security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,501 Commits 1 Branch 0 Tags
282f613ddfe35153abb84f66f15e5e02bebf3b14
Commit Graph

382 Commits

Author SHA1 Message Date
Jonhnathan 282f613ddf [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1 (#4330) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1

* min_stack

* Update defense_evasion_doas_configuration_creation_or_rename.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-01-08 14:40:43 -03:00
Ruben Groenewoud d16f56b4e2 [New Rule] SSH via Backdoored System User (#4336) 
* [New Rule] SSH via Backdoored System User

* ++

* Update persistence_ssh_via_backdoored_system_user.toml

* Update persistence_ssh_via_backdoored_system_user.toml

* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-01-07 13:20:36 +01:00
Ruben Groenewoud 2530c4d376 [New Rule] Pluggable Authentication Module Source Download (#4301) 
* [New Rule] Pluggable Authentication Module Source Download

* Update persistence_pluggable_authentication_module_source_download.toml

* Update rules/linux/persistence_pluggable_authentication_module_source_download.toml
 2025-01-07 13:04:05 +01:00
Ruben Groenewoud feaeabf60c [New Rule] Dynamic Linker (ld.so) Creation (#4306) 2025-01-03 17:06:38 +01:00
Ruben Groenewoud fea5c90ed9 [New Rule] Kernel Object File Creation (#4325) 
* [New Rule] Kernel Object File Creation

* ++

* Update rules/linux/persistence_kernel_object_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-03 16:49:59 +01:00
Ruben Groenewoud 53ca51b20c [New Rule] Simple HTTP Web Server Connection (#4309) 2025-01-03 16:06:28 +01:00
Ruben Groenewoud e26e4e40b4 [New Rule] Simple HTTP Web Server Creation (#4308) 2025-01-03 15:54:25 +01:00
Ruben Groenewoud 0273997581 [New Rule] Loadable Kernel Module Configuration File Creation (#4307) 2025-01-03 15:33:31 +01:00
Ruben Groenewoud 7e775a6c95 [New Rule] Unusual Preload Environment Variable Process Execution (#4305) 2025-01-03 15:23:41 +01:00
Ruben Groenewoud 9424a57207 [Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#4304) 2025-01-03 15:05:05 +01:00
Ruben Groenewoud c9c8e3501e [New Rule] Unusual SSHD Child Process (#4303) 
* [New Rule] Unusual SSHD Child Process

* Update persistence_unusual_sshd_child_process.toml
 2025-01-03 14:50:43 +01:00
Ruben Groenewoud c7fe940206 [New Rule] Pluggable Authentication Module Creation in Unusual Directory (#4302) 
* [New Rule] Pluggable Authentication Module Creation in Unusual Directory

* Update persistence_pluggable_authentication_module_creation_in_unusual_dir.toml

* Update rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
 2025-01-03 14:35:08 +01:00
Ruben Groenewoud 5384191934 [New Rule] PAM Version Discovery (#4300) 
* [New Rule] PAM Version Discovery

* Update discovery_pam_version_discovery.toml

* Update discovery_pam_version_discovery.toml

* Update discovery_pam_version_discovery.toml

* Update rules/linux/discovery_pam_version_discovery.toml
 2025-01-03 14:25:38 +01:00
shashank-elastic f0291b440a Minstack endpoint rules with process.group.id fields (#4294) 2024-12-10 21:03:32 +05:30
Ruben Groenewoud 4e28895e66 [Rule Tuning] Kernel Module Removal (#4269) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-11-25 21:13:44 +01:00
Ruben Groenewoud 56e61a6321 [New Rule] Potential Hex Payload Execution (#4241) 
* [New Rule] Potential Hex Payload Execution

* Update rules/linux/defense_evasion_hex_payload_execution.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 19:15:17 +01:00
Ruben Groenewoud 54bb319f7b [New Rule] Memory Swap Modification (#4239) 
* [New Rule] Memory Swap Modification

