security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,614 Commits 1 Branch 0 Tags
0c3b251208ed9b955e2a8eee38b7d48aec002367
Commit Graph

552 Commits

Author SHA1 Message Date
Jonhnathan 0c3b251208 [Rule Tuning] PowerShell Keylogging Script (#3023) 2023-08-22 07:45:00 -03:00
Samirbous 5e801b2edf [Tuning] Improve Performance (#2953) 
* [Tuning] Improve Performance

Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.

Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)

* Update privilege_escalation_suspicious_dnshostname_update.toml

* ++

* ++

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-21 16:23:34 +01:00
Jonhnathan 72f15dda6a [New Rule] PowerShell Kerberos Ticket Dump (#2967) 
* [New Rule] PowerShell Kerberos Ticket Dump

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-20 17:29:16 -03:00
Joe Desimone b5e011a892 [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873) 
* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

* bump date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-17 13:52:26 -03:00
Jonhnathan 9144dc0448 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-17 13:00:50 -03:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Ali Alwashali f500cec497 fixing typo in 127.0.0.1 address (#3004) 2023-08-08 17:06:26 +02:00
Eric 1e769c51b6 Tune Unusual File Activity ADS for Teams weblogs (#2929) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-31 10:41:31 -03:00
Eric d0d99829a2 Correct misspelling of AppDara to AppData (#2952) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 08:10:03 -03:00
Jonhnathan 5e714e01e6 [Security Content] Add Windows Investigation Guides (#2825) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Add IG Tag

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-19 08:07:01 -03:00
Jonhnathan 23a133121d [Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932) 2023-07-18 08:55:59 -03:00
Jonhnathan fca8bcc071 [Rule Tuning] PowerShell Rule Tunings (#2907) 
* [Rule Tuning] PowerShell Rule Tunings

* bump
 2023-07-14 15:41:36 -03:00
Terrance DeJesus cd7a52f1b1 [Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895) 
* forking rules with version collisions

* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
 2023-07-06 10:39:20 -04:00
Eric df0a1facd1 [WMI Incoming Lateral Movement] Modify Existing Query Exception (#2843) 
* Tune WMI Incoming Lateral Movement

* Tune WMI Incoming Lateral Movement

* Bump updated_date

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 17:12:05 -04:00
Eric f78de8c9d4 Add MS Office exceptions to query (#2836) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 16:09:17 -04:00
Eric 35ea2727dc [Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades (#2850) 2023-06-30 18:01:35 -04:00
Samirbous 7aa8a7b5fb [Rules Tuning] diverse tuning (#2506) 
* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_remote_services.toml

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_rdp_enabled_registry.toml

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_updated.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update rules/windows/persistence_scheduled_task_updated.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-30 18:57:00 +01:00
Jonhnathan d5dddae0ef [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#2721) 
* [Rule Tuning] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-06-30 10:56:13 -03:00
Samirbous 2a4749d3d0 [New Rule] New Term Rule for USB Devices (#2644) 
* Create

* Update initial_access_first_time_seen_usb_name.toml

* Update rules/windows/initial_access_first_time_seen_usb_name.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/initial_access_first_time_seen_usb_name.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update initial_access_first_time_seen_usb_name.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-30 10:41:38 -03:00
Jonhnathan a7e605a0e5 [Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 (#2889) 
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823

* Add exception to unit test

* fixed linting

* proper linting fix

* updated to add to definitions.py

* fix linting

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2023-06-28 15:55:43 -03:00
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823) 
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-23 10:58:31 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Eric 1e404cde34 [Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions (#2831) 
* Add Ssms.exe to query exceptions

* Changed updated_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-12 16:15:47 -03:00
Jonhnathan 665bf03ec0 [Rule Tuning] Remote System Discovery Commands (#2834) 2023-06-07 14:24:53 -03:00
Eric 601788c4df Added Outlook.exe as a query exception (#2814) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-06-06 17:47:25 +01:00
Eric 221e756b48 Adjusted exceptions to rule for Nessus (#2774) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-06 17:39:34 +01:00
Jonhnathan 05aac4f371 [Security Content] Add Investigation Guides to Windows rules (#2678) 
* [Security Content] Add Investigation Guides to Windows rules

* Update privilege_escalation_service_control_spawned_script_int.toml

* Update execution_reverse_shell_via_named_pipe.toml

* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update execution_command_prompt_connecting_to_the_internet.toml

---------

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-05-26 10:25:41 -03:00
Jonhnathan 0b3f603179 [Rule Tuning] Adding Hidden File Attribute via Attrib (#2726) 
* [New Rule] Adding Hidden File Attribute via Attrib

