|
9 | 9 |
|
10 | 10 | import rule1 from './403_response_to_a_post.json'; |
11 | 11 | import rule2 from './405_response_method_not_allowed.json'; |
12 | | -import rule3 from './500_response_on_admin_page.json'; |
13 | | -import rule4 from './elastic_endpoint_security_adversary_behavior_detected.json'; |
14 | | -import rule5 from './elastic_endpoint_security_cred_dumping_detected.json'; |
15 | | -import rule6 from './elastic_endpoint_security_cred_dumping_prevented.json'; |
16 | | -import rule7 from './elastic_endpoint_security_cred_manipulation_detected.json'; |
17 | | -import rule8 from './elastic_endpoint_security_cred_manipulation_prevented.json'; |
18 | | -import rule9 from './elastic_endpoint_security_exploit_detected.json'; |
19 | | -import rule10 from './elastic_endpoint_security_exploit_prevented.json'; |
20 | | -import rule11 from './elastic_endpoint_security_malware_detected.json'; |
21 | | -import rule12 from './elastic_endpoint_security_malware_prevented.json'; |
22 | | -import rule13 from './elastic_endpoint_security_permission_theft_detected.json'; |
23 | | -import rule14 from './elastic_endpoint_security_permission_theft_prevented.json'; |
24 | | -import rule15 from './elastic_endpoint_security_process_injection_detected.json'; |
25 | | -import rule16 from './elastic_endpoint_security_process_injection_prevented.json'; |
26 | | -import rule17 from './elastic_endpoint_security_ransomware_detected.json'; |
27 | | -import rule18 from './elastic_endpoint_security_ransomware_prevented.json'; |
28 | | -import rule19 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; |
29 | | -import rule20 from './eql_adobe_hijack_persistence.json'; |
30 | | -import rule21 from './eql_audio_capture_via_powershell.json'; |
31 | | -import rule22 from './eql_audio_capture_via_soundrecorder.json'; |
32 | | -import rule23 from './eql_bypass_uac_event_viewer.json'; |
33 | | -import rule24 from './eql_bypass_uac_via_cmstp.json'; |
34 | | -import rule25 from './eql_bypass_uac_via_sdclt.json'; |
35 | | -import rule26 from './eql_clearing_windows_event_logs.json'; |
36 | | -import rule27 from './eql_delete_volume_usn_journal_with_fsutil.json'; |
37 | | -import rule28 from './eql_deleting_backup_catalogs_with_wbadmin.json'; |
38 | | -import rule29 from './eql_direct_outbound_smb_connection.json'; |
39 | | -import rule30 from './eql_disable_windows_firewall_rules_with_netsh.json'; |
40 | | -import rule31 from './eql_dll_search_order_hijack.json'; |
41 | | -import rule32 from './eql_encoding_or_decoding_files_via_certutil.json'; |
42 | | -import rule33 from './eql_local_scheduled_task_commands.json'; |
43 | | -import rule34 from './eql_local_service_commands.json'; |
44 | | -import rule35 from './eql_modification_of_boot_configuration.json'; |
45 | | -import rule36 from './eql_msbuild_making_network_connections.json'; |
46 | | -import rule37 from './eql_mshta_making_network_connections.json'; |
47 | | -import rule38 from './eql_msxsl_making_network_connections.json'; |
48 | | -import rule39 from './eql_psexec_lateral_movement_command.json'; |
49 | | -import rule40 from './eql_suspicious_ms_office_child_process.json'; |
50 | | -import rule41 from './eql_suspicious_ms_outlook_child_process.json'; |
51 | | -import rule42 from './eql_suspicious_pdf_reader_child_process.json'; |
52 | | -import rule43 from './eql_system_shells_via_services.json'; |
53 | | -import rule44 from './eql_unusual_network_connection_via_rundll32.json'; |
54 | | -import rule45 from './eql_unusual_parentchild_relationship.json'; |
55 | | -import rule46 from './eql_unusual_process_network_connection.json'; |
56 | | -import rule47 from './eql_user_account_creation.json'; |
57 | | -import rule48 from './eql_user_added_to_administrator_group.json'; |
58 | | -import rule49 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; |
59 | | -import rule50 from './eql_volume_shadow_copy_deletion_via_wmic.json'; |
60 | | -import rule51 from './eql_windows_script_executing_powershell.json'; |
61 | | -import rule52 from './eql_wmic_command_lateral_movement.json'; |
62 | | -import rule53 from './linux_hping_activity.json'; |
63 | | -import rule54 from './linux_iodine_activity.json'; |
64 | | -import rule55 from './linux_kernel_module_activity.json'; |
65 | | -import rule56 from './linux_ldso_process_activity.json'; |
66 | | -import rule57 from './linux_lzop_activity.json'; |
67 | | -import rule58 from './linux_mknod_activity.json'; |
