shashank-elastic
0e2eb5a84c
Fix minstack version for O365 prod rules (#3565)
2024-04-02 21:33:18 +05:30
Jonhnathan
4ab7c9b178
[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution (#3545)
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-04-02 11:06:08 -03:00
Samirbous
69173872da
[Tuning] Connection to Commonly Abused Web Services (#3425)
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-04-02 14:41:10 +01:00
Samirbous
f025616cbd
[New Rule] Suspicious Access to LDAP Attributes (#2504)
* Create discovery_high_number_ad_properties.toml
* Update discovery_high_number_ad_properties.toml
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* fixed tags; moved note to setup, updated date
* Update discovery_high_number_ad_properties.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2024-04-02 13:57:38 +01:00
Jonhnathan
c781376188
[Rule Tuning] Potential Application Shimming via Sdbinst (#3553)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-04-02 06:35:14 -03:00
Samirbous
f2490007e8
[New] Potential Execution via XZBackdoor (#3555)
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-04-02 05:15:04 +01:00
Jonhnathan
b47b91b9ec
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549)
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-04-01 20:45:12 -03:00
Jonhnathan
67ca13c1ce
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505)
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions
* update min_stack
* build out schema in more detail for Filters
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Remove enum for definition
* remove unused import
* remove $state store
* transform state
* add call to super
* add return type hint
* use dataclass metadata
* use Literal type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-04-01 17:44:50 -03:00
Susan
400a84628e
Update setup guide for ML integration packages (#3475)
* Add more detail to ingest pipeline install
* Add more info to anomaly detection setup
* Update draft
* Fix typo
* Bulk add doc updates
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>
* Address Kseniia feedback
* Update updated_date per review feedback
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-04-01 15:02:32 -04:00
Mika Ayenson
bb907a4d76
[FR] Add support for investigation_fields (#3550)
2024-04-01 11:52:46 -05:00
shashank-elastic
8b215eac41
Fix create PR in release workflow (#3528)
2024-04-01 21:17:10 +05:30
Terrance DeJesus
d4bf04256d
[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477)
* deprecating
* adjusted maturity tag; updated dates
2024-04-01 11:01:20 -04:00
Mika Ayenson
b6a7e7ebda
[FR] Add required-fields option to import-rules (#3546)
2024-03-28 18:29:47 -05:00
Jonhnathan
218c3bead6
[New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543)
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script
* Update credential_access_posh_relay_tools.toml
* Update execution_posh_hacktool_functions.toml
* Update credential_access_posh_relay_tools.toml
* Update credential_access_posh_relay_tools.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-03-28 07:05:35 -03:00
Jonhnathan
954a93c3b4
[New Rule] Creation of a DNS-Named Record (#3539)
* [New Rule] Creation of a DNS-Named Record
* Update credential_access_dnsnode_creation.toml
* Update rules/windows/credential_access_dnsnode_creation.toml
2024-03-27 18:21:07 -03:00
Jonhnathan
67e9ebf8e1
[New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation (#3535)
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation
* Update credential_access_adidns_wildcard.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-03-27 10:07:23 -03:00
Samirbous
d7aff43621
[New] Suspicious Execution via ScreenConnect (#3541)
* [New] Suspicious Execution via ScreenConnect
- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)
* Update command_and_control_screenconnect_childproc.toml
* Update rules/windows/initial_access_webshell_screenconnect_server.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_screenconnect_childproc.toml
* Update command_and_control_screenconnect_childproc.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-03-27 11:52:47 +00:00
ALEXANDER MA COTE
138447221f
fix typo in lateral_movement_remote_services.toml (#3538)
2024-03-27 11:38:57 +01:00
Ruben Groenewoud
760b99bcc1
[Rule Tuning] Scheduled Task Activity via pwsh (#3534)
2024-03-26 14:45:04 +01:00
Samirbous
fc76a8bcb5
[New] Suspicious JetBrains TeamCity Child Process (#3532)
* [New] Suspicious JetBrains TeamCity Child Process
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
2024-03-25 16:32:56 +00:00
Eric Forte
3503786154
Update sort parameter (#3531)
2024-03-25 11:46:30 -04:00
github-actions[bot]
eaf4658620
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-03-21 20:30:46 +05:30
Mika Ayenson
fc7cc2c06a
[Bug] Update lock versions dependencies (#3525)
2024-03-21 19:05:24 +05:30
Jonhnathan
779fa7710d
[New Rules] Veeam Credential Access DRs (#3516)
* [New Rules] Veeam Credential Access DRs
* bump
* Update credential_access_veeam_commands.toml
* Update credential_access_veeam_backup_dll_imageload.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update credential_access_veeam_commands.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-03-21 10:00:48 -03:00
Ruben Groenewoud
a6028b43b3
[Rule Tuning] Potential Reverse Shell via UDP (#3508)
2024-03-21 13:48:41 +01:00
Mika Ayenson
e37bc6f781
Update README.md (#3524)
2024-03-20 13:32:26 -05:00
Mika Ayenson
07abc19932
[Rule Tuning] SMTP on Port 26/TCP (#3521)
2024-03-19 15:55:25 -05:00
Mika Ayenson
5c3523954e
[FR] Update Python Dependency Versions (#3515)
2024-03-19 14:07:16 -05:00
Terrance DeJesus
f6e79944f2
[Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' (#3494)
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'
* reverting lookback window
* missing word in description
2024-03-15 19:08:28 -04:00
Mika Ayenson
d26981f712
[FR] Independently package kql / kibana and bump to py3.12 (#3514)
2024-03-14 20:18:32 -05:00
Mika Ayenson
3d2a36be32
Revert "[FR] Independently package kql / kibana and bump to py3.12 (#3492)"
This reverts commit fc139fc3c2.