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-05-17 10:23:11 -03:00
Jonhnathan 9f734c2c1f [Rule Tuning] System Information Discovery via Windows Command Shell (#2741) 2023-05-17 09:58:21 -03:00
Jonhnathan d017156454 [Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761) 
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update test_all_rules.py

* Update test_all_rules.py

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-05-15 20:31:59 -03:00
Jonhnathan 6655932190 [Rule Tuning] Startup or Run Key Registry Modification (#2766) 
* [Rule Tuning] Startup or Run Key Registry Modification

* Update persistence_run_key_and_startup_broad.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-05-04 09:42:12 -03:00
Terrance DeJesus d5350ae6e0 [New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) (#2685) 
* adding initial rule

* changed new terms to host.id

* removed windows integration tag

* removed windows integration tag

* changed rule to be process started related

* rule linted

* updating description

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

* added process.name.caseless to non-ecs.json

* removed host type related to #2761

* added host.os.type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-05-02 23:09:17 -04:00
Samirbous 2eda02c10e [Rule Tuning] Multiple Logon Failure from the same Source Address (#2588) 
* Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-04-24 09:16:17 -03:00
Jonhnathan 84acf004da [Rule Tuning] Component Object Model Hijacking (#2730) 2023-04-21 18:43:02 -03:00
Jonhnathan 12d6b49a24 [Rule Tuning] Potential Credential Access via Windows Utilities (#2727) 
* [Rule Tuning] Potential Credential Access via Windows Utilities

* Add system integration index

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-04-21 18:27:44 -03:00
Jonhnathan 255c53cff0 [Rule Tuning] Connection to Commonly Abused Web Services (#2728) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-04-20 18:26:00 -03:00
Jonhnathan b1e3215cd5 [Rule Tuning] Tune PowerShell rule FPs related to MS ATP (#2729) 2023-04-20 12:37:06 -03:00
Jonhnathan fb09208132 [Rule Tuning] Connection to Commonly Abused Web Services (#2717) 
* [Rule Tuning] Connection to Commonly Abused Web Services

* Update command_and_control_common_webservices.toml
 2023-04-18 09:15:47 -03:00
Jonhnathan 16749e45ae [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process (#2704) 
* [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process

* Update impact_backup_file_deletion.toml
 2023-04-11 13:47:52 -03:00
Eric d1aadde671 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#2671) (#2672) 
* --amend

* --amend

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-04-06 15:15:57 -03:00
Jonhnathan 1a9b0e732c [Rule Tuning] Potential PowerShell HackTool Script by Function Names (#2692) 2023-04-05 16:48:33 -03:00
Jonhnathan eafe54c2cc [Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot (#2691) 2023-04-05 13:28:57 -03:00
Jonhnathan 5aaac84f3a [Rule Tuning] Suspicious service was installed in the system (#2693) 
* [Rule Tuning] Suspicious service was installed in the system

* Update persistence_service_windows_service_winlog.toml
 2023-04-05 13:23:47 -03:00
Samirbous 0c8d0bfd3d [New Rule] Suspicious Execution via Microsoft Office Add-Ins (#2651) 
* Create

* Update initial_access_execution_via_office_addins.toml

* Update initial_access_execution_via_office_addins.toml

* Update initial_access_execution_via_office_addins.toml

* Update rules/windows/initial_access_execution_via_office_addins.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-04-05 17:02:04 +01:00
Samirbous 51d50b7d8a [New Rule] Lsass Process Access - Generic (#2613) 
* Create credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update non-ecs-schema.json

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_lsass_openprocess_api.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-04-03 14:34:30 +01:00
Samirbous 892757f4a4 [New Rule] Potential Pass The Hash (#2670) 
* Create lateral_movement_alternate_creds_pth.toml

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-29 19:37:27 +01:00
Jonhnathan 5ed2120e3f [Rule Tuning] Potential Credential Access via Windows Utilities (#2659) 
* [Rule Tuning] Potential Credential Access via Windows Utilities

* Update credential_access_cmdline_dump_tool.toml
 2023-03-29 09:32:36 -03:00
Justin Ibarra 411ec36ff0 Validate markdown plugin fields (#2602) 2023-03-28 09:17:50 -04:00
Jonhnathan 192047f46d [Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell (#2663) 2023-03-27 11:50:53 -03:00
Ruben Groenewoud 3bfe3060a2 [Rule Tuning] Uncommon Registry Persistence Change (#2538) 
* [Rule Tuning] Uncommon Registry Persistence Change

* updated updated_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-26 00:35:23 +01:00