security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
642 Commits 1 Branch 0 Tags
31e8d03438490f8976de3aa34eef57793d07c23e
Commit Graph

642 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Brent Murphy 31e8d03438 [New Rule] Suspicious Execution from a Mounted Device (#1230) 
* Create defense_evasion_suspicious_execution_from_mounted_device.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-05-28 14:44:07 -04:00
Ross Wolf b0270d059f Add a command to create a Kibana PR (#1208) 
* Add a command to create a Kibana PR
* Reformat code
* Fix docstring whitespace
* Make a hidden token prompt
* Fix E501
 2021-05-17 14:57:21 -06:00
Austin Songer 58ea49b092 [Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts (#1200) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-05-14 15:52:02 -04:00
Ross Wolf a940c10ead Update backport.yml (#1205) 2021-05-13 16:54:52 -06:00
Ross Wolf eb40c52c7c Port historical schemas to jsonschema (#1084) 
* Port historical schemas to jsonschema
* Add marshmallow-json dependency
* Mark etc/api_schemas as binary
* Remove gitattributes attempt
* Lint fix
* Apply PR feedback
* Additional PR feedback
* Extract stack version from packages.yml
* Fix the backport schemas
* Cache the schema reads
* Add migration for #1167
* Make a separate 'migration not found' error
 2021-05-13 14:27:32 -06:00
Brent Murphy e40276c12b [Bug] Update main.py to fix toml-lint (#1202) 2021-05-13 09:43:13 -06:00
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194) 
* standardize usage of note field
 2021-05-10 13:40:56 -08:00
Ross Wolf 60f5168f07 Retrieve branch history of main in backport job 2021-05-06 23:12:57 -06:00
Ross Wolf 700c63d7d5 Disable persist-credentials from checkout job (#1187) 
* Disable persist-credentials from checkout job
* Set the token at the checkout stage
 2021-05-06 22:58:31 -06:00
Ross Wolf a33e943591 Use @protectionsmachine to push backports (#1186) 2021-05-06 22:26:30 -06:00
Ross Wolf f3f344018b Fix backport job webhook + push (#1185) 2021-05-06 21:32:40 -06:00
Ross Wolf 2ceb5b52c9 Add job for 'backport: auto' labeled PRs (#1174) 
* Add job for 'backport: auto' labeled PRs

* Limit the job to sequential only

* Fix delayed labels and use the right commit

* Add slack webhook integration
 2021-05-06 20:03:05 -06:00
Justin Ibarra 1fb0b6726e Fix rule filenames during packaging (#1158) 2021-05-05 11:27:04 -08:00
Justin Ibarra 3d7f5d73a4 Allow ML rules to accept a single or array of job IDs (#1167) 2021-05-05 11:12:12 -08:00
Justin Ibarra 7040538a9a bump packages version to 7.14 2021-04-30 11:32:18 -08:00
Justin Ibarra 82ec6ac1ee Convert windows rules from KQL to EQL (#1114) 2021-04-30 11:21:12 -08:00
Andrew Pease 92eaa5b18a [New Rule] Threat intel indicator match rule (#1133) 2021-04-26 07:07:04 -05:00
Austin Songer 8362578492 [Rule Tuning] AWS IAM Deactivation of MFA Device (#1132) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-23 14:52:54 -04:00
Justin Ibarra a0a3143a52 Refresh beats and ecs schemas (#1140) 
* download new beats and ecs schemas
* add beats download func by version and download v7.11.2
 2021-04-22 09:49:06 -08:00
Ross Wolf 8d8bcfbc42 Add wildcard field support to KQL (#1139) 2021-04-22 11:15:38 -06:00
Justin Ibarra cabe9239c0 Add threat_match rule type (#1138) 2021-04-22 09:03:57 -08:00
Ross Wolf 8789dd7c90 Separate out query validation from the class hierarchy (#1136) 
* Separate out query validation from the class hierarchy
* Rename to *RuleData for consistency
* Apply suggestions from code review
* Fix lint error
 2021-04-21 14:55:26 -06:00
Brent Murphy ff45539369 [Deprecation] Deprecate inherently noisy rules based on testing (#1122) 
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-04-21 15:10:06 -04:00
Justin Ibarra e656a984b3 Update threshold rule schema to disallow empty field string (#1099) 2021-04-15 16:22:45 -06:00
Ross Wolf 791c911b9e Merge branch '7.12' into main 2021-04-15 16:17:59 -06:00
Ross Wolf 5669988e0b Remove unnecessary required=False check 2021-04-15 16:16:42 -06:00
Samirbous 0400dc207a [Deprecation] Process Discovery via Tasklist (#1116) 
* [Deprecation] Process Discovery via Tasklist

* deprecation_date

* update date

* Update rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-15 22:18:56 +02:00
Samirbous e323084433 [Deprecation] Trusted Developer Application Usage (#1118) 
* [Deprecation] Trusted Developer Application Usage

* update date
 2021-04-15 22:15:38 +02:00
Samirbous 170b87097d [New Rule] Potential Protocol Tunneling via EarthWorm (#1094) 
* [New Rule] Potential Protocol Tunneling via EarthWorm

* fixed tactic ID

* fixed rule_id

* tactic case sensitive

* tags

* Update rules/linux/command_and_control_tunneling_via_earthworm.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-15 10:17:56 +02:00
Justin Ibarra b0f449339d add branch_name option to kibana-commit command 2021-04-14 21:16:09 -08:00
Justin Ibarra dbd2874b4f [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files (#1026) 
* [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files
* revise note with information from microsoft
* add Exchange Server to paths
* replaced process.parent.name with process.name and C drive with ?

