Commit Graph

222 Commits

Author SHA1 Message Date
Samirbous 7fc5ba1646 [New Rule] Persistence via Cron Tasks (#867)
* [New Rule] Persistence via Cron Tasks

* Update persistence_cron_jobs_creation_and_runtime.toml

* Update persistence_cron_jobs_creation_and_runtime.toml

* excluded noisy procs and root user

* moved to cross-platform

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* excluding root user

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-10 10:28:22 +01:00
Andrew Pease ddddaf37dc [New Rule] Sudo Heap-based Buffer Overflow Vulnerability Attempt (CVE-2021-3156) (#933)
* initial commit

* adjusted title

* Update rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* updates

* optimized

* added ""'s

* typo around "-s"

* added sudo reference

* changed to threshold

* Update rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml

* re-lint

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-09 15:02:04 -06:00
Samirbous 769ced1001 [New Rule] Privilege Elevation via Sudoers File Modification (#917)
* [New Rule] Privilege Elevation via Sudoers File Modification

* Update privilege_escalation_echo_nopasswd_sudoers.toml

* group args

* Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lint rule

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-02-09 21:58:31 +01:00
Samirbous 2e6b353f5e [New Rule] Potential Reverse Shell Activity via Terminal (#821)
* [New Rule] Potential Reverse Shell Activity via Terminal

* extra reference

* adjusted process.args for coverage resilience

* Update execution_revershell_via_shell_cmd.toml

* Update rules/cross-platform/execution_revershell_via_shell_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/execution_revershell_via_shell_cmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* encoded ref url

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-08 22:57:55 +01:00
Samirbous 55272cc49e [New Rule] EggShell Backdoor Execution (#845)
* [New Rule] EggShell Backdoor Execution

* Update rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-08 22:37:15 +01:00
Brent Murphy 0b568e5740 [New Rule] Suspicious JAR Child Process (#887)
* Create execution_suspicious_jar_child_process.toml

* pr review feedback and moved to cross platform

* spacing

* Add FP section
2021-02-08 09:48:48 -05:00
Samirbous 3fde3930f7 [New Rule] Modification of Standard Authentication Module or Configuration (#745)
* [New Rule] Modification of Unix Standard Authentication Module

* extra ref and added file creation event type

* extra ref url

* Update persistence_modify_authentication_module.toml

* added pam.d conf files changes too

* adjusted tactics and techniques

* Update persistence_modify_authentication_module.toml

* Update persistence_modify_authentication_module.toml

* changed from linux to cross platform

* Update persistence_credential_access_modify_auth_module_or_config.toml

* adjusted query

* converted to kql and excluded FPs

* Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update persistence_credential_access_modify_auth_module_or_config.toml

* Update persistence_credential_access_modify_auth_module_or_config.toml

* Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-05 21:23:58 +01:00
Samirbous bec5211814 [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod (#875)
* [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod

* Update privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

* relinted
2021-02-04 16:29:53 +01:00
Samirbous 4a5085ee54 [Rule Tuning] Sudoers File Modification (#873)
* [Rule Tuning] Sudoers File Modification

* 2021!

* Update rules/cross-platform/privilege_escalation_sudoers_file_mod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-03 17:57:40 +01:00
Justin Ibarra a0e86e20d6 [Rule Tuning] Add windows integration index to rules (#923) 2021-01-28 20:53:57 -09:00
brokensound77 bf32dec5a4 Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main
# Conflicts:
#	rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
2021-01-28 10:41:39 -09:00
Samirbous 6029783721 [New Rule] Security Software Discovery using Grep (#743)
* [New Rule] Security Software Discovery using Grep

* fixed index

* Update discovery_security_software_grep.toml

* Update discovery_security_software_grep.toml

* conv to kql and added few AVs

* added more AV procs

* Update rules/macos/discovery_security_software_grep.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* moved to cross-platform

* Update discovery_security_software_grep.toml

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-01-26 19:57:26 +01:00
Samirbous 440a7fbdee [New Rule] SSH Authorized Keys File Modification (#754)
* [New Rule] SSH Authorized Keys File Modification

* excluded some noisy procs

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update persistence_ssh_authorized_keys_modification.toml

* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-01-26 08:45:38 +01:00
Samirbous dd2f655367 [New Rule] Potential Cookies Theft via Browser Debugging (#741)
* [New Rule] Potential Cookies Theft via Browser Debugging

* Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added auditbeat

* fixed error

* excluded a common FP

* added MSEdge

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-01-26 08:21:45 +01:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
Samirbous 61fe8a59ff [New Rule] WebServer Access Logs Deleted (#457)
* [New Rule] WebServer Access Logs Deleted

* removed timeline_id

* added drive letter for better perf

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update defense_evasion_deleting_websvr_access_logs.toml

* changed severity from low to medium

* fixed duplicate text in description

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-01 10:48:55 +01:00
Justin Ibarra fda1e7ef94 Bump zoom rule to production (#427) 2020-10-29 11:02:29 -08:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Andrew Pease 0b745c5492 [New Rule] Zoom Meeting with no Passcode (#292) 2020-09-30 21:44:45 -08:00
Justin Ibarra 2460333595 [Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351) 2020-09-30 16:16:04 -08:00
Andrew Pease d68e4ac7f0 [New Rule] Hosts File Modified (#25) 2020-09-30 15:24:07 -08:00