Commit Graph

946 Commits

Author SHA1 Message Date
shashank-elastic 7175b3ab06 Add investigation guides for detection rules (#4886) 2025-07-08 00:25:42 +05:30
shashank-elastic 9b292b97ea Prep 8.19/9.1 (#4869)
* Prep 8.19/9.1 Release

* Download Beats Schema

* Download API Schema

* Download 8.18.3 Beats Schema

* Download Latest Integrations manifest and schema

* Comment old schemas

* Update Patch version
2025-07-07 11:27:48 -04:00
Jonhnathan 782605ae07 [Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts (#4867)
* [Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts

* bump updated_date

* Fix DSL exception
2025-07-07 10:56:13 -03:00
Jonhnathan d42128cdbf [Rule Tuning] Windows Misc Tuning (#4870)
* [Rule Tuning] Windows Misc Tuning

* Update execution_command_shell_started_by_svchost.toml

* bump

* Update rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_persistence_account_tokenfilterpolicy.toml
2025-07-07 10:32:12 -03:00
Samirbous 4fb31c7ea6 Update command_and_control_new_terms_commonly_abused_rat_execution.toml (#4842)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-06-25 12:39:48 -03:00
Jonhnathan 82708867e3 [Rule Tuning] First Time Seen NewCredentials Logon Process (#4844)
* [Rule Tuning] First Time Seen NewCredentials Logon Process

* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-06-24 12:25:56 -03:00
Samirbous 4b20d69c03 [Tuning] Elevation via SCM rules (#4837)
* Update privilege_escalation_krbrelayup_service_creation.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update non-ecs-schema.json

* Update non-ecs-schema.json

* Update pyproject.toml
2025-06-20 09:52:59 +01:00
Samirbous caf6630325 Update impact_stop_process_service_threshold.toml (#4813) 2025-06-18 09:44:09 +05:30
Jonhnathan 1f71191c85 [New Rules] SPN Spoofing / Coercion Rules (#4815)
* [New Rules] SPN Spoofing / Coercion Rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/credential_access_kerberos_coerce.toml

* Update rules/windows/credential_access_kerberos_coerce_dns.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/credential_access_kerberos_coerce.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* .

* Update rules/windows/credential_access_kerberos_coerce_dns.toml

* Update rules/windows/credential_access_kerberos_coerce_dns.toml

* Update pyproject.toml

* missing tag

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-06-17 18:50:28 -03:00
Jonhnathan 3bc57088a1 [Rule Tuning] PowerShell ES|QL Rules Tuning (#4785)
* [Rule Tuning] PowerShell ES|QL Rules Tuning

* Update defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
2025-06-17 10:36:51 -03:00
Samirbous 5273729106 [New] Potential Machine Account Relay Attack via SMB (#4803)
* [New] Potential Machine Account Relay Attack via SMB

Identify a server machine account accessing itself via SMB but from a remote source.ip; this behavior is abnormal and matches SMB relay:

* Update credential_access_machine_account_smb_relay.toml

* Update credential_access_machine_account_smb_relay.toml

* Update credential_access_machine_account_smb_relay.toml

* Update rules/windows/credential_access_machine_account_smb_relay.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_machine_account_smb_relay.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-06-16 17:16:04 +01:00
Jonhnathan d8d898d12d [Rule Tuning] Outlook Home Page Registry Modification (#4798) 2025-06-16 08:01:45 -03:00
Samirbous 718b64f1df Update execution_downloaded_url_file.toml (#4794) 2025-06-12 12:11:19 +01:00
Samirbous ba55fb412b [New] Potential CVE-2025-33053 Exploitation (#4795)
* Create initial_access_url_cve_2025_33053.toml

* Delete docs/docset.yml

* Revert "Delete docs/docset.yml"

This reverts commit 5d0e6a68eb5510b6f3d9325cfcdf156bf11e1992.

* Update initial_access_url_cve_2025_33053.toml
2025-06-12 08:08:20 +01:00
Samirbous c8d6e32d1c Update privilege_escalation_unusual_parentchild_relationship.toml (#4775)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-06-09 18:58:55 +01:00
Terrance DeJesus 0a8c3ca471 new rule for bloodhound user agents (#4769) 2025-06-04 09:11:13 -04:00
Samirbous 0abd8c923a Create defense_evasion_lsass_ppl_disabled_registry.toml (#4747) 2025-05-29 10:55:14 +01:00
Samirbous bb63887741 [New] BadSuccessor dMSA Abuse Detections (#4745)
* [New] BadSuccessor dMSA Abuse Detections

https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

Using the new terms rule type with events 5136/5137 by winlog.event_data.SubjectUserName to detect unusual accounts performing dMSA changes (creation of a new dMSA account or the modification of the `msDS-ManagedAccountPrecededByLink` attribute to take over a target account).

