security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,228 Commits 1 Branch 0 Tags
25ad765acbc26e642f580d2ebf0cd3e1cf2425eb
Commit Graph

1596 Commits

Author SHA1 Message Date
Jonhnathan 25ad765acb [Rule Tuning] Include winlogbeat index in sysmon-related rules (#3966) 2024-08-08 12:02:23 -03:00
Terrance DeJesus ff3d51721a [Rule Tuning] Tuning Persistent Scripts in the Startup Directory (#3479) 
* tuning 'Persistent Scripts in the Startup Directory'

* adjusted query logic; added note about performance

* adjusted query logic

* adjusted query logic; added note about performance

* removed newline

* adjusted query logic to be more inclusive

* adjusted query

* adjusted query to leave wildcard and substring searches towards the end

* TOML lint

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* adjusted note; removed setup

* adjusted note; removed setup

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-06 18:42:53 -04:00
shashank-elastic 2ee5ae1f19 Fix Version Bump for Related Integrations (#3960) 2024-08-06 18:48:24 +05:30
Jonhnathan a6f1aa6fd7 [Rule Tuning] Windows Registry Rules Tuning - 2 (#3958) 2024-08-06 17:15:08 +05:30
Jonhnathan 9b85079da1 [Rule Tuning] Windows Registry Rules Tuning - 1 (#3957) 2024-08-06 17:05:17 +05:30
Jonhnathan 11636b159d [New Rule] Outlook Home Page Registry Modification (#3946) 2024-08-05 11:27:58 -03:00
Jonhnathan fbaac66f9f [Rule Tuning] Accepted Default Telnet Port Connection (#3954) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-08-03 20:15:06 -03:00
Jonhnathan 392e813e7a [Rule Tuning] Microsoft IIS Service Account Password Dumped (#3935) 2024-08-02 16:37:45 -03:00
Ruben Groenewoud 93d928625d [Tuning] Executable Bit Set for Potential Persistence Script (#3929) 2024-08-02 21:13:19 +02:00
Jonhnathan ff3f66cacf [Rule Tuning] AWS S3 Object Versioning Suspended (#3953) 2024-08-02 13:36:11 -03:00
Jonhnathan dfdc214be8 [New Rule] Potential Relay Attack against a Domain Controller (#3928) 
* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder
 2024-08-02 13:03:20 -03:00
Jonhnathan 8d3ec2b8a3 [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-08-01 14:06:08 -03:00
Ruben Groenewoud 485312d5f2 [Rule Tuning] System Binary Moved or Copied (#3933) 2024-08-01 18:47:58 +02:00
Isai 62982f9d8c [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#3910) 
* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User

* increased severity score

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-08-01 00:30:02 -04:00
Isai f2eb78219c [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time (#3923) 
* [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time

* Update discovery_new_terms_sts_getcalleridentity.toml

* Update execution_new_terms_ec2_instance_cloudformation_createstack.toml

* Update rules/integrations/aws/execution_new_terms_ec2_instance_cloudformation_createstack.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* rule name change, removed ec2

* Update rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-31 16:55:49 -04:00
Isai 1b58d0640b [New Rule] AWS EC2 Instance Console Login via Assumed Role (#3922) 
* [New Rule] AWS EC2 Instance Console Login via Assumed Role

* added reference for custom url creation

* added STS tag

* added event.provider to query

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-31 15:52:59 -04:00
Isai a28af59d02 [New Rule] AWS EC2 Instance Interaction with IAM Service (#3920) 
* [New Rule] AWS EC2 Instance Interaction with IAM Service

* Update rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-31 15:44:02 -04:00
Jonhnathan 65cacb4960 [New Rule] Potential Active Directory Replication User Backdoor (#3014) 
* [New Rule] Potential Active Directory Replication User Backdoor

* Update credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-31 12:02:34 -03:00
Ruben Groenewoud 134b842361 [Rule Tuning] Removed Endgame from Incompatible Rules (#3931) 
* [Rule Tuning] Removed Endgame from Incompatible Rules

