Jonhnathan
080a891c79
[Rule Tuning] 3rd Party EDR Compatibility - 15 (#4040)
* [Rule Tuning] 3rd Party EDR Compatibility - 15
* min_stack for merge, bump updated_date
2024-10-11 18:33:22 -03:00
Jonhnathan
10a8cef21f
[Rule Tuning] 3rd Party EDR Compatibility - 14 (#4039)
* [Rule Tuning] 3rd Party EDR Compatibility - 14
* min_stack for merge, bump updated_date
2024-10-11 17:22:53 -03:00
Jonhnathan
07c4535871
[Rule Tuning] 3rd Party EDR Compatibility - 13 (#4038)
* [Rule Tuning] 3rd Party EDR Compatibility - 13
* min_stack for merge, bump updated_date
2024-10-11 16:55:02 -03:00
Jonhnathan
0cbbae4f83
[Rule Tuning] 3rd Party EDR Compatibility - 12 (#4037)
* [Rule Tuning] 3rd Party EDR Compatibility - 12
* min_stack for merge, bump updated_date
2024-10-11 16:37:20 -03:00
Jonhnathan
32d02ae7aa
[Rule Tuning] 3rd Party EDR Compatibility - 11 (#4036)
* [Rule Tuning] 3rd Party EDR Compatibility - 11
* min_stack for merge, bump updated_date
2024-10-11 16:14:40 -03:00
Jonhnathan
7b655759ab
[Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035)
* [Rule Tuning] 3rd Party EDR Compatibility - 10
* min_stack for merge, bump updated_date
2024-10-11 15:58:37 -03:00
Jonhnathan
8938f09668
[Rule Tuning] 3rd Party EDR Compatibility - 9 (#4034)
* [Rule Tuning] 3rd Party EDR Compatibility - 9
* min_stack for merge, bump updated_date
2024-10-11 15:41:36 -03:00
Jonhnathan
5b17dfa63a
[Rule Tuning] 3rd Party EDR Compatibility - 8 (#4032)
* [Rule Tuning] 3rd Party EDR Compatibility - 8
* min_stack for merge, bump updated_date
2024-10-11 15:12:58 -03:00
Jonhnathan
6b71ad7ab9
[Rule Tuning] 3rd Party EDR Compatibility - 7 (#4031)
* [Rule Tuning] 3rd Party EDR Compatibility - 7
* min_stack for merge, bump updated_date
2024-10-11 15:01:45 -03:00
Jonhnathan
fbe17eb1ee
[Rule Tuning] 3rd Party EDR Compatibility - 6 (#4030)
* [Rule Tuning] 3rd Party EDR Compatibility - 6
* min_stack for merge, bump updated_date
2024-10-11 14:34:42 -03:00
Jonhnathan
f91a6fa8d6
[Rule Tuning] 3rd Party EDR Compatibility - 5 (#4022)
* [Rule Tuning] 3rd Party EDR Compatibility - 5
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
2024-10-11 14:21:17 -03:00
Jonhnathan
f021229da4
[Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021)
* [Rule Tuning] 3rd Party EDR Compatibility - 4
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
2024-10-11 13:33:32 -03:00
Jonhnathan
2afb4038db
[Rule Tuning] 3rd Party EDR Compatibility - 3 (#4020)
* [Rule Tuning] 3rd Party EDR Compatibility - 3
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
2024-10-11 13:19:56 -03:00
Jonhnathan
4538bfcd9f
[Rule Tuning] 3rd Party EDR Compatibility - 2 (#4019)
* [Rule Tuning] 3rd Party EDR Compatibility - 2
* Update credential_access_iis_connectionstrings_dumping.toml
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
2024-10-11 12:55:31 -03:00
Jonhnathan
6be1f0bad6
[Rule Tuning] 3rd Party EDR Compatibility - 1 (#4017)
* [Rule Tuning] 3rd Party EDR Compatibility - 1
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* bump updated_date to 8.16 release date
* min_stack for merge, bump updated_date
* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
2024-10-11 12:09:11 -03:00
Samirbous
a68a404bd8
Update defense_evasion_posh_assembly_load.toml (#4112)
2024-10-01 17:30:38 +05:30
Samirbous
1d1b2eb90f
Update command_and_control_tunnel_vscode.toml (#4104)
2024-09-28 11:46:46 +01:00
Mika Ayenson
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules (#4097)
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-09-25 15:19:20 -05:00
shashank-elastic
814130bf34
min_stack New Rules that use the S1 Integration (#4081)
2024-09-16 20:12:09 +05:30
Jonhnathan
7c78e4081f
[Rule Tuning] min_stack New Rules that use the S1 Integration (#4079)
* [Rule Tuning] min_stack New Rules that use the S1 Integration
* Update execution_windows_powershell_susp_args.toml
* Update execution_initial_access_foxmail_exploit.toml
2024-09-16 11:02:46 -03:00
Samirbous
31ca246ea7
[New] Potential Foxmail Exploitation (#4044)
* Create execution_initial_access_foxmail_exploit.toml
* Update execution_initial_access_foxmail_exploit.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-16 12:29:40 +01:00
Samirbous
41a7a5f049
[New] Execution via Windows Command Debugging Utility (#3918)
* [New] Execution via Windows Command Debugging Utility
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
* Update defense_evasion_lolbas_win_cdb_utility.toml
* ++
* Update defense_evasion_lolbas_win_cdb_utility.toml
2024-09-16 09:14:39 +01:00
Samirbous
f26d7fc81b
