security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

178 Commits

Author SHA1 Message Date
Samirbous 485c6214fa [New Rule] Environment Variable Modification using Launchctl (#865) 
* [New Rule] Environment Variable Modification using Launchctl

* excluding some FPs

* Update defense_evasion_modify_environment_launchctl.toml

* Update defense_evasion_modify_environment_launchctl.toml

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2021-01-26 21:41:30 +01:00
Samirbous b4cb953aa4 [New Rule] Script Execution via Automator Workflows (#763) 
* [New Rule] Script Execution via Automator Workflows

* Update execution_script_via_automator_workflows.toml

* Update rules/macos/execution_script_via_automator_workflows.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/macos/execution_script_via_automator_workflows.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-26 09:07:39 +01:00
Samirbous 5d9c031c8b [New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775) 
* [New Rule] TCC Bypass via Mounted APFS Snapshot Access

* Update defense_evasion_tcc_bypass_mounted_apfs_access.toml

* conv to kql

* Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-26 08:50:28 +01:00
Samirbous dc53fc1f04 [New Rule] Persistence via Docker Shortcut Modification (#733) 
* [New Rule] Persistence via Docker Shortcut Modification

* ref url decoded

* added exclusions

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* exclude some noisy procs and conv to kql

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-01-26 08:38:38 +01:00
Samirbous 6883ea0aa6 [New Rule] Potential Persistence via Login Hook (#900) 
* [New Rule] Potential Persistence via Login Hook

* Update persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-26 08:35:16 +01:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Samirbous b98f5d4042 [New Rule] Launch Agent Creation or Modification followed by Loading (#696) 
* [New Rule] Launch Agent Creation or Modification

* replaced file event with a sequence for precision

* fixed nice error in query

* Update rules/macos/persistence_creation_change_launch_agents_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_creation_change_launch_agents_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* replaced : with ==

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 19:08:16 +01:00
Samirbous 725f509700 [New Rule] LaunchDaemon Creation or Modification followed by Loading (#698) 
* [New Rule] LaunchDaemon Creation or Modification followed by Loading

* fix technique

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 16:04:34 +01:00
Samirbous c76439923b [New Rule] Attempt to Remove File Quarantine Attribute (#674) 
* [New Rule] Attempt to Remove File Quarantine Attribute

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:27:03 +01:00
Samirbous d1dc7b413e [New Rule] Apple Script Execution followed by Network Connection (#681) 
* [New Rule] Apple Script Execution followed by Network Connection

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* excluding LAN and loopback addresses

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:25:03 +01:00
Samirbous aeb061514c [New Rule] Persistence via Login and/or Logout Hooks (#683) 
* [New Rule] Persistence via Login and/or Logout Hooks

* fixed tags

* fixed tags

* added logouthook and extra refurl

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:09:36 +01:00
Samirbous 844a56b125 [New Rule] Execution with Explicit Credentials via Apple Scripting (#689) 
* [New Rule] Execution with Explicit Credentials via Apple Scripting

* fixing tactic

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added ref

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:57:52 +01:00
Samirbous f756619478 [New Rule] Persistence via Folder Action Script (#685) 
* [New Rule] Persistence via Folder Action Script

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:51:52 +01:00
Samirbous b8243f3739 [New Rule] Shell Execution via Apple Scripting (#687) 
* [New Rule] Shell Execution via Apple Scripting

* fixed description and relinted

* added extra ref url

* references url

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:45:39 +01:00
Samirbous da949b0051 [New Rule] Potential SSH Bruteforce Detected (#538) 
* [New Rule] Potential SSH Bruteforce Detected

* Update credential_access_potential_ssh_bruteforce.toml

* added parent process condition

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* spaces

* ecs_version

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:18:03 +01:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
Samirbous abea5d0779 [New Rule] Prompt for Credentials with OSASCRIPT (#540) 2020-11-17 22:25:40 +01:00
Justin Ibarra f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) 2020-11-03 09:51:53 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
 2020-10-27 13:34:16 -05:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
Justin Ibarra d3226c72c9 Add test for tactic in rule filename (#398) 2020-10-20 14:48:33 -08:00
Justin Ibarra 758e4a2c5b Add unit tests for rule tags (#359) 2020-10-07 19:29:19 -08:00
Justin Ibarra 2460333595 [Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351) 2020-09-30 16:16:04 -08:00
Samirbous cbf465ba01 [New Rule] Kerberos dump using kcc command (#139) 
* [New Rule] Kerberos dump using kcc command

* Delete .gitignore

* Delete vcs.xml

* Delete profiles_settings.xml

* Delete misc.xml

* Delete rules.iml

* Delete modules.xml

* Update credential_access_kerberosdump_kcc.toml

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_kerberosdump_kcc.toml

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_kerberosdump_kcc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_kerberosdump_kcc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-30 23:03:44 +02:00
Samirbous 269925ae2e [New Rule] - MacOS Keychains compression (#136) 
* macOS Keychains compression

* Update exfiltration_compress_credentials_keychains.toml

* Update exfiltration_compress_credentials_keychains.toml

* Update exfiltration_compress_credentials_keychains.toml

* Update rules/macos/exfiltration_compress_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/exfiltration_compress_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/exfiltration_compress_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update exfiltration_compress_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-29 10:23:43 +02:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330) 
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
 2020-09-23 22:03:29 -08:00
Samirbous 3e67e8fada [New Rule] Remote SSH Login Enabled (#172) 
* [New Rule] Remote SSH Login Enabled

* Update lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-09-22 14:21:20 +02:00