Mika Ayenson
cdafe17ffb
[Rule Tuning] Authorization Plugin Modification (#2156)
* exclude files altered by shove processes
2022-07-27 08:34:23 -04:00
Mika Ayenson
e6bab063dc
[Rule Tuning] LaunchDaemon Creation or Modification and Immediate Loading (#2154)
* update query
2022-07-27 08:24:57 -04:00
Mika Ayenson
b44714c83f
filter Bitdefender FPs (#2109)
2022-07-25 10:12:30 -04:00
Mika Ayenson
286941cb8e
[Rule Tuning] Attempt to Unload Elastic Endpoint Security Kernel Extension (#2134)
* add subtechnique T1547/006/
2022-07-23 11:22:27 -04:00
Mika Ayenson
1dc0fcec47
add CVE to tag (#2127)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-07-22 20:44:14 -04:00
Mika Ayenson
f07c72254d
update description (#2149)
2022-07-22 17:12:41 -04:00
Mika Ayenson
b3334941f9
[Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#2147)
* exclude jamf fp and add ssh subtechnique
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-07-22 17:10:09 -04:00
Mika Ayenson
84104773a6
exclude google drive FP (#2145)
2022-07-22 17:00:00 -04:00
Mika Ayenson
44ae72d054
[Rule Tuning] Suspicious Automator Workflows Execution (#2142)
* add subtechnique
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-07-22 16:50:45 -04:00
Mika Ayenson
f176b5ef57
update tags to include C2 tactic (#2140)
2022-07-22 16:39:25 -04:00
Colson Wilhoit
d6527afd51
[Rule Tuning] Remove File Quarantine Attribute (#2129)
2022-07-22 15:25:12 -05:00
Mika Ayenson
1e28385ea4
[Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#2136)
* fix parens and exclude parent process FPs and update description
2022-07-22 16:16:27 -04:00
Mika Ayenson
d2be29b226
[Rule Tuning] Potential Privacy Control Bypass via TCCDB Modification (#2121)
* add exception for Bitdefender
2022-07-22 16:07:41 -04:00
Mika Ayenson
cefb84ae15
[Rule Tuning] Modification of Environment Variable via Launchctl (#2119)
* add exception for vmoptions
2022-07-22 16:03:46 -04:00
Terrance DeJesus
e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-07-22 14:30:34 -04:00
Mika Ayenson
cd11001fe8
[Rule Tuning] Attempt to Remove File Quarantine Attribute (#2117)
* Add exceptions for browser FPs
2022-07-22 14:26:48 -04:00
Mika Ayenson
c1c83a536c
[Rule Tuning] Kerberos Cached Credentials Dumping (#2103)
* Updated description to include threat actor utilization
2022-07-22 14:19:04 -04:00
Mika Ayenson
a9de227cfa
[Rule Tuning] Access to Keychain Credentials Directories (#2101)
* rule tune to remove noisy FPs
2022-07-22 14:14:12 -04:00
Mika Ayenson
aaf9a708ae
[Rule Tuning] Access of Stored Browser Credentials (#2098)
* audit update: added technique T1539 and excluded additional cookies path
2022-07-22 13:57:59 -04:00
Mika Ayenson
a52751494e
2058 add setup field to metadata (#2061)
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-07-18 15:41:32 -04:00
Mika Ayenson
92640f517a
[Rule tuning] check for anything found in the emondClient directory (#1977)
* check for anything found in the emondClient directory and add reference
2022-05-18 12:33:23 -04:00
shashank-elastic
88f71233c9
Detection of suspicious crontab creation or modification (#1938)
* Detection of suspicious crontab creation or modification
* Update rules/macos/persistence_crontab_creation.toml
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-04-27 12:08:32 +05:30
Jonhnathan
20d2e92cfe
Review & Fix Invalid References (#1936)
2022-04-26 17:57:15 -03:00
Justin Ibarra
6bdfddac8e
Expand timestamp override tests (#1907)
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
Damià Poquet Femenia
9ad3d39a32
Add Jamf Connect exception for macOS users enumeration rule (#1891)
* Update discovery_users_domain_built_in_commands.toml
Jamf Connect uses ldapsearch to synchronize user passwords.
