sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ruben Groenewoud	a7ff449fbc	[Rule Tuning] Some Tunings of several 8.9 rules (#2985 ) * [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml	2023-08-03 15:25:33 +02:00
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Ruben Groenewoud	7d64dc2a87	[Rule tunings / New Rule] Kernel Unload and Enumeration (#2838 ) * [Rule Tunings] Kernel Module Enumeration / Removal * [Rule Tunings] Kernel Module Enumeration and Removal * Deleted copy of wrong file * EQL Conversion and made the rule more resilient * Converted rules to EQL and made rules more resilient * Removed unwanted rule from PR * fixed unit tests * fixed unit testing, removed endgame support * Added a rule to detect kernel module enum via proc * Did some additional tuning, 0 hits in RedSector now	2023-06-22 10:11:52 +02:00

Author

SHA1

Message

Date

Ruben Groenewoud

a7ff449fbc

[Rule Tuning] Some Tunings of several 8.9 rules (#2985 )

* [Rule Tuning] Doing some quick tunings

* updated_date bump

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_sysctl_enumeration.toml

* Update rules/linux/persistence_init_d_file_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_shared_object_creation.toml

* deprecate rule

* deprecate rule

* Update execution_abnormal_process_id_file_created.toml

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update execution_remote_code_execution_via_postgresql.toml

* Update discovery_potential_syn_port_scan_detected.toml

* Added 2 tunings, sorry I missed those..

* One more tune

* Update discovery_suspicious_proc_enumeration.toml

2023-08-03 15:25:33 +02:00

Jonhnathan

b4c84e8a40

[Security Content] Tags Reform (#2725 )

* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

2023-06-22 18:38:56 -03:00

Ruben Groenewoud

7d64dc2a87

[Rule tunings / New Rule] Kernel Unload and Enumeration (#2838 )

* [Rule Tunings] Kernel Module Enumeration / Removal

* [Rule Tunings] Kernel Module Enumeration and Removal

* Deleted copy of wrong file

* EQL Conversion and made the rule more resilient

* Converted rules to EQL and made rules more resilient

* Removed unwanted rule from PR

* fixed unit tests

* fixed unit testing, removed endgame support

* Added a rule to detect kernel module enum via proc

* Did some additional tuning, 0 hits in RedSector now

2023-06-22 10:11:52 +02:00

3 Commits