shashank-elastic
1ce072a4e5
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
Samirbous
5081735acc
[New] Potential Persistence via Mandatory User Profile (#5530)
* [New] Potential Persistence via Mandatory User Profile
https://deceptiq.com/blog/ntuser-man-registry-persistence
* Update persistence_suspicious_user_mandatory_profile_file.toml
* Update persistence_suspicious_user_mandatory_profile_file.toml
2026-01-09 09:35:47 +00:00
Samirbous
fde2fa972e
[Tuning] Process Created with an Elevated Token (#5532)
* [Tuning] Process Created with an Elevated Token
https://github.com/elastic/detection-rules/issues/5492
* Update privilege_escalation_via_token_theft.toml
2026-01-09 09:23:37 +00:00
Samirbous
f98f4e5a95
[Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5525)
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
2026-01-07 21:03:44 +00:00
Samirbous
08663dee79
Update persistence_webshell_detection.toml (#5524)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-02 12:45:50 -03:00
Samirbous
b996a29451
[Tuning] Diverse Rules Tuning (#5482)
* [Tuning] Diverse Rules Tuning
* Update persistence_shell_profile_modification.toml
* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* ++
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update persistence_shell_profile_modification.toml
* Revert "Update credential_access_potential_linux_ssh_bruteforce_internal.toml"
This reverts commit bad889a30d3f4a028de2b6624307f75b279a205b.
* Update persistence_web_server_sus_destination_port.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-18 15:30:12 +00:00
Jonhnathan
a9bdfaaea3
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
* [Rule Tuning] PowerShell Misc Tuning/Severity Bump
* bump sev
2025-12-18 03:30:22 -08:00
Jonhnathan
5ec8e3e500
[Rule Tuning] Communication App Rules (#5487)
* [Rule Tuning] Communication App Rules
* Update defense_evasion_masquerading_business_apps_installer.toml
* Update defense_evasion_masquerading_business_apps_installer.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_business_apps_installer.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-12-18 02:38:18 -08:00
Samirbous
2cc1a341de
Update lateral_movement_credential_access_kerberos_correlation.toml (#5455)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-12 18:14:26 +00:00
Samirbous
ef0ec1ac83
Update defense_evasion_suspicious_short_program_name.toml (#5454)
2025-12-12 17:25:00 +00:00
Samirbous
3726611b93
[Tuning] Top Noisy Rules (#5449)
* [Tuning] Windows BruteForce Rules Tuning
#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths; alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%)
#2 Privileged Account Brute Force - converted to ES|QL and set the threshold to 50 in a minute. This should drop noise volume by more than 50%.
* ++
* Update execution_shell_evasion_linux_binary.toml
* Update execution_shell_evasion_linux_binary.toml
* Update defense_evasion_indirect_exec_forfiles.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update persistence_service_windows_service_winlog.toml
* Update credential_access_lsass_openprocess_api.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update impact_hosts_file_modified.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update rules/windows/credential_access_lsass_openprocess_api.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update credential_access_lsass_openprocess_api.toml
* Update impact_hosts_file_modified.toml
* Update credential_access_dollar_account_relay.toml
* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-12 14:28:12 +00:00
Jonhnathan
7a54ae33a5
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
* [Rule Tuning] Add Missing Metadata to KEEP conditions
* Add them all
* ++
* date bump
* Update rules_building_block/discovery_ec2_multi_region_describe_instances.toml
2025-12-09 17:05:20 -08:00
Jonhnathan
56574c99c3
[Rule Tuning] Potential Masquerading as Svchost (#5439)
* [Rule Tuning] Potential Masquerading as Svchost
* Update defense_evasion_masquerading_as_svchost.toml
* to_lower
* Update defense_evasion_masquerading_as_svchost.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-12-09 13:56:38 -08:00
