Commit Graph

1704 Commits

Author SHA1 Message Date
Isai 09ea35f33a [New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210)
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device

New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"

* add serialNumber to non-ecs schema file

* fixed misspelled toml file name

* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-11-05 02:09:05 -05:00
Jonhnathan 2b6116e0ce [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 (#4222) 2024-11-04 11:55:04 -03:00
Jonhnathan 80841b5619 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2 (#4221)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2

* Update rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-11-04 11:47:43 -03:00
Jonhnathan 81292aee8a [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 (#4220)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1

* Update Integrations unit tests

* Update test_all_rules.py
2024-11-04 11:32:22 -03:00
Isai b6847c7a48 [New Rule] AWS STS Role Chaining (#4209)
* [New Rule] AWS STS Role Chaining

Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
While this is a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.

* adding metadata query fields

* removing index field
2024-10-30 12:18:04 -04:00
shashank-elastic 123e090e7d Fix Minstack version for windows integration - Phase 2 (#4216) 2024-10-28 20:25:02 +05:30
shashank-elastic 92fe46b8ff Fix Minstack version for windows integration (#4214) 2024-10-28 19:28:10 +05:30
Ruben Groenewoud 9e4fce6586 [Rule Tuning] Potential Linux Hack Tool Launched (#4191) 2024-10-25 17:23:48 +02:00
Ruben Groenewoud b0bba39007 [Rule Tuning] Linux User Added to Privileged Group (#4206) 2024-10-25 14:21:20 +02:00
shashank-elastic be656ae740 Tune Bedrock rule to accept multivalued column (#4205) 2024-10-23 20:48:56 +05:30
shashank-elastic 275c7288a3 Add testcase to check for related_integrations based on index (#4096) 2024-10-22 00:17:30 +05:30
Terrance DeJesus d0225c37df [Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169)
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'

* added missing bracket

* linted

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

* removed intelephense whitelisting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-10-18 11:50:57 -04:00
Ruben Groenewoud 42f6c8f9a5 [Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165) 2024-10-18 17:13:44 +02:00
Ruben Groenewoud b309bcb7ae [Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166)
* [Rule Tuning] Q2 Linux DR Tuning - Part 5

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-10-18 17:02:26 +02:00
Ruben Groenewoud 601254488b [BBR Promotion] Q2 Linux BBR Promotion (#4172)
* [BBR Promotion] Q2 Linux BBR Promotion

* Update collection_linux_clipboard_activity.toml

* Update defense_evasion_creation_of_hidden_files_directories.toml
2024-10-18 16:55:09 +02:00
Ruben Groenewoud 09bd4cef16 [Rule Tuning] Q2 Linux DR Tuning - CP (#4170)
* [Rule Tuning] Q2 Linux DR Tuning - CP

* Update command_and_control_non_standard_ssh_port.toml
2024-10-18 16:38:14 +02:00
Ruben Groenewoud ac6a49eeea [Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167) 2024-10-18 16:25:54 +02:00
Ruben Groenewoud 39fc23cb3d [Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164)
* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
2024-10-18 16:18:14 +02:00
Ruben Groenewoud 3982228132 [Rule Tuning] Q2 Linux DR Tuning - Part 2 (#4163) 2024-10-18 16:07:09 +02:00
Ruben Groenewoud af9f9e2456 [Rule Tuning] Q2 Linux DR Tuning - Part 1 (#4162)
* [Rule Tuning] Q2 Linux DR Tuning - Part 1

* Update defense_evasion_binary_copied_to_suspicious_directory.toml
2024-10-18 15:59:51 +02:00
Terrance DeJesus 61b731c300 [Rule Tuning] Remove Salesforce Client User-Agent Whitelisting in MFA Deactivation with no Re-Activation for Okta User Account (#4145)
* tuning

* added note about whitelisting user agent

* removed extra new line
2024-10-16 11:41:50 -04:00
Jonhnathan 2c07e88c07 [Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156) 2024-10-15 23:57:44 +05:30
Samirbous 8f56b7de5e Update privilege_escalation_gpo_schtask_service_creation.toml (#4152) 2024-10-15 18:36:35 +05:30
Samirbous a98161ad2a [Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#4144)
* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-10-15 10:49:01 +01:00
Samirbous 8404d41cca [New] Untrusted DLL Loaded by Azure AD Sync Service (#4151)
* Create credential_access_imageload_azureadconnectauthsvc.toml

* Update credential_access_imageload_azureadconnectauthsvc.toml

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-10-14 18:04:46 +01:00
Jonhnathan e1addc6a8f [Rule Tuning] 3rd Party EDR Compatibility - 18 (#4056)
* [Rule Tuning] 3rd Party EDR Compatibility - 18

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* min_stack for merge, bump updated_date

* Update persistence_browser_extension_install.toml
2024-10-13 20:25:17 -03:00
Jonhnathan 6f69b33529 [Rule Tuning] 3rd Party EDR Compatibility - 17 (#4042)
* [Rule Tuning] 3rd Party EDR Compatibility - 17

* Update rules/windows/privilege_escalation_unusual_parentchild_relationship.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-10-13 18:34:22 -03:00
Jonhnathan 7385f9dd2e [Rule Tuning] 3rd Party EDR Compatibility - 16 (#4041)
* [Rule Tuning] 3rd Party EDR Compatibility - 16