* ++
 2024-07-31 09:26:38 +02:00
shashank-elastic dce5bbd904 Update Rule minstack (#3925) 2024-07-25 17:45:55 +05:30
shashank-elastic f3b0dc1954 Prep for next release 8.16 (#3919) 2024-07-24 11:19:56 -04:00
Jonhnathan 896946ad1b [New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#3917) 
* [New Rule] Active Directory Forced Authentication from Linux Host via SMB Pipes

* Update credential_access_forced_authentication_pipes.toml

* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-24 12:01:10 -03:00
eric-forte-elastic baee89de9b Revert "Prep for next release 8.16 (#3914)" 
This reverts commit 4245a815d2.
 2024-07-23 14:06:04 -04:00
shashank-elastic 4245a815d2 Prep for next release 8.16 (#3914) 
* Prep for Release 8.16

* Add subscription

* Remove double subscription

* Formatting

* Formatting

* Revert Beaconing rules minstack and lock version
 2024-07-23 13:04:03 -04:00
Mika Ayenson 03c99d22d3 Revert "Prep for Release 8.16 (#3913)" 
This reverts commit 01135085f6.
 2024-07-23 09:50:04 -05:00
shashank-elastic 01135085f6 Prep for Release 8.16 (#3913) 2024-07-23 09:42:26 -05:00
Jonhnathan 5536a78d89 [New Rule] Potential WSUS Abuse for Lateral Movement (#3908) 
* [New Rule] Potential WSUS Abuse for Lateral Movement

* Update lateral_movement_via_wsus_update.toml

* Update lateral_movement_via_wsus_update.toml
 2024-07-22 17:04:08 -03:00
Jonhnathan 6bc1913473 [Rule Tuning] PowerShell Rules (#3903) 2024-07-22 08:39:40 -03:00
Ruben Groenewoud a71bbe0cf8 [Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905) 
* [Rule Tuning] Misc. DR Rule Tuning - Part 2

* ++

* Update privilege_escalation_suspicious_uid_guid_elevation.toml

* Update rules/linux/persistence_systemd_service_creation.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-19 15:21:35 +02:00
Ruben Groenewoud 76fdd549a3 [Rule Tuning] Misc. DR Rule Tuning (#3904) 
* [Rule Tuning] Misc. DR Rule Tuning

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml

* I love KQL validation
 2024-07-19 15:13:42 +02:00
Isai 322162f097 [New Rule] AWS S3 Bucket Replicated to Another Account (#3895) 2024-07-18 22:52:39 -04:00
Isai e9cb2228e6 [New Rule] AWS S3 Object Versioning Suspended (#3894) 
* [New Rule] AWS S3 Object Versioning Suspended

* description spacing changes

* update description
 2024-07-18 22:14:46 -04:00
Isai 80f85cff4d [New Rule] AWS S3 Bucket Server Access Logging Disabled (#3892) 
* [New Rule] AWS S3 Bucket Server Access Logging Disabled

* changed severity from low to medium
 2024-07-18 18:28:19 -04:00
Samirbous 6ac278df0c [tuning] Connection to Commonly Abused Web Services (#3901) 
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-18 09:59:53 -03:00
Jonhnathan 1384742f07 [New Rule] Service DACL Modification via sc.exe (#3900) 
* [New Rule] Service DACL Modification via sc.exe

* Update defense_evasion_sc_sdset.toml

* Update defense_evasion_sc_sdset.toml
 2024-07-17 19:39:50 -03:00
Ruben Groenewoud 39350847d6 [New Rules] Git Hook execution/netcon (#3896) 
* [New Rules] Git Hook execution/netcon

* TImestamp formatting change

* Update rules/linux/persistence_git_hook_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-17 15:28:37 +02:00
Ruben Groenewoud 83d6eeb844 [New Rule] RPM Package Installed by Unusual Parent Process (#3882) 
* [New Rule] RPM Package Installed by Unusual Parent Process

