security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,537 Commits 1 Branch 0 Tags
28c3d074b82d0ea0fb479c962df026a0ea574734
Commit Graph

2537 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ruben Groenewoud 28c3d074b8 [New Rule] Process Started with Executable Stack (#4340) 
* [New Rule] Process Started with Executable Stack

* [New Rule] Process Started with Executable Stack

* Update execution_executable_stack_execution.toml

* Update rules/linux/execution_executable_stack_execution.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-01-17 17:36:39 +01:00
Terrance DeJesus ca3994af0d [Deprecation] Deprecating Potential Password Spraying of Microsoft 365 User Accounts (#4394) 
* Deprecating 'Potential Password Spraying of Microsoft 365 User Accounts'

* adding 'Deprecated - Suspicious JAVA Child Process'

* updated dates

* changed to deprecated maturity
 2025-01-17 10:52:13 -05:00
Ruben Groenewoud ac541f0b18 [New Rules] Kernel Seeking/Unpacking Activity (#4341) 
* [New Rules] Kernel Seeking/Unpacking Activity

* ++
 2025-01-16 12:04:04 +01:00
Ruben Groenewoud bba5096efa [New Rule] System Binary Path File Permission Modification (#4339) 2025-01-16 10:32:23 +01:00
Ruben Groenewoud 75c7c09595 [New Rule] Suspicious Path Invocation from Command Line (#4338) 2025-01-16 10:20:37 +01:00
Ruben Groenewoud 9186c5e14a [New BBR] Linux System Information Discovery via Getconf (#4337) 
* [New BBR] Linux System Information Discovery via Getconf

* ++

* Update discovery_linux_sysctl_enumeration.toml
 2025-01-16 10:05:29 +01:00
Terrance DeJesus 5162067a51 [New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377) 
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'

* updated pyproject patch version

* bump repo version

* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

* updating patch version

* updating patch version

* Adding additional threshold rule
 2025-01-15 14:11:58 -05:00
Terrance DeJesus c04ae6d444 [New Rule] Adding Coverage for SNS Topic Message Publish by Rare User (#4350) 
* new rule 'SNS Topic Message Publish by Rare User'

* added new terms note

* added investigation guide tag

* fixed tag, added investigation fiedls

* toml lint

* fixed mitre ATT&CK mapping
 2025-01-15 13:55:45 -05:00
Terrance DeJesus 97b3f43870 [New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328) 
* new rule 'AWS EC2 Deprecated AMI Discovery'

* updated type

* updated non-ecs; bumped package version

* updated query

* added missing index

* updated patch version
 2025-01-15 11:53:18 -05:00
shashank-elastic 32f596629d Provide Deprecate Warnings for Experimental ML commands (#4365) 2025-01-15 21:53:16 +05:30
Terrance DeJesus f8312cc5b0 [Rule Tuning] Adjusting Verbiage for AWS EC2 Instance Connect SSH Public Key Uploaded (#4334) 
* tuning rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'

* updating subtechnique ID

* added mitre tag lateral movement

* changing sequence of mitre ATT&CK
 2025-01-15 11:12:53 -05:00
Terrance DeJesus f97007f3a8 [New Rule] Adding Coverage for AWS SQS Queue Purge (#4354) 
* new rule 'AWS SQS Queue Purge'

* Update rules/integrations/aws/defense_evastion_sqs_purge_queue.toml

* added investigation guide tag; fixed file name
 2025-01-15 10:52:22 -05:00
Jonhnathan 447fce3b08 [Rule Tuning] Suspicious Communication App Child Process (#4369) 2025-01-15 12:13:10 -03:00
Eric Forte cc00963fc3 [Bug] [DaC] Actions Connector Defaults to None (#4376) 
* Add explicit calls to pass directories

* Bump Version
 2025-01-15 09:31:23 -05:00
Jonhnathan 74f11dbf7f [Rule Tuning] Posh BBRs (#4372) 2025-01-15 11:00:21 -03:00
Terrance DeJesus c912b78586 maintenance - remove hunting TOML files from repo version checks (#4374) 2025-01-14 14:45:53 -05:00
Samirbous bcca0a2016 [New] Sensitive Audit Policy Sub-Category Disabled (#4373) 
* [New] Sensitive Audit Policy Sub-Category Disabled

https://elasticstack.slack.com/archives/C016E72DWDS/p1736784727633579

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-14 12:13:45 -03:00
Ruben Groenewoud e822af47a4 [Hunt Tuning] Persistence via SSH Configurations and/or Keys (#4351) 
* [Hunt Tuning] Persistence via SSH Configurations and/or Keys

* ++

* Revert "Merge branch 'main' into hunt-update-ssh-authorized-keys"

This reverts commit 2b31a3bb49e51a4c9f4752ad6880c3f398032b4e, reversing
changes made to 263ffd5eb98f53282850b4f777df4091f3f03926.

