Jonhnathan
d95919b7e3
[Rule Tuning] Windows Setup Guides - Low and Medium Severity Rules (#6042)
* checkpoint
* ++
* Update credential_access_dcsync_user_backdoor.toml
* Update defense_evasion_posh_high_entropy.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
2026-05-04 11:17:05 -03:00
shashank-elastic
a6fba3c728
Monthly Manifest and Schema Updation (#6036)
2026-05-04 18:01:56 +05:30
Jonhnathan
748ee85339
[Rule Tuning] Windows High-Severity Rules Revamp - 7 (#6013)
* [Rule Tuning] Windows High-Severity Rules Revamp - 7
* Apply suggestion from @w0rk3r
2026-05-01 19:13:37 -03:00
Jonhnathan
c503e550b8
[Rule Tuning] Misc Windows Tuning (#5990)
* [Rule Tuning] Misc Windows Tuning
* Apply suggestions from code review
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_msbuild_making_network_connections.toml
* Update defense_evasion_msbuild_making_network_connections.toml
2026-05-01 18:40:27 -03:00
Jonhnathan
ab7f9d7296
[Rule Tuning] Windows High-Severity Rules Revamp - 3 (#5969)
2026-05-01 18:23:53 -03:00
Jonhnathan
61ee9caf8a
[Rule Tuning] Windows High-Severity Rules Revamp - 5 (#6004)
2026-05-01 17:02:56 -03:00
Jonhnathan
771be70c38
[Rule Tuning] Windows High-Severity Rules Revamp - 6 (#6010)
* [Rule Tuning] Windows High-Severity Rules Revamp - 6
* ++
2026-05-01 16:14:44 -03:00
Jonhnathan
2cb5e1860a
[Rule Tuning] Windows High-Severity Rules Revamp - 8 (#6019)
* [Rule Tuning] Windows High-Severity Rules Revamp - 8
* Delete measure_note_size.py
2026-05-01 15:52:50 -03:00
Jonhnathan
8982ff9032
[Rule Tuning] Windows High-Severity Rules Revamp - 9 (#6022)
2026-05-01 15:32:43 -03:00
Jonhnathan
920910c485
[Rule Tuning] Windows High-Severity Rules Revamp - 4 (#5981)
* [Rule Tuning] Windows High-Severity Rules Revamp - 4
* Apply suggestion from @w0rk3r
2026-05-01 14:31:25 -03:00
Jonhnathan
eb32e7a242
[Rule Tuning] Veeam Backup Library Loaded by Unusual Process (#5985)
2026-04-30 18:15:40 -03:00
Jonhnathan
b9065e0689
[Rule Tuning] Add Lunixar to RMM rules, fix new_terms condition (#5986)
2026-04-30 07:59:46 -03:00
shashank-elastic
7a54f8be99
Prep for Release 9.4 (#5965)
2026-04-23 00:13:05 +05:30
Jonhnathan
ebcd05f879
[Rule Tuning] Misc Windows Tunings (#5955)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2026-04-22 15:10:05 -03:00
Jonhnathan
8d25a7ddce
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)
* [Rule Tuning] Fix MS Defender XDR tag
* bump updated_date
2026-04-20 18:38:09 -03:00
Terrance DeJesus
deab1c0161
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
* [Rule Tuning] Change event.dataset to data_stream.dataset
* updating ESQL field names
2026-04-10 12:27:52 -04:00
Jonhnathan
a9d0d79a5b
[Rule Tuning] Process Created with an Elevated Token (#5934)
2026-04-10 11:47:27 -03:00
Samirbous
7fcbec380b
Update command_and_control_rmm_after_msi_install.toml (#5901)
2026-04-08 08:01:10 -05:00
Jonhnathan
09e5bf04f4
[Rule Deprecation] SUNBURST Command and Control Activity (#5928)
2026-04-08 07:25:05 -05:00
Jonhnathan
a950f4738e
[Rule Tuning] Windows High-Severity Rules Revamp - 2 (#5900)
* [Rule Tuning] Windows High-Severity Rules Revamp - 2
* ++
* Compress guides
* ++
* ++
2026-04-06 13:06:24 -03:00
Jonhnathan
2c42c12c26
[Rule Tuning] Windows High-Severity Rules Revamp - 1 (#5899)
* [Rule Tuning] Windows High-Severity Rules Revamp - 1
* ++
* Guide compression
* ++
* revert unit test removal
* Apply suggestion from @w0rk3r
* Update command_and_control_headless_browser.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2026-04-06 12:30:43 -03:00
Jonhnathan
0a8c89d3f5
[Rule Tuning] Misc Windows (#5906)
2026-04-06 09:42:29 -03:00
Mika Ayenson, PhD
8993d1450b
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2026-04-01 09:12:42 -05:00
Terrance DeJesus
a8033e14aa
rule tuning add ICP blockchain indicator (#5887)
2026-03-26 11:09:51 -05:00
Samirbous
057fe30199
[New] RMM Rules (#5848)
2026-03-23 22:11:52 +05:30
