security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,807 Commits 1 Branch 0 Tags
1f2ae31f673cd92dfbddbb147d4672c9018ba653
Commit Graph

1807 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Samirbous 4547ee3750 [New Rule] Suspicious Execution - Short Program Name (#536) 
* [New Rule] Suspicious Execution - Short Program Name

* Update rules/windows/execution_suspicious_short_program_name.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-17 21:27:37 +01:00
Samirbous 4741f70fad [New Rule] Potential Remote Desktop Tunneling Detected (#374) 
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility

* Update lateral_movement_rdp_tunnel_plink.toml

* Update lateral_movement_rdp_tunnel_plink.toml

* changed tags

* expanded condition to more than plink

there are other SSH utilities that can be used as Plink thus removed the process original filename condition and added mandatory switches such as -L -P and -R.

* Update lateral_movement_rdp_tunnel_plink.toml

* more args options

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-17 21:25:48 +01:00
Samirbous 14e36c2693 [New Rule] Security Software Discovery using WMIC (#387) 
* [New Rule] Security Software Discovery using WMIC

* added tags

* adjusted args for performance

avoiding leading wildcard in process args

* Update discovery_security_software_wmic.toml

* Update discovery_security_software_wmic.toml

* Update discovery_security_software_wmic.toml

* Update rules/windows/discovery_security_software_wmic.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/discovery_security_software_wmic.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-17 21:23:28 +01:00
Samirbous ba4b8bc3e3 [New Rule] UAC Bypass via Elevated COM IEinstall (#450) 
* [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer

* Linted

* Update privilege_escalation_uac_bypass_com_ieinstal.toml

* adjusted executable path for better performance

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-17 21:21:15 +01:00
Samirbous 3af915ff49 [New Rule] Suspicious Cmd Execution via WMI (#389) 
* [New Rule] Suspicious Cmd Execution via WMI

* Update lateral_movement_suspicious_cmd_wmi.toml

* Update lateral_movement_suspicious_cmd_wmi.toml

* expanded process args for more coverage

* Update rules/windows/lateral_movement_suspicious_cmd_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-11-17 21:19:30 +01:00
David French 9d3395f9e3 Create okta_attempt_to_delete_okta_application.toml (#497) 2020-11-17 08:53:59 -07:00
David French 58e54f40e3 Create okta_attempt_to_deactivate_okta_application.toml (#496) 2020-11-17 08:51:51 -07:00
David French 768069a8bc [New Rule] Attempt to Modify an Okta Application (#495) 
* Create okta_attempt_to_modify_okta_application.toml

* add reference
 2020-11-17 08:49:02 -07:00
David French 88b8bca929 Create persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml (#530) 2020-11-17 08:44:37 -07:00
Justin Ibarra 0573def41c Merge pull request #528 from brokensound77/mergeback/7.10-to-main 
Mergeback 7.10 changes to main
 2020-11-12 20:49:04 +01:00
Justin Ibarra 00f8f83a25 Merge branch 'main' into mergeback/7.10-to-main 2020-11-12 20:28:42 +01:00
Ross Wolf b91203233d Link to the Elastic contributor program (#520) 2020-11-12 07:02:18 -07:00
brokensound77 75d37e9271 Merge remote-tracking branch 'upstream/main' into mergeback/7.10-to-main 2020-11-12 00:59:31 -09:00
brokensound77 123d523cf0 lock version changes for 7.10 2020-11-12 00:52:44 -09:00
Ross Wolf 8ca32f1423 Fix ClientError (NoneType) suffix 2020-11-09 11:08:36 -07:00
Justin Ibarra f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) 2020-11-03 09:51:53 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
Brent Murphy 9838d3d2f7 [Rule Tuning] Remove duplicate rules after EQL conversion (#436) 
* [Rule Tuning] Remove duplicate rules after EQL conversion

