security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
3,633 Commits 1 Branch 0 Tags
main
Commit Graph

4 Commits

Author SHA1 Message Date
Mika Ayenson, PhD 8993d1450b [Rule Tuning] Add Supplemental Mitre Mappings (#5876) 
---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2026-04-01 09:12:42 -05:00
Jonhnathan 3d647feb8c [Rule Tuning] Windows Misc Tunings (#5740) 
* [Rule Tuning] Windows Misc Tunings

* ++

* Update defense_evasion_wsl_child_process.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2026-02-20 14:11:35 -03:00
Jonhnathan 8b74ba7136 [Rule Tuning] Remove host.os.type Unit Test Exception (#5317) 2025-11-14 08:46:24 -08:00
Samirbous bb63887741 [New] BadSuccessor dMSA Abuse Detections (#4745) 
* [New] BadSuccessor dMSA Abuse Detections

https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

using new term rule type with events 5136/5137 by winlog.event_data.SubjectUserName to detect unusual accounts performing dMSA changes (creation of a new dMSA account or the modification of the `msDS-ManagedAccountPrecededByLink` attribute to take over a target account)

* Update privilege_escalation_dmsa_creation_by_unusual_user.toml
 2025-05-25 09:38:15 +01:00