Jonhnathan
3ce89a3ccf
[Rule Tuning] Sensitive Audit Policy Sub-Category Disabled (#5859)
* [Rule Tuning] Sensitive Audit Policy Sub-Category Disabled
* ++
* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestion from @w0rk3r
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-03-23 13:25:35 -03:00
Jonhnathan
38e1456eca
[Rule Tuning] Misc Rule Tuning (#5858)
* [Rule Tuning] Misc Rule Tuning
* Update defense_evasion_elastic_agent_service_terminated.toml
2026-03-23 13:01:06 -03:00
Samirbous
062a065722
[Tuning] Add Missing executable file extensions (#5857)
Add missing executable file extensions; for example, execution_windows_script_from_internet.toml didn't cover wsf and sct.
2026-03-23 12:23:51 +00:00
Samirbous
e788ab7e73
[New/tuning] WarLock coverage (#5846)
* [New/tuning] WarLock coverage
Improve coverage for https://www.trendmicro.com/tr_tr/research/26/c/dissecting-a-warlock-attack.html
* ++
* Update command_and_control_velociraptor_shell_execution.toml
* Update command_and_control_tunnel_cloudflared.toml
* Update command_and_control_tunnel_yuze.toml
* Update command_and_control_velociraptor_shell_execution.toml
* Update exfiltration_rclone_cloud_upload.toml
* Update rules/windows/exfiltration_rclone_cloud_upload.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_velociraptor_shell_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_yuze.toml
* Update command_and_control_tunnel_yuze.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-03-23 11:01:12 +00:00
Samirbous
7bde0a9d2d
[Tuning] Misc Rules Tuning (#5817)
* [Tuning] Misc Rules Tuning
tuning of recently created or tuned rules.
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update credential_access_bruteforce_admin_account.toml
* ++
* ++
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-23 10:49:23 +00:00
Samirbous
02adbfb2b0
[New / Tuning] LeakNet cov (#5850)
* [Tuning] LeakNet cov
https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat
* Update execution_susp_javascript_via_deno.toml
* Update execution_susp_javascript_via_deno.toml
* Apply suggestion from @w0rk3r
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestion from @w0rk3r
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestion from @w0rk3r
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update execution_susp_javascript_via_deno.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-03-20 21:11:26 +00:00
Samirbous
7bd2e2911c
Update command_and_control_common_webservices.toml (#5831)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-03-18 09:38:29 -03:00
Samirbous
2d6172e9c2
Update command_and_control_dns_rmm_domains_non_browser.toml (#5819)
minor change to unblock release.
2026-03-10 12:07:39 +00:00
Samirbous
afcb342c55
[Tuning/New] RMM Rules (#5810)
* [Tuning/New] RMM Rules
- replaced RAT with RMM (RMM != RAT)
- added extra RMM processes, added process.parent.name and parent code signature too (GoToHTTP, tacticalrmm and more).
- added more references
- new terms rule based on dns.question.name
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* ++
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* ++
* ++
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update rules/windows/command_and_control_dns_rmm_domains_non_browser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-03-09 16:33:47 +00:00
Samirbous
ec4a0e58e4
[New] Suspicious Execution from VS Code Extension (#5786)
* [New] Suspicious Execution from VS Code Extension
Detects suspicious process execution launched from a VS Code extension context (parent command line contains
.vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. RATs like
ScreenConnect, script interpreters, or download utilities). This covers both script/LOLBin children and
recently created executables from non-Program Files paths, as seen in campaigns such as the fake Clawdbot
extension that installed ScreenConnect RAT.