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-10-13 18:14:24 -03:00
Jonhnathan 080a891c79 [Rule Tuning] 3rd Party EDR Compatibility - 15 (#4040)
* [Rule Tuning] 3rd Party EDR Compatibility - 15

* min_stack for merge, bump updated_date
2024-10-11 18:33:22 -03:00
Jonhnathan 10a8cef21f [Rule Tuning] 3rd Party EDR Compatibility - 14 (#4039)
* [Rule Tuning] 3rd Party EDR Compatibility - 14

* min_stack for merge, bump updated_date
2024-10-11 17:22:53 -03:00
Jonhnathan 07c4535871 [Rule Tuning] 3rd Party EDR Compatibility - 13 (#4038)
* [Rule Tuning] 3rd Party EDR Compatibility - 13

* min_stack for merge, bump updated_date
2024-10-11 16:55:02 -03:00
Jonhnathan 0cbbae4f83 [Rule Tuning] 3rd Party EDR Compatibility - 12 (#4037)
* [Rule Tuning] 3rd Party EDR Compatibility - 12

* min_stack for merge, bump updated_date
2024-10-11 16:37:20 -03:00
Jonhnathan 32d02ae7aa [Rule Tuning] 3rd Party EDR Compatibility - 11 (#4036)
* [Rule Tuning] 3rd Party EDR Compatibility - 11

* min_stack for merge, bump updated_date
2024-10-11 16:14:40 -03:00
Jonhnathan 7b655759ab [Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035)
* [Rule Tuning] 3rd Party EDR Compatibility - 10

* min_stack for merge, bump updated_date
2024-10-11 15:58:37 -03:00
Jonhnathan 8938f09668 [Rule Tuning] 3rd Party EDR Compatibility - 9 (#4034)
* [Rule Tuning] 3rd Party EDR Compatibility - 9

* min_stack for merge, bump updated_date
2024-10-11 15:41:36 -03:00
Jonhnathan 5b17dfa63a [Rule Tuning] 3rd Party EDR Compatibility - 8 (#4032)
* [Rule Tuning] 3rd Party EDR Compatibility - 8

* min_stack for merge, bump updated_date
2024-10-11 15:12:58 -03:00
Jonhnathan 6b71ad7ab9 [Rule Tuning] 3rd Party EDR Compatibility - 7 (#4031)
* [Rule Tuning] 3rd Party EDR Compatibility - 7

* min_stack for merge, bump updated_date
2024-10-11 15:01:45 -03:00
Jonhnathan fbe17eb1ee [Rule Tuning] 3rd Party EDR Compatibility - 6 (#4030)
* [Rule Tuning] 3rd Party EDR Compatibility - 6

* min_stack for merge, bump updated_date
2024-10-11 14:34:42 -03:00
Jonhnathan f91a6fa8d6 [Rule Tuning] 3rd Party EDR Compatibility - 5 (#4022)
* [Rule Tuning] 3rd Party EDR Compatibility - 5

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
2024-10-11 14:21:17 -03:00
Jonhnathan 1d9cb6a195 [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#4117)
* [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes

* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml
2024-10-11 13:46:57 -03:00
Jonhnathan f021229da4 [Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021)
* [Rule Tuning] 3rd Party EDR Compatibility - 4

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
2024-10-11 13:33:32 -03:00
Jonhnathan 2afb4038db [Rule Tuning] 3rd Party EDR Compatibility - 3 (#4020)
* [Rule Tuning] 3rd Party EDR Compatibility - 3

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
2024-10-11 13:19:56 -03:00
Jonhnathan 4538bfcd9f [Rule Tuning] 3rd Party EDR Compatibility - 2 (#4019)
* [Rule Tuning] 3rd Party EDR Compatibility - 2

* Update credential_access_iis_connectionstrings_dumping.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
2024-10-11 12:55:31 -03:00
Jonhnathan 6be1f0bad6 [Rule Tuning] 3rd Party EDR Compatibility - 1 (#4017)
* [Rule Tuning] 3rd Party EDR Compatibility - 1

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date

* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
2024-10-11 12:09:11 -03:00
Terrance DeJesus 06319b7a13 [Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
* updating ES|QL rules to include KEEP command

* fixed some ES|QL rules with typos; added validation for KEEP command

* fixed ES|QL errors from missing fields

* fixed flake errors

* updated date

* added best practices to hunt docs
2024-10-09 21:08:38 -04:00
Terrance DeJesus 281926052c [Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126)
* fixed existing rules; added query checks

* fixed flake errors

* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules

* removed valueError and replaced ValidationError

* adjusted validation error output based on feedback

* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added space for failure

* updated to use re.compile

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-09 15:25:36 -04:00
Terrance DeJesus 7674229f49 [New Rule] Successful Application SSO from Rare Unknown Client Device (#4141)
* new rule 'Successful Application SSO from Rare Unknown Client Device'

* removing extra newlines

* adjusted tags; adjusted risk
2024-10-07 12:11:57 -04:00
Terrance DeJesus 45a347580c [Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118)
* fixing single equal operator

* Additional data source tag for consistency

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-02 15:50:22 -04:00
Samirbous a68a404bd8 Update defense_evasion_posh_assembly_load.toml (#4112) 2024-10-01 17:30:38 +05:30
Ruben Groenewoud 5b41bbd5e9 [Tuning] Updated references (#4114) 2024-10-01 08:43:14 -03:00