security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
176 Commits 1 Branch 0 Tags
230cd73e287ccc09ffb7a9754bed6862f637ba81
Commit Graph

29 Commits

Author SHA1 Message Date
Jonhnathan a37494cd5b [Rule Tuning] Abnormal Process ID or Lock File Created (#2113) 
* [Rule Tuning] Abnormal Process ID or Lock File Created

* Update rules/linux/execution_abnormal_process_id_file_created.toml

* Update execution_abnormal_process_id_file_created.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit c5ff8511a9)
 2022-08-23 13:00:39 +00:00
Jonhnathan ad880bb7df [Rule Tuning] Standardizing Risk Score according to Severity (#2242) 
(cherry picked from commit 6e2d20362a)
 2022-08-22 01:30:44 +00:00
shashank-elastic 72fc1e4231 Rule tuning as part of Linux Detection Rules Review (#2210) 
(cherry picked from commit 19d9a7eb87)
 2022-08-02 12:17:59 +00:00
shashank-elastic 6dfbcb61eb Rule(s) to identify potential mining activities (#2185) 
(cherry picked from commit b2b5c170dd)
 2022-07-29 17:31:28 +00:00
shashank-elastic 40529e9150 Rule tuning as part of Linux Detection Rules Review (#2170) 
(cherry picked from commit 8afded11e7)
 2022-07-29 16:26:57 +00:00
shashank-elastic 8d4606d0dc Rule(s) deprecation as part of Linux Detection Rule Review (#2163) 
(cherry picked from commit e9267e544c)
 2022-07-26 13:19:25 +00:00
Colson Wilhoit 883607488a [New Rule] File made Immutable by Chattr (#2161) 
* [New Rule] File made Immutable by Chattr

* Update rules/linux/defense_evasion_chattr_immutable_file.toml

(cherry picked from commit c222d4528d)
 2022-07-25 18:12:55 +00:00
Colson Wilhoit a138a1f2a2 [New Rule] Chkconfig Service Add (#2159) 
* [New Rule] Chkconfig Service Add

* Update rules/linux/persistence_chkconfig_service_add.toml

(cherry picked from commit 146f59f4bd)
 2022-07-25 16:44:01 +00:00
Colson Wilhoit d988fcb0de [New Rule] Suspcious Etc File Creation (#2160) 
* [New Rule] Suspcious Etc File Creation

* Update rules/linux/persistence_etc_file_creation.toml

* Update MITRE syntax

* Update rules/linux/persistence_etc_file_creation.toml

* Update rules/linux/persistence_etc_file_creation.toml

* Update rules/linux/persistence_etc_file_creation.toml

(cherry picked from commit 1746897359)
 2022-07-25 13:49:28 +00:00
Terrance DeJesus 141b00ec41 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073) 
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Removed changes from:
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

(selectively cherry picked from commit e8c39d19a7)
 2022-07-22 18:31:42 +00:00
Colson Wilhoit 7909fb47a0 [New Rule] Hidden so file (#2131) 
* [New Rule] Hidden Shared Object File

* [Rule Tuning] Hidden File from Tmp

* Update updated_date

* Update rules/linux/defense_evasion_hidden_shared_object.toml

* Update rules/linux/defense_evasion_hidden_shared_object.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/defense_evasion_hidden_shared_object.toml

* Update rules/linux/defense_evasion_hidden_shared_object.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 98d93bc21e)
 2022-07-22 16:39:00 +00:00
Mika Ayenson 62298d92f4 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit a52751494e)
 2022-07-18 21:25:32 +00:00
Colson Wilhoit 4235b5d798 [New Rule] Dynamic Linker Copy (#2099) 
* [New Rule] Dynamic Linker Copy

* Update rules/linux/persistence_dynamic_linker_backup.toml

* Update rules/linux/persistence_dynamic_linker_backup.toml

* Update rules/linux/persistence_dynamic_linker_backup.toml

(cherry picked from commit 9995558b2a)
 2022-07-13 15:18:44 +00:00
Colson Wilhoit 4913be81e0 [New Rule] Tc BPF Filter (#2091) 
* tc bpf filter

* Update rules/linux/execution_tc_bpf_filter.toml

(cherry picked from commit 58ad0823ca)
 2022-07-13 14:42:49 +00:00
Colson Wilhoit 3e73a3c60a [New Rule] Insmod kernel module load (#2093) 
* insmod kernel module load

* Update rules/linux/persistence_insmod_kernel_module_load.toml

* Update rules/linux/persistence_insmod_kernel_module_load.toml

(cherry picked from commit d7d0466344)
 2022-07-13 14:23:29 +00:00
shashank-elastic 69237c4ed2 [Rule tuning] existing strace activity rule. (#2028) 
* Update description and MITTRE Attack details

(cherry picked from commit 2ee23bd80f)
 2022-06-16 11:49:16 +00:00
shashank-elastic b12d1cb978 [Rule Tuning] Add MITRE Details to exisisting hpining activity rule. (#2012) 
* Add MITRE Details to existing hping activity rule.