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* ++
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
2026-03-09 16:22:41 +00:00
Samirbous
a7c34ebf3b
[New] Potential Account Takeover - Logon from New Source IP (#5770)
* [New] Potential Account Takeover - Logon from New Source IP
* Update credential_access_account_takeover_new_source_ip.toml
* Update credential_access_account_takeover_new_source_ip.toml
* Update privilege_escalation_takeover_new_source_ip.toml
* ++
* Update privilege_escalation_account_takeover_mixed_logon_types.toml
* Update privilege_escalation_account_takeover_mixed_logon_types.toml
* Update rules/windows/privilege_escalation_takeover_new_source_ip.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2026-03-09 15:33:57 +00:00
Eric Forte
94c73e3ad7
[FR] Minor Typo Fixes (#5784)
2026-03-06 16:12:45 -06:00
Samirbous
dc7d8960de
[Tuning] LSASS Process Access via Windows API (#5807)
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
2026-03-03 19:05:47 +00:00
Jonhnathan
5ddca45adf
[Rule Tuning] Windows Misc Tuning - 2 (#5758)
* [Rule Tuning] Windows Misc Tuning - 2
* Apply suggestion from @w0rk3r
2026-02-23 13:09:19 -03:00
Jonhnathan
3d647feb8c
[Rule Tuning] Windows Misc Tunings (#5740)
* [Rule Tuning] Windows Misc Tunings
* ++
* Update defense_evasion_wsl_child_process.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-02-20 14:11:35 -03:00
Samirbous
2605d38018
[New] Potential Notepad Markdown RCE Exploitation (#5729)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
2026-02-18 16:19:56 +00:00
Jonhnathan
6d0471768f
[Rule Tuning] PowerShell Rules Revamp - 9 (#5706)
* [Rule Tuning] PowerShell Rules Revamp - 9
* .
* Update defense_evasion_posh_obfuscation_index_reversal.toml
* Update defense_evasion_posh_obfuscation_index_reversal.toml
* update disclaimer
* update tags
2026-02-18 12:22:24 -03:00
Jonhnathan
5d98a212fc
[Rule Tuning] Potential Timestomp in Executable Files (#5727)
* [Rule Tuning] Potential Timestomp in Executable Files
* Update defense_evasion_timestomp_sysmon.toml
2026-02-18 11:14:54 -03:00
Samirbous
41a8256aa3
[tuning] LLM DNS queries (#5709)
* Update command_and_control_common_llm_endpoint.toml
* Update command_and_control_common_llm_endpoint.toml
* Update command_and_control_common_llm_endpoint.toml
* Apply suggestion from @w0rk3r
* Update command_and_control_common_llm_endpoint.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-02-13 13:54:52 +00:00
Jonhnathan
51cf7574a9
[Rule Deprecation] PowerShell Rules (#5707)
* [Rule Deprecation] PowerShell Rules
* Update defense_evasion_posh_obfuscation_index_reversal.toml
2026-02-11 16:49:33 -03:00
Jonhnathan
4980a3b50c
[Rule Tuning] PowerShell Rules Revamp - 8 (#5705)
* [Rule Tuning] PowerShell Rules Revamp - 8
* update disclaimer
* Apply suggestion from @w0rk3r
* Update rules/windows/execution_posh_psreflect.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Apply suggestion from @w0rk3r
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-11 16:32:04 -03:00
Jonhnathan
3065b10f91
[Rule Tuning] PowerShell Rules Revamp - 7 (#5704)
* [Rule Tuning] PowerShell Rules Revamp - 7
* update disclaimer
2026-02-11 16:02:48 -03:00
Jonhnathan
9be58755ae
[Rule Tuning] PowerShell Rules Revamp - 6 (#5700)
* [Rule Tuning] PowerShell Rules Revamp - 6
* .
* [Rule Tuning] PowerShell Rules Revamp - 7
* Revert "[Rule Tuning] PowerShell Rules Revamp - 7"
This reverts commit 378f8c8b6409ea1e4bad0e86027c05e0a7db9950.
* update disclaimer
2026-02-11 15:50:49 -03:00
Jonhnathan
20450660df
[Rule Tuning] PowerShell Rules Revamp - 5 (#5699)
* [Rule Tuning] PowerShell Rules Revamp - 5
* Update defense_evasion_posh_obfuscation_backtick.toml
* update disclaimer
2026-02-11 15:36:48 -03:00
Jonhnathan
2d4d56bf21
[Rule Tuning] PowerShell Rules Revamp - 4 (#5698)
* [Rule Tuning] PowerShell Rules Revamp - 4
* bump
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update defense_evasion_posh_compressed.toml
* update disclaimer
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-11 15:26:05 -03:00