Commit Graph

3314 Commits

Author SHA1 Message Date
Eric Forte 4b8676c586 [Bug] [DaC] Fix Typo in CLI.md (#4491)
* Fix Typo in CLI.md
2025-02-24 10:15:19 -05:00
shashank-elastic 66996ac597 Fix typo in error message (#4489) 2025-02-24 20:16:43 +05:30
Terrance DeJesus 1851ab91fd new hunting queries for Azure device code (#4468) 2025-02-21 11:00:34 -05:00
Terrance DeJesus 4b7aa67213 [New Rule] Adding Coverage for M365 OneDrive Excessive File Downloads with OAuth Token (#4469)
* new rule 'M365 OneDrive Excessive File Downloads with OAuth Token'

* removed Azure data source tag; added saas tag

* removed Azure data source tag; added saas tag

* updated mitre mappings

* added tactic:collection tag

* removed file directory, added targeted_time_window to aggregation
2025-02-21 10:45:04 -05:00
Terrance DeJesus 0b98462cfe [New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458)
* new hunting queries for SNS

* added KEEP to all queries; adjusted description in SNS rule
2025-02-20 10:53:36 -05:00
Terrance DeJesus ec4523a6a9 [Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466)
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'

* bumping patch version

* fixed investigation guide unit test failure

* bump patch
2025-02-20 10:29:04 -05:00
Terrance DeJesus 17ea9fbdd5 [New Rule] Adding Coverage for AWS SNS Topic Created by Rare User (#4455)
* new rule 'AWS SNS Topic Created by Rare User'

* changed file name

* Update rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml

* moved new terms link to investigation guide
2025-02-20 10:05:40 -05:00
shashank-elastic 692a1382bf Fix spacing in Setup information (#4470) 2025-02-20 10:04:13 +05:30
Jonhnathan c0f12ddecf [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags

* Format & order

* Update pyproject.toml

* Update credential_access_cookies_chromium_browsers_debugging.toml
2025-02-19 12:54:31 -03:00
github-actions[bot] bd62867465 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4463) 2025-02-17 18:27:01 +05:30
Jonhnathan b951e86a55 [Rule Tuning] Account Configured with Never-Expiring Password (#4459)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-02-17 07:19:33 -03:00
Jonhnathan 15177246cc [Rule Tuning] Windows - Improve Index Pattern Consistency (#4462) 2025-02-17 07:04:34 -03:00
shashank-elastic aded9deb79 Modify Unit Test to Support Alert Suppression for EQL Sequences (#4457) 2025-02-14 00:14:28 +05:30
Jonhnathan 5155f47b86 [Rule Tuning] Event Aggregation - Fix event.action & event.type conditions (#4445)
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions

* .

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-02-07 18:42:28 -03:00
github-actions[bot] 2bf4cf0b2a Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4453) 2025-02-07 21:41:29 +05:30
Sergey Polzunov a650b028f3 Bumping number of versions per rule to 4 in total (#4451)
* Bumping number of versions per rule to 4 in total

* Add explicit caps

* Simpler comment

* Renaming constants

* Drop to 8.17 again

* Clearer constants

* Drop if condition and extend the comment

* Shorten the lines

* Version bump

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2025-02-07 16:28:36 +01:00
Samirbous 27e8b85840 Update execution_windows_script_from_internet.toml (#4452) 2025-02-07 14:52:56 +00:00
Mika Ayenson c7f5385711 [Rule Tuning] Decrease Interval to 1m for Endpoint Promotions (#4450) 2025-02-07 08:30:35 -06:00
Sergey Polzunov e528feb989 chore(ci): new CI action trigger for REACT testing workflow (#4435)
* React test trigger

* Delete outdated CI trigger

* Fixing a trigger event

* Dummy rule updates

* Fix workflow name

* Fix typo in curl command

* Use correct token

* Using full workflow filename with extension

* Simplified JSON in curl request

* Using a correct value for branch

* Use a correct ref for a workflow

* Fix for invalid field name in a dispatch data

* Simplify json body

* Revert "Dummy rule updates"