* change rule update date
2022-03-28 13:13:28 -03:00
Stijn Holzhauer
3d4eaf4caf
Adding path as stated in #1812 (#1889)
* Adding path as stated in #1812
* Bumping updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-27 08:07:38 -03:00
Jonhnathan
1c50f35aed
[Security Content] Update rules based on docs review (#1803)
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-03-01 21:39:30 -03:00
Justin Ibarra
72c64de3f5
[Rule tuning] Update rules based on docs review (#1663)
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-28 10:41:22 -09:00
Colson Wilhoit
b564fa13fb
MacOS FolderActionScripts Process List Update (#1723)
* update and expand process list
* fix query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-25 14:27:27 -06:00
Colson Wilhoit
cfd4d431dd
MacOS Launch Daemon Creation Rule - Query Fix (#1722)
* launch daemon creation syntax fix
* change updated date
2022-01-25 12:47:51 -06:00
David French
cdbd5a6515
[New Rule] Rules to detect screensaver persistence on macOS (#1531)
* add macos screensaver persistence rules
* change uuid
* update name
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* add T1546
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-07 08:22:58 -06:00
Jonhnathan
f6421d8c53
Additional Att&ck Mappings for credential access Rules (#1495)
Updates MITRE Technique IDs for Credential Access DRs
2021-09-21 11:04:16 -05:00
Justin Ibarra
655f7d91d0
[Rule tuning] Fix spacing in reference URLs (#1455)
2021-08-31 15:59:06 -08:00
Justin Ibarra
d31ea6253e
Refresh ATT&CK mappings to v9.0 (#1401)
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
2021-08-04 14:16:10 -08:00
Ross Wolf
31f63e728e
Switch from process.ppid to process.parent.pid (#1255)
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date
2021-06-22 09:10:28 -06:00
Brent Murphy
12577f7380
[Rule Tuning] Update network rule address blocks (#1227)
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-06-15 09:22:59 -04:00
Justin Ibarra
6ef5c53b0c
Cleanup note field in rules (#1194)
* standardize usage of note field
2021-05-10 13:40:56 -08:00
David French
a7bb15eaf7
[Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#1046)
* Update discovery_users_domain_built_in_commands.toml
* tweak whitespace in query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-13 11:31:47 -06:00
Samirbous
31daa7b36a
[Rule Tuning] Keychain Password Retrieval via Command Line (#992)
* [Rule Tuning] Keychain Password Retrieval via Command Line
* removed duplicate tactic
* Update credential_access_keychain_pwd_retrieval_security_cmd.toml
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-13 18:16:43 +02:00
Samirbous
687c9feba3
[Rule Tuning] Persistence via Login or Logout Hook (#1020)
* [Rule Tuning] Persistence via Login or Logout Hook
* update date
* Update rules/macos/persistence_login_logout_hooks_defaults.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-19 10:32:51 +01:00
Samirbous
dd1214627a
[Rule Tuning] Modification of Environment Variable via Launchctl (#1010)
* [Rule Tuning] Modification of Environment Variable via Launchctl
* update date
2021-03-19 10:20:04 +01:00
Samirbous
be3c7eaf45
[Rule Tuning] WebProxy Settings Modification (#1008)
* [Rule Tuning] WebProxy Settings Modification
* kql optimz test
* update date
2021-03-19 10:00:50 +01:00
Samirbous
bcc8b6922c
[Rule Tuning] Suspicious macOS MS Office Child Process (#1022)
* [Rule Tuning] Suspicious macOS MS Office Child Process
* comment for exclusions
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-03-19 09:48:27 +01:00
Samirbous
f800199cc5
[Rule Tuning] Access to Keychain Credentials Directories (#999)
* [Rule Tuning] Access to Keychain Credentials Directories
* Update rules/macos/credential_access_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-03-19 09:42:32 +01:00
Justin Ibarra
0b65678d8c
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
Justin Ibarra
0e0b2ea1a4
Update schema for threshold rule type for 7.12 (#976)
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00
Justin Ibarra
3fc34b86f2
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
Andrew Pease
8c4df09542
[New Rule] Installer Spawning cURL from macOS Package (#960)
* initial commit
* extra lint extra test
* Update rules/macos/execution_curl_spawned_from_installer_package.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/execution_curl_spawned_from_installer_package.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/macos/execution_curl_spawned_from_installer_package.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/macos/execution_curl_spawned_from_installer_package.toml
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
* moved to EQL
* Update rules/macos/execution_installer_spawned_network_event.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
2021-02-26 09:46:01 -06:00
Justin Ibarra
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945)
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
brokensound77
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00