Commit Graph

976 Commits

Author SHA1 Message Date
Jonhnathan 5ddca45adf [Rule Tuning] Windows Misc Tuning - 2 (#5758)
* [Rule Tuning] Windows Misc Tuning - 2

* Apply suggestion from @w0rk3r
2026-02-23 13:09:19 -03:00
Jonhnathan 3d647feb8c [Rule Tuning] Windows Misc Tunings (#5740)
* [Rule Tuning] Windows Misc Tunings

* ++

* Update defense_evasion_wsl_child_process.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-02-20 14:11:35 -03:00
Samirbous 2605d38018 [New] Potential Notepad Markdown RCE Exploitation (#5729)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
2026-02-18 16:19:56 +00:00
Jonhnathan 6d0471768f [Rule Tuning] PowerShell Rules Revamp - 9 (#5706)
* [Rule Tuning] PowerShell Rules Revamp - 9

* .

* Update defense_evasion_posh_obfuscation_index_reversal.toml

* Update defense_evasion_posh_obfuscation_index_reversal.toml

* update disclaimer

* update tags
2026-02-18 12:22:24 -03:00
Jonhnathan 5d98a212fc [Rule Tuning] Potential Timestomp in Executable Files (#5727)
* [Rule Tuning] Potential Timestomp in Executable Files

* Update defense_evasion_timestomp_sysmon.toml
2026-02-18 11:14:54 -03:00
Samirbous 41a8256aa3 [tuning] LLM DNS queries (#5709)
* Update command_and_control_common_llm_endpoint.toml

* Update command_and_control_common_llm_endpoint.toml

* Update command_and_control_common_llm_endpoint.toml

* Apply suggestion from @w0rk3r

* Update command_and_control_common_llm_endpoint.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-02-13 13:54:52 +00:00
Jonhnathan 51cf7574a9 [Rule Deprecation] PowerShell Rules (#5707)
* [Rule Deprecation] PowerShell Rules

* Update defense_evasion_posh_obfuscation_index_reversal.toml
2026-02-11 16:49:33 -03:00
Jonhnathan 4980a3b50c [Rule Tuning] PowerShell Rules Revamp - 8 (#5705)
* [Rule Tuning] PowerShell Rules Revamp - 8

* update disclaimer

* Apply suggestion from @w0rk3r

* Update rules/windows/execution_posh_psreflect.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Apply suggestion from @w0rk3r

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-11 16:32:04 -03:00
Jonhnathan 3065b10f91 [Rule Tuning] PowerShell Rules Revamp - 7 (#5704)
* [Rule Tuning] PowerShell Rules Revamp - 7

* update disclaimer
2026-02-11 16:02:48 -03:00
Jonhnathan 9be58755ae [Rule Tuning] PowerShell Rules Revamp - 6 (#5700)
* [Rule Tuning] PowerShell Rules Revamp - 6

* .

* [Rule Tuning] PowerShell Rules Revamp - 7

* Revert "[Rule Tuning] PowerShell Rules Revamp - 7"

This reverts commit 378f8c8b6409ea1e4bad0e86027c05e0a7db9950.

* update disclaimer
2026-02-11 15:50:49 -03:00
Jonhnathan 20450660df [Rule Tuning] PowerShell Rules Revamp - 5 (#5699)
* [Rule Tuning] PowerShell Rules Revamp - 5

* Update defense_evasion_posh_obfuscation_backtick.toml

* update disclaimer
2026-02-11 15:36:48 -03:00
Jonhnathan 2d4d56bf21 [Rule Tuning] PowerShell Rules Revamp - 4 (#5698)
* [Rule Tuning] PowerShell Rules Revamp - 4

* bump

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update defense_evasion_posh_compressed.toml

* update disclaimer

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-11 15:26:05 -03:00
Jonhnathan 5489c107b0 [New Rule] Potential PowerShell Obfuscated Script via High Entropy (#5554)
* [New Rule] Potential PowerShell Obfuscated Script via High Entropy

* Update defense_evasion_posh_high_entropy.toml

* Add investigation guide

* Update defense_evasion_posh_high_entropy.toml

* Update defense_evasion_posh_high_entropy.toml

* Update defense_evasion_posh_high_entropy.toml

* Update defense_evasion_posh_high_entropy.toml
2026-02-11 09:50:19 -03:00
Samirbous 2b5472a9b3 [Tuning/New] Solarwinds Post Exploit (#5696)
* [Tuning/New] Solarwinds Post Exploit

https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399

- new rule for tunneling using QEMU
- added few websvc domains .cloud.es.io, files.catbox.moe and supabase.co
- added javaw to the solarwinds rule
- added ZOHO and Velociraptor to the new term RMM rule.