* Update privilege_escalation_dmsa_creation_by_unusual_user.toml
2025-05-25 09:38:15 +01:00
Samirbous 2c2b3e7d12 [Tuning] Lateral Movement Rules (#4736)
* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update execution_suspicious_cmd_wmi.toml

* Update lateral_movement_incoming_wmi.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update lateral_movement_incoming_wmi.toml

* Update execution_suspicious_cmd_wmi.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-05-21 15:59:45 +01:00
Samirbous 22cf1f0ced [Tuning] Account Discovery Command via SYSTEM Account (#4734)
* Update discovery_command_system_account.toml

* Update discovery_command_system_account.toml

* Update discovery_command_system_account.toml

* Update discovery_command_system_account.toml

* Update discovery_command_system_account.toml
2025-05-21 06:25:16 +01:00
Jonhnathan e6fb73970d [Rule Tuning] Startup or Run Key Registry Modification (#4710) 2025-05-19 22:12:37 +05:30
Jonhnathan 9af2bf4a66 [Rule Tuning] Unusual Scheduled Task Update (#4714) 2025-05-19 21:51:14 +05:30
Jonhnathan 47059e22f2 [Rule Tuning] Backup Deletion with Wbadmin (#4715) 2025-05-19 20:34:25 +05:30
Jonhnathan d30e65e5a2 [Rule Tuning] Unusual File Creation - Alternate Data Stream (#4712) 2025-05-09 13:56:54 -03:00
Jonhnathan e028bf7954 [New Rule] Potential Dynamic IEX Reconstruction via Environment Variables (#4633) 2025-05-06 21:06:06 +05:30
Jonhnathan 0cd7de6862 [New Rule] Potential PowerShell Obfuscation via Special Character Overuse (#4632) 2025-05-06 20:29:19 +05:30
Jonhnathan b7016253ae [New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion (#4631) 2025-05-06 20:13:34 +05:30
Jonhnathan 5d8f0c2ffe [New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (#4630) 2025-05-06 19:58:01 +05:30
Jonhnathan dc6cb3e811 [New Rule] Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (#4615) 2025-05-06 19:26:15 +05:30
Jonhnathan 5ab73943a1 [New Rule] Potential PowerShell Obfuscation via Invalid Escape Sequences (#4614) 2025-05-06 19:10:10 +05:30
Jonhnathan b5ac9707ba [New Rule] PowerShell Obfuscation via Negative Index String Reversal (#4610) 2025-05-06 18:54:22 +05:30
Jonhnathan c291638521 [New Rule] Potential PowerShell Obfuscation via Reverse Keywords (#4609) 2025-05-06 18:36:13 +05:30
Jonhnathan 7b9cd77bc2 [New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction (#4608) 2025-05-06 18:18:29 +05:30
Jonhnathan ebe77f2d86 [New Rule] Potential PowerShell Obfuscation via String Concatenation (#4607) 2025-05-06 18:02:35 +05:30
Samirbous 91acb4e9ce [New] Windows Sandbox with Sensitive Configuration (#4606)
https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
2025-05-06 15:58:39 +05:30
Samirbous 04f15aa08c [New] Rare Connection to WebDAV Target (#4667) 2025-05-06 15:41:30 +05:30
Samirbous bcff3f95d5 Update command_and_control_common_webservices.toml (#4686) 2025-05-06 13:27:21 +05:30
shashank-elastic e4856d3c2c Refresh ecs, beats, integration manifests & schemas (#4699) 2025-05-05 23:06:40 +05:30
shashank-elastic 34231160ee Fix versions for changes in required_fields (#4640) 2025-04-24 06:28:18 +05:30
Jonhnathan b9ed05562d [Rule Tuning] User Added to Privileged Group in Active Directory (#4646)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-04-24 06:12:33 +05:30
Jonhnathan e8e76972f5 [Rule Tuning] Replace legacy winlog.api usage (#4647)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-04-24 05:52:38 +05:30
Samirbous f8e91be329 [New] RemoteMonologue Attack rules (#4604)
* [New] RemoteMonologue Attack rules

https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1
https://github.com/xforcered/RemoteMonologue

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_ntlm_downgrade.toml

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-04-22 15:26:57 -03:00
Jonhnathan 1bab74179e [New Rule] Potential Malicious PowerShell Based on Alert Correlation (#4635)
* [New Rule] Potential Malicious PowerShell Based on Alert Correlation

* Update execution_posh_malicious_script_agg.toml
2025-04-22 13:36:04 -03:00
Jonhnathan 8361cfd205 [New Rule] Potential PowerShell Obfuscation via String Reordering (#4595)
* [New Rule] Potential PowerShell Obfuscation via String Reordering

* Update defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml

* Update defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
2025-04-22 12:26:55 -03:00
Jonhnathan a495b4b9b2 [Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs (#4627) 2025-04-22 11:59:06 -03:00
Jonhnathan a9f99137f3 [New Rule] Dynamic IEX Reconstruction via Method String Access (#4634) 2025-04-22 11:47:03 -03:00
Jonhnathan e11fe78846 [Rule Tuning] Suspicious WMI Event Subscription Created (#4618)
* [Rule Tuning] Suspicious Execution via Scheduled Task

* [Rule Tuning] Suspicious WMI Event Subscription Created
2025-04-16 10:05:20 -03:00
Jonhnathan a5d9d6400a [Rule Tuning] Suspicious Execution via Scheduled Task (#4599) 2025-04-07 22:59:08 +05:30
Samirbous 6d8cfda10f Update defense_evasion_microsoft_defender_tampering.toml (#4573)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-04-01 18:04:29 +01:00
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555)
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
2025-03-26 11:04:14 -04:00