* Update rules/linux/impact_memory_swap_modification.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 19:06:55 +01:00
Ruben Groenewoud 3207ca37e4 [New Rule] Unusual Interactive Shell Launched from System User (#4238) 
* [New Rule] Unusual Interactive Shell Launched from System User

* Update defense_evasion_interactive_shell_from_system_user.toml

* Update defense_evasion_interactive_shell_from_system_user.toml

* Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:24:30 +01:00
Ruben Groenewoud 267a6b6fa6 [New Rule] Web Server Spawned via Python (#4236) 
* [New Rule] Web Server Spawned via Python

* Update execution_python_webserver_spawned.toml

* Update rules/linux/execution_python_webserver_spawned.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_python_webserver_spawned.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:16:19 +01:00
Ruben Groenewoud 83f31e1640 [New Rule] Directory Creation in /bin directory (#4227) 
* [New Rule] Directory Creation in /bin directory

* Description fix

* Update rules/linux/defense_evasion_directory_creation_in_bin.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:07:06 +01:00
Ruben Groenewoud 6040b6aee4 [New Rule] Hidden Directory Creation via Unusual Parent (#4226) 
* [New Rule] Hidden Directory Creation via Unusual Parent

* Update rules/linux/defense_evasion_hidden_directory_creation.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:58:13 +01:00
Ruben Groenewoud 43148a72f4 [New Rule] Security File Access via Common Utilities (#4243) 
* [New Rule] Security File Access via Common Utilities

* [New Rule] Security File Access via Common Utilities

* Update discovery_security_file_access_via_common_utility.toml
 2024-11-08 17:41:33 +01:00
Ruben Groenewoud f89e245e29 [New Rule] Potential Data Splitting Detected (#4235) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:32:59 +01:00
Ruben Groenewoud 3e268282d1 [New Rule] Private Key Searching Activity (#4242) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:13:55 +01:00
Ruben Groenewoud 40118186fb [New Rule] IPv4/IPv6 Forwarding Activity (#4240) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:06:07 +01:00
Ruben Groenewoud 993c60decb [New Rule] Curl SOCKS Proxy Activity from Unusual Parent (#4237) 
* [New Rule] Curl SOCKS Proxy Activity from Unusual Parent

* OS Type update

* Update rules/linux/command_and_control_curl_socks_proxy_detected.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 16:51:18 +01:00
shashank-elastic d2502c7394 Prep for Release 8.17 (#4256) 2024-11-07 23:53:04 +05:30
Ruben Groenewoud 9e4fce6586 [Rule Tuning] Potential Linux Hack Tool Launched (#4191) 2024-10-25 17:23:48 +02:00
Ruben Groenewoud b0bba39007 [Rule Tuning] Linux User Added to Privileged Group (#4206) 2024-10-25 14:21:20 +02:00
Terrance DeJesus d0225c37df [Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169) 
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'

* added missing bracket

* linted

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

* removed intelephense whitelisting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-10-18 11:50:57 -04:00
Ruben Groenewoud 42f6c8f9a5 [Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165) 2024-10-18 17:13:44 +02:00
Ruben Groenewoud b309bcb7ae [Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 5

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
 2024-10-18 17:02:26 +02:00
Ruben Groenewoud 601254488b [BBR Promotion] Q2 Linux BBR Promotion (#4172) 
* [BBR Promotion] Q2 Linux BBR Promotion

* Update collection_linux_clipboard_activity.toml

* Update defense_evasion_creation_of_hidden_files_directories.toml
 2024-10-18 16:55:09 +02:00
Ruben Groenewoud ac6a49eeea [Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167) 2024-10-18 16:25:54 +02:00
Ruben Groenewoud 39fc23cb3d [Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
 2024-10-18 16:18:14 +02:00
Ruben Groenewoud 3982228132 [Rule Tuning] Q2 Linux DR Tuning - Part 2 (#4163) 2024-10-18 16:07:09 +02:00
Ruben Groenewoud af9f9e2456 [Rule Tuning] Q2 Linux DR Tuning - Part 1 (#4162) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 1