* Update initial_access_potential_webhelpdesk_exploit.toml

* Update rules/windows/command_and_control_common_webservices.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* ++

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2026-02-09 13:57:52 +00:00
Ruben Groenewoud 3cba3d7982 [Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672)
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [Rule Tuning] Dormant & Deprecated Rule Clean-Up

* [Rule Tuning] Dormant & Deprecated Rule Clean-Up

* Few more deprecations

* ++

* Update unit test syntax fix

* Update bad bytes

* ++
2026-02-05 13:24:21 +01:00
ailiffa e6fafc914e [Rule Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion (#5592)
* [Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion

- Add Downloads folder to the suspicious paths list
- Modify directory matching logic from endswith~ to startswith~ to detect DLLs loaded from subdirectories of the executable's location

* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

Swap back to "endswith" and add chrome_elf.dll coverage.

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2026-02-04 14:16:14 -03:00
Samirbous 2b8fb44cb5 [New] SolarWinds Web Help Desk Java Module Load or Child Process (#5665)
* [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.

https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

https://github.com/rapid7/metasploit-framework/pull/20917

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-04 16:09:55 +00:00
Samirbous d42ebdc3e6 [Tuning] Component Object Model Hijacking (#5651)
* Update persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml
2026-02-04 13:23:40 +00:00
Samirbous ed089d5d76 [Tuning] Svchost spawning Cmd (#5649)
* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml
2026-02-04 12:42:50 +00:00
Terrance DeJesus c75fc7e487 [Rule Tuning] Mythic C2 AzureBlob Profile Endpoints (#5663)
Fixes #5662
2026-02-03 09:38:14 -05:00
Jonhnathan 2f9dc7af53 [Rule Tuning] PowerShell Rules Revamp - 2 (#5623)
* [Rule Tuning] PowerShell Rules Revamp - 2

* Update credential_access_mimikatz_powershell_module.toml

* Apply suggestions from code review
2026-01-26 19:35:05 -03:00
Jonhnathan 6843d11b09 [Rule Tuning] PowerShell Rules Revamp - 3 (#5625)
* [Rule Tuning] PowerShell Rules Revamp - 3

* Apply suggestion from @w0rk3r
2026-01-26 19:11:29 -03:00
Jonhnathan fc55e8b308 [Rule Tuning] PowerShell Rules Revamp - 1 (#5619)
* [Rule Tuning] PowerShell Rules Revamp - 1

* bump
2026-01-26 19:01:48 -03:00
Samirbous 88e0b14709 [Tuning] ESQL Dynamic unique value fields (#5569)
* [Tuning] Extract dynamic field with 1 value to ECS fields for alerts exclusion

Extract dynamic field with 1 value to ECS fields for alerts exclusion:

Esql.host_id_values -> host.id
Esql.agent_id_values -> agent.id
Esql.host_name_values -> host.name

* Update multiple_alerts_by_host_ip_and_source_ip.toml

* Update newly_observed_elastic_defend_alert.toml

* Update defense_evasion_base64_decoding_activity.toml

* Update discovery_subnet_scanning_activity_from_compromised_host.toml

* Update persistence_web_server_sus_command_execution.toml

* Update persistence_web_server_sus_child_spawned.toml

* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/linux/impact_potential_bruteforce_malware_infection.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/newly_observed_elastic_defend_alert.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/newly_observed_elastic_detection_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/credential_access_rare_webdav_destination.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update credential_access_rare_webdav_destination.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 16:34:16 +00:00
Samirbous 7221db6b36 [Tuning] Potential Ransomware Behavior - Note Files by System (#5595)
* [Tuning] Potential Ransomware Behavior - Note Files by System

added host.id and removed noisy patterns (writes to non C drive)

* Update impact_high_freq_file_renames_by_kernel.toml

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update impact_high_freq_file_renames_by_kernel.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 13:15:54 +00:00
Samirbous 30c7833f08 [Tuning] Rare Connection to WebDAV Target (#5604)
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
2026-01-26 12:51:09 +00:00
Samirbous ccfb69244a [Tuning] Rare Connection to WebDAV Target (#5556)
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
2026-01-23 11:17:19 +00:00
Jonhnathan 9055d564f5 [Rule Tuning] Web Server Rules (#5581)
2026-01-20 15:30:57 -03:00
Samirbous 31de1789c4 [Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
* [Tuning] Reduce NewTerm history_window_start for Windows Rules

Reduce Windows NewTerm rules history_window_start from 14d to 5d.

* Update execution_command_shell_started_by_svchost.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update persistence_scheduled_task_updated.toml
2026-01-16 12:46:45 +00:00
G. Blue Team Detection 3ab961da42 Docs: improve WinRAR/7-Zip encrypted archive rule guidance (#5547)
* Docs: improve WinRAR/7-Zip encrypted archive rule guidance

Clarifies the rule description and expands investigation and false positive guidance
to help analysts distinguish data staging for exfiltration from common benign
administrative and backup workflows. No detection logic or query changes.

