security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,436 Commits 1 Branch 0 Tags
2ca746c4b40f7cf192560ef70e41b02fc0b286dd
Commit Graph

765 Commits

Author SHA1 Message Date
Jonhnathan d1b102730c [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8 (#4233) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8

* Update defense_evasion_powershell_windows_firewall_disabled.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-07 12:38:27 -03:00
Jonhnathan ef0f96c874 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 (#4232) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-07 12:27:47 -03:00
Samirbous d2dfd46b3e Update credential_access_suspicious_lsass_access_generic.toml (#4188) 2024-11-07 13:56:53 +00:00
Jonhnathan 6c2dad966a [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9 (#4234) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9

* .

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-05 15:39:32 -03:00
Jonhnathan a743b9c8c4 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6 (#4231) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6

* Update credential_access_cmdline_dump_tool.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Revert "Update defense_evasion_powershell_windows_firewall_disabled.toml"

This reverts commit d2df2a848290425ebfe0bb5157332ad0611f726f.

* Update lateral_movement_via_wsus_update.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-05 15:00:43 -03:00
Jonhnathan d5b5ba387d [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5 (#4230) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5

* Update collection_winrar_encryption.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-05 14:46:10 -03:00
Jonhnathan 63956a6f51 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 4 (#4225) 2024-11-05 14:22:14 -03:00
Jonhnathan 2b6116e0ce [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 (#4222) 2024-11-04 11:55:04 -03:00
Jonhnathan 80841b5619 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2 (#4221) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2

* Update rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-11-04 11:47:43 -03:00
Jonhnathan 81292aee8a [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 (#4220) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1

* Update Integrations unit tests

* Update test_all_rules.py
 2024-11-04 11:32:22 -03:00
shashank-elastic 92fe46b8ff Fix Minstack version for windows integration (#4214) 2024-10-28 19:28:10 +05:30
shashank-elastic 275c7288a3 Add testcase to check for related_integrations based on index (#4096) 2024-10-22 00:17:30 +05:30
Jonhnathan 2c07e88c07 [Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156) 2024-10-15 23:57:44 +05:30
Samirbous 8f56b7de5e Update privilege_escalation_gpo_schtask_service_creation.toml (#4152) 2024-10-15 18:36:35 +05:30
Samirbous a98161ad2a [Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#4144) 
* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-10-15 10:49:01 +01:00
Samirbous 8404d41cca [New] Untrusted DLL Loaded by Azure AD Sync Service (#4151) 
* Create credential_access_imageload_azureadconnectauthsvc.toml

* Update credential_access_imageload_azureadconnectauthsvc.toml

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-10-14 18:04:46 +01:00
Jonhnathan e1addc6a8f [Rule Tuning] 3rd Party EDR Compatibility - 18 (#4056) 
* [Rule Tuning] 3rd Party EDR Compatibility - 18

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* min_stack for merge, bump updated_date

* Update persistence_browser_extension_install.toml
 2024-10-13 20:25:17 -03:00
Jonhnathan 6f69b33529 [Rule Tuning] 3rd Party EDR Compatibility - 17 (#4042) 
* [Rule Tuning] 3rd Party EDR Compatibility - 17

* Update rules/windows/privilege_escalation_unusual_parentchild_relationship.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-10-13 18:34:22 -03:00
Jonhnathan 7385f9dd2e [Rule Tuning] 3rd Party EDR Compatibility - 16 (#4041) 
* [Rule Tuning] 3rd Party EDR Compatibility - 16

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-10-13 18:14:24 -03:00
Jonhnathan 080a891c79 [Rule Tuning] 3rd Party EDR Compatibility - 15 (#4040) 
* [Rule Tuning] 3rd Party EDR Compatibility - 15

* min_stack for merge, bump updated_date
 2024-10-11 18:33:22 -03:00
Jonhnathan 10a8cef21f [Rule Tuning] 3rd Party EDR Compatibility - 14 (#4039) 
* [Rule Tuning] 3rd Party EDR Compatibility - 14