* Update defense_evasion_binary_copied_to_suspicious_directory.toml
 2024-10-18 15:59:51 +02:00
Ruben Groenewoud 5b41bbd5e9 [Tuning] Updated references (#4114) 2024-10-01 08:43:14 -03:00
Ruben Groenewoud a3e89a7fab [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) (#4106) 
* [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE)

* Description update

* Investigation Guide Update
 2024-09-27 14:48:03 +02:00
Mika Ayenson b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097) 
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-25 15:19:20 -05:00
Samirbous e30dc312e4 [Tuning] Potential Execution via XZBackdoor (#4053) 
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
 2024-09-05 20:13:32 +01:00
Terrance DeJesus be611be8b3 [New Rule] Instance Metadata Service (IMDS) API Requests - Linux (#4005) 
* new rule metadata API requests

* updated description and name

* added Ipv6

* adjusted query

* rule name fix

* changed to EQL; added discovery tactic

* removed timestamp override

* adding host.os.type

* adjusted description

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* adjusted query

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-05 10:08:32 -04:00
Ruben Groenewoud 9f964b68a4 [New Rule] Root Certificate Installation (#4025) 
* [New Rule] Root Certificate Installation

* Update defense_evasion_root_certificate_installation.toml

* Update rules/linux/defense_evasion_root_certificate_installation.toml
 2024-09-03 17:40:17 +02:00
Ruben Groenewoud b3a75899d5 [New Rule] SELinux Configuration Creation or Modification (#4024) 
* [New Rule] SELinux Configuration Creation or Modification

* Update rules/linux/defense_evasion_selinux_configuration_creation_modification.toml

* Rename defense_evasion_selinux_configuration_creation_modification.toml to defense_evasion_selinux_configuration_creation_or_renaming.toml

* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml

* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
 2024-09-01 10:14:59 +02:00
Ruben Groenewoud fb07033159 [New Rule] Attempt to Disable Auditd Service (#4028) 
* [New Rule] Attempt to Disable Auditd Service

* Update defense_evasion_attempt_to_disable_auditd_service.toml

* Update rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-09-01 09:51:13 +02:00
Ruben Groenewoud 30cd1b6a00 [New Rule] Potential Defense Evasion via Doas (#4027) 
* [New Rule] Potential Defense Evasion via Doas

* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml

* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Rename defense_evasion_doas_configuration_creation_or_modification.toml to defense_evasion_doas_configuration_creation_or_rename.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-08-29 21:19:13 +02:00
Ruben Groenewoud 19b4a4d7dd [New Rule] SSL Certificate Deletion (#4026) 
* [New Rule] SSL Certificate Deletion

* Update defense_evasion_ssl_certificate_deletion.toml

* Update rules/linux/defense_evasion_ssl_certificate_deletion.toml
 2024-08-29 21:10:59 +02:00
Terrance DeJesus 6aaccc64a6 [New Rule] AWS CLI Command with Custom Endpoint URL (#4002) 
* new rule AWS CLI COmmand with Custom Endpoint URL

* fixed query

* added host os type

* added timestamp override
 2024-08-28 09:58:08 -04:00
Ruben Groenewoud 162a48c97f [New Rule] Openssl Client or Server Activity (#3930) 
* [New Rule] Openssl Client or Server Activity

* Endgame support

* Added one exclusion

* Update execution_shell_openssl_client_or_server.toml

* Update execution_shell_openssl_client_or_server.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-22 16:53:31 +02:00
Ruben Groenewoud c58ae92dd1 [New Rule] Dynamic Linker Creation or Modification (#3969) 
* [New Rule] Dynamic Linker Creation or Modification

* Removed new line from description

* Update rules/linux/defense_evasion_dynamic_linker_file_creation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update defense_evasion_dynamic_linker_file_creation.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-08-10 10:25:55 +02:00