* Update rules/windows/collection_winrar_encryption.toml

* Change updated_date to 2026/01/12

Bump update_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-12 19:51:08 -03:00
shashank-elastic 1ce072a4e5 Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
Samirbous 5081735acc [New] Potential Persistence via Mandatory User Profile (#5530)
* [New] Potential Persistence via Mandatory User Profile

https://deceptiq.com/blog/ntuser-man-registry-persistence

* Update persistence_suspicious_user_mandatory_profile_file.toml

* Update persistence_suspicious_user_mandatory_profile_file.toml
2026-01-09 09:35:47 +00:00
Samirbous fde2fa972e [Tuning] Process Created with an Elevated Token (#5532)
* [Tuning] Process Created with an Elevated Token

https://github.com/elastic/detection-rules/issues/5492

* Update privilege_escalation_via_token_theft.toml
2026-01-09 09:23:37 +00:00
Samirbous f98f4e5a95 [Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5525)
* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml
2026-01-07 21:03:44 +00:00
Samirbous 08663dee79 Update persistence_webshell_detection.toml (#5524)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-02 12:45:50 -03:00
Samirbous b996a29451 [Tuning] Diverse Rules Tuning (#5482)
* [Tuning] Diverse Rules Tuning

* Update persistence_shell_profile_modification.toml

* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* ++

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update persistence_shell_profile_modification.toml

* Revert "Update credential_access_potential_linux_ssh_bruteforce_internal.toml"

This reverts commit bad889a30d3f4a028de2b6624307f75b279a205b.

* Update persistence_web_server_sus_destination_port.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-18 15:30:12 +00:00
Jonhnathan a9bdfaaea3 [Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
* [Rule Tuning] PowerShell Misc Tuning/Severity Bump

* bump sev
2025-12-18 03:30:22 -08:00
Jonhnathan 5ec8e3e500 [Rule Tuning] Communication App Rules (#5487)
* [Rule Tuning] Communication App Rules

* Update defense_evasion_masquerading_business_apps_installer.toml

* Update defense_evasion_masquerading_business_apps_installer.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_business_apps_installer.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-12-18 02:38:18 -08:00
Samirbous 2cc1a341de Update lateral_movement_credential_access_kerberos_correlation.toml (#5455)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-12 18:14:26 +00:00
Samirbous ef0ec1ac83 Update defense_evasion_suspicious_short_program_name.toml (#5454)
2025-12-12 17:25:00 +00:00
Samirbous 3726611b93 [Tuning] Top Noisy Rules (#5449)
* [Tuning] Windows BruteForce Rules Tuning

#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths; alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%)

#2 Privileged Account Brute Force - converted to ESQL and set the threshold to 50 in a minute. This should drop noise volume by more than 50%.

* ++

* Update execution_shell_evasion_linux_binary.toml

* Update execution_shell_evasion_linux_binary.toml

* Update defense_evasion_indirect_exec_forfiles.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update persistence_service_windows_service_winlog.toml

* Update credential_access_lsass_openprocess_api.toml

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update impact_hosts_file_modified.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

* Update rules/windows/credential_access_lsass_openprocess_api.toml

* Update rules/windows/credential_access_bruteforce_admin_account.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update credential_access_lsass_openprocess_api.toml

* Update impact_hosts_file_modified.toml

* Update credential_access_dollar_account_relay.toml

* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-12 14:28:12 +00:00
Jonhnathan 7a54ae33a5 [Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
* [Rule Tuning] Add Missing Metadata to KEEP conditions

* Add them all

* ++

* date bump

* Update rules_building_block/discovery_ec2_multi_region_describe_instances.toml
2025-12-09 17:05:20 -08:00
Jonhnathan 56574c99c3 [Rule Tuning] Potential Masquerading as Svchost (#5439)
* [Rule Tuning] Potential Masquerading as Svchost

* Update defense_evasion_masquerading_as_svchost.toml

* to_lower

* Update defense_evasion_masquerading_as_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-12-09 13:56:38 -08:00
theusername-sudo 3bcacdb4ee Update lateral_movement_scheduled_task_target.toml to fix null values (#5228)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-08 18:40:20 +05:30
Samirbous 8ddf8a838e Update defense_evasion_masquerading_as_svchost.toml (#5416)
2025-12-08 12:15:40 +00:00
Samirbous 896b6a214a [Tuning] Rare Connection to WebDAV Target (#5415)
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
2025-12-05 22:31:01 +00:00
Jonhnathan b8aedcd7aa [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition (#5391)
* [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition

* Update defense_evasion_posh_obfuscation_proportion_special_chars.toml

* ++, powershell.file.*

* ++

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 13:17:02 +01:00
Jonhnathan bc6f9b55f4 [Rule Tuning] Potential PowerShell Obfuscated Script (#5389)
* [Rule Tuning] Potential PowerShell Obfuscated Script

* Update defense_evasion_posh_obfuscation.toml
2025-12-02 08:30:54 -08:00
Jonhnathan 6915e3956f [Rule Tuning] Persistence via a Windows Installer (#5386)
2025-12-01 07:54:23 -08:00
Jonhnathan aaf3c93377 [Rule Tuning] Potential System Tampering via File Modification (#5385)
2025-12-01 07:45:03 -08:00