Jonhnathan
0cbbae4f83
[Rule Tuning] 3rd Party EDR Compatibility - 12 (#4037)
* [Rule Tuning] 3rd Party EDR Compatibility - 12
* min_stack for merge, bump updated_date
2024-10-11 16:37:20 -03:00
Jonhnathan
32d02ae7aa
[Rule Tuning] 3rd Party EDR Compatibility - 11 (#4036)
* [Rule Tuning] 3rd Party EDR Compatibility - 11
* min_stack for merge, bump updated_date
2024-10-11 16:14:40 -03:00
Jonhnathan
7b655759ab
[Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035)
* [Rule Tuning] 3rd Party EDR Compatibility - 10
* min_stack for merge, bump updated_date
2024-10-11 15:58:37 -03:00
Jonhnathan
8938f09668
[Rule Tuning] 3rd Party EDR Compatibility - 9 (#4034)
* [Rule Tuning] 3rd Party EDR Compatibility - 9
* min_stack for merge, bump updated_date
2024-10-11 15:41:36 -03:00
Jonhnathan
5b17dfa63a
[Rule Tuning] 3rd Party EDR Compatibility - 8 (#4032)
* [Rule Tuning] 3rd Party EDR Compatibility - 8
* min_stack for merge, bump updated_date
2024-10-11 15:12:58 -03:00
Jonhnathan
6b71ad7ab9
[Rule Tuning] 3rd Party EDR Compatibility - 7 (#4031)
* [Rule Tuning] 3rd Party EDR Compatibility - 7
* min_stack for merge, bump updated_date
2024-10-11 15:01:45 -03:00
Jonhnathan
fbe17eb1ee
[Rule Tuning] 3rd Party EDR Compatibility - 6 (#4030)
* [Rule Tuning] 3rd Party EDR Compatibility - 6
* min_stack for merge, bump updated_date
2024-10-11 14:34:42 -03:00
Jonhnathan
f91a6fa8d6
[Rule Tuning] 3rd Party EDR Compatibility - 5 (#4022)
* [Rule Tuning] 3rd Party EDR Compatibility - 5
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
2024-10-11 14:21:17 -03:00
Jonhnathan
1d9cb6a195
[Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#4117)
* [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes
* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml
2024-10-11 13:46:57 -03:00
Jonhnathan
f021229da4
[Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021)
* [Rule Tuning] 3rd Party EDR Compatibility - 4
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
2024-10-11 13:33:32 -03:00
Jonhnathan
2afb4038db
[Rule Tuning] 3rd Party EDR Compatibility - 3 (#4020)
* [Rule Tuning] 3rd Party EDR Compatibility - 3
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
2024-10-11 13:19:56 -03:00
Jonhnathan
4538bfcd9f
[Rule Tuning] 3rd Party EDR Compatibility - 2 (#4019)
* [Rule Tuning] 3rd Party EDR Compatibility - 2
* Update credential_access_iis_connectionstrings_dumping.toml
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
2024-10-11 12:55:31 -03:00
Jonhnathan
6be1f0bad6
[Rule Tuning] 3rd Party EDR Compatibility - 1 (#4017)
* [Rule Tuning] 3rd Party EDR Compatibility - 1
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
2024-10-11 12:09:11 -03:00
shashank-elastic
acb01cf9ee
Refresh to fetch latest ECS & Beats schemas, Integration manifests & schemas. (#4140)
2024-10-10 11:30:00 +05:30
github-actions[bot]
afbca3ee75
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4147)
2024-10-09 20:56:57 -05:00
Terrance DeJesus
06319b7a13
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
* updating ES|QL rules to include KEEP command
* fixed some ES|QL rules with typos; added validation for KEEP command
* fixed ES|QL errors from missing fields
* fixed flake errors
* updated date
* added best practices to hunt docs
2024-10-09 21:08:38 -04:00
Eric Forte
4edef2ea80
[FR][DAC] Import Rules Verbose Message (#4093)
* Draft Verbose Message
* Fix Linting
* Made more descriptive
* Updated for readability
2024-10-09 17:19:59 -04:00
Terrance DeJesus
281926052c
[Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126)
* fixed existing rules; added query checks
* fixed flake errors
* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules
* removed valueError and replaced ValidationError
* adjusted validation error output based on feedback
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* added space for failure
* updated to use re.compile
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-09 15:25:36 -04:00
Terrance DeJesus
7674229f49
[New Rule] Successful Application SSO from Rare Unknown Client Device (#4141)
* new rule 'Successful Application SSO from Rare Unknown Client Device'
* removing extra newlines
* adjusted tags; adjusted risk
2024-10-07 12:11:57 -04:00
Terrance DeJesus
50e23ba242
[Hunting] Re-factor Hunting Library Code (#4085)
* updating python code for hunting library
* fixed okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-10-03 12:47:40 -04:00
Terrance DeJesus
45a347580c
[Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118)
* fixing single equal operator
* Additional data source tag for consistency
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-02 15:50:22 -04:00
protections machine
51859e57f3
Sync RTA Base64 or Xxd Decode Argument Evasion (#4113)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-01 23:10:34 +05:30
protections machine
e6646790d5
Sync RTA Suspicious Echo Execution (#4110)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-01 22:57:13 +05:30
protections machine
264938236c
Sync RTA Hexadecimal Payload Execution (#4109)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-01 22:47:04 +05:30
protections machine
9e539e82f4
Sync RTA Potential Process Injection via dd (#4108)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-01 22:36:56 +05:30
protections machine
37ba89bc3e
Sync RTA Linux Telegram API Request (#4107)
2024-10-01 22:28:29 +05:30
github-actions[bot]
80143b23b2
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4116)
2024-10-01 18:14:03 +05:30
Samirbous
a68a404bd8
Update defense_evasion_posh_assembly_load.toml (#4112)
2024-10-01 17:30:38 +05:30
Ruben Groenewoud
5b41bbd5e9
[Tuning] Updated references (#4114)
2024-10-01 08:43:14 -03:00
Terrance DeJesus
ef4e433d97
[Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Microsoft 365 Rules (#4105)
* tuning M365 impossible travel activity rules
* added additional filters for user type logins
* adjusted updated date
2024-09-28 18:13:03 -04:00
Samirbous
1d1b2eb90f
Update command_and_control_tunnel_vscode.toml (#4104)
2024-09-28 11:46:46 +01:00
shashank-elastic
ef95a541f4
Fix GenAI Request Model ID Field (#4111)
2024-09-27 21:59:02 +05:30
Ruben Groenewoud
a3e89a7fab
[New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) (#4106)
* [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE)
* Description update
* Investigation Guide Update
2024-09-27 14:48:03 +02:00
Mika Ayenson
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules (#4097)
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-09-25 15:19:20 -05:00
Isai
0ed6b3f0a2
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094)
Tuning this rule to exclude identity type `AssumedRole` as this is too common a behavior, often automated, and used to verify current identity and role assumptions. Therefore it is not as indicative of suspicious behavior when used by assumed roles. This rule will still trigger for `IAM User` and `Federated User` identity types. In telemetry this change reduces alerts from ~240,000 to 43 in the last 30 days.