68 | | -import rule59 from './linux_netcat_network_connection.json'; |
69 | | -import rule60 from './linux_network_anomalous_process_using_https_ports.json'; |
70 | | -import rule61 from './linux_nmap_activity.json'; |
71 | | -import rule62 from './linux_nping_activity.json'; |
72 | | -import rule63 from './linux_process_started_in_temp_directory.json'; |
73 | | -import rule64 from './linux_ptrace_activity.json'; |
74 | | -import rule65 from './linux_rawshark_activity.json'; |
75 | | -import rule66 from './linux_shell_activity_by_web_server.json'; |
76 | | -import rule67 from './linux_socat_activity.json'; |
77 | | -import rule68 from './linux_ssh_forwarding.json'; |
78 | | -import rule69 from './linux_strace_activity.json'; |
79 | | -import rule70 from './linux_tcpdump_activity.json'; |
80 | | -import rule71 from './linux_web_download.json'; |
81 | | -import rule72 from './linux_whoami_commmand.json'; |
82 | | -import rule73 from './network_dns_directly_to_the_internet.json'; |
83 | | -import rule74 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; |
84 | | -import rule75 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; |
85 | | -import rule76 from './network_nat_traversal_port_activity.json'; |
86 | | -import rule77 from './network_port_26_activity.json'; |
87 | | -import rule78 from './network_port_8000_activity.json'; |
88 | | -import rule79 from './network_port_8000_activity_to_the_internet.json'; |
89 | | -import rule80 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; |
90 | | -import rule81 from './network_proxy_port_activity_to_the_internet.json'; |
91 | | -import rule82 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; |
92 | | -import rule83 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; |
93 | | -import rule84 from './network_rpc_remote_procedure_call_from_the_internet.json'; |
94 | | -import rule85 from './network_rpc_remote_procedure_call_to_the_internet.json'; |
95 | | -import rule86 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; |
96 | | -import rule87 from './network_smtp_to_the_internet.json'; |
97 | | -import rule88 from './network_sql_server_port_activity_to_the_internet.json'; |
98 | | -import rule89 from './network_ssh_secure_shell_from_the_internet.json'; |
99 | | -import rule90 from './network_ssh_secure_shell_to_the_internet.json'; |
100 | | -import rule91 from './network_telnet_port_activity.json'; |
101 | | -import rule92 from './network_tor_activity_to_the_internet.json'; |
102 | | -import rule93 from './network_vnc_virtual_network_computing_from_the_internet.json'; |
103 | | -import rule94 from './network_vnc_virtual_network_computing_to_the_internet.json'; |
104 | | -import rule95 from './null_user_agent.json'; |
105 | | -import rule96 from './sqlmap_user_agent.json'; |
106 | | -import rule97 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; |
107 | | -import rule98 from './windows_burp_ce_activity.json'; |
108 | | -import rule99 from './windows_certutil_connecting_to_the_internet.json'; |
109 | | -import rule100 from './windows_command_prompt_connecting_to_the_internet.json'; |
110 | | -import rule101 from './windows_command_shell_started_by_internet_explorer.json'; |
111 | | -import rule102 from './windows_command_shell_started_by_powershell.json'; |
112 | | -import rule103 from './windows_command_shell_started_by_svchost.json'; |
113 | | -import rule104 from './windows_credential_dumping_commands.json'; |
114 | | -import rule105 from './windows_credential_dumping_via_imageload.json'; |
115 | | -import rule106 from './windows_credential_dumping_via_registry_save.json'; |
116 | | -import rule107 from './windows_data_compression_using_powershell.json'; |
117 | | -import rule108 from './windows_defense_evasion_decoding_using_certutil.json'; |
118 | | -import rule109 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; |
119 | | -import rule110 from './windows_defense_evasion_via_filter_manager.json'; |
120 | | -import rule111 from './windows_defense_evasion_via_windows_event_log_tools.json'; |
121 | | -import rule112 from './windows_execution_via_compiled_html_file.json'; |
122 | | -import rule113 from './windows_execution_via_connection_manager.json'; |
123 | | -import rule114 from './windows_execution_via_microsoft_html_application_hta.json'; |
124 | | -import rule115 from './windows_execution_via_net_com_assemblies.json'; |
