[Tuning] Add logs-system. index where applicable #3390
Conversation
rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update initial_access_suspicious_ms_office_child_process.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update initial_access_suspicious_ms_exchange_process.toml
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update execution_from_unusual_path_cmdline.toml
* Update execution_enumeration_via_wmiprvse.toml
* Update execution_command_shell_started_by_svchost.toml
* Update discovery_enumerating_domain_trusts_via_nltest.toml
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
* Update defense_evasion_workfolders_control_execution.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_enable_inbound_rdp_with_netsh.toml
* Update defense_evasion_disabling_windows_logs.toml
* Update credential_access_wireless_creds_dumping.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_dns_tunneling_nslookup.toml
* Update persistence_webshell_detection.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update privilege_escalation_named_pipe_impersonation.toml
* Update command_and_control_certreq_postdata.toml
* Update defense_evasion_suspicious_certutil_commands.toml
* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update persistence_system_shells_via_services.toml
* Update execution_suspicious_cmd_wmi.toml
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update discovery_adfind_command_activity.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_unusual_dir_ads.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update discovery_admin_recon.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update lateral_movement_alternate_creds_pth.toml
* Update persistence_via_windows_management_instrumentation_event_subscription.toml
* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml
* Update persistence_via_application_shimming.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Removed changes from:
- rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
- rules/windows/lateral_movement_alternate_creds_pth.toml

(selectively cherry picked from commit 27262a5)
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update initial_access_suspicious_ms_office_child_process.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update initial_access_suspicious_ms_exchange_process.toml
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update execution_from_unusual_path_cmdline.toml
* Update execution_enumeration_via_wmiprvse.toml
* Update execution_command_shell_started_by_svchost.toml
* Update discovery_enumerating_domain_trusts_via_nltest.toml
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
* Update defense_evasion_workfolders_control_execution.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_enable_inbound_rdp_with_netsh.toml
* Update defense_evasion_disabling_windows_logs.toml
* Update credential_access_wireless_creds_dumping.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_dns_tunneling_nslookup.toml
* Update persistence_webshell_detection.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update privilege_escalation_named_pipe_impersonation.toml
* Update command_and_control_certreq_postdata.toml
* Update defense_evasion_suspicious_certutil_commands.toml
* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update persistence_system_shells_via_services.toml
* Update execution_suspicious_cmd_wmi.toml
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update discovery_adfind_command_activity.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_unusual_dir_ads.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update discovery_admin_recon.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update lateral_movement_alternate_creds_pth.toml
* Update persistence_via_windows_management_instrumentation_event_subscription.toml
* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml
* Update persistence_via_application_shimming.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Removed changes from:
- rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit 27262a5)
process.name.caseless is a Fleet mapping issue, can you add it? If process.pe.original_file_name is causing a problem, can you remove the field from the rule or add related.process_name?
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update initial_access_suspicious_ms_office_child_process.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update initial_access_suspicious_ms_exchange_process.toml
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update execution_from_unusual_path_cmdline.toml
* Update execution_enumeration_via_wmiprvse.toml
* Update execution_command_shell_started_by_svchost.toml
* Update discovery_enumerating_domain_trusts_via_nltest.toml
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
* Update defense_evasion_workfolders_control_execution.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_enable_inbound_rdp_with_netsh.toml
* Update defense_evasion_disabling_windows_logs.toml
* Update credential_access_wireless_creds_dumping.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_dns_tunneling_nslookup.toml
* Update persistence_webshell_detection.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update privilege_escalation_named_pipe_impersonation.toml
* Update command_and_control_certreq_postdata.toml
* Update defense_evasion_suspicious_certutil_commands.toml
* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update persistence_system_shells_via_services.toml
* Update execution_suspicious_cmd_wmi.toml
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update discovery_adfind_command_activity.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_unusual_dir_ads.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update discovery_admin_recon.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update lateral_movement_alternate_creds_pth.toml
* Update persistence_via_windows_management_instrumentation_event_subscription.toml
* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml
* Update persistence_via_application_shimming.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 27262a5)
@mbudge yes, we are aware of this. When a rule is expected to use logs-system.security*, it is better to be explicit with the index to improve overall performance and reduce lookups on other sub-indexes of the logs-system.* index (a.k.a. the more specific, the better for performance). We will need to duplicate this effort for other rules (like the LSASS 4656 one you showed in the example, to be specific too).
Hi, I've spent all afternoon reviewing the Elastic rules for OS: Windows.

It would be a lot easier if the rule management page filtering was improved so we can include/exclude tags, index patterns, integrations and required fields.

logs-system.security*

The following security rules have the data to work with logs-system.security*:

Accessing Outlook Data Files

Missing logs-system.security* and logs-windows.* and winlogbeat-*

These rules have logs-endpoint.events.* but will work with winlogbeat-*, logs-windows.* and logs-system.security*:

Discovery of Internet Capabilities via Built-in Tools

logs-system.*

This rule might work with logs-system.*, as the Windows System event channel was moved to the Elastic System integration:

Account Discovery Command via SYSTEM Account

Add ? to make fields like process.pe.original_file_name optional

I've highlighted rules which will work with logs-system.* or logs-system.security* if you add ? to the query here:

Encrypting Files with WinRar or 7z

Missing sysmon tag

Adding the Sysmon or PowerShell tag will make it easier to exclude rules during each review:

Command Prompt Network Connection

Need process.name.caseless adding to mappings

Discovery of Internet Capabilities via Built-in Tools

Rule will work with the CrowdStrike FDR integration

Unusual Process Network Connection

Please can you add the missing index patterns, as we're about to replace Beats with Elastic Agent? A good chunk of the security rules will stop working when this happens.

Thanks
Adding logs-system.* index where applicable. 60 rules identified that are compatible with 4688 (process winlog):
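A check for the two points raised in this thread (which Windows process-creation rules still lack logs-system.security*, and which fields event 4688 cannot supply that a query references without the EQL `?` optional prefix), as an added example that is not part of this PR or of the detection-rules repository's own tooling. The rule files are constructed samples, the allowlist of fields the System integration fills from 4688 is an assumption, and the "is this a Windows rule" heuristic is this example's own:

```python
"""Lint detection-rule TOML for Windows Security 4688 (logs-system.security*) fit.

Added example for the index-tuning discussion, not code from the detection-rules
repo. Per rule it reports whether logs-system.security* should be added to the
index list and which non-4688 fields must be written as ?field so the query does
not error in a cluster where no matched index maps them.
"""
import re
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

SYSTEM_SECURITY = "logs-system.security*"
# Beats / Windows integration patterns used as a "this is a Windows rule" hint.
WINDOWS_INDICES = {"winlogbeat-*", "logs-windows.*"}

# ASSUMED allowlist of ECS fields the System integration populates from 4688.
# process.command_line / process.args need command-line auditing enabled.
FIELDS_4688 = {
    "event.category", "event.type", "event.code", "event.action", "event.provider",
    "host.name", "host.os.type", "host.id",
    "process.name", "process.executable", "process.command_line", "process.args",
    "process.pid", "process.parent.name", "process.parent.executable", "process.parent.pid",
    "user.name", "user.domain", "user.id",
}

# Dotted ECS-style identifier, optionally prefixed with EQL's "?" optional marker.
FIELD_RE = re.compile(r"(?<![\w.])(\??)([a-z]\w*(?:\.\w+)+)")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def query_fields(query: str) -> dict[str, bool]:
    """Map each referenced field to True only if every reference is ?field.

    String literals are blanked first so a value like "cmd.exe" is not taken
    for a field; unquoted KQL values (process.name:cmd.exe) would still be.
    """
    stripped = STRING_RE.sub('""', query)
    optional: dict[str, bool] = {}
    for marker, name in FIELD_RE.findall(stripped):
        optional[name] = optional.get(name, True) and marker == "?"
    return optional


def is_process_start_rule(query: str, language: str) -> bool:
    """True when the rule keys on process creation, which 4688 represents."""
    if language == "eql":
        return re.search(r"\bprocess\s+where\b", query) is not None
    if language == "kuery":
        return (re.search(r'event\.category\s*:\s*"?process"?', query) is not None
                and re.search(r'event\.type\s*:\s*"?start"?', query) is not None)
    return False


def lint_rule(filename: str, toml_text: str) -> dict:
    """Return the index and optional-field findings for one rule file."""
    rule = tomllib.loads(toml_text)["rule"]
    query, language = rule["query"], rule.get("language", "kuery")
    index = set(rule.get("index", []))
    windows = bool(index & WINDOWS_INDICES) or \
        re.search(r'host\.os\.type\s*(?:==|:)\s*"windows"', query) is not None
    process_rule = is_process_start_rule(query, language)
    targets_4688 = process_rule and windows
    make_optional = []
    if targets_4688:
        make_optional = sorted(f for f, opt in query_fields(query).items()
                               if f not in FIELDS_4688 and not opt)
    return {"file": filename, "process_rule": process_rule,
            "add_index": targets_4688 and SYSTEM_SECURITY not in index,
            "make_optional": make_optional}


def lint_all(rules: dict[str, str]) -> list[dict]:
    return [lint_rule(name, text) for name, text in rules.items()]


def format_report(results: list[dict]) -> str:
    lines = []
    for r in results:
        if not r["process_rule"]:
            lines.append(f"{r['file']}: not a process-creation rule, skipped")
            continue
        if r["add_index"]:
            lines.append(f"{r['file']}: add {SYSTEM_SECURITY} to index")
        for field in r["make_optional"]:
            lines.append(f"{r['file']}: write {field} as ?{field} (not in 4688)")
        if not r["add_index"] and not r["make_optional"]:
            lines.append(f"{r['file']}: ok")
    return "\n".join(lines)


# Constructed sample rule files; their queries are illustrative, not the repo's.
SAMPLE_RULES = {
    "example_wbadmin_catalog_delete.toml": r"""
[rule]
name = "Example: Backup Catalog Deletion via wbadmin"
language = "eql"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
query = '''
process where host.os.type == "windows" and event.type == "start" and
  (process.name : "wbadmin.exe" or ?process.pe.original_file_name == "WBADMIN.EXE") and
  process.args : "catalog" and process.args : "delete"
'''
""",
    "example_msbuild_from_script_host.toml": r"""
[rule]
name = "Example: MSBuild Started by a Script Host"
language = "eql"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "MSBuild.exe" and process.pe.original_file_name == "MSBuild.exe" and
  process.parent.name : ("cscript.exe", "wscript.exe", "mshta.exe")
'''
""",
    "example_run_key_modification.toml": r"""
[rule]
name = "Example: Run Key Modification"
language = "eql"
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*"
'''
""",
}

if __name__ == "__main__":
    print(format_report(lint_all(SAMPLE_RULES)))
```

Run it against a `rules/windows/` directory by reading each `.toml` into the dict instead of `SAMPLE_RULES`. The optional-field check matters precisely in the situation described above: once Beats is replaced by Agent, a cluster may contain only logs-system.security* data, and an EQL reference to `process.pe.original_file_name` without `?` fails verification there rather than silently not matching.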