* min_stack for merge, bump updated_date
 2024-10-11 17:22:53 -03:00
Jonhnathan 07c4535871 [Rule Tuning] 3rd Party EDR Compatibility - 13 (#4038) 
* [Rule Tuning] 3rd Party EDR Compatibility - 13

* min_stack for merge, bump updated_date
 2024-10-11 16:55:02 -03:00
Jonhnathan 0cbbae4f83 [Rule Tuning] 3rd Party EDR Compatibility - 12 (#4037) 
* [Rule Tuning] 3rd Party EDR Compatibility - 12

* min_stack for merge, bump updated_date
 2024-10-11 16:37:20 -03:00
Jonhnathan 32d02ae7aa [Rule Tuning] 3rd Party EDR Compatibility - 11 (#4036) 
* [Rule Tuning] 3rd Party EDR Compatibility - 11

* min_stack for merge, bump updated_date
 2024-10-11 16:14:40 -03:00
Jonhnathan 7b655759ab [Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035) 
* [Rule Tuning] 3rd Party EDR Compatibility - 10

* min_stack for merge, bump updated_date
 2024-10-11 15:58:37 -03:00
Jonhnathan 8938f09668 [Rule Tuning] 3rd Party EDR Compatibility - 9 (#4034) 
* [Rule Tuning] 3rd Party EDR Compatibility - 9

* min_stack for merge, bump updated_date
 2024-10-11 15:41:36 -03:00
Jonhnathan 5b17dfa63a [Rule Tuning] 3rd Party EDR Compatibility - 8 (#4032) 
* [Rule Tuning] 3rd Party EDR Compatibility - 8

* min_stack for merge, bump updated_date
 2024-10-11 15:12:58 -03:00
Jonhnathan 6b71ad7ab9 [Rule Tuning] 3rd Party EDR Compatibility - 7 (#4031) 
* [Rule Tuning] 3rd Party EDR Compatibility - 7

* min_stack for merge, bump updated_date
 2024-10-11 15:01:45 -03:00
Jonhnathan fbe17eb1ee [Rule Tuning] 3rd Party EDR Compatibility - 6 (#4030) 
* [Rule Tuning] 3rd Party EDR Compatibility - 6

* min_stack for merge, bump updated_date
 2024-10-11 14:34:42 -03:00
Jonhnathan f91a6fa8d6 [Rule Tuning] 3rd Party EDR Compatibility - 5 (#4022) 
* [Rule Tuning] 3rd Party EDR Compatibility - 5

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 14:21:17 -03:00
Jonhnathan f021229da4 [Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021) 
* [Rule Tuning] 3rd Party EDR Compatibility - 4

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 13:33:32 -03:00
Jonhnathan 2afb4038db [Rule Tuning] 3rd Party EDR Compatibility - 3 (#4020) 
* [Rule Tuning] 3rd Party EDR Compatibility - 3

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 13:19:56 -03:00
Jonhnathan 4538bfcd9f [Rule Tuning] 3rd Party EDR Compatibility - 2 (#4019) 
* [Rule Tuning] 3rd Party EDR Compatibility - 2

* Update credential_access_iis_connectionstrings_dumping.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 12:55:31 -03:00
Jonhnathan 6be1f0bad6 [Rule Tuning] 3rd Party EDR Compatibility - 1 (#4017) 
* [Rule Tuning] 3rd Party EDR Compatibility - 1

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date

* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
 2024-10-11 12:09:11 -03:00
Samirbous a68a404bd8 Update defense_evasion_posh_assembly_load.toml (#4112) 2024-10-01 17:30:38 +05:30
Samirbous 1d1b2eb90f Update command_and_control_tunnel_vscode.toml (#4104) 2024-09-28 11:46:46 +01:00
Mika Ayenson b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097) 
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-25 15:19:20 -05:00
shashank-elastic 814130bf34 min_stack New Rules that use the S1 Integration (#4081) 2024-09-16 20:12:09 +05:30
Jonhnathan 7c78e4081f [Rule Tuning] min_stack New Rules that use the S1 Integration (#4079) 
* [Rule Tuning] min_stack New Rules that use the S1 Integration

