sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Terrance DeJesus	70411664cf	[Bug] Normalize Hunting Index Link Generation (#3872 ) * normalizing hunting link generation * replacing header * adjusting quotes in f-strings * added source file to metadata * removed os dependency * address bug in source file links * reverting TOML loading * change all List type hinting to list * change all List type hinting to list * fixed accented characters in queries * reverted accent character removal; moved macos query and MD to macos folder	2024-07-10 11:01:59 -04:00
Terrance DeJesus	f0b2cb7c87	[New Hunt] Add Initial Linux Hunting Files (#3847 ) * added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-07-05 20:01:12 +02:00
Terrance DeJesus	632e169f7a	[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 ) * add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-06-25 09:35:36 -04:00

Author

SHA1

Message

Date

Terrance DeJesus

70411664cf

[Bug] Normalize Hunting Index Link Generation (#3872 )

* normalizing hunting link generation

* replacing header

* adjusting quotes in f-strings

* added source file to metadata

* removed os dependency

* address bug in source file links

* reverting TOML loading

* change all List type hinting to list

* change all List type hinting to list

* fixed accented characters in queries

* reverted accent character removal; moved macos query and MD to macos folder

2024-07-10 11:01:59 -04:00

Terrance DeJesus

f0b2cb7c87

[New Hunt] Add Initial Linux Hunting Files (#3847 )

* added 'Uncommon Process Execution from Suspicious Directory' hunt

* adds all linux hunting files

* moves linux hunting files to queries folder

* adds generated docs

* fixing windows hunts

* fixing windows hunts

* updated README

* Removed 2, updated a few, changed some names/descriptions and added list of str

* updated windows for language schema changes, regenerated docs; updated README and index

* changed UUIDs to hex only with standard hyphen format

* removing unecessary docs

* Fixed queries based on Samir feedback

* ++

* regenerating linux docs

* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Updates

* Update

* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Updates

* regenerating linux docs

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

2024-07-05 20:01:12 +02:00

Terrance DeJesus

632e169f7a

[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 )

* add description to hunting schema; change queries to be a list

* update createremotethreat by process hunt

* update dll hijack and masquerading as MSFT library

* remove sysmon specific dDLL hijack via masquerading MSFT library

* updated Masquerading Attempts as Native Windows Binaries

* updates Rare DLL Side-Loading by Occurrence

* updates Rare LSASS Process Access Attempts

* update DNS Queries via LOLBins with Low Occurence Frequency

* updated Low Occurrence of Drivers Loaded on Unique Hosts

* updates Excessive RDP Network Activity by Host and User

* updates Excessive SMB Network Activity by Process ID

* updated Executable File Creation by an Unusual Microsoft Binary

* Frequency of Process Execution and Network Logon by Source Address

* updates Frequency of Process Execution and Network Logon by Source Address

* updated Execution via Remote Services by Client Address

* updated Startup Execution with Low Occurrence Frequency by Unique Host

* updated Low Frequency of Process Execution via WMI by Unique Agent

* updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent

* updated Low Occurence of Process Execution via Windows Services with Unique Agent

* Updated High Count of Network Connection Over Extended Period by Process

* update Libraries Loaded by svchost with Low Occurrence Frequency

* updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent

* updated Network Discovery via Sensitive Ports by Unusual Process

* updated PE File Transfer via SMB_Admin Shares by Agent or User

* updated Persistence via Run Key with Low Occurrence Frequency

* updates Persistence via Startup with Low Occurrence Frequency by Unique Host

* updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source

* updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon"

* updates "Egress Network Connections with Total Bytes Greater than Threshold"

* updates "Rundll32 Execution Aggregated by Command Line"

* updates "Scheduled tasks Creation by Action via Registry"

* updates "Scheduled Tasks Creation for Unique Hosts by Task Command"

* updates "Suspicious Base64 Encoded Powershell Command"

* updates "Suspicious DNS TXT Record Lookups by Process"

* updates "Unique Windows Services Creation by Service File Name"

* Updates "Unique Windows Services Creation by Service File Name"

* updates "Windows Command and Scripting Interpreter from Unusual Parent Process"

* updates "Windows Logon Activity by Source IP"

* updates "Suspicious Network Connections by Unsigned Mach-O"

* updates LLM hunting queries

* re-generated markdown files; updated generate markdown py file

* updated test_hunt_data

* Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* updated missing integrations

* updated MD docs according to recent hunting changes

* Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* added enrichment policy link to rule

* Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/index.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

2024-06-25 09:35:36 -04:00

3 Commits