security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e3b76b7cf70ce2009a402e8b20c7a486a53df84a
sigma-rules/rules/windows
T
History
Samirbous e3b76b7cf7 [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632) 
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot

Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).

* adding extra ref url
2021-12-08 11:16:14 +01:00
..
collection_email_powershell_exchange_mailbox.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
collection_posh_audio_capture.toml
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
2021-12-07 21:32:39 -09:00
collection_posh_keylogger.toml
[New Rule] PowerShell Keylogging Script (#1561)
2021-11-17 19:36:40 -03:00
collection_winrar_encryption.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_certutil_network_connection.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
command_and_control_common_webservices.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_dns_tunneling_nslookup.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_encrypted_channel_freesslcert.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
command_and_control_iexplore_via_com.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_port_forwarding_added_registry.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_rdp_tunnel_plink.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
command_and_control_remote_file_copy_mpcmdrun.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
command_and_control_remote_file_copy_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
command_and_control_remote_file_copy_scripts.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
command_and_control_sunburst_c2_activity_detected.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
command_and_control_teamviewer_remote_file_copy.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
credential_access_cmdline_dump_tool.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_credential_dumping_msbuild.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
credential_access_domain_backup_dpapi_private_keys.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_dump_registry_hives.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_iis_connectionstrings_dumping.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_kerberoasting_unusual_process.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
credential_access_lsass_memdump_file_created.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_mimikatz_memssp_default_logs.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
credential_access_mimikatz_powershell_module.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_mod_wdigest_security_provider.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_persistence_network_logon_provider_modification.toml
[New Rule] Network Logon Providers Registry Modification (#1053)
2021-04-14 16:31:46 +02:00
credential_access_posh_minidump.toml
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
2021-12-07 21:32:39 -09:00
credential_access_potential_lsa_memdump_via_mirrordump.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
credential_access_saved_creds_vaultcmd.toml
Additional Att&ck Mappings for credential access Rules (#1495)
2021-09-21 11:04:16 -05:00
credential_access_suspicious_comsvcs_imageload.toml
[New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569)
2021-11-18 10:27:42 +01:00
credential_access_suspicious_lsass_access_memdump.toml
[New Rule] Potential Credential Access via LSASS Memory Dump (#1533)
2021-11-17 08:36:26 +01:00
credential_access_suspicious_lsass_access_via_snapshot.toml
[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550)
2021-11-17 08:45:38 +01:00
credential_access_via_snapshot_lsass_clone_creation.toml
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632)
2021-12-08 11:16:14 +01:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_amsienable_key_mod.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
defense_evasion_clearing_windows_console_history.toml
[New Rule] Clearing Windows Console History (#1623)
2021-11-25 13:25:21 -03:00
defense_evasion_clearing_windows_event_logs.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_clearing_windows_security_logs.toml
[Rule Tuning] Add system index to Windows Event Logs Cleared (#1502)
2021-09-24 12:04:56 -05:00
defense_evasion_code_injection_conhost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_create_mod_root_certificate.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_cve_2020_0601.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_defender_disabled_via_registry.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
defense_evasion_defender_exclusion_via_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_disabling_windows_defender_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_disabling_windows_logs.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_dns_over_https_enabled.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_dotnet_compiler_parent_process.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_enable_inbound_rdp_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_enable_network_discovery_with_netsh.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_control_panel_suspicious_args.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_execution_lolbas_wuauclt.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_execution_msbuild_started_by_office_app.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_by_script.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_execution_msbuild_started_by_system_process.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_renamed.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_execution_msbuild_started_unusal_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_execution_suspicious_explorer_winword.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_execution_windefend_unusual_path.toml
