Commit Graph

2413 Commits

Author SHA1 Message Date
Isai 09ea35f33a [New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210)
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device

New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"

* add serialNumber to non-ecs schema file

* fixed misspelled toml file name

* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-11-05 02:09:05 -05:00
Jonhnathan 2b6116e0ce [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 (#4222) 2024-11-04 11:55:04 -03:00
Jonhnathan 80841b5619 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2 (#4221)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2

* Update rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-11-04 11:47:43 -03:00
Jonhnathan 81292aee8a [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 (#4220)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1

* Update Integrations unit tests

* Update test_all_rules.py
2024-11-04 11:32:22 -03:00
Eric Forte 581ef73bc0 [FR] [DAC] Add id support (#4208) 2024-11-01 07:47:34 -04:00
Isai b6847c7a48 [New Rule] AWS STS Role Chaining (#4209)
* [New Rule] AWS STS Role Chaining

Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
While this is a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.

* adding metadata query fields

* removing index field
2024-10-30 12:18:04 -04:00
protections machine 1278c27967 Sync RTA Attempt to Fix Sensor Regex Error (#4213) 2024-10-28 22:50:12 +05:30
github-actions[bot] 5d2940fa7c Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4217) 2024-10-28 21:07:46 +05:30
shashank-elastic 123e090e7d Fix Minstack version for windows integration - Phase 2 (#4216) 2024-10-28 20:25:02 +05:30
shashank-elastic 92fe46b8ff Fix Minstack version for windows integration (#4214) 2024-10-28 19:28:10 +05:30
Ruben Groenewoud 9e4fce6586 [Rule Tuning] Potential Linux Hack Tool Launched (#4191) 2024-10-25 17:23:48 +02:00
Ruben Groenewoud b0bba39007 [Rule Tuning] Linux User Added to Privileged Group (#4206) 2024-10-25 14:21:20 +02:00
protections machine 5d9b295bb6 Sync RTA Potential Mining Pool Command Detection (#4204)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-24 21:47:17 +05:30
protections machine ae2adc766d Sync RTA Renice or Ulimit Execution from Unusual Parent (#4203)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-24 21:38:49 +05:30
protections machine 4d41496e1d Sync RTA Linux Powershell Egress Network Connection (#4202)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-24 20:35:15 +05:30
protections machine 933020a5c1 Sync RTA Suspicious Execution from Foomatic-rip or Cupsd Parent (#4201)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-24 19:49:15 +05:30
protections machine 6ec5c5b04b Sync RTA Foomatic-rip Shell Execution (#4200)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-24 19:13:38 +05:30
shashank-elastic be656ae740 Tune Bedrock rule to accept multivalued column (#4205) 2024-10-23 20:48:56 +05:30
protections machine 77f0ee85d9 react_sync_rta_updates_4215 Network Connection by Foomatic-rip Child (#4196) 2024-10-23 19:18:36 +05:30
protections machine a54f83981e Sync RTA File Downloaded via Curl or Wget to Hidden Directory (#4197)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 19:01:17 +05:30
protections machine 0ef122632e Sync RTA Shared Object Load via LoLBin (#4198)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 18:48:11 +05:30
protections machine f8d08f92f3 Sync RTA Suspicious Kernel Feature Activity (#4199)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 18:40:21 +05:30
protections machine faafc4f19d Sync RTA Potential Proxy Execution via PHP (#4195)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 16:07:32 +05:30
protections machine c336e30dee Sync RTA Suspicious Download and Redirect by Web Server (#4194)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 15:55:10 +05:30
protections machine 6a740a6a61 Sync RTA File Downloaded and Piped to Interpreter by Web Server (#4193)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 15:45:45 +05:30
protections machine c5b108400c Sync RTA File Downloaded from Suspicious Source by Web Server (#4192)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 15:15:56 +05:30
protections machine 91fbc39084 Sync RTA MSR Write Access Enabled (#4189)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 14:13:47 +05:30
protections machine 21c45f97fe Sync RTA Reverse or Bind Shell via Suspicious Utility (#4187)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 13:37:44 +05:30
protections machine 9cb2974e70 Sync RTA Potential Gsocket Activity (#4186)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 13:21:33 +05:30
protections machine fe6459d784 Sync RTA Bind Shell via Socket (#4185)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 12:10:45 +05:30
protections machine 08fc5a5e35 Sync RTA Bind Shell via Node (#4184)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 11:43:10 +05:30
protections machine fb963628f2 Sync RTA Potential Proxy Execution via Sed (#4183)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 11:31:10 +05:30
protections machine 6d430be209 Sync RTA Bind Shell via Netcat Traditional (#4182)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 11:23:12 +05:30
protections machine 2e1daeeaa0 Sync RTA Base64 Shebang Payload Decoded via Built-in Utility (#4181)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 11:12:43 +05:30
protections machine 31d3b6417b Sync RTA Potential Proxy Execution via Tcpdump (#4180)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 11:00:09 +05:30
protections machine 3e1fe91a1c Sync RTA Potential Proxy Execution via Sysctl (#4179)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 10:52:28 +05:30
protections machine 519a3688c8 Sync RTA Potential Proxy Execution via Split (#4178)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 10:37:38 +05:30
protections machine fff957c0f5 Sync RTA Potential Proxy Execution via Pidstat (#4177)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 10:27:11 +05:30
protections machine bc821f56e1 Sync RTA System Binary Proxy Execution via ld.so (#4176)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-23 10:12:44 +05:30
protections machine fb4bc72607 Sync RTA Potential Proxy Execution via Crash (#4175)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-22 21:49:13 +05:30
protections machine d1f44270e1 Sync RTA Potential Process Masquerading via Exec
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-22 21:41:27 +05:30
shashank-elastic 275c7288a3 Add testcase to check for related_integrations based on index (#4096) 2024-10-22 00:17:30 +05:30
Terrance DeJesus d0225c37df [Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169)
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'

* added missing bracket

* linted

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

* removed intelephense whitelisting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-10-18 11:50:57 -04:00
Ruben Groenewoud 42f6c8f9a5 [Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165) 2024-10-18 17:13:44 +02:00
Ruben Groenewoud b309bcb7ae [Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166)
* [Rule Tuning] Q2 Linux DR Tuning - Part 5

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-10-18 17:02:26 +02:00
Ruben Groenewoud 601254488b [BBR Promotion] Q2 Linux BBR Promotion (#4172)
* [BBR Promotion] Q2 Linux BBR Promotion

* Update collection_linux_clipboard_activity.toml

* Update defense_evasion_creation_of_hidden_files_directories.toml
2024-10-18 16:55:09 +02:00
Ruben Groenewoud 592ad0fe9a [Rule Tuning] Q2 Linux DR Tuning - BBR (#4171)
* [Rule Tuning] Q2 Linux DR Tuning - BBR

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update discovery_linux_sysctl_enumeration.toml

* Update discovery_potential_memory_seeking_activity.toml

* Update discovery_potential_memory_seeking_activity.toml
2024-10-18 16:45:23 +02:00
Ruben Groenewoud 09bd4cef16 [Rule Tuning] Q2 Linux DR Tuning - CP (#4170)
* [Rule Tuning] Q2 Linux DR Tuning - CP

* Update command_and_control_non_standard_ssh_port.toml
2024-10-18 16:38:14 +02:00
Ruben Groenewoud ac6a49eeea [Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167) 2024-10-18 16:25:54 +02:00
Ruben Groenewoud 39fc23cb3d [Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164)
* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
2024-10-18 16:18:14 +02:00