4 Commits

Author SHA1 Message Date
Samirbous 83406d8ce1 [New/Tuning] Direct Kubelet API Access rules (#5996)
* [New/Tuning] Direct Kubelet API Access rules

- tuned existing rule for D4C to bump up severity to high (low FP and very susp behavior) + added 10255 port and wss url.
- duplicated same rule logic for auditd/endpoint compatibility for both 10250 port in args and kubeletctl exec.
- added a new one using network event vs process argument for more resilience.

* ++

* Update discovery_potential_direct_kubelet_access_via_process_args.toml

* Update and rename discovery_potential_direct_kubelet_access_via_process_args.toml to lateral_movement_direct_kubelet_access_via_process_args.toml

* Update rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/discovery_potential_kubeletctl_execution.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update discovery_potential_kubeletctl_execution.toml

* Update lateral_movement_kubelet_api_connection_attempt_internal_ip.toml

* Apply suggestion from @Aegrah

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestion from @Aegrah

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2026-05-04 22:18:23 +01:00
Mika Ayenson, PhD 8993d1450b [Rule Tuning] Add Supplemental Mitre Mappings (#5876)
---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2026-04-01 09:12:42 -05:00
shashank-elastic 70d7f2b6b1 Monthly Manifest and Schema Updation (#5697) 2026-02-10 09:17:04 +05:30
Ruben Groenewoud 7c03840737 [New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661)
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [New Rules] Misc. D4C Rules related to (un)authenticated API Access

* Apply suggestion from @Aegrah

* [New Rule] Kubelet Certificate File Access Detected via Defend for Containers

* [New Rule] Kubeletctl Execution Detected via Defend for Containers

* [New Rule] Potential Kubeletctl Execution Detected via Defend for Containers

* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt Detected

* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected

* [New Rule] Kubernetes Anonymous User Create/Update/Patch Pods Request

* [New Rule] Potential Cluster Enumeration via jq Detected via Defend for Containers

* Apply suggestion from @Aegrah

* Update execution_kubeletctl_execution.toml
2026-02-04 09:58:42 +01:00