This reverts commit 6c18c5b8b39702cd4106c7b46b8534c76c4c9c27.
2025-02-06 19:39:49 +01:00
Ruben Groenewoud b13d6bf314 [New Hunt] Persistence via NetworkManager Dispatcher Script (#4408) 2025-02-06 09:33:42 +01:00
Jonhnathan be54140485 [Rule Tuning] SMB Connections via LOLBin or Untrusted Process (#4444) 2025-02-05 17:32:57 -03:00
Jonhnathan 0268daa17d [Rule Tuning] Tighten Up Elastic Defend Indexes - Linux (#4446) 2025-02-05 15:25:45 -03:00
Jonhnathan ab89dfb98d [Rule Tuning] Tighten Up Elastic Defend Indexes - macOS (#4447) 2025-02-05 15:09:27 -03:00
Jonhnathan 3e0ba33749 [Rule Tuning] Remote Execution via File Shares (#4448) 2025-02-05 14:51:47 -03:00
Ruben Groenewoud 802419178c [New Hunt] Persistence via Desktop Bus (D-Bus) (#4407) 2025-02-05 16:45:17 +01:00
Ruben Groenewoud 1aea556998 [New Hunt] Persistence via PolicyKit (#4406)
* [New Hunt] Persistence via PolicyKit

* ++
2025-02-05 16:29:47 +01:00
Ruben Groenewoud 6fa8a862a2 [New Hunt] General Kernel Manipulation (#4403)
* [New Hunt] General Kernel Manipulation

* Update index.yml
2025-02-05 16:18:51 +01:00
Ruben Groenewoud 32975e5155 [Rule Tuning] Port Scan Rules (#4443) 2025-02-05 15:40:27 +01:00
Terrance DeJesus f1dee060b6 [Hunt Tuning] Fixing Sort Logic in Aviatrix Hunting Query (#4432)
* fixing sort logic error

* Update hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-02-03 21:43:02 -05:00
github-actions[bot] 1dfb05ec1c Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4442) 2025-02-04 00:05:59 +05:30
shashank-elastic a866ee7f57 Fix remaining Replace master doc URLs with current (#4441) 2025-02-03 23:03:20 +05:30
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Samirbous 8f73b88884 [Tuning / New] Execution of a downloaded windows script (#4434)
* [New] Execution of a downloaded windows script

Using 8.15 file events with MOTW info, we can focus on js/vbs/wsh/vbe/jse/hta files downloaded from the internet followed by execution.

* Update defense_evasion_posh_assembly_load.toml

* Update execution_powershell_susp_args_via_winscript.toml

* Update guides

* Update defense_evasion_network_connection_from_windows_binary.toml

* Update execution_windows_script_from_internet.toml

* Update execution_windows_script_from_internet.toml

* Update rules/windows/execution_windows_script_from_internet.toml

* Update rules/windows/execution_powershell_susp_args_via_winscript.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/execution_windows_script_from_internet.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update execution_windows_script_from_internet.toml

* Create command_and_control_tool_transfer_via_curl.toml

* Update command_and_control_tool_transfer_via_curl.toml

* Update command_and_control_tool_transfer_via_curl.toml

* Update execution_windows_script_from_internet.toml

* Create defense_evasion_indirect_exec_forfiles.toml

* Update execution_windows_script_from_internet.toml

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-02-03 14:33:59 +00:00
shashank-elastic aba793f3e5 Add prerelease version Integration manifests & schemas for sentinel_one_cloud_funnel (#4438) 2025-02-03 09:15:14 -05:00
shashank-elastic 350474b7b4 Refresh ECS & Beats schemas, Integration manifests & schemas (#4436) 2025-02-03 19:18:49 +05:30
Ruben Groenewoud 8d29a1f7d5 [New Rule] Process Backgrounded by Unusual Parent (#4431)
* [New Rule] Process Backgrounded by Unusual Parent