125 | | -import rule116 from './windows_execution_via_regsvr32.json'; |
126 | | -import rule117 from './windows_execution_via_trusted_developer_utilities.json'; |
127 | | -import rule118 from './windows_html_help_executable_program_connecting_to_the_internet.json'; |
128 | | -import rule119 from './windows_image_load_from_a_temp_directory.json'; |
129 | | -import rule120 from './windows_indirect_command_execution.json'; |
130 | | -import rule121 from './windows_iodine_activity.json'; |
131 | | -import rule122 from './windows_management_instrumentation_wmi_execution.json'; |
132 | | -import rule123 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; |
133 | | -import rule124 from './windows_mimikatz_activity.json'; |
134 | | -import rule125 from './windows_misc_lolbin_connecting_to_the_internet.json'; |
135 | | -import rule126 from './windows_net_command_activity_by_the_system_account.json'; |
136 | | -import rule127 from './windows_net_user_command_activity.json'; |
137 | | -import rule128 from './windows_netcat_activity.json'; |
138 | | -import rule129 from './windows_netcat_network_activity.json'; |
139 | | -import rule130 from './windows_network_anomalous_windows_process_using_https_ports.json'; |
140 | | -import rule131 from './windows_nmap_activity.json'; |
141 | | -import rule132 from './windows_nmap_scan_activity.json'; |
142 | | -import rule133 from './windows_payload_obfuscation_via_certutil.json'; |
143 | | -import rule134 from './windows_persistence_or_priv_escalation_via_hooking.json'; |
144 | | -import rule135 from './windows_persistence_via_application_shimming.json'; |
145 | | -import rule136 from './windows_persistence_via_bits_jobs.json'; |
146 | | -import rule137 from './windows_persistence_via_modification_of_existing_service.json'; |
147 | | -import rule138 from './windows_persistence_via_netshell_helper_dll.json'; |
148 | | -import rule139 from './windows_powershell_connecting_to_the_internet.json'; |
149 | | -import rule140 from './windows_priv_escalation_via_accessibility_features.json'; |
150 | | -import rule141 from './windows_process_discovery_via_tasklist_command.json'; |
151 | | -import rule142 from './windows_process_execution_via_wmi.json'; |
152 | | -import rule143 from './windows_process_started_by_acrobat_reader_possible_payload.json'; |
153 | | -import rule144 from './windows_process_started_by_ms_office_program_possible_payload.json'; |
154 | | -import rule145 from './windows_process_started_by_the_java_runtime.json'; |
155 | | -import rule146 from './windows_psexec_activity.json'; |
156 | | -import rule147 from './windows_register_server_program_connecting_to_the_internet.json'; |
157 | | -import rule148 from './windows_registry_query_local.json'; |
158 | | -import rule149 from './windows_registry_query_network.json'; |
159 | | -import rule150 from './windows_remote_management_execution.json'; |
160 | | -import rule151 from './windows_scheduled_task_activity.json'; |
161 | | -import rule152 from './windows_script_interpreter_connecting_to_the_internet.json'; |
162 | | -import rule153 from './windows_signed_binary_proxy_execution.json'; |
163 | | -import rule154 from './windows_signed_binary_proxy_execution_download.json'; |
164 | | -import rule155 from './windows_suspicious_process_started_by_a_script.json'; |
165 | | -import rule156 from './windows_whoami_command_activity.json'; |
166 | | -import rule157 from './windows_windump_activity.json'; |
167 | | -import rule158 from './windows_wireshark_activity.json'; |
| 12 | +import rule3 from './elastic_endpoint_security_adversary_behavior_detected.json'; |
| 13 | +import rule4 from './elastic_endpoint_security_cred_dumping_detected.json'; |
| 14 | +import rule5 from './elastic_endpoint_security_cred_dumping_prevented.json'; |
| 15 | +import rule6 from './elastic_endpoint_security_cred_manipulation_detected.json'; |
| 16 | +import rule7 from './elastic_endpoint_security_cred_manipulation_prevented.json'; |
| 17 | +import rule8 from './elastic_endpoint_security_exploit_detected.json'; |
| 18 | +import rule9 from './elastic_endpoint_security_exploit_prevented.json'; |
| 19 | +import rule10 from './elastic_endpoint_security_malware_detected.json'; |
| 20 | +import rule11 from './elastic_endpoint_security_malware_prevented.json'; |
| 21 | +import rule12 from './elastic_endpoint_security_permission_theft_detected.json'; |
| 22 | +import rule13 from './elastic_endpoint_security_permission_theft_prevented.json'; |
