security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

169 Commits

Author SHA1 Message Date
Ruben Groenewoud a1716bd673 [Rule Tuning] Several rule tunings (#3024) 
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-25 14:03:29 +02:00
Jonhnathan 17f6537e44 [Rule Tuning] Windows BBR Rules (#3018) 
* [Rule Tuning] Windows BBR Rules

* Update discovery_generic_process_discovery.toml
 2023-08-25 05:21:16 -03:00
Jonhnathan 460919a9d7 [Rule Tuning] Compression DLL Loaded by Unusual Process (#3017) 2023-08-25 05:08:36 -03:00
Jonhnathan f8df53626e [New Rule] Potential Masquerading as Windows System32 Executable (#3022) 
* [New Rule] Potential Masquerading as Windows System32 Executable

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-21 15:14:22 -03:00
Jonhnathan 9144dc0448 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-17 13:00:50 -03:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Jonhnathan 2393190edf [New Rule] PowerShell Script with Webcam Video Capture Capabilities (#2935) 
* [New Rule] PowerShell Script with Webcam Video Capture Capabilities

* Update collection_posh_webcam_video_capture.toml

* Update rules_building_block/collection_posh_webcam_video_capture.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-09 15:17:15 -03:00
Ruben Groenewoud ef1fa94c52 [New BBR] Suspicious Clipboard Activity (#2970) 
* [New BBR] Suspicious Clipboard Activity

* Added new line to end of file

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 15:41:23 +02:00
Jonhnathan d1db3a0048 [New Rule] Building Block Rules - Part 4 (#2926) 
* [New Rule] Building Block Rules - Part 4

* Update discovery_win_network_connections.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update rules_building_block/discovery_win_network_connections.toml

* Update rules_building_block/privilege_escalation_unquoted_service_path.toml

* Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml

* Update discovery_net_share_discovery_winlog.toml
 2023-07-31 11:03:57 -03:00
Jonhnathan 6966a6df09 [New Rule] Building Block Rules - Part 3 (#2924) 
* [New Rule] Building Block Rules - Part 3

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Apply suggestions from code review

* Update rules_building_block/discovery_generic_account_groups.toml

* Apply suggestions from code review

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-31 10:28:25 -03:00
Mika Ayenson 3813a08f59 [FR] Add support for BBR rules to the rule loader (#2968) 
---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2023-07-27 11:27:04 -05:00
Ruben Groenewoud 9cc4b0e348 [New BBR] Potential Suspicious File Edit (#2960) 
* [New BBR] Potential Suspicious File Edit

* Added a few more interesting files

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2023-07-26 15:22:56 +02:00
shashank-elastic 93845626b7 Potential Cross Site Scripting ( XSS ) (#2922) 2023-07-20 19:12:00 +05:30
shashank-elastic 8b808b9b83 New Cross Platform BBR Rules (#2920) 2023-07-19 21:27:23 +05:30
shashank-elastic f920bc6151 New Linux BBR Rules (#2917) 2023-07-19 20:12:59 +05:30
Jonhnathan 7949b8a03e [New Rule] Building Block Rules - Part 1 (#2912) 
* [New Rule] Building Block Rules - Part 1

* Update defense_evasion_powershell_clear_logs_script.toml

* Update discovery_posh_generic.toml

* .

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-18 20:01:43 -03:00
Jonhnathan ff2c951136 [New Rule] Potential Masquerading as Communication Apps (#2780) 
* [New Rule] Potential Masquerading as Communication Apps

* ocd

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Apply suggestions from code review

* Merge branch 'main' into comms_masquerade

* Move to BBR folder

* Revert "Merge branch 'main' into comms_masquerade"

This reverts commit 726c63c0cab782a83d9f505e54e55d4edd1f5589.
 2023-06-30 11:46:54 -03:00
Jonhnathan 5da2771c12 [New Rule] [BBR] Expired or Revoked Driver Loaded (#2880) 
* [New Rule] Expired or Revoked Driver Loaded

* Update privilege_escalation_expired_driver_loaded.toml

* Update rules_building_block/privilege_escalation_expired_driver_loaded.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
 2023-06-27 09:18:35 -03:00
eric-forte-elastic 6449cecd08 [FR] Add support for building block rules (BBR) (#2822) 
* added test bbr

* initial implementation

* Added Unit test and exempted bbr from integrations

* fixed linting

* Add schema validation to building block rules

* add separate error messages

* fixed linting

* Add testing bbr validation

* fixed linting

* Add default values

* fixed linting

* added defaults

* fixed linting

* cleaned up test rule

* removed .gitkeep

* read .gitkeep

* Switch to using validates_schema

* addressing some linting

* fixed linting

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* add env variable check

* fix skip function

* updated name

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Add bbr validation unit test

* Clean up comments

* fix linting

* Move convert time to utils

* Moved to rules_building_block

* Add check for only bbr in bbr dir

* fix linting

* additional linting fix

* Changed to bbr rule loader

* fixed bbr default

* Updated error messages and README

* fixed more linting

* Updating root level README

* Fixed convert_time_span calls

* fixed typo in unit test logic and updated txt

* fixed error message

* updated comment for clarity

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated validation methods for clarity

* fix doctring location

* Fixed typo

* updated error messages.

* removed excess whitespace

* Add per rule bypass

* Add single rule bypass

* Split unit tests

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-20 09:00:30 -04:00