* Update execution_process_backgrounded_by_unusual_parent.toml

* Update execution_process_backgrounded_by_unusual_parent.toml
2025-02-03 14:17:15 +01:00
Ruben Groenewoud 14c648598e [Rule Tuning] Linux DR Tuning - Part 6 (#4423)
* [Rule Tuning] Linux DR Tuning - Part 6

* Update privilege_escalation_ld_preload_shared_object_modif.toml

* Update privilege_escalation_ld_preload_shared_object_modif.toml
2025-02-03 14:05:26 +01:00
Ruben Groenewoud 6b84542093 [Rule Tuning] Linux DR Tuning - Part 5 (#4422)
* [Rule Tuning] Linux DR Tuning - Part 5

* Update rules/linux/persistence_xdg_autostart_netcon.toml
2025-02-03 13:53:53 +01:00
Ruben Groenewoud 53b9b53467 [Rule Tuning] Linux DR Tuning - Part 4 (#4421)
* [Rule Tuning] Linux DR Tuning - Part 4

* [Rule Tuning] Linux DR Tuning - Part 4

* Update persistence_etc_file_creation.toml
2025-02-03 13:31:00 +01:00
Ruben Groenewoud 1c98a0d64c [Rule Tuning] Linux DR Tuning - Part 3 (#4420)
* Initial set

* [Rule Tuning] Linux DR - Part 3

* ++

* Update execution_unusual_path_invocation_from_command_line.toml

* Update execution_unusual_path_invocation_from_command_line.toml
2025-02-03 13:17:00 +01:00
Terrance DeJesus bf1caf8b5f [Rule Tuning] December-January AWS Rule Tuning (#4425)
* [Rule Tuning] AWS Monthly Rule Tunings

* Adding several more AWS tunings

* updating patch version

* updating non-ecs type to boolean

* fixed cloudtrail index
2025-01-31 10:35:18 -05:00
Ruben Groenewoud b1a8341371 [Hunt Tuning] Logon Activity by Source IP (#4428) 2025-01-31 15:44:38 +01:00
Ruben Groenewoud b642c55680 [Rule Tuning] Potential OpenSSH Backdoor Logging Activity (#4429) 2025-01-31 15:33:21 +01:00
Ruben Groenewoud 18dd9cb04a [New Rule] Suspicious Usage of bpf_probe_write_user Helper (#4426)
* [New Rule] Suspicious Usage of bpf_probe_write_user Helper

* Update persistence_bpf_probe_write_user.toml
2025-01-29 11:46:40 +01:00
Ruben Groenewoud 52d33c12b8 [Rule Tuning] Linux DR Tuning - Part 2 (#4417) 2025-01-29 10:34:13 +01:00
Terrance DeJesus 4e95bc7891 [New Hunt] Adding Hunting Query for IAM Unusual Default Aviatrix Role Activity (#4409)
* new hunt 'unusual aviatrix default role activity'

* added additional investigation notes
2025-01-28 12:09:29 -05:00
Ruben Groenewoud fed7b216d5 [Rule Tuning] Linux DR Tuning - Part 1 (#4416) 2025-01-28 14:43:00 +01:00
Ruben Groenewoud bbcf0c7c34 [New Hunt] Persistence via Initramfs (#4402)
* [New Hunt] Persistence via Initramfs

* Update index.yml
2025-01-27 10:19:44 +01:00
Ruben Groenewoud 80fe96109b [New & Tuning] Persistence via GRUB Bootloader (#4401)
* [New & Tuning] Persistence via GRUB Bootloader

* testing github version code workflow update

* testing github version code workflow re-order

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-01-27 09:58:43 +01:00
Samirbous 4e6625ae40 [Tuning] Unusual Instance Metadata Service (IMDS) API Request (#4418)
* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-01-24 17:23:32 +00:00