security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,537 Commits 1 Branch 0 Tags
28c3d074b82d0ea0fb479c962df026a0ea574734
Commit Graph

396 Commits

Author SHA1 Message Date
Ruben Groenewoud 28c3d074b8 [New Rule] Process Started with Executable Stack (#4340) 
* [New Rule] Process Started with Executable Stack

* [New Rule] Process Started with Executable Stack

* Update execution_executable_stack_execution.toml

* Update rules/linux/execution_executable_stack_execution.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-01-17 17:36:39 +01:00
Ruben Groenewoud ac541f0b18 [New Rules] Kernel Seeking/Unpacking Activity (#4341) 
* [New Rules] Kernel Seeking/Unpacking Activity

* ++
 2025-01-16 12:04:04 +01:00
Ruben Groenewoud bba5096efa [New Rule] System Binary Path File Permission Modification (#4339) 2025-01-16 10:32:23 +01:00
Ruben Groenewoud 75c7c09595 [New Rule] Suspicious Path Invocation from Command Line (#4338) 2025-01-16 10:20:37 +01:00
Ruben Groenewoud 79b26085f5 [New Rule] Potential Process Name Stomping with Prctl (#4352) 
* [New Rule] Potential Process Name Stomping with Prctl

* Update defense_evasion_prctl_process_name_tampering.toml
 2025-01-13 16:35:40 +01:00
Jonhnathan 6b0b988d79 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10 (#4357) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10

* Remaining ones
 2025-01-09 11:54:46 -03:00
Jonhnathan 7eeca006bc [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 8 (#4355) 2025-01-09 11:38:26 -03:00
Jonhnathan e66bca73e0 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7 (#4349) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7

* Update rules/linux/discovery_process_capabilities.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 11:28:21 -03:00
Jonhnathan cc889e3bf2 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4 (#4345) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 10:59:32 -03:00
Jonhnathan 0fc83fe815 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3 (#4343) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3

* .

* Update rules/linux/command_and_control_ip_forwarding_activity.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 10:35:58 -03:00
Jonhnathan d6ceb88558 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 6 (#4348) 2025-01-09 10:17:57 -03:00
Jonhnathan f4a022c5d2 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 5 (#4346) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - X

* Update rules/linux/defense_evasion_directory_creation_in_bin.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/defense_evasion_mount_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 09:44:40 -03:00
Jonhnathan 2af2e1f57b [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 9 (#4356) 2025-01-09 08:29:51 -03:00
Jonhnathan 4142868956 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 2 (#4333) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-01-08 15:23:19 -03:00
Jonhnathan 282f613ddf [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1 (#4330) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1

* min_stack

* Update defense_evasion_doas_configuration_creation_or_rename.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-01-08 14:40:43 -03:00
Ruben Groenewoud d16f56b4e2 [New Rule] SSH via Backdoored System User (#4336) 
* [New Rule] SSH via Backdoored System User

* ++

* Update persistence_ssh_via_backdoored_system_user.toml

* Update persistence_ssh_via_backdoored_system_user.toml

* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-01-07 13:20:36 +01:00
Ruben Groenewoud 2530c4d376 [New Rule] Pluggable Authentication Module Source Download (#4301) 
* [New Rule] Pluggable Authentication Module Source Download

* Update persistence_pluggable_authentication_module_source_download.toml

* Update rules/linux/persistence_pluggable_authentication_module_source_download.toml
 2025-01-07 13:04:05 +01:00
Ruben Groenewoud feaeabf60c [New Rule] Dynamic Linker (ld.so) Creation (#4306) 2025-01-03 17:06:38 +01:00
Ruben Groenewoud fea5c90ed9 [New Rule] Kernel Object File Creation (#4325) 
* [New Rule] Kernel Object File Creation

* ++

* Update rules/linux/persistence_kernel_object_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-03 16:49:59 +01:00
Ruben Groenewoud 53ca51b20c [New Rule] Simple HTTP Web Server Connection (#4309) 2025-01-03 16:06:28 +01:00
Ruben Groenewoud e26e4e40b4 [New Rule] Simple HTTP Web Server Creation (#4308) 2025-01-03 15:54:25 +01:00
Ruben Groenewoud 0273997581 [New Rule] Loadable Kernel Module Configuration File Creation (#4307) 2025-01-03 15:33:31 +01:00
Ruben Groenewoud 7e775a6c95 [New Rule] Unusual Preload Environment Variable Process Execution (#4305) 2025-01-03 15:23:41 +01:00
Ruben Groenewoud 9424a57207 [Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#4304) 2025-01-03 15:05:05 +01:00
Ruben Groenewoud c9c8e3501e [New Rule] Unusual SSHD Child Process (#4303) 
* [New Rule] Unusual SSHD Child Process

* Update persistence_unusual_sshd_child_process.toml
 2025-01-03 14:50:43 +01:00
Ruben Groenewoud c7fe940206 [New Rule] Pluggable Authentication Module Creation in Unusual Directory (#4302) 
* [New Rule] Pluggable Authentication Module Creation in Unusual Directory