Update defense_evasion_execution_windefend_unusual_path.toml (#1492)
2021-10-05 16:38:01 -03:00
defense_evasion_file_creation_mult_extension.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
defense_evasion_hide_encoded_executable_registry.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_iis_httplogging_disabled.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_injection_msbuild.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_installutil_beacon.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_masquerading_renamed_autoit.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_masquerading_trusted_directory.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_masquerading_werfault.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
[Rule Tuning] Rename extrac.exe to extrac32.exe (#1601)
2021-11-14 17:01:13 -09:00
defense_evasion_msbuild_beacon_sequence.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_msbuild_making_network_connections.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_mshta_beacon.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
defense_evasion_msxsl_beacon.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
defense_evasion_msxsl_network.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
defense_evasion_network_connection_from_windows_binary.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_parent_process_pid_spoofing.toml
[New Rule] Parent Process PID Spoofing (#1338)
2021-07-15 22:55:46 +02:00
defense_evasion_posh_process_injection.toml
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
2021-12-07 21:32:39 -09:00
defense_evasion_potential_processherpaderping.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_powershell_windows_firewall_disabled.toml
[New Rule] Windows Firewall Disabled (#1565)
2021-11-24 18:34:12 -03:00
defense_evasion_process_termination_followed_by_deletion.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_rundll32_no_arguments.toml
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
2021-07-22 09:08:58 -08:00
defense_evasion_scheduledjobs_at_protocol_enabled.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_sdelete_like_filename_rename.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
defense_evasion_sip_provider_mod.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_suspicious_certutil_commands.toml
[Rule Tuning] Suspicious CertUtil Commands (#1564)
2021-11-17 11:41:07 -09:00
defense_evasion_suspicious_execution_from_mounted_device.toml
[New Rule] Suspicious Execution from a Mounted Device (#1230)
2021-05-28 14:44:07 -04:00
defense_evasion_suspicious_managedcode_host_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_suspicious_process_access_direct_syscall.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
defense_evasion_suspicious_process_creation_calltrace.toml
[New Rule] Suspicious Process Creation CallTrace (#1588)
2021-11-30 21:35:43 +01:00
defense_evasion_suspicious_scrobj_load.toml
[Rule Tuning] Windows Suspicious Script Object Execution (#1081)
2021-04-14 23:54:39 +02:00
defense_evasion_suspicious_wmi_script.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_suspicious_zoom_child_process.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_unusual_ads_file_creation.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_unusual_dir_ads.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_unusual_network_connection_via_dllhost.toml
[New Rule] Unusual Network Connection via DllHost (#1232)
2021-05-28 15:09:09 -04:00
defense_evasion_unusual_network_connection_via_rundll32.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
defense_evasion_unusual_process_network_connection.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
defense_evasion_unusual_system_vp_child_program.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
defense_evasion_via_filter_manager.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
defense_evasion_whitespace_padding_in_command_line.toml
Add issue to min_stack_comment (#1652)
2021-12-07 15:52:38 -09:00
discovery_adfind_command_activity.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_admin_recon.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_file_dir_discovery.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_net_command_system_account.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_net_view.toml
Fix typos discovered by codespell (#1430)
2021-08-14 20:29:10 -08:00
discovery_peripheral_device.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_posh_suspicious_api_functions.toml
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
2021-12-07 21:32:39 -09:00
discovery_post_exploitation_external_ip_lookup.toml
Fix typos discovered by codespell (#1430)
2021-08-14 20:29:10 -08:00
discovery_remote_system_discovery_commands_windows.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_security_software_wmic.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
discovery_whoami_command_activity.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_apt_solarwinds_backdoor_unusual_child_processes.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_com_object_xwizard.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_command_prompt_connecting_to_the_internet.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
execution_command_shell_started_by_svchost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_command_shell_started_by_unusual_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_command_shell_via_rundll32.toml
[Rule Tuning] Command Shell Activity Started via RunDLL32 (#996)
2021-03-18 15:14:22 +01:00