[New] Persistence via a Windows Installer (#4055)
* Create persistence_msi_installer_task_startup.toml
* Update persistence_msi_installer_task_startup.toml
* Update persistence_msi_installer_task_startup.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-16 07:50:57 +01:00
Samirbous
b60b6e2af3
[New] Attempt to establish VScode Remote Tunnel (#4061)
* [New] Attempt to establish VScode Remote Tunnel
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update rules/windows/command_and_control_tunnel_vscode.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-09-16 07:39:39 +01:00
Samirbous
3a3400c8e5
[New] MsiExec Service Child Process With Network Connection (#4062)
* [New] MsiExec Service Child Process With Network Connection
Converted an ER diag rule to a SIEM rule, as it matches on a good number of MSI-related FNs.
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-15 20:22:44 +01:00
Samirbous
56fc2beb46
[New] Suspicious PowerShell Execution via Windows Scripts (#4060)
* [New] Suspicious PowerShell Execution via Windows Scripts
This PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1, M365D and Winlog/Sysmon.
* Update execution_powershell_susp_args_via_winscript.toml
* Create defense_evasion_script_via_html_app.toml
* ++
* Update defense_evasion_script_via_html_app.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-15 19:51:21 +01:00
Samirbous
b6162abefa
[New] WPS Office Exploitation via DLL Hijack (#4043)
* Create execution_initial_access_wps_dll_exploit.toml
* Update execution_initial_access_wps_dll_exploit.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-15 11:23:35 +01:00
Samirbous
9255dafe53
[New] Detonate LNK TOP Rules (#4058)
* [New] Detonate LNK TOP Rules
The following two rules are the top ones matching on TPs from detonate for LNK files; converting them to SIEM rules compatible with Sysmon/Winlogbeat, SentinelOne and M365 Defender:
https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution.toml#L8
https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml#L8
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update rules/windows/execution_windows_cmd_shell_susp_args.toml
* Update rules/windows/execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-15 10:49:17 +01:00
Samirbous
cad3865fcf
[New] Potential Escalation via Vulnerable MSI Repair - CVE-2024-38014 (#4076)
* [New] Potential Escalation via Vulnerable MSI Repair
https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/
* Update privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-13 17:57:44 +01:00
Jonhnathan
127a56aede
[Rule Tuning] Remote Execution via File Shares (#4067)
* [Rule Tuning] Remote Execution via File Shares
* Update lateral_movement_execution_via_file_shares_sequence.toml
2024-09-11 10:49:41 -03:00
Samirbous
dc9c58527f
[Tuning] Unusual Network Activity from a Windows System Binary (#4065)
* Update defense_evasion_network_connection_from_windows_binary.toml
* Update defense_evasion_network_connection_from_windows_binary.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-10 13:30:56 -03:00
Jonhnathan
e60c21b37b
[Rule Tuning] Enumeration of Privileged Local Groups Membership (#4016)
2024-08-27 09:54:19 -03:00
Jonhnathan
70c3a6f7b1
[Rule Tuning] Potential privilege escalation via CVE-2022-38028 (#4004)
2024-08-22 15:32:28 -03:00
Jonhnathan
4c44f98cd6
[Rule Tuning] LSASS Process Access via Windows API (#3975)
* [Rule Tuning] LSASS Process Access via Windows API
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
2024-08-14 11:42:18 -03:00
Terrance DeJesus
3500c3db15
[Rule Tuning] Tuning Direct Outbound SMB Connection (#3485)
* tuning 'Direct Outbound SMB Connection'
* removed lolbas references
* reverted EQL function due to escaped characters in substring match
* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* reverted internal address exclusion; adjusted rule name and description
* removing min-stack
* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-08-13 13:53:07 -04:00
Terrance DeJesus
74d8186aeb
[Rule Tuning] Tuning MsBuild Making Network Connections (#3482)
* tuning 'MsBuild Making Network Connections'
* added performance note; added comments in query
* adjusted array search
* linting
* updated query logic; updated date
* updated query logic
* fixed query error
* changed query logic
* removing min-stack
* reverting change
* updated network sequence event
2024-08-13 12:55:08 -04:00
Jonhnathan
8950d33539
[Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#3964)
* [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation
* .