2024-09-24 09:32:12 -04:00
github-actions[bot]
fab842b414
Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4091)
* Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md
* Update docs/ATT&CK-coverage.md
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-09-19 23:25:32 +05:30
shashank-elastic
e2f1fcefa8
Add flag to update the docs/ATT&CK-coverage.md with markdown URL(s) (#4077)
2024-09-19 23:12:01 +05:30
Samirbous
5e0fb4a63e
[Tuning] Add logs-panw.panos index to Network rules (#4089)
* [Tuning] Add logs-panw.panos index to Network rules
https://github.com/elastic/detection-rules/issues/3998
This PR adds the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.
* add tag and integration
* Update command_and_control_fin7_c2_behavior.toml
* Build Manifest and Schema for panw integration
* Update definitions.py
* Update definitions.py
* Fix definitions declaration
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2024-09-19 08:01:44 +01:00
Mika Ayenson
df31c002ca
[Bug] Handle formatting empty list (#4086)
2024-09-17 13:25:17 -05:00
Samirbous
def2a9ef09
[New] ROT encoded Python Script Execution (#4084)
* [New] ROT encoded Python Script Execution
* Update defense_evasion_encoding_rot13_python_script.toml
* ++
* Update defense_evasion_encoding_rot13_python_script.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-17 16:52:46 +01:00
Terrance DeJesus
9181c00586
[New Hunt] Add Initial Okta Hunting Queries (#4064)
* adding new Okta hunting queries
* query format changes
* adding docs
* added query for mfa bombing
* adding remainder hunting queries
* adjusted incorrect hunt
* updated queries
* updated queries based on Samir's feedback
* removed failed login eval
* updated docs
2024-09-16 14:36:44 -04:00
github-actions[bot]
574064272d
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4082)
2024-09-16 21:43:16 +05:30
shashank-elastic
814130bf34
min_stack New Rules that use the S1 Integration (#4081)
2024-09-16 20:12:09 +05:30
Jonhnathan
7c78e4081f
[Rule Tuning] min_stack New Rules that use the S1 Integration (#4079)
* [Rule Tuning] min_stack New Rules that use the S1 Integration
* Update execution_windows_powershell_susp_args.toml
* Update execution_initial_access_foxmail_exploit.toml
2024-09-16 11:02:46 -03:00
Samirbous
31ca246ea7
[New] Potential Foxmail Exploitation (#4044)
* Create execution_initial_access_foxmail_exploit.toml
* Update execution_initial_access_foxmail_exploit.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-16 12:29:40 +01:00
Samirbous
41a7a5f049
[New] Execution via Windows Command Debugging Utility (#3918)
* [New] Execution via Windows Command Debugging Utility
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
* Update defense_evasion_lolbas_win_cdb_utility.toml
* ++
* Update defense_evasion_lolbas_win_cdb_utility.toml
2024-09-16 09:14:39 +01:00
Samirbous
f26d7fc81b
[New] Persistence via a Windows Installer (#4055)
* Create persistence_msi_installer_task_startup.toml
* Update persistence_msi_installer_task_startup.toml
* Update persistence_msi_installer_task_startup.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-16 07:50:57 +01:00
Samirbous
b60b6e2af3
[New] Attempt to establish VScode Remote Tunnel (#4061)
* [New] Attempt to establish VScode Remote Tunnel
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update rules/windows/command_and_control_tunnel_vscode.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-09-16 07:39:39 +01:00
Samirbous
3a3400c8e5
[New] MsiExec Service Child Process With Network Connection (#4062)
* [New] MsiExec Service Child Process With Network Connection
converted an ER diag rule to a SIEM rule as it matches on a good number of MSI-related FNs.
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-15 20:22:44 +01:00
Samirbous
56fc2beb46
[New] Suspicious PowerShell Execution via Windows Scripts (#4060)
* [New] Suspicious PowerShell Execution via Windows Scripts
This PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1, M365D and Winlog/Sysmon.
* Update execution_powershell_susp_args_via_winscript.toml
* Create defense_evasion_script_via_html_app.toml
* ++
* Update defense_evasion_script_via_html_app.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-15 19:51:21 +01:00