* Update defense_evasion_rundll32_sequence.toml

* swap msxsl rules
 2020-10-30 15:49:28 -04:00
Justin Ibarra 3b597bdb72 fix auth args in get_es_client 2020-10-30 09:19:50 -08:00
Justin Ibarra 3827d01a65 fix bugs in es client retrieval 2020-10-29 21:20:49 -08:00
Justin Ibarra a575cf9ff3 [Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431) 2020-10-29 11:06:24 -08:00
Justin Ibarra fda1e7ef94 Bump zoom rule to production (#427) 2020-10-29 11:02:29 -08:00
Justin Ibarra 0d3c35886c Remove connection type from endpoint network rules (#426) 2020-10-28 12:35:34 -08:00
Ross Wolf 7da343e89f Fix kibana upload command (#425) 2020-10-28 10:16:36 -06:00
Ross Wolf a0a8d63baf Merge branch '7.10' into main 2020-10-28 09:40:15 -06:00
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
 2020-10-27 13:34:16 -05:00
Justin Ibarra e71398e2ad [Bug] Fix Kibana client login to work with 7.10 (#404) 2020-10-26 22:25:48 -08:00
Justin Ibarra 442b31bd2f Update packages.yml 2020-10-26 12:07:34 -08:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
Brent Murphy 2e422f7159 [Rule Tuning] Minor Rule Tweaks for 7.10 (#400) 
* Tweak Rules for 7.10

* Add endpoint index for packetbeat rules

* update unit test to account for Network tag as well

* update modified date, add endpoint tag

* use Host instead of Endpoint

* Update packaging.py

* add v back to changelog url

* Add "tag" comment to get_markdown_rule_info

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-10-22 09:07:04 -04:00
Justin Ibarra 0a992d716a [Rule Tuning] Update EQL rules for 7.10 (#399) 
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
 2020-10-21 12:35:18 -08:00
Justin Ibarra fd2d36573d Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364) 2020-10-20 15:22:02 -08:00
Justin Ibarra d3226c72c9 Add test for tactic in rule filename (#398) 2020-10-20 14:48:33 -08:00
Stijn Holzhauer 60b3d47efd Add kibana-upload --space option (#251) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-10-08 12:21:54 -06:00
Justin Ibarra 758e4a2c5b Add unit tests for rule tags (#359) 2020-10-07 19:29:19 -08:00
Justin Ibarra bd680a2bd4 Re-organize commands under more specific click groups (#356) 
* Restructure commands under more specific click groups
* standardize CLI error handling
* add global debug options
* move es and kibana clients into their click groups
* move commands and groups to dedicated files 
* distinguish variable names for better env/config parsing
 2020-10-07 12:15:33 -08:00
Kevin Logan f34c96f4dc [Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355) 2020-10-05 09:55:15 -08:00
Andrew Pease 0b745c5492 [New Rule] Zoom Meeting with no Passcode (#292) 2020-09-30 21:44:45 -08:00
Justin Ibarra bf202b6b6c [New Rule] Initial converted EQL rules (#304) 
* 18 converted eql rules (not all prod)
 2020-09-30 21:40:55 -08:00
Justin Ibarra 2460333595 [Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351) 2020-09-30 16:16:04 -08:00
Samirbous d094c76534 [New Rule] Suspicious Zoom ChildProcess (#245) 2020-09-30 15:46:33 -08:00
Andrew Pease 5ba848552a [New Rule] Post Exploitation Public IP Reconnaissance (#270) 2020-09-30 15:36:22 -08:00
Andrew Pease e753162fe2 [New Rule] Detecting Unsecure Elasticsearch Nodes (#109) 2020-09-30 15:34:38 -08:00
Andrew Pease 1a260536d4 [New Rule] RAR and PowerShell Downloaded from the Internet (#30) 2020-09-30 15:32:44 -08:00
Andrew Pease faeac00465 [New Rule] Possible FIN7 Command and Control Behavior (#28) 2020-09-30 15:26:13 -08:00
Andrew Pease d68e4ac7f0 [New Rule] Hosts File Modified (#25) 2020-09-30 15:24:07 -08:00
Andrew Pease 1620559f1f [New Rule] Halfbaked C2 Beacon (#23) 2020-09-30 15:21:33 -08:00
Andrew Pease 8caf897a73 [New Rule] Cobalt Strike Beacon (#21) 2020-09-30 14:58:24 -08:00
Justin Ibarra 7c1e9c1ed5 Update package summary extras produced during package generation (#341) 
* update summary.txt
* add summary.xlsx
* add changelog entry autogeneration
 2020-09-30 14:43:45 -08:00
Brent Murphy 83fb9bdf93 [Rule Tuning] Update event.code to category (#349) 2020-09-30 14:34:58 -08:00