2024-03-14 19:48:50 -05:00
Mika Ayenson
fc139fc3c2
[FR] Independently package kql / kibana and bump to py3.12 (#3492)
2024-03-14 19:14:25 -05:00
Mika Ayenson
8724077a0e
[FR] Add support for dataviews in the rule schema (#3510)
2024-03-14 17:43:27 -05:00
Susan
a4ecfe3ccf
Beaconing - Add whitelist to rules, with some more processes (#3497)
* Add whitelist to rules, with some more processes
* Update rules exceptionlist
* Update exceptions
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-03-14 15:51:02 -04:00
Jonhnathan
c610e19114
[Rule Tuning] Guided Onboarding Rule (#3502)
* [Rule Tuning] Guided Onboarding Rule
* Update guided_onboarding_sample_rule.toml
* Revert "Update guided_onboarding_sample_rule.toml"
This reverts commit 18721277df7416534440a4708fa3b060f2775a27.
* Update guided_onboarding_sample_rule.toml
* Update guided_onboarding_sample_rule.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-03-14 10:59:31 -03:00
Ruben Groenewoud
4179180fcb
[New Rules] mprotect() RWX Binary Execution (#3507)
* [New Rules] mprotect() RWX Binary Execution
* Added rule names
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
2024-03-13 22:11:44 +01:00
Jonhnathan
f5254f3b5e
[Rule Tuning] Improve Compatibility in Windows Detection Rules - Part 1 (#3501)
* Initial commit
* Date bump
2024-03-13 10:27:44 -03:00
Ruben Groenewoud
9f8638a004
[Tuning] event.action and event.type change (#3495)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-03-13 10:11:21 +01:00
Jonhnathan
458e67918a
[Security Content] Small tweaks on the setup guides (#3308)
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
Jonhnathan
edf4da8526
[Rule Tuning] DR Performance-Poor Rules (#3399)
* [Rule Tuning] DR Performance
* .
* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update persistence_startup_folder_scripts.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-03-11 08:50:42 -03:00
Leandro Maciel
709cfddcbe
fix: correct the provider for the create, delete and modify routes in EC2 VPCs (#3500)
2024-03-08 16:01:27 -03:00
Ruben Groenewoud
a438052ff3
[Tuning] Linux Cross-Platform Tuning - Part 1 (#3468)
* [Tuning] Linux Cross-Platform Tuning - Part 1
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 18:20:55 +01:00
Ruben Groenewoud
9c4ba4559d
[Tuning] Linux DR Tuning - Part 12 (#3464)
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 18:09:38 +01:00
Ruben Groenewoud
3fd0358b73
[Tuning] Linux BBR Tuning - Part 1 (#3469)
* [Tuning] Linux BBR Tuning - Part 1
* [Tuning] Linux BBR Tuning - Part 1
* Update defense_evasion_processes_with_trailing_spaces.toml
* Update defense_evasion_processes_with_trailing_spaces.toml
* One more tuning
* Update collection_linux_suspicious_clipboard_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 17:19:12 +01:00
Ruben Groenewoud
ed4a7fc15b
[Tuning] Linux DR Tuning - Part 14 (#3467)
* [Tuning] Linux DR Tuning - Part 14
* Update privilege_escalation_sudo_cve_2019_14287.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 16:45:47 +01:00
Ruben Groenewoud
60fda8d756
[Tuning] Linux DR Tuning - Part 13 (#3465)
* [Tuning] Linux DR Tuning - Part 13
* updated date bump
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update privilege_escalation_netcon_via_sudo_binary.toml
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update rules/linux/privilege_escalation_shadow_file_read.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-03-07 16:28:06 +01:00
Ruben Groenewoud
7a0967924c
[Tuning] Linux BBR Tuning - Part 2 (#3470)
* [Tuning] Linux BBR Tuning - Part 2
* Update discovery_of_accounts_or_groups_via_builtin_tools.toml
* Update discovery_process_discovery_via_builtin_tools.toml
* Update discovery_hosts_file_access.toml
* Update discovery_system_network_connections.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 12:35:33 +01:00
Ruben Groenewoud
ef66c57030
[Tuning] Linux DR Tuning - Part 11 (#3463)
* [Tuning] Linux DR Tuning - Part 11
* Update persistence_message_of_the_day_creation.toml
* Update persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update persistence_linux_user_added_to_privileged_group.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 12:20:31 +01:00
Ruben Groenewoud
a76a3755d9
[Tuning] Linux DR Tuning - Part 10 (#3462)
* [Tuning] Linux DR Tuning - Part 10
* updated_date bump
* Update persistence_kworker_file_creation.toml
* Update persistence_linux_backdoor_user_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 11:45:17 +01:00
Ruben Groenewoud
fd84573212
[Tuning] Linux DR Tuning - Part 9 (#3461)
* [Tuning] Linux DR Tuning - Part 9
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update lateral_movement_ssh_it_worm_download.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 11:33:28 +01:00