* Update execution_windows_powershell_susp_args.toml

* Update execution_initial_access_foxmail_exploit.toml
 2024-09-16 11:02:46 -03:00
Samirbous 31ca246ea7 [New] Potential Foxmail Exploitation (#4044) 
* Create execution_initial_access_foxmail_exploit.toml

* Update execution_initial_access_foxmail_exploit.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-16 12:29:40 +01:00
Samirbous 41a7a5f049 [New] Execution via Windows Command Debugging Utility (#3918) 
* [New] Execution via Windows Command Debugging Utility

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/

* Update defense_evasion_lolbas_win_cdb_utility.toml

* ++

* Update defense_evasion_lolbas_win_cdb_utility.toml
 2024-09-16 09:14:39 +01:00
Samirbous f26d7fc81b [New] Persistence via a Windows Installer (#4055) 
* Create persistence_msi_installer_task_startup.toml

* Update persistence_msi_installer_task_startup.toml

* Update persistence_msi_installer_task_startup.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-16 07:50:57 +01:00
Samirbous b60b6e2af3 [New] Attempt to establish VScode Remote Tunnel (#4061) 
* [New] Attempt to establish VScode Remote Tunnel

* Update command_and_control_tunnel_vscode.toml

* Update command_and_control_tunnel_vscode.toml

* Update command_and_control_tunnel_vscode.toml

* Update rules/windows/command_and_control_tunnel_vscode.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-09-16 07:39:39 +01:00
Samirbous 3a3400c8e5 [New] MsiExec Service Child Process With Network Connection (#4062) 
* [New] MsiExec Service Child Process With Network Connection

converted an ER diag rule to SIEM rule as it matches on a good number of MSI related FNs.

* Update defense_evasion_msiexec_child_proc_netcon.toml

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-15 20:22:44 +01:00
Samirbous 56fc2beb46 [New] Suspicious PowerShell Execution via Windows Scripts (#4060) 
* [New] Suspicious PowerShell Execution via Windows Scripts

this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.

* Update execution_powershell_susp_args_via_winscript.toml

* Create defense_evasion_script_via_html_app.toml

* ++

* Update defense_evasion_script_via_html_app.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-15 19:51:21 +01:00
Samirbous b6162abefa [New] WPS Office Exploitation via DLL Hijack (#4043) 
* Create execution_initial_access_wps_dll_exploit.toml

* Update execution_initial_access_wps_dll_exploit.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-15 11:23:35 +01:00
Samirbous 9255dafe53 [New] Detonate LNK TOP Rules (#4058) 
* [New] Detonate LNK TOP Rules

the following two rules are the top ones matching on TPs from detonate for LNK files, converting them to SIEM rules compatible with Sysmon/Winlogbeat, SentinelOne and M365 Defender :

https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution.toml#L8

https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml#L8

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update rules/windows/execution_windows_cmd_shell_susp_args.toml

* Update rules/windows/execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-15 10:49:17 +01:00
Samirbous cad3865fcf [New] Potential Escalation via Vulnerable MSI Repair - CVE-2024-38014 (#4076) 
* [New] Potential Escalation via Vulnerable MSI Repair

https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/

* Update privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-13 17:57:44 +01:00
Jonhnathan 127a56aede [Rule Tuning] Remote Execution via File Shares (#4067) 
* [Rule Tuning] Remote Execution via File Shares

* Update lateral_movement_execution_via_file_shares_sequence.toml
 2024-09-11 10:49:41 -03:00
Samirbous dc9c58527f [Tuning] Unusual Network Activity from a Windows System Binary (#4065) 
* Update defense_evasion_network_connection_from_windows_binary.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-10 13:30:56 -03:00