* Update persistence_rpm_package_installation_from_unusual_parent.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
 2024-07-17 15:12:17 +02:00
Ruben Groenewoud 8c5910b1a6 [New Rule] Unsafe Docker Container Creation (#3884) 
* [New Rule] Unsafe Docker Container Creation

* Update execution_potentially_overly_permissive_container_creation.toml

* Update execution_potentially_overly_permissive_container_creation.toml

* Update execution_potentially_overly_permissive_container_creation.toml
 2024-07-17 15:03:07 +02:00
Ruben Groenewoud e5d08a2c38 [Rule Tuning] Updated setup guide (#3885) 
* [Rule Tuning] Updated setup guide

* Update persistence_user_or_group_creation_or_modification.toml

* Update rules/linux/persistence_user_or_group_creation_or_modification.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update rules/linux/persistence_user_or_group_creation_or_modification.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-07-17 14:39:38 +02:00
Ruben Groenewoud 56e8e059b6 [New Rules] Docker Entrypoint Netcon / Nsenter Escape (#3883) 
* [New Rules] Docker entrypoint netcon / nsenter escape

* ++

* Update privilege_escalation_docker_escape_via_nsenter.toml

* Update privilege_escalation_docker_escape_via_nsenter.toml

* Better description formatting

* Update execution_egress_connection_from_entrypoint_in_container.toml

* Update privilege_escalation_docker_escape_via_nsenter.toml
 2024-07-15 13:07:36 +02:00
Ruben Groenewoud 82a0cc80a7 [New Rules] DPKG Execution/Installation (#3879) 
* [New Rules] DPKG Execution/Installation

* Update rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml

* Update persistence_dpkg_package_installation_from_unusual_parent.toml

* Update persistence_dpkg_unusual_execution.toml

* Update persistence_dpkg_unusual_execution.toml
 2024-07-15 12:59:03 +02:00
Jonhnathan ffb68174f9 [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#3887) 2024-07-15 06:41:45 -03:00
Isai 44658ea5f6 [Rule Tunings] Change from to prevent double alerts (#3868) 2024-07-11 13:02:10 -04:00
Isai f0ab897f99 [Rule Tunings] AWS Administrator Access Policy Attached Rules (#3867) 
* [Tuning] AWS Administrator Access Policy Attached Rules

* change lookback to prevent overlap

* changed from to now-6m
 2024-07-11 12:49:03 -04:00
George Papakyriakopoulos 80ac2794f2 [Rule BugFix] Google Workspace Oauth2 new app (#3436) 
* [Rule BugFix] Google Workspace Oauth2 new app

In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:

```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```

After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.

We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.

* [Rule BugFix] Google Workspace Oauth2 new app update (#3436)

In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:

```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```

After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.

We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-11 10:45:17 -04:00
Ruben Groenewoud 21485b16fa [Tuning & Changes] Misc rule/hunt tuning (#3875) 
* [Tuning & Changes] Misc rule/hunt tuning

* Bump update_date

* ++

* Updated docs
 2024-07-11 14:55:33 +02:00
Jonhnathan 6e7ece4384 [Rule Tuning] Fix event.action conditions - AD Rules (#3874) 2024-07-10 10:33:14 -03:00
ar3diu b303b8296b [Rule Tuning] LSASS Memory Dump Creation (#3810) 
* Update rule exclusion with process executable path for Windows Fault Reporting binary, WerFaultSecure.exe.

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
 2024-07-10 06:12:38 -05:00
shashank-elastic b66d6e06aa Fix Double Bump For Rule Microsoft Management Console File from Unusual Path (#3878) 2024-07-09 17:59:51 +05:30
Terrance DeJesus 7f3c977192 [Rule Tuning] Tune Attempts to Brute Force a Microsoft 365 User Account (#3860) 
* tuning 'Attempts to Brute Force a Microsoft 365 User Account'

* added reference

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-08 13:07:44 -04:00