sigma-rules

Files

T

Terrance DeJesus faaa026094 [New Rule] Add Living-off-the-Land (LotL) ProblemChild Rules (#3193 )

* adding new LotL rules

* added endpoint tags; updated technique mapping

* added missing data source tag

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* updated note, references and date

* changed ATT&CK technique to binary proxy execution

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 835be9b245)