml

[Rule Tuning] updates from documentation review for 7.16 (#1645 )

2021-12-07 15:42:58 -09:00

defense_evasion_suspicious_process_creation_calltrace.toml

[New Rule] Suspicious Process Creation CallTrace (#1588 )

2021-11-30 21:35:43 +01:00

defense_evasion_suspicious_scrobj_load.toml

[Rule Tuning] Windows Suspicious Script Object Execution (#1081 )

2021-04-14 23:54:39 +02:00

defense_evasion_suspicious_wmi_script.toml

[Rule tuning] Update rules based on docs review (#1663 )

2022-01-28 10:41:22 -09:00

defense_evasion_suspicious_zoom_child_process.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

defense_evasion_system_critical_proc_abnormal_file_activity.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_unusual_ads_file_creation.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

defense_evasion_unusual_dir_ads.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_unusual_network_connection_via_dllhost.toml

[New Rule] Unusual Network Connection via DllHost (#1232 )

2021-05-28 15:09:09 -04:00

defense_evasion_unusual_network_connection_via_rundll32.toml

[Rule Tuning] Update network rule address blocks (#1227 )

2021-06-15 09:22:59 -04:00

defense_evasion_unusual_process_network_connection.toml

[Rule tuning] Correct tags with associated threat mappings (#1003 )

2021-03-08 14:12:29 -09:00

defense_evasion_unusual_system_vp_child_program.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

defense_evasion_via_filter_manager.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

defense_evasion_whitespace_padding_in_command_line.toml

Add issue to min_stack_comment (#1652 )

2021-12-07 15:52:38 -09:00

defense_evasion_workfolders_control_execution.toml

[New Rule] Execution control.exe via WorkFolders.exe (#1806 )

2022-03-03 09:21:40 -05:00

discovery_adfind_command_activity.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

discovery_admin_recon.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

discovery_file_dir_discovery.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

discovery_net_command_system_account.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

discovery_net_view.toml

Fix typos discovered by codespell (#1430 )

2021-08-14 20:29:10 -08:00

discovery_peripheral_device.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

discovery_posh_suspicious_api_functions.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

discovery_post_exploitation_external_ip_lookup.toml

[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773 )

2022-02-15 23:04:55 -03:00

discovery_privileged_localgroup_membership.toml

[Rule Tuning] Update rules based on docs review (#1778 )

2022-02-16 07:42:06 -09:00

discovery_remote_system_discovery_commands_windows.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

discovery_security_software_wmic.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

discovery_whoami_command_activity.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

execution_apt_solarwinds_backdoor_unusual_child_processes.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

execution_com_object_xwizard.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

execution_command_prompt_connecting_to_the_internet.toml

[Rule Tuning] Update network rule address blocks (#1227 )

2021-06-15 09:22:59 -04:00

execution_command_shell_started_by_svchost.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

execution_command_shell_started_by_unusual_process.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

execution_command_shell_via_rundll32.toml

[Rule Tuning] Command Shell Activity Started via RunDLL32 (#996 )

2021-03-18 15:14:22 +01:00

execution_downloaded_shortcut_files.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

execution_downloaded_url_file.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

execution_enumeration_via_wmiprvse.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

execution_from_unusual_directory.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

execution_from_unusual_path_cmdline.toml

Cleanup note field in rules (#1194 )

2021-05-10 13:40:56 -08:00

execution_html_help_executable_program_connecting_to_the_internet.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

execution_ms_office_written_file.toml

[Rule Tuning] Rule description tweaks (#1388 )

2021-07-29 10:56:13 -08:00

execution_pdf_written_file.toml

[Rule Tuning] Update EQL rules with lookback < maxspan (#1362 )

2021-07-22 09:08:58 -08:00

execution_posh_portable_executable.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

execution_posh_psreflect.toml

[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807 )

2022-03-03 07:37:25 -03:00

execution_psexec_lateral_movement_command.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

execution_register_server_program_connecting_to_the_internet.toml

Modified to use Integrity fields instead of user.id (#1772 )

2022-02-15 15:22:49 -09:00

execution_scheduled_task_powershell_source.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

execution_shared_modules_local_sxs_dll.toml

Cleanup note field in rules (#1194 )

2021-05-10 13:40:56 -08:00

execution_suspicious_cmd_wmi.toml

[Rule tuning] Correct tags with associated threat mappings (#1003 )

2021-03-08 14:12:29 -09:00

execution_suspicious_image_load_wmi_ms_office.toml

[Rule tuning] Revise rule description and other text (#1398 )

2021-08-03 13:07:47 -08:00

execution_suspicious_pdf_reader.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

execution_suspicious_powershell_imgload.toml

Add min_stack_comments to metadata schema (#1573 )

