security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
3,633 Commits 1 Branch 0 Tags
main
Commit Graph

29 Commits

Author SHA1 Message Date
Jonhnathan d95919b7e3 [Rule Tuning] Windows Setup Guides - Low and Medium Severity Rules (#6042) 
* checkpoint

* ++

* Update credential_access_dcsync_user_backdoor.toml

* Update defense_evasion_posh_high_entropy.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
 2026-05-04 11:17:05 -03:00
Jonhnathan 8d25a7ddce [Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927) 
* [Rule Tuning] Fix MS Defender XDR tag

* bump upodated_date
 2026-04-20 18:38:09 -03:00
Jonhnathan 85a9c7180d [Rule Tuning] Windows Misc Tuning (#5382) 
* [Rule Tuning] Windows Misc Tuning

* Update execution_suspicious_powershell_imgload.toml

* I need some coffee
 2025-12-01 07:28:25 -08:00
Jonhnathan ba354ceff9 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038) 2025-09-01 08:25:52 -07:00
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
 2025-03-26 11:04:14 -04:00
Jonhnathan c0f12ddecf [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464) 
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags

* Format & order

* Update pyproject.toml

* Update credential_access_cookies_chromium_browsers_debugging.toml
 2025-02-19 12:54:31 -03:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Jonhnathan 2c07e88c07 [Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156) 2024-10-15 23:57:44 +05:30
Jonhnathan f5069763b6 [Rule Tuning] Add System tag to DRs (#3968) 
* [Rule Tuning] Add System tag to DRs

* bump
 2024-08-09 11:14:33 -03:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Jonhnathan b47b91b9ec [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) 
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules

* Delete test.pkl

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-01 20:45:12 -03:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
 2024-03-11 09:09:40 -03:00
Jonhnathan 92804343bc [Rule Tuning] Windows DR Tuning - 15 (#3377) 
* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml
 2024-01-23 16:48:31 -03:00
sbousseaden 27262a585b [Tuning] Add logs-system. index where applicable (#3390) 
* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-01-17 13:49:59 +00:00
shashank-elastic a568c56bc1 Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 2023-10-30 16:53:04 +05:30
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-09-05 14:22:01 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-05 11:41:19 -07:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2022-08-24 10:38:49 -06:00
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2022-07-18 15:41:32 -04:00
Jonhnathan 20d2e92cfe Review & Fix Invalid References (#1936) 2022-04-26 17:57:15 -03:00
Jonhnathan 49074ddeaa [Rule Tuning] Add EQL optional field syntax (#1910) 
* Add optional EQL syntax

* Add min_stack_version
 2022-04-05 16:32:37 -03:00
Justin Ibarra 6bdfddac8e Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
 2022-04-01 15:27:08 -08:00
Jonhnathan fd678dc5cb Modified to use Integrity fields instead of user.id (#1772) 2022-02-15 15:22:49 -09:00
Ross Wolf 7b62fe296d [Rule Tuning] Remove \Program Files*\ style wildcards (#1369) 
* Remove \Program Files*\ style wildcards
* Convert string and remote trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex
 2021-07-22 11:55:22 -06:00
Samirbous 89420ae976 [New Rule] Potential PrintNightmare Exploitation rules (#1326) 
* [New Rule] Potential PrintNightmare Exploitation rules

* added Potential PrintNightmare File Modification

* added spoolsv as process name to narrow more the scope

* added Suspicious Print Spooler File Deletion

* removed Suspicious Print Driver Registry Modification cuz of potential noise

* Update privilege_escalation_printspooler_malicious_registry_modification.toml

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adjusted description and added a comment for sysmon compatibility

* added FP note and relinted all files

* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-07-07 18:56:39 +02:00