(cherry picked from commit f02325fe2f)
 2022-06-02 05:08:23 +00:00
shashank-elastic 821e04aaf8 Linux binary(s) ftp shell evasion threat (#2007) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 98a85ddcee)
 2022-06-01 16:40:06 +00:00
shashank-elastic 75f8928d1f [Rule tuning] Linux binary(s) shell evasion threat 
* Linux binary(s) git shell evasion threat

(cherry picked from commit fd7a6d63b0)
 2022-05-25 13:53:22 +00:00
shashank-elastic 44046642e7 [Rule tuning] Linux binary(s) shell evasion threat (#1957) 
* Linux binary(s) shell evasion threat

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 51b2d9da4b)
 2022-05-25 03:04:53 +00:00
Justin Ibarra 0796082300 [Rule tuning] Unusual Process Execution - Temp (#1968) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 1840a638c8)
 2022-05-23 15:06:55 +00:00
Mika Ayenson a2dbfff31b [Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974) 
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag

(cherry picked from commit 77966473d1)
 2022-05-20 15:12:56 +00:00
Colson Wilhoit 4817bf26c8 [Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root (#1983) 
* [Rule Tuning] Update Rule Name

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

(cherry picked from commit d12f45c6ba)
 2022-05-17 22:43:06 +00:00
Terrance DeJesus a440d87f67 [New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975) 
* adding initial rule

* adjusted UUID

* removed event.ingested as query is a sequence

* changed file name to match mitre ATT&CK tactic

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* TOML linted

* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml

Just edited a couple grammar things. Looks good

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* added additional tactic for privilege escalation and linted

* formatted query to be more readable

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit c89f423961)
 2022-05-16 21:24:34 +00:00
Terrance DeJesus c7d1ea428c [New Rule] Abnormal Process ID File Creation (#1964) 
* adding rule detection

* changed Rule ID

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Adding reboot extension as well.

Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Adding reboot to description.

Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Added additional reference to similar threat.

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added rule for a process starting where the executable's name represented a PID file

* Adjusted user.id value from integer to string

* Added simple investigation notes and osquery coverage

* TOML linting

* Updated date to reflect recent changes

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 1704924f7b)
 2022-05-12 14:40:34 +00:00
Terrance DeJesus b5f473a444 [New Rule] Executable Launched from Shared Memory Directory (#1961) 
* new rule to check for executables launched from shared memory directory

* added references and false positive instances

* Update rules/linux/execution_shared_memory_executable.toml

* Update rules/linux/execution_shared_memory_executable.toml

* Update rules/linux/execution_shared_memory_executable.toml

* adjusted process to account for var run and lock directories

* TOML lint and query formatting

* TOML lint and query formatting

* Update rules/linux/execution_process_started_in_shared_memory_directory.toml

* Update rules/linux/execution_process_started_in_shared_memory_directory.toml

* Update rules/linux/execution_process_started_in_shared_memory_directory.toml

* Update rules/linux/execution_process_started_in_shared_memory_directory.toml

* added BPFDoor tag to be threat specific

* TOML linting and adjusted risk because of root requirement

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 5f447a63a2)
 2022-05-11 16:22:41 +00:00
Terrance DeJesus 5769a21867 [Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945) 
* updated content to reflect changes from Security Docs team

* Update rules/linux/execution_flock_binary.toml

* Update rules/linux/execution_expect_binary.toml

* TOML linting

* added escape for crdential_access_spn_attribute_modified.toml

(cherry picked from commit e9f5585a9f)
 2022-05-06 17:23:22 +00:00
Justin Ibarra eeb8ab7744 Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit 6bdfddac8e)
 2022-04-01 23:28:54 +00:00
Colson Wilhoit 150ff0502e Linux Shell Evasion Rule Tuning (#1878) 
* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-29 21:03:35 -04:00