2021-10-19 20:52:53 -08:00

execution_suspicious_psexesvc.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

execution_suspicious_short_program_name.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

execution_via_compiled_html_file.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

execution_via_hidden_shell_conhost.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

execution_via_xp_cmdshell_mssql_stored_procedure.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

impact_backup_file_deletion.toml

[Rule Tuning] updates from documentation review for 7.16 (#1645 )

2021-12-07 15:42:58 -09:00

impact_deleting_backup_catalogs_with_wbadmin.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

impact_modification_of_boot_config.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

impact_stop_process_service_threshold.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (#1757 )

2022-02-11 08:15:49 -09:00

impact_volume_shadow_copy_deletion_via_powershell.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

impact_volume_shadow_copy_deletion_via_wmic.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

initial_access_script_executing_powershell.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

initial_access_scripts_process_started_via_wmi.toml

[Rule tuning] Correct tags with associated threat mappings (#1003 )

2021-03-08 14:12:29 -09:00

initial_access_suspicious_ms_exchange_files.toml

Cleanup note field in rules (#1194 )

2021-05-10 13:40:56 -08:00

initial_access_suspicious_ms_exchange_process.toml

[Rule tuning] Correct tags with associated threat mappings (#1003 )

2021-03-08 14:12:29 -09:00

initial_access_suspicious_ms_exchange_worker_child_process.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

initial_access_suspicious_ms_office_child_process.toml

Adding control.exe (#1477 )

2021-09-08 13:30:46 -05:00

initial_access_suspicious_ms_outlook_child_process.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

initial_access_unusual_dns_service_children.toml

Cleanup note field in rules (#1194 )

2021-05-10 13:40:56 -08:00

initial_access_unusual_dns_service_file_writes.toml

Cleanup note field in rules (#1194 )

2021-05-10 13:40:56 -08:00

initial_access_via_explorer_suspicious_child_parent_args.toml

[Rule Tuning] Suspicious Explorer Child Process (#1035 )

2021-04-14 00:10:29 +02:00

lateral_movement_cmd_service.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

lateral_movement_dcom_hta.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

lateral_movement_dcom_mmc20.toml

[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704 )

2022-01-13 16:40:10 -03:00

lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704 )

2022-01-13 16:40:10 -03:00

lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

lateral_movement_direct_outbound_smb_connection.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

lateral_movement_dns_server_overflow.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

lateral_movement_evasion_rdp_shadowing.toml

[New Rule] Potential Remote Desktop Shadowing Activity (#1101 )

2021-04-14 22:09:49 +02:00

lateral_movement_executable_tool_transfer_smb.toml

[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704 )

2022-01-13 16:40:10 -03:00

lateral_movement_execution_from_tsclient_mup.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

lateral_movement_execution_via_file_shares_sequence.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

lateral_movement_incoming_winrm_shell_execution.toml

[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704 )

2022-01-13 16:40:10 -03:00

lateral_movement_incoming_wmi.toml

[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704 )

2022-01-13 16:40:10 -03:00

lateral_movement_mount_hidden_or_webdav_share_net.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

lateral_movement_powershell_remoting_target.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

lateral_movement_rdp_enabled_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

lateral_movement_rdp_sharprdp_target.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

lateral_movement_remote_file_copy_hidden_share.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

lateral_movement_remote_services.toml

[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704 )

2022-01-13 16:40:10 -03:00

lateral_movement_scheduled_task_target.toml

[Rule tuning] Update rules based on docs review (#1663 )

2022-01-28 10:41:22 -09:00

lateral_movement_service_control_spawned_script_int.toml

[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773 )

2022-02-15 23:04:55 -03:00

lateral_movement_suspicious_rdp_client_imageload.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

lateral_movement_via_startup_folder_rdp_smb.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_ad_adminsdholder.toml

[New Rule] AdminSDHolder Backdoor (#1745 )

2022-02-01 10:14:39 -03:00

persistence_adobe_hijack_persistence.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

persistence_app_compat_shim.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_appcertdlls_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_appinitdlls_registry.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_evasion_hidden_local_account_creation.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

persistence_evasion_registry_ifeo_injection.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_evasion_registry_startup_shell_folder_modified.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

persistence_gpo_schtask_service_creation.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

persistence_local_scheduled_job_creation.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

persistence_local_scheduled_task_creation.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

persistence_local_scheduled_task_scripting.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

persistence_ms_office_addins_file.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_ms_outlook_vba_template.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_msds_alloweddelegateto_krbtgt.toml

[New Rule] KRBTGT Delegation Backdoor (#1743 )

2022-02-01 10:08:54 -03:00

persistence_powershell_exch_mailbox_activesync_add_device.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

persistence_priv_escalation_via_accessibility_features.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_registry_uncommon.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

persistence_remote_password_reset.toml

Update source.ip condition (#1712 )

