shashank-elastic
2f062ecf84
Add investigation guides (#2326)
2022-09-23 20:18:48 +05:30
Isai
5b8593559c
[Rule Tuning] Kubernetes - update min_stack for new rules (#2310)
## Link to rule
https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
## Description
min_stack change to 8.4 with new required fields added to Kubernetes Integration
2022-09-20 17:09:22 -04:00
Jonhnathan
09565d97b7
[New Rule] PowerShell Script with Token Impersonation Capabilities (#2246)
* [New Rule] PowerShell Script with Token Impersonation Capabilities
* Update privilege_escalation_posh_token_impersonation.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Update privilege_escalation_posh_token_impersonation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 15:43:38 -03:00
Jonhnathan
a955e34b43
[New Rule] PowerShell Share Enumeration Script (#2243)
* [New Rule] PowerShell Share Enumeration Script
* Move the rule to the correct folder
* Update discovery_posh_invoke_sharefinder.toml
* Update discovery_posh_invoke_sharefinder.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 15:38:23 -03:00
Jonhnathan
d52c0d2257
[Rule Tuning] Remove "process_started" from Windows Rules (#2238)
* [Rule Tuning] Remove "process_started" from Windows Rules
* Additional, pending ones
* Update defense_evasion_code_injection_conhost.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 13:06:30 -05:00
Samirbous
acdfe5ddab
[New Rule] Process Creation via Secondary Logon (#2282)
* [New Rule] Process Creation via Secondary Logon
https://github.com/elastic/detection-rules/issues/2164
Create process using alternate creds (e.g. runas):
* Update privilege_escalation_create_process_as_different_user.toml
* Update privilege_escalation_create_process_as_different_user.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 13:04:08 -05:00
Jonhnathan
4844b69ced
[Rule Deprecation] Web Application Suspicious Activity: No User Agent (#2295)
* [Rule Deprecation] Web Application Suspicious Activity: No User Agent
* Update apm_null_user_agent.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 10:56:03 -07:00
Isai
963d01ba89
[New Rule] Kubernetes Suspicious Assignment of Controller Service Account (#2298)
* [New Rule] Kubernetes Suspicious Assignment of Controller Service Account
Issues
--
#2034
Summary
--
This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.
* Update privilege_escalation_suspicious_assignment_of_controller_service_account.toml
updated query after testing
* Update non-ecs-schema.json
added new field used in query update
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 13:35:37 -04:00
Isai
a9364beef9
[New Rule] Kubernetes Denied Service Account Request (#2299)
* [New Rule] Kubernetes Denied Service Account Request
## Issue
#2040
## Summary
This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.
* Update discovery_denied_service_account_request.toml
updated the query after testing to reduce false positives
* Update rules/integrations/kubernetes/discovery_denied_service_account_request.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-09-19 13:22:20 -04:00
Samirbous
99dcfe2055
[New Rule] Multiple Vault Web credentials were read (#2281)
* [New Rule] Multiple Vault Web credentials were read
https://github.com/elastic/detection-rules/issues/2164
* Update credential_access_saved_creds_vault_winlog.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_saved_creds_vault_winlog.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-09-19 19:07:05 +02:00
Terrance DeJesus
812a54fc70
[New Rule] Custom Gmail Route Created or Modified - Google Workspace (#2296)
* adding new rule
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adjusted rule description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-09-19 13:03:23 -04:00
Samirbous
4609a5e8fe
[New Rule] Scheduled Task Creation using winlog (#2277)
* [New Rule] Scheduled Task Creation using winlog
https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task)
- A scheduled task was created
- A scheduled task was updated
- Temp scheduled task (creation followed by deletion, rare and can be sign of proxy execution via schedule service)
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* toml-lint
* remote task
* Update non-ecs-schema.json
* waaaaaaaaaaaaaa
* Update persistence_scheduled_task_updated.toml
* Update persistence_scheduled_task_creation_winlog.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update lateral_movement_remote_task_creation_winlog.toml
* event.ingested
* Update lateral_movement_remote_task_creation_winlog.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-09-19 18:50:45 +02:00
Samirbous
fc8ec668b1
[New Rule] Brute Force Detection - Windows (#2275)
* [New Rule] Brute Force Detection - Windows
https://github.com/elastic/detection-rules/issues/2164 (T1110 - Brute Force)
- multiple logon failure from same source address in 10s maxspan
- 5 logon failure followed by success from same source address in 5s maxspan
* non ecs
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
* fix error
* added bruteforce admin account and linted tomls
* Update credential_access_bruteforce_admin_account.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* related_rules
* 4625_errorcode_notes
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-09-19 18:43:28 +02:00
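Added example, not code from the detection-rules repo: the two sequence-style rules described in the Scheduled Task Creation using winlog (#2277) and Brute Force Detection - Windows (#2275) commits above, reduced to a minimal EQL-style "sequence by <key> with maxspan" matcher and run over constructed Windows Security events (4625/4624 logon failures and successes, 4698/4699 scheduled task creation and deletion). The helper, the simplified field names (source_ip, task_name, host) and the sample events are assumptions for illustration; they are not the rules' own winlog.* field paths or EQL.

```python
"""EQL-style 'sequence by <key> with maxspan' on constructed Windows Security events.
Added example; field names are simplified assumptions, not winlog.* paths."""
from collections import defaultdict
from datetime import datetime, timedelta


def sequence_by(events, key, stages, maxspan):
    """Greedy, non-overlapping sequence matcher.

    Events are grouped by `key` and walked in time order. An event satisfying stages[0]
    opens a candidate; later events in the same group must satisfy stages[1..] in order,
    all within `maxspan` of the opening event. Returns tuples of matched event ids.
    """
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        groups[key(ev)].append(ev)

    matches = []
    for evs in groups.values():
        i = 0
        while i < len(evs):
            if not stages[0](evs[i]):
                i += 1
                continue
            start, chain, stage, j = evs[i]["ts"], [evs[i]], 1, i + 1
            while j < len(evs) and stage < len(stages) and evs[j]["ts"] - start <= maxspan:
                if stages[stage](evs[j]):
                    chain.append(evs[j])
                    stage += 1
                j += 1
            if stage == len(stages):
                matches.append(tuple(e["id"] for e in chain))
                i = j  # consume the matched run
            else:
                i += 1  # try the next possible opening event
    return matches


def detect_bruteforce(events, failures=5, maxspan=timedelta(seconds=5)):
    """`failures` x 4625 followed by a 4624 from the same source address within maxspan."""
    logons = [e for e in events if e["event_id"] in (4624, 4625)]
    failed = lambda e: e["event_id"] == 4625
    success = lambda e: e["event_id"] == 4624
    return sequence_by(logons, lambda e: e["source_ip"], [failed] * failures + [success], maxspan)


def detect_temp_scheduled_task(events, maxspan=timedelta(minutes=5)):
    """4698 (task created) followed by 4699 (task deleted) for the same host and task name."""
    tasks = [e for e in events if e["event_id"] in (4698, 4699)]
    return sequence_by(tasks, lambda e: (e["host"], e["task_name"]),
                       [lambda e: e["event_id"] == 4698, lambda e: e["event_id"] == 4699], maxspan)


# Constructed events; timestamps are offsets from a fixed base.
_T0 = datetime(2022, 9, 19, 12, 0, 0)
_s = lambda secs: _T0 + timedelta(seconds=secs)
SAMPLE_EVENTS = [
    # five failures then a success from 10.0.0.5 inside 5 s: a guess that landed
    *({"id": f"f{n}", "ts": _s(n), "event_id": 4625, "host": "DC01", "source_ip": "10.0.0.5"}
      for n in range(1, 6)),
    {"id": "s1", "ts": _s(5.5), "event_id": 4624, "host": "DC01", "source_ip": "10.0.0.5"},
    # only two failures from 10.0.0.9: below the threshold
    {"id": "f6", "ts": _s(20), "event_id": 4625, "host": "DC01", "source_ip": "10.0.0.9"},
    {"id": "f7", "ts": _s(21), "event_id": 4625, "host": "DC01", "source_ip": "10.0.0.9"},
    {"id": "s2", "ts": _s(22), "event_id": 4624, "host": "DC01", "source_ip": "10.0.0.9"},
    # task created and deleted 30 s later on WS01: the temp-task proxy execution pattern
    {"id": "t1", "ts": _s(60), "event_id": 4698, "host": "WS01", "task_name": "\\Updater"},
    {"id": "t2", "ts": _s(90), "event_id": 4699, "host": "WS01", "task_name": "\\Updater"},
    # task created and left in place: not a temp task
    {"id": "t3", "ts": _s(120), "event_id": 4698, "host": "WS01", "task_name": "\\Backup"},
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_EVENTS))           # [('f1', 'f2', 'f3', 'f4', 'f5', 's1')]
    print(detect_temp_scheduled_task(SAMPLE_EVENTS))  # [('t1', 't2')]
```

The matcher is deliberately greedy and non-overlapping, which is simpler than real EQL sequence state tracking but enough to show why `maxspan` and the `by` key matter: lowering `failures` to 2 makes the 10.0.0.9 burst match as well, and dropping the host from the task key would let a deletion on another machine close a sequence opened elsewhere.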
Isai
fa0310d0fb
[New Rule] Kubernetes Anonymous Request Authorized (#2300)
* [New Rule] Kubernetes Anonymous Request Authorized
## Issue
#2038
## Summary
This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use
anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster.
This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.
* [New Rule] Kubernetes Suspicious Change to Privileges of Running Security Context
## Issue
https://github.com/elastic/detection-rules/issues/2032
## Summary
* Delete non-ecs-schema.json
* Delete privilege_escalation_suspicious_change_to_privileges_of_running_security_context.toml
* Create non-ecs-schema.json
* Update detection_rules/etc/non-ecs-schema.json
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2022-09-19 11:33:09 -05:00
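Added example, not the repo's rules or query language: the three Kubernetes audit-log detections summarised in the Kubernetes Suspicious Assignment of Controller Service Account (#2298), Kubernetes Denied Service Account Request (#2299) and Kubernetes Anonymous Request Authorized (#2300) commits above, written as plain Python predicates and run over constructed kube-apiserver audit events. Field names follow the Kubernetes audit Event schema (user.username, verb, objectRef, requestObject, requestURI and the authorization.k8s.io/decision annotation); the controller service-account list is an illustrative subset, an assumption rather than the rule file's own list, and the events are constructed.

```python
"""Three Kubernetes audit-log detections on constructed apiserver audit events.
Added example; the controller SA list is an illustrative subset (assumption)."""

# Illustrative subset of kube-controller-manager service accounts in kube-system (assumption).
CONTROLLER_SERVICE_ACCOUNTS = {
    "clusterrole-aggregation-controller", "daemon-set-controller", "deployment-controller",
    "job-controller", "namespace-controller", "replicaset-controller",
    "statefulset-controller", "token-cleaner",
}
# Endpoints the anonymous-request rule excludes because they are routinely probed unauthenticated.
HEALTH_ENDPOINTS = ("/healthz", "/livez", "/readyz")


def _decision(ev):
    # Written by the apiserver's authorization layer: "allow" or "forbid".
    return ev.get("annotations", {}).get("authorization.k8s.io/decision")


def controller_sa_assigned(ev):
    """Pod created or modified in kube-system with a controller service account attached.
    Requires an audit policy at level Request or RequestResponse so requestObject is recorded."""
    if ev.get("verb") not in ("create", "update", "patch"):
        return False
    ref = ev.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("namespace") != "kube-system":
        return False
    spec = ev.get("requestObject", {}).get("spec", {})
    # serviceAccount is the deprecated alias of serviceAccountName; check both.
    return (spec.get("serviceAccountName") or spec.get("serviceAccount")) in CONTROLLER_SERVICE_ACCOUNTS


def denied_service_account_request(ev):
    """A service account (system:serviceaccount:<ns>:<name>) was refused by authorization."""
    user = ev.get("user", {}).get("username", "")
    return user.startswith("system:serviceaccount:") and _decision(ev) == "forbid"


def anonymous_request_authorized(ev):
    """system:anonymous was allowed through, ignoring the health endpoints."""
    if ev.get("user", {}).get("username") != "system:anonymous" or _decision(ev) != "allow":
        return False
    return not ev.get("requestURI", "").startswith(HEALTH_ENDPOINTS)


RULES = {
    "controller_sa_assigned": controller_sa_assigned,
    "denied_service_account_request": denied_service_account_request,
    "anonymous_request_authorized": anonymous_request_authorized,
}


def evaluate(events):
    """Return (auditID, rule name) for every event/rule pair that fires."""
    return [(ev["auditID"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed audit events, trimmed to the fields the predicates read.
SAMPLE_EVENTS = [
    {"auditID": "a1", "verb": "create",
     "user": {"username": "kubernetes-admin"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "debug"},
     "requestObject": {"spec": {"serviceAccountName": "replicaset-controller"}},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
    {"auditID": "a2", "verb": "list", "requestURI": "/api/v1/namespaces/kube-system/secrets",
     "user": {"username": "system:serviceaccount:default:web-app"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "annotations": {"authorization.k8s.io/decision": "forbid"}},
    {"auditID": "a3", "verb": "list", "requestURI": "/api/v1/secrets",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "objectRef": {"resource": "secrets"},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
    {"auditID": "a4", "verb": "get", "requestURI": "/healthz",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
    {"auditID": "a5", "verb": "create",
     "user": {"username": "system:serviceaccount:default:ci-runner"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "build-1"},
     "requestObject": {"spec": {"serviceAccountName": "default"}},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Only a1, a2 and a3 fire: a4 is the anonymous /healthz probe the rule deliberately excludes, and a5 is an ordinary authorized pod creation outside kube-system with the namespace default service account. In a real cluster the same three predicates would be pointed at kube-apiserver audit output shipped by the Kubernetes integration rather than at inline dicts.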
shashank-elastic
725f7f3480
Linux rule to detect potential ssh brute force attack (#2291)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-09-19 20:26:18 +05:30
Jonhnathan
ca2b3c2b7f
[New Rule] Full User-Mode Dumps Enabled System-Wide (#2276)
* [New Rule] Full User-Mode Dumps Enabled System-Wide
* Apply suggestions from review
* Update credential_access_generic_localdumps.toml
2022-09-15 16:57:00 -03:00
shashank-elastic
ae2a98e3f7
[New Rule] Linux rule(s) to detect namespace manipulation, shadow file read (#2283)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-09-14 22:01:46 +05:30
Terrance DeJesus
59297c836e
[New Rule] User Organizational Unit Changed - Google Workspace (#2289)
* adding new rule
* adjusting severity and risk
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
2022-09-13 15:36:27 -04:00
Terrance DeJesus
8c19e9ff6c
[New Rule] Bitlocker Settings Disabled - Google Workspace (#2288)
* adding new rule
* adjusted UUID
2022-09-12 16:06:01 -04:00
TotalKnob
3ba777c1b1
[Rule Tuning] Disable Windows Firewall Rules via Netsh (#2231)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 13:10:08 -04:00
Terrance DeJesus
6a6ef0ce11
[New Rule] Restrictions for Google Marketplace Modified to Allow Any App - Google Workspace (#2268)
* adding new rule
* adjusted UUID to address unit testing failures
* adjusted UUID to address unit testing failures
* adjusted references
2022-08-26 12:43:30 -04:00
Terrance DeJesus
bd6befb168
[New Rule] Google Drive Ownership Transferred (#2265)
* adding new rule
* adjusted query format
* adjusted file and rule name to include google workspace
* Update collection_google_drive_ownership_transferred_via_google_workspace.toml
Fixed a couple minor typos
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-08-26 12:41:10 -04:00
Terrance DeJesus
18df50443c
[Rule Tuning] Admin Role Assigned to User - Google Workspace (#2266)
* tuning rule query and att&ck mappings
* adjusted description and query formatting
* Update rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adjusted risk and severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:35:44 -04:00
Terrance DeJesus
cd2539f1eb
[New Rule] User Group Access Modified to Allow External Access (#2264)
* adding new rule
* adjusting rule name, file name and description
* adjusted att&ck technique
* adjusted file and rule name to include google workspace
* adjusted references
* Update persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
Fixed minor typo
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-08-26 12:25:29 -04:00
Terrance DeJesus
c0a339e277
[New Rule] 2SV Policy Disabled - Google Workspace (#2271)
* adding new rule
* adjusted file name, query and rule name
2022-08-26 12:22:54 -04:00
Terrance DeJesus
e5399bc148
[New Rule] Application Removed from Blocklist - Google Workspace (#2267)
* adding new rule
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:16:41 -04:00
TotalKnob
97e42d01d8
[Rule Tuning] SUNBURST Command and Control Activity (#2232)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 13:11:22 -03:00
Justin Ibarra
46d5e37b76
min_stack all rules to 8.3 (#2259)
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00
TotalKnob
023fbc7bbd
[Rule Tuning] Clearing Windows Event Logs (#2233)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 21:41:30 -03:00
Mika Ayenson
dfef597794
[Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service (#2192)
2022-08-23 10:10:40 -04:00
Mika Ayenson
2204459e73
[Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172)
2022-08-23 09:59:43 -04:00
Mika Ayenson
2326b30a87
[Rule Tuning] Suspicious Browser Child Process (#2138)
2022-08-23 09:56:23 -04:00
Jonhnathan
c5ff8511a9
[Rule Tuning] Abnormal Process ID or Lock File Created (#2113)
* [Rule Tuning] Abnormal Process ID or Lock File Created
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update execution_abnormal_process_id_file_created.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-23 09:59:31 -03:00
Jonhnathan
6631c4927d
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#2240)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 09:43:09 -03:00
Jonhnathan
6e2d20362a
[Rule Tuning] Standardizing Risk Score according to Severity (#2242)
2022-08-21 22:29:39 -03:00
Samirbous
d3420e3386
[Deprecate Rule] Suspicious Process from Conhost (#2222)
Only FPs, with no way to tune other than opening the rule for easy evasion (by excluding by process.executable/args).
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:32:24 +02:00
Samirbous
8e0ae64a04
[Rule Tuning] Whoami Process Activity (#2224)
* added Whoami Process Activity
* Update discovery_whoami_command_activity.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:26:10 +02:00
Samirbous
0f7b29918c
[Rule Tuning] Suspicious Execution via Scheduled Task (#2235)
Excluding `?:\\ProgramData` and a few other noisy FP patterns by process.args + name to reduce users' alert fatigue.
2022-08-15 21:50:23 +02:00
Samirbous
b89d6185b2
[Rule Tuning] Reduce FPs (#2223)
9 rules tuned to exclude common noisy FP patterns.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-15 09:15:48 -05:00
Jonhnathan
fc7a384d19
[Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144)
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2
* update date
* Apply suggestions from review
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-08-08 21:34:05 -03:00
Mika Ayenson
d1bc53e295
[Rule Tuning] Persistence via Folder Action Script (#2174)
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:36:05 -04:00
Mika Ayenson
4f55e9b05f
[Rule Tuning] Potential Persistence via Login Hook (#2177)
* Exclude FPs for iMazing Profile Editor and backupd
2022-08-05 14:25:31 -04:00
Mika Ayenson
058f11f650
[Rule Tuning] Sublime Plugin or Application Script Modification (#2180)
* expand filter to sublime text contents
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:15:28 -04:00
TotalKnob
b043695833
Remove ambiguity from impact_modification_of_boot_config.toml (#2199)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-05 10:38:41 -03:00
Terrance DeJesus
a76c51ae17
[Deprecation rule] DNS Activity to the Internet (#2221)
2022-08-02 20:59:35 -05:00
Mika Ayenson
ecd10b672a
[Rule Tuning] Execution with Explicit Credentials via Scripting (#2190)
* add case sensitive Python process name and T1548
2022-08-02 14:21:00 -04:00
Mika Ayenson
d8e0c0fee3
[Rule Tuning] Suspicious Calendar File Modification (#2187)
* exclude fps for Mail.app
2022-08-02 14:06:57 -04:00
Samirbous
50bb821708
[Rules Tuning] Add support for Sysmon ImageLoad Events (#2215)
* [Rules Tuning] Add support for Sysmon ImageLoad Events
added correct event.category and event.action to rules using library events to support sysmon eventid 7.
`event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")`
`dll.name` --> `file.name`
* added Suspicious RDP ActiveX Client Loaded
* Delete workspace.xml
2022-08-02 18:40:26 +02:00
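Added example, not the project's code or query language: why the field mapping in the commit above widens what a library-load rule sees. An Elastic Endpoint DLL load arrives as event.category "library" with the module in dll.name, while a Sysmon Event ID 7 shipped through Winlogbeat's Sysmon module arrives as event.category "process" with event.action "Image loaded (rule: ImageLoad)" and the module in file.name. The predicate below accepts both shapes and is compared against the pre-tuning condition on three constructed events; the Endpoint event.action value "load", and mstscax.dll as the module the new Suspicious RDP ActiveX Client Loaded rule targets, are assumptions for illustration.

```python
"""Library-load predicate that accepts both Elastic Endpoint and Sysmon EID 7 events.
Added example; the sample events are constructed and flattened to ECS-style dotted keys."""


def is_image_load(ev):
    """Library-load event from either data source (the tuned condition)."""
    return ev.get("event.category") == "library" or (
        ev.get("event.category") == "process"
        and str(ev.get("event.action", "")).startswith("Image loaded")
    )


def loaded_module(ev):
    """Module name from whichever field the data source populated."""
    return (ev.get("dll.name") or ev.get("file.name") or "").lower()


def matches_old_condition(ev):
    """Pre-tuning shape: Endpoint-only, so Sysmon image loads are invisible."""
    return ev.get("event.category") == "library" and (ev.get("dll.name") or "").lower() == "mstscax.dll"


def matches_new_condition(ev):
    """Post-tuning shape: same module check over both event shapes."""
    return is_image_load(ev) and loaded_module(ev) == "mstscax.dll"


def coverage(events, condition):
    """Ids of the events a condition fires on."""
    return [ev["id"] for ev in events if condition(ev)]


# Constructed events. "ep1" is an Endpoint library event, "sm7" a Sysmon EID 7 image load,
# "sm1" a Sysmon EID 1 process create that mentions no module and must not match.
SAMPLE_EVENTS = [
    {"id": "ep1", "event.category": "library", "event.action": "load",
     "process.name": "mshta.exe", "dll.name": "mstscax.dll"},
    {"id": "sm7", "event.category": "process", "event.action": "Image loaded (rule: ImageLoad)",
     "event.code": "7", "process.name": "mshta.exe", "file.name": "mstscax.dll"},
    {"id": "sm1", "event.category": "process", "event.action": "Process Create (rule: ProcessCreate)",
     "event.code": "1", "process.name": "mstsc.exe"},
]

if __name__ == "__main__":
    print("old:", coverage(SAMPLE_EVENTS, matches_old_condition))  # ['ep1']
    print("new:", coverage(SAMPLE_EVENTS, matches_new_condition))  # ['ep1', 'sm7']
```

The prefix match on event.action is what keeps Sysmon EID 1 process-creation events out: they share event.category "process" with image loads, so a rule that only widened the category would start matching process starts that happen to carry a file.name.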
Samirbous
b15f0de9a4
[Rules Tuning] Diverse Windows Rules - FPs reduction (#2213)
* [Rules Tuning] 7 diverse Windows rules
Excluding FP patterns while avoiding breaking compatibility with winlogbeat and 4688 events, which lack codesign metadata.
* Update initial_access_suspicious_ms_exchange_process.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update execution_psexec_lateral_movement_command.toml
* Update persistence_remote_password_reset.toml
* Update non-ecs-schema.json
* Update persistence_remote_password_reset.toml
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
2022-08-02 18:37:07 +02:00
Samirbous
a046dc0d29
[Deprecate rule] Whitespace Padding in Process Command Line (#2218)
Very noisy and will require frequent tuning, with a very low TP rate.
2022-08-02 18:30:57 +02:00