| 23 | +import rule14 from './elastic_endpoint_security_process_injection_detected.json'; |
| 24 | +import rule15 from './elastic_endpoint_security_process_injection_prevented.json'; |
| 25 | +import rule16 from './elastic_endpoint_security_ransomware_detected.json'; |
| 26 | +import rule17 from './elastic_endpoint_security_ransomware_prevented.json'; |
| 27 | +import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; |
| 28 | +import rule19 from './eql_adobe_hijack_persistence.json'; |
| 29 | +import rule20 from './eql_audio_capture_via_powershell.json'; |
| 30 | +import rule21 from './eql_audio_capture_via_soundrecorder.json'; |
| 31 | +import rule22 from './eql_bypass_uac_event_viewer.json'; |
| 32 | +import rule23 from './eql_bypass_uac_via_cmstp.json'; |
| 33 | +import rule24 from './eql_bypass_uac_via_sdclt.json'; |
| 34 | +import rule25 from './eql_clearing_windows_event_logs.json'; |
| 35 | +import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json'; |
| 36 | +import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json'; |
| 37 | +import rule28 from './eql_direct_outbound_smb_connection.json'; |
| 38 | +import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json'; |
| 39 | +import rule30 from './eql_dll_search_order_hijack.json'; |
| 40 | +import rule31 from './eql_encoding_or_decoding_files_via_certutil.json'; |
| 41 | +import rule32 from './eql_local_scheduled_task_commands.json'; |
| 42 | +import rule33 from './eql_local_service_commands.json'; |
| 43 | +import rule34 from './eql_modification_of_boot_configuration.json'; |
| 44 | +import rule35 from './eql_msbuild_making_network_connections.json'; |
| 45 | +import rule36 from './eql_mshta_making_network_connections.json'; |
| 46 | +import rule37 from './eql_msxsl_making_network_connections.json'; |
| 47 | +import rule38 from './eql_psexec_lateral_movement_command.json'; |
| 48 | +import rule39 from './eql_suspicious_ms_office_child_process.json'; |
| 49 | +import rule40 from './eql_suspicious_ms_outlook_child_process.json'; |
| 50 | +import rule41 from './eql_suspicious_pdf_reader_child_process.json'; |
| 51 | +import rule42 from './eql_system_shells_via_services.json'; |
| 52 | +import rule43 from './eql_unusual_network_connection_via_rundll32.json'; |
| 53 | +import rule44 from './eql_unusual_parentchild_relationship.json'; |
| 54 | +import rule45 from './eql_unusual_process_network_connection.json'; |
| 55 | +import rule46 from './eql_user_account_creation.json'; |
| 56 | +import rule47 from './eql_user_added_to_administrator_group.json'; |
| 57 | +import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; |
| 58 | +import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json'; |
| 59 | +import rule50 from './eql_windows_script_executing_powershell.json'; |
| 60 | +import rule51 from './eql_wmic_command_lateral_movement.json'; |
| 61 | +import rule52 from './linux_hping_activity.json'; |
| 62 | +import rule53 from './linux_iodine_activity.json'; |
| 63 | +import rule54 from './linux_kernel_module_activity.json'; |
| 64 | +import rule55 from './linux_ldso_process_activity.json'; |
| 65 | +import rule56 from './linux_mknod_activity.json'; |
| 66 | +import rule57 from './linux_netcat_network_connection.json'; |
| 67 | +import rule58 from './linux_nmap_activity.json'; |
| 68 | +import rule59 from './linux_nping_activity.json'; |
| 69 | +import rule60 from './linux_process_started_in_temp_directory.json'; |
| 70 | +import rule61 from './linux_shell_activity_by_web_server.json'; |
| 71 | +import rule62 from './linux_socat_activity.json'; |
| 72 | +import rule63 from './linux_ssh_forwarding.json'; |
| 73 | +import rule64 from './linux_strace_activity.json'; |
| 74 | +import rule65 from './linux_tcpdump_activity.json'; |
| 75 | +import rule66 from './linux_whoami_commmand.json'; |
| 76 | +import rule67 from './network_dns_directly_to_the_internet.json'; |
| 77 | +import rule68 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; |
| 78 | +import rule69 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; |
| 79 | +import rule70 from './network_nat_traversal_port_activity.json'; |
| 80 | +import rule71 from './network_port_26_activity.json'; |
| 81 | +import rule72 from './network_port_8000_activity_to_the_internet.json'; |
| 82 | +import rule73 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; |
| 83 | +import rule74 from './network_proxy_port_activity_to_the_internet.json'; |