2022-01-27 09:24:55 -03:00

persistence_run_key_and_startup_broad.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_runtime_run_key_startup_susp_procs.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_sdprop_exclusion_dsheuristics.toml

[New Rule] AdminSDHolder SDProp Exclusion Added (#1795 )

2022-03-10 14:17:01 -03:00

persistence_services_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_startup_folder_file_written_by_suspicious_process.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_startup_folder_file_written_by_unsigned_process.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_startup_folder_scripts.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_suspicious_com_hijack_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_suspicious_image_load_scheduled_task_ms_office.toml

[Rule tuning] Correct tags with associated threat mappings (#1003 )

2021-03-08 14:12:29 -09:00

persistence_suspicious_scheduled_task_runtime.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

persistence_suspicious_service_created_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_system_shells_via_services.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

persistence_time_provider_mod.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

persistence_user_account_added_to_privileged_group_ad.toml

Update persistence_user_account_added_to_privileged_group_ad.toml (#1845 )

2022-03-16 13:06:04 -03:00

persistence_user_account_creation_event_logs.toml

[Rule tuning] Update rules based on docs review (#1663 )

2022-01-28 10:41:22 -09:00

persistence_user_account_creation.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

persistence_via_application_shimming.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

persistence_via_bits_job_notify_command.toml

[New Rule] Persistence via BITS Job Notify Cmdline (#1096 )

2021-04-13 23:25:30 +02:00

persistence_via_hidden_run_key_valuename.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_via_lsa_security_support_provider_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_via_telemetrycontroller_scheduledtask_hijack.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

persistence_via_update_orchestrator_service_hijack.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

persistence_via_windows_management_instrumentation_event_subscription.toml

[Rule Tuning] Update threat mappings for Windows rules (#1497 )

2021-09-23 12:08:38 -05:00

persistence_via_wmi_stdregprov_run_services.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

persistence_webshell_detection.toml

[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 )

2021-10-26 12:16:31 -03:00

privilege_escalation_disable_uac_registry.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

privilege_escalation_group_policy_iniscript.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

privilege_escalation_group_policy_privileged_groups.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

privilege_escalation_group_policy_scheduled_task.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

privilege_escalation_installertakeover.toml

[Security Content] Update rules based on docs review (#1803 )

2022-03-01 21:39:30 -03:00

privilege_escalation_lsa_auth_package.toml

[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773 )

2022-02-15 23:04:55 -03:00

privilege_escalation_named_pipe_impersonation.toml

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

privilege_escalation_persistence_phantom_dll.toml

Update privilege_escalation_persistence_phantom_dll.toml (#1228 )

2021-06-01 09:29:09 -04:00

privilege_escalation_port_monitor_print_pocessor_abuse.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

privilege_escalation_printspooler_registry_copyfiles.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

privilege_escalation_printspooler_service_suspicious_file.toml

Convert windows rules from KQL to EQL (#1114 )

2021-04-30 11:21:12 -08:00

privilege_escalation_printspooler_suspicious_file_deletion.toml

[New Rule] Potential PrintNightmare Exploitation rules (#1326 )

2021-07-07 18:56:39 +02:00

privilege_escalation_printspooler_suspicious_spl_file.toml

Cleanup note field in rules (#1194 )

2021-05-10 13:40:56 -08:00

privilege_escalation_rogue_windir_environment_var.toml

[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775 )

2022-02-15 09:56:37 -03:00

privilege_escalation_samaccountname_spoofing_attack.toml

[New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660 )

2022-01-27 15:46:27 +01:00

privilege_escalation_uac_bypass_com_clipup.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_uac_bypass_com_ieinstal.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_uac_bypass_com_interface_icmluautil.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_uac_bypass_dll_sideloading.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_uac_bypass_event_viewer.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_uac_bypass_mock_windir.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_uac_sdclt.toml

Refresh ATT&CK mappings to v9.0 (#1401 )

2021-08-04 14:16:10 -08:00

privilege_escalation_unusual_parentchild_relationship.toml

[Rule Tuning] Small update on rule descriptions (#1508 )

2021-09-30 12:54:15 -08:00

privilege_escalation_unusual_printspooler_childprocess.toml

Modified to use Integrity fields instead of user.id (#1772 )

2022-02-15 15:22:49 -09:00

privilege_escalation_unusual_svchost_childproc_childless.toml

[Rule tuning] Correct tags with associated threat mappings (#1003 )

2021-03-08 14:12:29 -09:00

privilege_escalation_via_rogue_named_pipe.toml

[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544 )

2021-12-08 11:21:04 +01:00

privilege_escalation_windows_service_via_unusual_client.toml

[New Rule] Windows Service Installed via an Unusual Client (#1759 )

2022-02-11 21:56:59 +01:00

privilege_escalation_wpad_exploitation.toml

[Rule Tuning] Update network.direction (#1547 )

2021-10-13 21:46:36 -03:00