Terrance DeJesus
2d6094e1e4
[Hunt Tuning] Entra ID Device Code Phishing / Update Drifted Docs (#5936)
Fixes #5935
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-05-04 09:46:13 -04:00
Terrance DeJesus
0b98462cfe
[New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458)
* new hunting queries for SNS
* added KEEP to all queries; adjusted description in SNS rule
2025-02-20 10:53:36 -05:00
Terrance DeJesus
f1dee060b6
[Hunt Tuning] Fixing Sort Logic in Aviatrix Hunting Query (#4432)
* fixing sort logic error
* Update hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-02-03 21:43:02 -05:00
Terrance DeJesus
4e95bc7891
[New Hunt] Adding Hunting Query for IAM Unusual Default Aviatrix Role Activity (#4409)
* new hunt 'unusual aviatrix default role activity'
* added additional investigation notes
2025-01-28 12:09:29 -05:00
Ruben Groenewoud
a2b280a6fd
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
* [New Hunt] Linux PAM Persistence
* Fixed notes
* [New Hunt] Persistence via Dynamic Linker Hijacking
* [New Hunt & Tuning] Persistence via LKMs
* [New Hunt] Persistence via Web Shells
* Update query
* [New Rule] Persistence via DPKG/RPM Package
* [New Hunt] Persistence via Container
* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml
* [Hunt Addition] System User Interactive Session
* Merge branch 'main' into new-hunts-PAM
* Updates
* ++
* Match RTA bin executor
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2025-01-07 14:29:17 +01:00
Terrance DeJesus
28ffebbf5c
[New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User (#4280)
* new hunt 'AWS IAM Unusual AWS Access Key Usage for User'
* updated version
* updating markdown
* bumping version
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-12-12 14:56:20 -05:00
Terrance DeJesus
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User (#4245)
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
Terrance DeJesus
4b4b2cc9c8
[Hunt Tuning] Enforce STATS or KEEP functions in ES|QL hunting queries (#4157)
* enforcing aggregate or keep in ES|QL queries
* Update hunting/definitions.py
* Update hunting/definitions.py
* Update hunting/definitions.py
* updated capitalization of linting
* updated raise value error
* Update hunting/definitions.py
* added note about stats in best practices
2024-10-16 09:16:28 -04:00
Terrance DeJesus
50e23ba242
[Hunting] Re-factor Hunting Library Code (#4085)
* updating python code for hunting library
* fixed okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-10-03 12:47:40 -04:00
Terrance DeJesus
ba58a1e7cc
[New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988)
* new hunt queries for aws
* sendcommand and getuserpassword queries
* s3 bucket access and secrets manager requests added
* ssm start session and service logging deleted added
* adding federated authentication queries
* added ec2 modify instance attribute query
* adding backdoor role creation query
* 2 new queries for discovery; added lookback windows
* added new hunting query for IAM activity with no MFA session
* added missing time windows
* adding new query for lambda add permissions
* adjusted query format
* added new query for ec2 instance deployment anomalies
* updated queries based on feedback; regenerated docs
* fixed queries
* removed new rule
2024-09-04 10:08:44 -04:00