Review & Fix Invalid References (#1936)

(cherry picked from commit 20d2e92cfe)
Jonhnathan
2022-04-26 17:57:15 -03:00
committed by github-actions[bot]
parent 781043991a
commit e3c8981b63
15 changed files with 28 additions and 30 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/02"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/04/20"
integration = "aws"
[rule]
@@ -26,7 +26,7 @@ name = "AWS IAM Password Recovery Requested"
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]
references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
risk_score = 21
rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
severity = "low"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/06/05"
maturity = "production"
updated_date = "2021/10/15"
updated_date = "2022/04/20"
integration = "aws"
[rule]
@@ -25,7 +25,7 @@ note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/",
"https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/06/05"
maturity = "production"
updated_date = "2021/10/05"
updated_date = "2022/04/20"
integration = "aws"
[rule]
@@ -26,7 +26,7 @@ note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://github.com/easttimor/aws-incident-response#network-routing",
"https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified",
"https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/11"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ license = "Elastic License v2"
name = "Attempt to Disable Gatekeeper"
references = [
"https://support.apple.com/en-us/HT202491",
"https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/",
"https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397",
]
risk_score = 47
rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/11"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ note = """## Config
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
"https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html",
]
risk_score = 73
rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/24"
maturity = "production"
updated_date = "2022/04/13"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -65,7 +65,7 @@ Audit User Account Management (Success,Failure)
```
"""
references = [
"https://www.harmj0y.net/blog/activedirectory/roasting-as-reps",
"https://harmj0y.medium.com/roasting-as-reps-e6179a65216b",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738",
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/13"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
"https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
"https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107",
]
risk_score = 73
rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
"https://rastamouse.me/blog/rdp-jump-boxes/",
"https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
]
risk_score = 47
rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/22"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/20"
[rule]
author = ["Austin Songer"]
@@ -19,7 +19,7 @@ note = """## Config
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
"https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/",
"https://www.shellhacks.com/clear-history-powershell/",
"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/14"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
"https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
]
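Review bot: The replacement IOC URL on the new side of this hunk still points at `blob/main/...` in the mandiant/sunburst_countermeasures repository, so the reference will rot again the next time that tree is renamed or reorganised, which is the same failure mode this commit is cleaning up after the fireeye-to-mandiant move. The atc-data reference later in this commit pins a commit hash (`blob/f2bbb51e.../docs/...`), and that form would keep the link resolvable regardless of future renames: `https://github.com/mandiant/sunburst_countermeasures/blob/<commit-sha>/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc`. The same applies to the sibling SUNBURST child-processes rule and to the SigmaHQ `win_gpo_scheduledtasks.yml` reference, which points at `blob/master` even though a directory move under `builtin/security/` appears to be what broke the previous link.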
risk_score = 47
rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/14"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
"https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",
"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",
]
risk_score = 47
rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/08"
maturity = "production"
updated_date = "2022/03/02"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -80,7 +80,7 @@ references = [
"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
"https://labs.f-secure.com/tools/sharpgpoabuse",
"https://twitter.com/menasec1/status/1106899890377052160",
"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_gpo_scheduledtasks.yml"
"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"
]
risk_score = 47
rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/07"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
"https://itm4n.github.io/windows-dll-hijacking-clarified/",
"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
"https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
"https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
"https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html",
"https://windows-internals.com/faxing-your-way-to-system/",
"http://waleedassar.blogspot.com/2013/01/wow64logdll.html",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/06"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -26,7 +26,6 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/afwu/PrintNightmare",
]
risk_score = 47
rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
@@ -3,7 +3,7 @@ creation_date = "2021/07/06"
maturity = "production"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/04"
updated_date = "2022/04/20"
[rule]
author = ["Elastic"]
@@ -28,7 +28,6 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/afwu/PrintNightmare",
]
risk_score = 47
rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"