security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
445 Commits 1 Branch 0 Tags
06d352d59ee7522f4607ac2fc66703bf2c8ccdd3
Commit Graph

12 Commits

Author SHA1 Message Date
brokensound77 bf32dec5a4 Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main 
# Conflicts:
#	rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
 2021-01-28 10:41:39 -09:00
Samirbous 6029783721 [New Rule] Security Software Discovery using Grep (#743) 
* [New Rule] Security Software Discovery using Grep

* fixed index

* Update discovery_security_software_grep.toml

* Update discovery_security_software_grep.toml

* conv to kql and added few AVs

* added more AV procs

* Update rules/macos/discovery_security_software_grep.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* moved to cross-platform

* Update discovery_security_software_grep.toml

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-26 19:57:26 +01:00
Samirbous 440a7fbdee [New Rule] SSH Authorized Keys File Modification (#754) 
* [New Rule] SSH Authorized Keys File Modification

* excluded some noisy procs

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update persistence_ssh_authorized_keys_modification.toml

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-26 08:45:38 +01:00
Samirbous dd2f655367 [New Rule] Potential Cookies Theft via Browser Debugging (#741) 
* [New Rule] Potential Cookies Theft via Browser Debugging

* Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added auditbeat

* fixed error

* excluded a common FP

* added MSEdge

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-01-26 08:21:45 +01:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
Samirbous 61fe8a59ff [New Rule] WebServer Access Logs Deleted (#457) 
* [New Rule] WebServer Access Logs Deleted

* removed timeline_id

* added drive letter for better perf

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update defense_evasion_deleting_websvr_access_logs.toml

* changed severity from low to medium

* fixed duplicate text in description

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-01 10:48:55 +01:00
Justin Ibarra fda1e7ef94 Bump zoom rule to production (#427) 2020-10-29 11:02:29 -08:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
Andrew Pease 0b745c5492 [New Rule] Zoom Meeting with no Passcode (#292) 2020-09-30 21:44:45 -08:00
Justin Ibarra 2460333595 [Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351) 2020-09-30 16:16:04 -08:00
Andrew Pease d68e4ac7f0 [New Rule] Hosts File Modified (#25) 2020-09-30 15:24:07 -08:00