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2021-04-14 20:24:44 -08:00
Ross Wolf 9bbb122d20 Update the prebuilt rule link 2021-04-14 22:02:46 -06:00
Samirbous 8f78afb8e5 [Rule Tuning] Windows Suspicious Script Object Execution (#1081) 
* [Rule Tuning] Windows Suspicious Script Object Execution

* renamed rule in version.lock.json

* adjusted codesig check

* added 1 exclusion

* update date

* added cmd to exclusion as per EG telem

* removed changes to version.lock.json

* restored comment for code sig to support winlogbeat

* Revert "removed changes to version.lock.json"

This reverts commit 62794be02486b668ae5f25e5613f18b292342377.

* restored rule name in version.lock

* fixed typo

* removed winlogbeat index

* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 23:54:39 +02:00
Brent Murphy c1fd3b3374 [Rule Tuning] AWS Config Service Tampering (#1108) 
* Update defense_evasion_config_service_rule_deletion.toml
 2021-04-14 17:13:27 -04:00
Brent Murphy 4a46b2f03b Create collection_microsoft_365_new_inbox_rule.toml (#1068) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-04-14 17:06:39 -04:00
Samirbous 7408133f79 [New Rule] Potential Remote Desktop Shadowing Activity (#1101) 
* [New Rule] Potential Remote Desktop Shadowing Activity

* added event.ingested

* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 22:09:49 +02:00
dstepanic17 66dff28498 [Rule Tuning] Public IP Reconnaissance Activity (#1091) 
* Delete discovery_post_exploitation_public_ip_reconnaissance.toml

* Updated ip lookup rule

* Modified index field

* Update discovery_post_exploitation_external_ip_lookup.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

* Update rules/windows/discovery_post_exploitation_external_ip_lookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 09:58:00 -05:00
Brent Murphy c64e700c56 [Rule Tuning] Update Cloud Rule Syntax (#1061) 
* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 10:49:28 -04:00
Samirbous 00923dcde1 [Rule Tuning] Setuid / Setgid Bit Set via chmod (#1032) 
* [Rule Tuning] Setuid / Setgid Bit Set via chmod

* update date

* Update rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 16:41:37 +02:00
Samirbous 2926e98c5d [Rule Tuning] Startup or Run Key Registry Modification (#1086) 
* [Rule Tuning] Startup or Run Key Registry Modification

* update date

* Update rules/windows/persistence_run_key_and_startup_broad.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 16:38:00 +02:00
Samirbous 1354d8059c [New Rule] Network Logon Providers Registry Modification (#1053) 
* [New Rule] Network Logon Providers Registry Modification

* fix mitre filename mapping error

* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 16:31:46 +02:00
Samirbous dc774517bf [New Rule] Persistence via Scheduled Job Creation (#1038) 
* [New Rule] Persistence via Scheduled Job Creation

* Update rules/windows/persistence_local_scheduled_job_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_local_scheduled_job_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 16:15:54 +02:00
Samirbous 731d2b2a54 [Rule Tuning] Unusual Persistence via Services Registry (#1077) 
* [Rule Tuning] Unusual Persistence via Services Registry

* update date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 16:09:46 +02:00
Justin Ibarra 462fab3ff8 Update threshold rule schema to disallow empty field string (#1098) 
* Update threshold rule schema to disallow empty field string
* lock versions for rule changes
 2021-04-14 04:56:38 -08:00
Samirbous dd4bc3e57e [Rule Tuning] Connection to Commonly Abused Web Services (#1079) 
* [Rule Tuning] Connection to Commonly Abused Web Services

* adjusted 1 exclusion

* update date

* added 3 dns.names as suggested by Daniel

* added requestbin.net used for DNS tunneling by APT34
 2021-04-14 00:53:27 +02:00
Samirbous 0fe09aaed5 [New Rule] NullSessionPipe Registry Modification (#1058) 
* [New Rule] NullSessionPipe Registry Modification

* Update lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml

* Update rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 00:50:31 +02:00
Samirbous 0ba469dbe4 [Rule Tuning] Modification of Standard Authentication Module or Confi… (#1056) 
* [Rule Tuning] Modification of Standard Authentication Module or Configuration

* update date
 2021-04-14 00:36:38 +02:00
Samirbous 0669e9be00 [New Rule] Suspicious Startup Shell Folder Modification (#1042) 
* [New Rule] Suspicious Startup Shell Folder Modification

* Update rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 00:33:54 +02:00
Samirbous f2bc0c685d [Rule Tuning] Suspicious Explorer Child Process (#1035) 
* [Rule Tuning] Suspicious Explorer Child Process

* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 00:10:29 +02:00
Samirbous 0cc0e3d31f [New Rule] Persistence via BITS Job Notify Cmdline (#1096) 
* [New Rule] Persistence via BITS Job Notify Cmdline

* changed severity and added 1 exclusion

* Update rules/windows/persistence_via_bits_job_notify_command.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-13 23:25:30 +02:00