fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate
fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters
new: Communication To Uncommon Destination Ports
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: Powershell File and Directory Discovery
remove: PowerShell Scripts Run by a Services
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: HH.EXE Execution - Reduce level to low
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: LSASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardcoded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: WMI Event Consumer Created Named Pipe - Reduce level to medium
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: @Blackmore-Robert
Thanks: @swachchhanda000
Thanks: @celalettin-turgut
Thanks: @AaronS97
Sigma - Generic Signature Format for SIEM Systems
Welcome to the Sigma main rule repository, the place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different types and aims to make reliable detections accessible to all at no cost.
Currently the repository offers three types of rules:
- Generic Detection Rules - Threat agnostic; their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor.
- Threat Hunting Rules - Broader in scope and meant to give the analyst a starting point to hunt for potentially suspicious or malicious activity.
- Emerging Threat Rules - Cover specific threats that are timely and relevant for certain periods of time. These include specific APT campaigns, exploitation of zero-day vulnerabilities, specific malware used during an attack, etc.
Explore Sigma
To start exploring the Sigma ecosystem, please visit the official website, sigmahq.io.
What is Sigma
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.
The main purpose of this project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and make them shareable with others.
Sigma is for log files what Snort is for network traffic and YARA is for files.
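To make the format concrete, here is an added example that is not code from the SigmaHQ repository or from pySigma: a minimal Python evaluator for a small subset of a rule's `detection` section (field selections with the `contains`/`startswith`/`endswith` modifiers, `*` wildcards in plain values, and a `condition` built from `and`/`or`/`not` and parentheses). The rule, the benign parent process name `inventory_agent.exe` and the four process-creation events are all constructed for this example. The `selection and not filter_...` shape of the condition is the same false-positive-filter pattern that most of the rule changes listed at the top of this page adjust.

```python
"""Minimal evaluator for a small subset of the Sigma rule format.

Added example, not code from SigmaHQ or pySigma. It evaluates a rule's
detection section against dict-shaped log events so the reader can see how a
selection matches, and how a false-positive filter narrows the match.
"""
import fnmatch
import re

# Constructed rule (assumed example, not a SigmaHQ rule), written as the dict
# PyYAML would produce from this YAML:
#
#   title: Whoami Output Redirected To File (constructed example)
#   logsource:
#     category: process_creation
#     product: windows
#   detection:
#     selection:
#       Image|endswith: '\whoami.exe'
#       CommandLine|contains: ' > '
#     filter_inventory_tool:
#       ParentImage|endswith: '\inventory_agent.exe'   # assumed benign parent
#     condition: selection and not filter_inventory_tool
#   level: medium
RULE = {
    "title": "Whoami Output Redirected To File (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe", "CommandLine|contains": " > "},
        "filter_inventory_tool": {"ParentImage|endswith": "\\inventory_agent.exe"},
        "condition": "selection and not filter_inventory_tool",
    },
    "level": "medium",
}


def value_matches(actual, modifiers, expected):
    """Compare one event field with one rule value; Sigma matching is case-insensitive."""
    if actual is None:  # field absent from the event never matches
        return False
    actual, expected = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return expected in actual
    if "startswith" in modifiers:
        return actual.startswith(expected)
    if "endswith" in modifiers:
        return actual.endswith(expected)
    return fnmatch.fnmatchcase(actual, expected)  # plain value: exact, with * and ? wildcards


def selection_matches(selection, event):
    """A selection maps 'Field|modifier' to a value or a list of values (list means any-of);
    all fields of a selection must match (AND)."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(event.get(field), modifiers, c) for c in candidates):
            return False
    return True


_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_]*)")


def evaluate_condition(condition, detection, event):
    """Recursive-descent evaluation of 'a and not (b or c)'-style conditions."""
    tokens = _TOKEN.findall(condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        result = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()  # always consumed, no short-circuit over tokens
            result = result or rhs
        return result

    def parse_and():
        result = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            result = result and rhs
        return result

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            result = parse_or()
            take()  # closing parenthesis
            return result
        return selection_matches(detection[tok], event)  # a named selection

    return parse_or()


def rule_matches(rule, event):
    detection = rule["detection"]
    return evaluate_condition(detection["condition"], detection, event)


# Constructed process-creation events with Sysmon-style field names.
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\whoami.exe",
     "CommandLine": "whoami /all > C:\\Users\\Public\\out.txt",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\whoami.exe",      # filtered: assumed benign parent
     "CommandLine": "whoami /priv > C:\\ProgramData\\inv\\whoami.txt",
     "ParentImage": "C:\\Program Files\\Inventory\\inventory_agent.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\whoami.exe",      # no output redirection
     "CommandLine": "whoami", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe",         # different image
     "CommandLine": "cmd /c echo hi > out.txt", "ParentImage": "C:\\Windows\\explorer.exe"},
]


def matching_event_ids(rule, events):
    return [e["id"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", matching_event_ids(RULE, EVENTS))  # [1]
```

Only event 1 fires: event 2 is caught by the filter, which is exactly the knob the "Enhance FP filters" entries above turn. Real conversion and evaluation should go through pySigma or Sigma CLI, which also handle the modifiers, value types and condition forms this toy leaves out.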
Why Sigma
Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and building their own searches and dashboards. Some of their searches and correlations are great and very useful, but they lack a standardized format in which they can share their work with others.
Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
🌟 Key Features
- A continuously growing list of detection and hunting rules, peer reviewed by a community of professional Detection Engineers.
- Vendor agnostic detection rules.
- Easily shareable across communities and reports
🏗️ Rule Creation
To start writing Sigma rules please check the following guides:
🔎 Contributing & Making PRs
Please refer to the CONTRIBUTING guide for detailed instructions on how you can start contributing new rules.
📦 Rule Packages
You can download the latest rule packages from the release page and start leveraging Sigma rules today.
🧬 Rule Usage and Conversion
- You can start converting Sigma rules today using Sigma CLI or sigconverter.io, the GUI interface.
- To integrate Sigma rules in your own toolchain or products, use pySigma.
🚨 Reporting False Positives or New Rule Ideas
If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the GitHub repository by selecting one of the available templates.
📚 Resources & Further Reading
- Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke
- MITRE ATT&CK® and Sigma Alerting SANS Webcast Recording
- Sigma - Generic Signatures for SIEM Systems by Florian Roth
Projects or Products that use or integrate Sigma rules
- Atomic Threat Coverage (Since December 2018)
- Confluent Sigma - Kafka Streams supported Sigma rules
- IBM QRadar
- Joe Sandbox
- MISP (Since Version 2.4.70, March 2017)
- Nextron's Aurora Agent
- Nextron's THOR Scanner - Scan with Sigma rules on endpoints
- RANK VASA
- Sekoia.io XDR - XDR supporting Sigma and Sigma Correlation rules languages
- SIΣGMA - SIEM consumable generator that utilizes Sigma for query conversion
- sigma2stix - Converts the entire SigmaHQ Ruleset into STIX 2.1 Objects.
- SOC Prime
- TA-Sigma-Searches (Splunk App)
- TimeSketch
- ypsilon - Automated Use Case Testing
- alterix - Converts Sigma rules to the query language of CRYPTTECH's SIEM
📜 Maintainers
- Nasreddine Bencherchali (@nas_bench)
- Florian Roth (@cyb3rops)
- Christian Burkard (@phantinuss)
- François Hubaut (@frack113)
- Thomas Patzke (@blubbfiction)
Credits
This project would never have reached this height without the help of hundreds of contributors. Thanks to all past and present contributors for their help.
Licenses
The content of this repository is released under the Detection Rule License (DRL) 1.1.