* Update persistence_pluggable_authentication_module_creation_in_unusual_dir.toml

* Update rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
 2025-01-03 14:35:08 +01:00
Ruben Groenewoud 5384191934 [New Rule] PAM Version Discovery (#4300) 
* [New Rule] PAM Version Discovery

* Update discovery_pam_version_discovery.toml

* Update discovery_pam_version_discovery.toml

* Update discovery_pam_version_discovery.toml

* Update rules/linux/discovery_pam_version_discovery.toml
 2025-01-03 14:25:38 +01:00
shashank-elastic f0291b440a Minstack endpoint rules with process.group.id fields (#4294) 2024-12-10 21:03:32 +05:30
Ruben Groenewoud 4e28895e66 [Rule Tuning] Kernel Module Removal (#4269) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-11-25 21:13:44 +01:00
Ruben Groenewoud 56e61a6321 [New Rule] Potential Hex Payload Execution (#4241) 
* [New Rule] Potential Hex Payload Execution

* Update rules/linux/defense_evasion_hex_payload_execution.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 19:15:17 +01:00
Ruben Groenewoud 54bb319f7b [New Rule] Memory Swap Modification (#4239) 
* [New Rule] Memory Swap Modification

* Update rules/linux/impact_memory_swap_modification.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 19:06:55 +01:00
Ruben Groenewoud 3207ca37e4 [New Rule] Unusual Interactive Shell Launched from System User (#4238) 
* [New Rule] Unusual Interactive Shell Launched from System User

* Update defense_evasion_interactive_shell_from_system_user.toml

* Update defense_evasion_interactive_shell_from_system_user.toml

* Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:24:30 +01:00
Ruben Groenewoud 267a6b6fa6 [New Rule] Web Server Spawned via Python (#4236) 
* [New Rule] Web Server Spawned via Python

* Update execution_python_webserver_spawned.toml

* Update rules/linux/execution_python_webserver_spawned.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_python_webserver_spawned.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:16:19 +01:00
Ruben Groenewoud 83f31e1640 [New Rule] Directory Creation in /bin directory (#4227) 
* [New Rule] Directory Creation in /bin directory

* Description fix

* Update rules/linux/defense_evasion_directory_creation_in_bin.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 18:07:06 +01:00
Ruben Groenewoud 6040b6aee4 [New Rule] Hidden Directory Creation via Unusual Parent (#4226) 
* [New Rule] Hidden Directory Creation via Unusual Parent

* Update rules/linux/defense_evasion_hidden_directory_creation.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:58:13 +01:00
Ruben Groenewoud 43148a72f4 [New Rule] Security File Access via Common Utilities (#4243) 
* [New Rule] Security File Access via Common Utilities

* [New Rule] Security File Access via Common Utilities

* Update discovery_security_file_access_via_common_utility.toml
 2024-11-08 17:41:33 +01:00
Ruben Groenewoud f89e245e29 [New Rule] Potential Data Splitting Detected (#4235) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:32:59 +01:00
Ruben Groenewoud 3e268282d1 [New Rule] Private Key Searching Activity (#4242) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:13:55 +01:00
Ruben Groenewoud 40118186fb [New Rule] IPv4/IPv6 Forwarding Activity (#4240) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 17:06:07 +01:00
Ruben Groenewoud 993c60decb [New Rule] Curl SOCKS Proxy Activity from Unusual Parent (#4237) 
* [New Rule] Curl SOCKS Proxy Activity from Unusual Parent

* OS Type update

* Update rules/linux/command_and_control_curl_socks_proxy_detected.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-08 16:51:18 +01:00
shashank-elastic d2502c7394 Prep for Release 8.17 (#4256) 2024-11-07 23:53:04 +05:30
Ruben Groenewoud 9e4fce6586 [Rule Tuning] Potential Linux Hack Tool Launched (#4191) 2024-10-25 17:23:48 +02:00
Ruben Groenewoud b0bba39007 [Rule Tuning] Linux User Added to Privileged Group (#4206) 2024-10-25 14:21:20 +02:00
Terrance DeJesus d0225c37df [Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169) 
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'

* added missing bracket

* linted

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

* removed intelephense whitelisting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-10-18 11:50:57 -04:00
Ruben Groenewoud 42f6c8f9a5 [Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165) 2024-10-18 17:13:44 +02:00
Ruben Groenewoud b309bcb7ae [Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 5

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
 2024-10-18 17:02:26 +02:00
Ruben Groenewoud 601254488b [BBR Promotion] Q2 Linux BBR Promotion (#4172) 
* [BBR Promotion] Q2 Linux BBR Promotion

* Update collection_linux_clipboard_activity.toml

* Update defense_evasion_creation_of_hidden_files_directories.toml
 2024-10-18 16:55:09 +02:00
Ruben Groenewoud ac6a49eeea [Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167) 2024-10-18 16:25:54 +02:00
Ruben Groenewoud 39fc23cb3d [Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
 2024-10-18 16:18:14 +02:00
Ruben Groenewoud 3982228132 [Rule Tuning] Q2 Linux DR Tuning - Part 2 (#4163) 2024-10-18 16:07:09 +02:00