theusername-sudo
3bcacdb4ee
Update lateral_movement_scheduled_task_target.toml to fix null values (#5228)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-08 18:40:20 +05:30
Samirbous
8ddf8a838e
Update defense_evasion_masquerading_as_svchost.toml (#5416)
2025-12-08 12:15:40 +00:00
Samirbous
896b6a214a
[Tuning] Rare Connection to WebDAV Target (#5415)
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
2025-12-05 22:31:01 +00:00
Jonhnathan
b8aedcd7aa
[Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition (#5391)
* [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition
* Update defense_evasion_posh_obfuscation_proportion_special_chars.toml
* ++, powershell.file.*
* ++
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 13:17:02 +01:00
Jonhnathan
bc6f9b55f4
[Rule Tuning] Potential PowerShell Obfuscated Script (#5389)
* [Rule Tuning] Potential PowerShell Obfuscated Script
* Update defense_evasion_posh_obfuscation.toml
2025-12-02 08:30:54 -08:00
Jonhnathan
6915e3956f
[Rule Tuning] Persistence via a Windows Installer (#5386)
2025-12-01 07:54:23 -08:00
Jonhnathan
aaf3c93377
[Rule Tuning] Potential System Tampering via File Modification (#5385)
2025-12-01 07:45:03 -08:00
Jonhnathan
85a9c7180d
[Rule Tuning] Windows Misc Tuning (#5382)
* [Rule Tuning] Windows Misc Tuning
* Update execution_suspicious_powershell_imgload.toml
* I need some coffee
2025-12-01 07:28:25 -08:00
Samirbous
5e1ac4f450
[Tuning] Powershell Atomics test gaps for T1059.001 (#5380)
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
2025-12-01 15:06:48 +00:00
Jonhnathan
20d86c8b47
[Rule Tuning] Host File System Changes via Windows Subsystem for Linux (#5383)
2025-12-01 05:06:38 -08:00
Samirbous
c3d09165c4
[Tuning] Suspicious Kerberos Authentication Ticket Request (#5364)
* Update lateral_movement_credential_access_kerberos_correlation.toml
* Update lateral_movement_credential_access_kerberos_correlation.toml
2025-11-26 18:45:30 +00:00
Samirbous
f0e9281854
[New] Potential Masquerading as Svchost (#5305)
* [New] Potential Masquerading as Svchost
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2025-11-19 12:10:11 +00:00
Samirbous
64cc823481
[Tuning] Outbound Scheduled Task Activity via PowerShell (#5287)
https://github.com/elastic/detection-rules/issues/5286
Verified cidrmatch on destination.ip works on both integrations (endpoint and sysmon):
2025-11-17 10:02:50 +00:00
Jonhnathan
8b74ba7136
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
Samirbous
7b7082e9f4
[New] Command Obfuscation via Unicode Modifier Letters (#5311)
* [New] Command Obfuscation via Unicode Modifier Letters
* Update defense_evasion_obf_args_unicode_modified_letters.toml
* Update defense_evasion_obf_args_unicode_modified_letters.toml
* Update defense_evasion_obf_args_unicode_modified_letters.toml
* ++
* Update defense_evasion_obf_args_unicode_modified_letters.toml
* Update defense_evasion_obf_args_unicode_modified_letters.toml
2025-11-13 21:29:07 +00:00
veritasr3x
da9bfd0abc
MITRE ATT&CK Sub-Technique Update - Solves Issue #5279 (#5280)
* Resolves Issue #5279
* Corrected the "updated_date" value
* Put the technique and sub-technique in the correct location
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-11-11 10:26:14 -05:00
shashank-elastic
e938ecf41a
Refresh Manifest and Schemas November Update (#5298)
2025-11-11 18:04:20 +05:30
Samirbous
34bd88a37e
[Tuning] Potential Ransomware Behavior - Note Files by System (#5235)
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update rules/windows/impact_high_freq_file_renames_by_kernel.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-11-10 18:22:37 +00:00
Samirbous
085ef447e8
[New] Windows Server Update Service Spawning Suspicious Processes (#5250)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
ttps://hawktrace.com/blog/CVE-2025-59287
2025-11-10 18:10:32 +00:00
Samirbous
598e5c363f
[New] Suspicious Kerberos Authentication Ticket Request (#5260)
* [New] Suspicious Kerberos Authentication Ticket Request
Multi-datasource correlation to detect suspicious Kerberos Authentication Ticket Request from the source machine and the Domain Controller.