* ++

* Update pyproject.toml
 2025-01-13 16:53:09 +01:00
Ruben Groenewoud 79b26085f5 [New Rule] Potential Process Name Stomping with Prctl (#4352) 
* [New Rule] Potential Process Name Stomping with Prctl

* Update defense_evasion_prctl_process_name_tampering.toml
 2025-01-13 16:35:40 +01:00
Jonhnathan 0e1edfecea [Rule Tuning] Windows Misc BBR Tuning (#4368) 
* [Rule Tuning] Windows Noisy BBRs

* ++

* bump

* Update credential_access_win_private_key_access.toml

* Update credential_access_win_private_key_access.toml
 2025-01-13 12:03:40 -03:00
James Valente f52cfb3729 [Rule: Tuning] - Azure blob permission modification tagging - Correct tags (#4371) 
* Remove `Data Source: Elastic Defend` tag

* Update metadata

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-13 10:40:34 -03:00
Terrance DeJesus 32a94dc7c7 updating token references (#4367) 2025-01-10 11:20:17 -05:00
Samirbous 65b95a1996 Update discovery_potential_syn_port_scan_detected.toml (#4366) 2025-01-10 15:29:29 +00:00
Terrance DeJesus 46637f38a4 maintenance repository config update pt 4 (#4364) 2025-01-09 18:05:55 -05:00
Terrance DeJesus 98cef59a5b [Maintenance] Repository Config Update pt 3 (#4363) 
* updating integrations and manual backport tokens

* updated no reply address

* changed integrations to security docs token

* changed integrations to security docs token
 2025-01-09 17:20:57 -05:00
Terrance DeJesus 4e588e8d90 updated package token (#4361) 2025-01-09 16:59:02 -05:00
Terrance DeJesus ad180777cf [Maintenance] Repository Config Update (#4359) 
* updating tokens

* bumped patch

* updated navigator gist ID

* updated naming

* Update .github/workflows/manual-backport.yml

* updated navigator url

* updated noreply email

* updated naming

* Update .github/workflows/manual-backport.yml

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* updating README

* updated gist token

* replaced guidelines token with GITHUB_TOKEN

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-01-09 16:35:18 -05:00
Jonhnathan 6b0b988d79 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10 (#4357) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10

* Remaining ones
 2025-01-09 11:54:46 -03:00
Jonhnathan 7eeca006bc [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 8 (#4355) 2025-01-09 11:38:26 -03:00
Jonhnathan e66bca73e0 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7 (#4349) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7

* Update rules/linux/discovery_process_capabilities.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 11:28:21 -03:00
Jonhnathan cc889e3bf2 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4 (#4345) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 10:59:32 -03:00
Jonhnathan 0fc83fe815 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3 (#4343) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3

* .

* Update rules/linux/command_and_control_ip_forwarding_activity.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 10:35:58 -03:00
Jonhnathan d6ceb88558 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 6 (#4348) 2025-01-09 10:17:57 -03:00
Jonhnathan f4a022c5d2 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 5 (#4346) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - X

* Update rules/linux/defense_evasion_directory_creation_in_bin.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/defense_evasion_mount_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 09:44:40 -03:00
Jonhnathan 2af2e1f57b [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 9 (#4356) 2025-01-09 08:29:51 -03:00
Jonhnathan 4142868956 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 2 (#4333) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-01-08 15:23:19 -03:00
Jonhnathan 282f613ddf [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1 (#4330) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1

* min_stack

* Update defense_evasion_doas_configuration_creation_or_rename.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-01-08 14:40:43 -03:00
github-actions[bot] 47571956a7 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4347) 2025-01-07 22:54:34 +05:30
github-actions[bot] 2edc062b53 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4344) 2025-01-07 22:13:30 +05:30
Ruben Groenewoud a2b280a6fd [New Hunts] Adding Several Hunting PRs into this Main PR (#4342) 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-01-07 14:29:17 +01:00
Ruben Groenewoud d16f56b4e2 [New Rule] SSH via Backdoored System User (#4336) 
* [New Rule] SSH via Backdoored System User

* ++

* Update persistence_ssh_via_backdoored_system_user.toml

* Update persistence_ssh_via_backdoored_system_user.toml

* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-01-07 13:20:36 +01:00
Ruben Groenewoud 2530c4d376 [New Rule] Pluggable Authentication Module Source Download (#4301) 
* [New Rule] Pluggable Authentication Module Source Download

* Update persistence_pluggable_authentication_module_source_download.toml

* Update rules/linux/persistence_pluggable_authentication_module_source_download.toml
 2025-01-07 13:04:05 +01:00
Terrance DeJesus 1a189a5749 [Python] Ignore Hunting Doc Changes for Version Code Checks (#4331) 
* Ignore hunting docs for version code checks

* added index.md to be ignored

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-07 12:54:27 +01:00
shashank-elastic 318ab3ffa0 Enhance Readability of KQL validation check failures (#4329) 2025-01-06 22:18:05 +05:30
shashank-elastic 52db5e0361 Monthly Refresh ECS & Beats schemas, Integration manifests & schemas. (#4332) 2025-01-06 21:48:11 +05:30
Samirbous 419e5c1ad3 [Tuning] Suspicious WMI Event Subscription Created (#4327) 
* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

* Update detection_rules/etc/non-ecs-schema.json

* Update pyproject.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-06 09:40:26 -03:00
Ruben Groenewoud feaeabf60c [New Rule] Dynamic Linker (ld.so) Creation (#4306) 2025-01-03 17:06:38 +01:00
Ruben Groenewoud fea5c90ed9 [New Rule] Kernel Object File Creation (#4325) 
* [New Rule] Kernel Object File Creation

* ++

* Update rules/linux/persistence_kernel_object_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-03 16:49:59 +01:00
Ruben Groenewoud 466097c31e [Rule Tuning] Potential Persistence via File Modification (#4310) 
* [Rule Tuning] Potential Persistence via File Modification

* Update persistence_suspicious_file_modifications.toml

* Update persistence_suspicious_file_modifications.toml
 2025-01-03 16:19:58 +01:00
Ruben Groenewoud 53ca51b20c [New Rule] Simple HTTP Web Server Connection (#4309) 2025-01-03 16:06:28 +01:00