execution_downloaded_shortcut_files.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_downloaded_url_file.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_enumeration_via_wmiprvse.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_from_unusual_directory.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_from_unusual_path_cmdline.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
execution_html_help_executable_program_connecting_to_the_internet.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
execution_ms_office_written_file.toml
[Rule Tuning] Rule description tweaks (#1388)
2021-07-29 10:56:13 -08:00
execution_pdf_written_file.toml
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
2021-07-22 09:08:58 -08:00
execution_posh_portable_executable.toml
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
2021-12-07 21:32:39 -09:00
execution_psexec_lateral_movement_command.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_register_server_program_connecting_to_the_internet.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
execution_scheduled_task_powershell_source.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
execution_shared_modules_local_sxs_dll.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
execution_suspicious_cmd_wmi.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
execution_suspicious_image_load_wmi_ms_office.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 13:07:47 -08:00
execution_suspicious_pdf_reader.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_suspicious_powershell_imgload.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
execution_suspicious_psexesvc.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_suspicious_short_program_name.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_via_compiled_html_file.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
execution_via_hidden_shell_conhost.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
execution_via_xp_cmdshell_mssql_stored_procedure.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
impact_backup_file_deletion.toml
[Rule Tuning] updates from documentation review for 7.16 (#1645)
2021-12-07 15:42:58 -09:00
impact_deleting_backup_catalogs_with_wbadmin.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_modification_of_boot_config.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_stop_process_service_threshold.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
[Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524)
2021-10-04 16:00:35 -03:00
impact_volume_shadow_copy_deletion_via_powershell.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
impact_volume_shadow_copy_deletion_via_wmic.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
initial_access_script_executing_powershell.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
initial_access_scripts_process_started_via_wmi.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
initial_access_suspicious_ms_exchange_files.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_suspicious_ms_exchange_process.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
initial_access_suspicious_ms_exchange_worker_child_process.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
initial_access_suspicious_ms_office_child_process.toml
Adding control.exe (#1477)
2021-09-08 13:30:46 -05:00
initial_access_suspicious_ms_outlook_child_process.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
initial_access_unusual_dns_service_children.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_unusual_dns_service_file_writes.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
initial_access_via_explorer_suspicious_child_parent_args.toml
[Rule Tuning] Suspicious Explorer Child Process (#1035)
2021-04-14 00:10:29 +02:00
lateral_movement_cmd_service.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_dcom_hta.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_dcom_mmc20.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
[New Rule] NullSessionPipe Registry Modification (#1058)
2021-04-14 00:50:31 +02:00
lateral_movement_direct_outbound_smb_connection.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
lateral_movement_dns_server_overflow.toml
[rule-tuning] Adding more context with triage/investigation (#1481)
2021-09-15 20:07:21 -05:00
lateral_movement_evasion_rdp_shadowing.toml
[New Rule] Potential Remote Desktop Shadowing Activity (#1101)
2021-04-14 22:09:49 +02:00
lateral_movement_executable_tool_transfer_smb.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_execution_from_tsclient_mup.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_execution_via_file_shares_sequence.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_incoming_winrm_shell_execution.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_incoming_wmi.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_mount_hidden_or_webdav_share_net.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_powershell_remoting_target.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_rdp_enabled_registry.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
lateral_movement_rdp_sharprdp_target.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_remote_file_copy_hidden_share.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_remote_services.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_scheduled_task_target.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00
lateral_movement_service_control_spawned_script_int.toml
[Rule Tuning] Local Service Commands (#1044)
2021-04-13 12:31:45 -04:00
lateral_movement_suspicious_rdp_client_imageload.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_via_startup_folder_rdp_smb.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_adobe_hijack_persistence.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