* Update lateral_movement_credential_access_kerberos_correlation.toml
* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update lateral_movement_credential_access_kerberos_correlation.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-11-03 15:44:13 +00:00
shashank-elastic
818978975d
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
Samirbous
64a8290b37
[New] Potential Command Shell via NetCat (#5221)
* [New] Potential Command Shell via NetCat
* Update execution_revshell_cmd_via_netcat.toml
* Update execution_revshell_cmd_via_netcat.toml
* Update execution_revshell_cmd_via_netcat.toml
* Update execution_revshell_cmd_via_netcat.toml
* Update execution_revshell_cmd_via_netcat.toml
2025-10-15 12:30:09 +01:00
Jonhnathan
a31fb00614
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
shashank-elastic
3397b7e707
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30
Samirbous
29c4c19d59
[Tuning] Startup or Run Key Registry Modification (#5137)
* [Tuning] Startup or Run Key Registry Modification
A high percentage of the FPs are for programfiles and localappdata files in the registry data string value. This tuning should drop FPs/volume significantly.
* Update rules/windows/persistence_run_key_and_startup_broad.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-10-06 09:24:33 +01:00
Samirbous
b4e9b48ad7
[New] Suspicious SeIncreaseBasePriorityPrivilege Use (#5150)
* [New] Suspicious SeIncreaseBasePriorityPrivilege Us
https://github.com/Octoberfest7/ThreadCPUAssignment_POC/tree/main
https://x.com/sixtyvividtails/status/1970721197617717483
* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-10-03 16:52:32 +01:00
Samirbous
66a0b6b97c
[Tuning] Potential Ransomware Behavior - High count of Readme files by System (#5167)
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-10-02 17:39:51 +01:00
Jonhnathan
f75062a855
[Rule Tuning] Suspicious PowerShell Engine ImageLoad (#5134)
* Update execution_suspicious_powershell_imgload.toml
* Update execution_suspicious_powershell_imgload.toml
2025-09-22 06:03:41 -07:00
Jonhnathan
cd6c37e3b9
[Rule Tuning] Mark some field optional for 3rd party compatibility (#5135)
* [Rule Tuning] Mark some field optional for 3rd party compatibility
* bump
2025-09-22 05:43:10 -07:00
shashank-elastic
657b504f46
Update investigation guides (#5112)
2025-09-16 18:34:37 +05:30
Jonhnathan
4476ac52a8
[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
* [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms
* ++
* ++
* Update credential_access_dcsync_replication_rights.toml
* Update persistence_webshell_detection.toml
* ++
* Update persistence_webshell_detection.toml
2025-09-15 09:38:03 -07:00
Jonhnathan
7bd9c52852
[Rule Tuning] Windows High Severity - 5 (#5096)
* [Rule Tuning] Windows High Severity - 4
* Update privilege_escalation_windows_service_via_unusual_client.toml
2025-09-15 09:29:37 -07:00
Jonhnathan
76c73f84f6
[Rule Tuning] Windows High Severity - 4 (#5095)
* [Rule Tuning] Windows High Severity - 4
* Update initial_access_execution_from_inetcache.toml
2025-09-15 09:18:55 -07:00
Jonhnathan
8d9822e8be
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
* [Rule Tuning] Fix process.pe.original_file_name Conditions
* --
2025-09-15 09:06:23 -07:00
Jonhnathan
d69ede2508
[Rule Tuning] Windows High Severity - 3 (#5094)
* [Rule Tuning] Windows High Severity - 3
* Update execution_pdf_written_file.toml
* Update execution_pdf_written_file.toml
* Update execution_pdf_written_file.toml
2025-09-15 08:34:43 -07:00
Jonhnathan
567b82cb2f
[Rule Tuning] Windows High Severity - 2 (#5093)
* [Rule Tuning] Windows High Severity - 2
* [Rule Tuning] Windows High Severity - 3
* Revert "[Rule Tuning] Windows High Severity - 3"
This reverts commit 32c8348072ab1629e2a164a3579d866b2682f234.
2025-09-15 07:53:31 -07:00
Jonhnathan
7910f465cc
[Rule Tuning] Windows High Severity - 1 (#5092)
* [Rule Tuning] Windows High Severity - 1
* Update command_and_control_headless_browser.toml
* Update defense_evasion_execution_suspicious_explorer_winword.toml
* Update command_and_control_outlook_home_page.toml
2025-09-15 07:44:20 -07:00