* ++
2024-08-09 13:23:16 -03:00
Jonhnathan
20f4242566
[Rule Tuning] Simple KQL to EQL Conversion (#3948)
* [Rule Tuning] Simple KQL to EQL Conversion
* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update privilege_escalation_group_policy_iniscript.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-08-09 13:11:27 -03:00
Jonhnathan
fcc8aaaf63
[Rule Tuning] Fix missing Winlogbeat index (#3976)
* [Rule Tuning] Fix missing Winlogbeat index
* bump
2024-08-09 12:46:33 -03:00
Jonhnathan
207dc55ede
[Rule Tuning] Windows File-based Rules Tuning (#3963)
* [Rule Tuning] Windows File-based Rules Tuning
* Update credential_access_lsass_memdump_file_created.toml
* .
2024-08-09 12:26:58 -03:00
Jonhnathan
f5069763b6
[Rule Tuning] Add System tag to DRs (#3968)
* [Rule Tuning] Add System tag to DRs
* bump
2024-08-09 11:14:33 -03:00
Terrance DeJesus
698e830f9f
[Rule Tuning] Removing Minimum Stack Compatibility (#3974)
* removing min-stack
* removing min-stack
* updating date
2024-08-08 11:47:48 -04:00
Terrance DeJesus
fe9ba15a2a
[Rule Tuning] Tuning Suspicious HTML File Creation for Performance (#3480)
* tuning 'Suspicious HTML File Creation'
* TOML lint; reverted EQL function checks
* updated date
2024-08-08 11:12:55 -04:00
Jonhnathan
25ad765acb
[Rule Tuning] Include winlogbeat index in sysmon-related rules (#3966)
2024-08-08 12:02:23 -03:00
Terrance DeJesus
ff3d51721a
[Rule Tuning] Tuning Persistent Scripts in the Startup Directory (#3479)
* tuning 'Persistent Scripts in the Startup Directory'
* adjusted query logic; added note about performance
* adjusted query logic
* adjusted query logic; added note about performance
* removed newline
* adjusted query logic to be more inclusive
* adjusted query
* adjusted query to leave wildcard and substring searches towards the end
* TOML lint
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* adjusted note; removed setup
* adjusted note; removed setup
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* updated date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-08-06 18:42:53 -04:00
shashank-elastic
2ee5ae1f19
Fix Version Bump for Related Integrations (#3960)
2024-08-06 18:48:24 +05:30
Jonhnathan
a6f1aa6fd7
[Rule Tuning] Windows Registry Rules Tuning - 2 (#3958)
2024-08-06 17:15:08 +05:30
Jonhnathan
9b85079da1
[Rule Tuning] Windows Registry Rules Tuning - 1 (#3957)
2024-08-06 17:05:17 +05:30
Jonhnathan
11636b159d
[New Rule] Outlook Home Page Registry Modification (#3946)
2024-08-05 11:27:58 -03:00
Jonhnathan
392e813e7a
[Rule Tuning] Microsoft IIS Service Account Password Dumped (#3935)
2024-08-02 16:37:45 -03:00