persistence_app_compat_shim.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_appcertdlls_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_appinitdlls_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_evasion_hidden_local_account_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_evasion_registry_ifeo_injection.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
persistence_evasion_registry_startup_shell_folder_modified.toml
[rule-tuning] Adding more context with triage/investigation (#1481)
2021-09-15 20:07:21 -05:00
persistence_gpo_schtask_service_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_local_scheduled_job_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_local_scheduled_task_creation.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_local_scheduled_task_scripting.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_ms_office_addins_file.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_ms_outlook_vba_template.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_powershell_exch_mailbox_activesync_add_device.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_priv_escalation_via_accessibility_features.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_registry_uncommon.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_remote_password_reset.toml
[New Rule] Account Password Reset Remotely (#1571)
2021-11-18 10:25:50 +01:00
persistence_run_key_and_startup_broad.toml
[Rule Tuning] Startup or Run Key Registry Modification (#1086)
2021-04-14 16:38:00 +02:00
persistence_runtime_run_key_startup_susp_procs.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_services_registry.toml
[Rule Tuning] Unusual Persistence via Services Registry (#1077)
2021-04-14 16:09:46 +02:00
persistence_startup_folder_file_written_by_suspicious_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_startup_folder_file_written_by_unsigned_process.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_startup_folder_scripts.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_suspicious_com_hijack_registry.toml
[Rule Tuning] Component Object Model Hijacking (#1491)
2021-11-24 08:57:43 -03:00
persistence_suspicious_image_load_scheduled_task_ms_office.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
persistence_suspicious_scheduled_task_runtime.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_suspicious_service_created_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_system_shells_via_services.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
persistence_time_provider_mod.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_user_account_added_to_privileged_group_ad.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_user_account_creation_event_logs.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_user_account_creation.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_application_shimming.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
persistence_via_bits_job_notify_command.toml
[New Rule] Persistence via BITS Job Notify Cmdline (#1096)
2021-04-13 23:25:30 +02:00
persistence_via_hidden_run_key_valuename.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_via_lsa_security_support_provider_registry.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_update_orchestrator_service_hijack.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_via_windows_management_instrumentation_event_subscription.toml
[Rule Tuning] Update threat mappings for Windows rules (#1497)
2021-09-23 12:08:38 -05:00
persistence_via_wmi_stdregprov_run_services.toml
[New Rule] Persistence via WMI Standard Registry Provider (#1040)
2021-04-06 17:50:02 +02:00
persistence_webshell_detection.toml
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566)
2021-10-26 12:16:31 -03:00
privilege_escalation_disable_uac_registry.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_lsa_auth_package.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_named_pipe_impersonation.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_persistence_phantom_dll.toml
Update privilege_escalation_persistence_phantom_dll.toml (#1228)
2021-06-01 09:29:09 -04:00
privilege_escalation_port_monitor_print_pocessor_abuse.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_printspooler_malicious_driver_file_changes.toml
[New Rule] Potential PrintNightmare Exploitation rules (#1326)
2021-07-07 18:56:39 +02:00
privilege_escalation_printspooler_malicious_registry_modification.toml
[New Rule] Potential PrintNightmare Exploitation rules (#1326)
2021-07-07 18:56:39 +02:00
privilege_escalation_printspooler_registry_copyfiles.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_printspooler_service_suspicious_file.toml
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
privilege_escalation_printspooler_suspicious_file_deletion.toml
[New Rule] Potential PrintNightmare Exploitation rules (#1326)
2021-07-07 18:56:39 +02:00
privilege_escalation_printspooler_suspicious_spl_file.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00
privilege_escalation_rogue_windir_environment_var.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_uac_bypass_com_clipup.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_com_ieinstal.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_dll_sideloading.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_event_viewer.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_mock_windir.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_uac_sdclt.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_unusual_parentchild_relationship.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 12:54:15 -08:00
privilege_escalation_unusual_printspooler_childprocess.toml
[Rule Tuning] Remove \Program Files*\ style wildcards (#1369)
2021-07-22 11:55:22 -06:00
privilege_escalation_unusual_svchost_childproc_childless.toml
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
privilege_escalation_wpad_exploitation.toml
[Rule Tuning] Update network.direction (#1547)
2021-10-13 21:46:36 -03:00