| 84 | +import rule75 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; |
| 85 | +import rule76 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; |
| 86 | +import rule77 from './network_rpc_remote_procedure_call_from_the_internet.json'; |
| 87 | +import rule78 from './network_rpc_remote_procedure_call_to_the_internet.json'; |
| 88 | +import rule79 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; |
| 89 | +import rule80 from './network_smtp_to_the_internet.json'; |
| 90 | +import rule81 from './network_sql_server_port_activity_to_the_internet.json'; |
| 91 | +import rule82 from './network_ssh_secure_shell_from_the_internet.json'; |
| 92 | +import rule83 from './network_ssh_secure_shell_to_the_internet.json'; |
| 93 | +import rule84 from './network_telnet_port_activity.json'; |
| 94 | +import rule85 from './network_tor_activity_to_the_internet.json'; |
| 95 | +import rule86 from './network_vnc_virtual_network_computing_from_the_internet.json'; |
| 96 | +import rule87 from './network_vnc_virtual_network_computing_to_the_internet.json'; |
| 97 | +import rule88 from './null_user_agent.json'; |
| 98 | +import rule89 from './sqlmap_user_agent.json'; |
| 99 | +import rule90 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; |
| 100 | +import rule91 from './windows_certutil_connecting_to_the_internet.json'; |
| 101 | +import rule92 from './windows_command_prompt_connecting_to_the_internet.json'; |
| 102 | +import rule93 from './windows_command_shell_started_by_internet_explorer.json'; |
| 103 | +import rule94 from './windows_command_shell_started_by_powershell.json'; |
| 104 | +import rule95 from './windows_command_shell_started_by_svchost.json'; |
| 105 | +import rule96 from './windows_defense_evasion_via_filter_manager.json'; |
| 106 | +import rule97 from './windows_execution_via_compiled_html_file.json'; |
| 107 | +import rule98 from './windows_execution_via_connection_manager.json'; |
| 108 | +import rule99 from './windows_execution_via_net_com_assemblies.json'; |
| 109 | +import rule100 from './windows_execution_via_regsvr32.json'; |
| 110 | +import rule101 from './windows_execution_via_trusted_developer_utilities.json'; |
| 111 | +import rule102 from './windows_html_help_executable_program_connecting_to_the_internet.json'; |
| 112 | +import rule103 from './windows_misc_lolbin_connecting_to_the_internet.json'; |
| 113 | +import rule104 from './windows_net_command_activity_by_the_system_account.json'; |
| 114 | +import rule105 from './windows_persistence_via_application_shimming.json'; |
| 115 | +import rule106 from './windows_priv_escalation_via_accessibility_features.json'; |
| 116 | +import rule107 from './windows_process_discovery_via_tasklist_command.json'; |
| 117 | +import rule108 from './windows_process_execution_via_wmi.json'; |
| 118 | +import rule109 from './windows_register_server_program_connecting_to_the_internet.json'; |
| 119 | +import rule110 from './windows_signed_binary_proxy_execution.json'; |
| 120 | +import rule111 from './windows_signed_binary_proxy_execution_download.json'; |
| 121 | +import rule112 from './windows_suspicious_process_started_by_a_script.json'; |
| 122 | +import rule113 from './windows_whoami_command_activity.json'; |
168 | 123 | export const rawRules = [ |
169 | 124 | rule1, |
170 | 125 | rule2, |
@@ -279,49 +234,4 @@ export const rawRules = [ |
279 | 234 | rule111, |
280 | 235 | rule112, |
281 | 236 | rule113, |
282 | | - rule114, |
283 | | - rule115, |
284 | | - rule116, |
285 | | - rule117, |
286 | | - rule118, |
287 | | - rule119, |
288 | | - rule120, |
289 | | - rule121, |
290 | | - rule122, |
291 | | - rule123, |
292 | | - rule124, |
293 | | - rule125, |
294 | | - rule126, |
295 | | - rule127, |
296 | | - rule128, |
297 | | - rule129, |
298 | | - rule130, |
299 | | - rule131, |
300 | | - rule132, |
301 | | - rule133, |
302 | | - rule134, |
303 | | - rule135, |
304 | | - rule136, |
305 | | - rule137, |
306 | | - rule138, |
307 | | - rule139, |
308 | | - rule140, |
309 | | - rule141, |
310 | | - rule142, |
311 | | - rule143, |
312 | | - rule144, |
313 | | - rule145, |
314 | | - rule146, |
315 | | - rule147, |
316 | | - rule148, |
317 | | - rule149, |
318 | | - rule150, |
319 | | - rule151, |
320 | | - rule152, |
321 | | - rule153, |
322 | | - rule154, |
323 | | - rule155, |
324 | | - rule156, |
325 | | - rule157, |
326 | | - rule158, |
327 | 237 | ]; |