Commit Graph

163 Commits

Author SHA1 Message Date
shashank-elastic e357a2c050 Refresh MITRE Attack v15.1.0 (#3725) 2024-06-04 20:14:58 +05:30
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)"
This reverts commit 71d2c59b5c.
2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Justin Ibarra ce21acef9c [Bug] Fix test_os_and_platform_in_query test and rules (#3695)
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2024-05-20 08:43:30 -07:00
Samirbous ec27bf8545 Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#3691) 2024-05-17 21:30:16 -07:00
Colson Wilhoit 1fb58e1b61 [Tuning] MacOS Comprehensive Detection Rule Tuning (#3435)
* Update to use new data source

* Exclude FPs

* Update logic

* Exclude FPs

* Update to match ER logic

* Exclude FP

* Update to match endpoint rule and reduce FPs

* Update logic to reduce FPs

* Update logic to reduce FPs

* Exclude FPs

* Update logic to remove FPs

* Update logic to reduce FPs

* Update logic and min stack version to reduce FPs

* Exclude FP

* Remove FPs

* Update logic and min stack to reduce FPs

* Exclude FPs

* Update logic and min stack to exclude FPs

* Update logic and min stack to exclude FPs

* Update logic to be more efficient

* Update logic

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/credential_access_credentials_keychains.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Fix

* Fix

* Fix

* Update min stack comments

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/discovery_users_domain_built_in_commands.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Remove field

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-05-11 12:52:18 -05:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308)
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-01-17 14:14:38 -05:00
shashank-elastic 7854081cc0 Setup Guide information for MacOS rules (#3274) 2023-11-22 20:18:22 +05:30
shashank-elastic a568c56bc1 Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 2023-10-30 16:53:04 +05:30
Colson Wilhoit 6400bb3237 [Tuning] Access to Stored Browser Credentials (#3066)
* Exclude FPs

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-10-27 15:10:09 -05:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002)
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823)
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-23 10:58:31 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725)
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-22 18:38:56 -03:00
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-05 11:41:19 -07:00
Isai 7df801f5c2 [Rule Tuning] Add missing techniques (#2482)
* tune for missing techniques

- added missing techniques to rules

* added same missing techniques to another rule

- updated_date for all files
- added missing techniques to a 3rd rule

* added T1057 technique

added T1057 technique for Process discovery
2023-02-10 15:07:19 -05:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistant and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-01-04 09:30:07 -05:00
Mika Ayenson be884a1cf3 [Rule Tuning] Screensaver Plist File Modified by Unexpected Process (#2413) 2022-12-22 10:27:10 -05:00
Justin Ibarra c1dd3c57ad Adds commands to manage ATT&CK mappings (#2343)
* add att&ck commands; fix 2 rule mappings

* update message to stdout

* updated date for rule changes

* unrelated click bug fix

* add type hinting
2022-11-01 13:14:40 -06:00
Terrance DeJesus b00de3e445 [Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
* added unit test for duplicate rule names

* adjusted macos file name and updated date values

* removed unit test and added assertion error in rule loader

* addressed flake errors

* addressed flake errors

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
2022-09-26 10:04:38 -04:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259)
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00
Mika Ayenson dfef597794 [Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service (#2192) 2022-08-23 10:10:40 -04:00
Mika Ayenson 2204459e73 [Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172) 2022-08-23 09:59:43 -04:00
Mika Ayenson 2326b30a87 [Rule Tuning] Suspicious Browser Child Process (#2138) 2022-08-23 09:56:23 -04:00
Jonhnathan 6e2d20362a [Rule Tuning] Standardizing Risk Score according to Severity (#2242) 2022-08-21 22:29:39 -03:00
Mika Ayenson d1bc53e295 [Rule Tuning] Persistence via Folder Action Script (#2174)
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:36:05 -04:00
Mika Ayenson 4f55e9b05f [Rule Tuning] Potential Persistence via Login Hook (#2177)
* Exclude FPs for iMazing Profile Editor and backupd
2022-08-05 14:25:31 -04:00
Mika Ayenson 058f11f650 [Rule Tuning] Sublime Plugin or Application Script Modification (#2180)
* expand filter to sublime text contents

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:15:28 -04:00
Mika Ayenson ecd10b672a [Rule Tuning] Execution with Explicit Credentials via Scripting (#2190)
* add case sensitive Python process name and T1548
2022-08-02 14:21:00 -04:00
Mika Ayenson d8e0c0fee3 [Rule Tuning] Suspicious Calendar File Modification (#2187)
* exclude fps for Mail.app
2022-08-02 14:06:57 -04:00
Colson Wilhoit 998afcf9c4 [Rule Tuning] MacOS Installer Package Net Event (#2193)
* [Rule Tuning] MacOS Installer Package Net Event

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update execution_installer_package_spawned_network_event.toml

just deleting a typo

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-07-28 15:16:10 -05:00
Mika Ayenson 3a557503d1 [Rule Tuning] Unexpected Child Process of macOS Screensaver Engine (#2184)
* add screensaver subtechnique
2022-07-27 14:49:22 -04:00
Mika Ayenson df670fac56 [Rule Tuning] Potential Microsoft Office Sandbox Evasion (#2123)
* filter run by macOS os type
2022-07-27 11:58:30 -04:00
Mika Ayenson fcc9cc9d8e fix typo in description (#2168) 2022-07-27 08:51:52 -04:00
Mika Ayenson cdafe17ffb [Rule Tuning] Authorization Plugin Modification (#2156)
* exclude files altered by shove processes
2022-07-27 08:34:23 -04:00
Mika Ayenson e6bab063dc [Rule Tuning] LaunchDaemon Creation or Modification and Immediate Loading (#2154)
* update query
2022-07-27 08:24:57 -04:00
Mika Ayenson b44714c83f filter Bitdefender FPs (#2109) 2022-07-25 10:12:30 -04:00
Mika Ayenson 286941cb8e [Rule Tuning] Attempt to Unload Elastic Endpoint Security Kernel Extension (#2134)
* add subtechnique T1547/006/
2022-07-23 11:22:27 -04:00
Mika Ayenson 1dc0fcec47 add CVE to tag (#2127)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-07-22 20:44:14 -04:00
Mika Ayenson f07c72254d update description (#2149) 2022-07-22 17:12:41 -04:00
Mika Ayenson b3334941f9 [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#2147)
* exclude jamf fp and add ssh subtechnique
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-07-22 17:10:09 -04:00
Mika Ayenson 84104773a6 exclude google drive FP (#2145) 2022-07-22 17:00:00 -04:00
Mika Ayenson 44ae72d054 [Rule Tuning] Suspicious Automator Workflows Execution (#2142)
* add subtechnique

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-07-22 16:50:45 -04:00
Mika Ayenson f176b5ef57 update tags to include C2 tactic (#2140) 2022-07-22 16:39:25 -04:00
Colson Wilhoit d6527afd51 [Rule Tuning] Remove File Quarantine Attribute (#2129) 2022-07-22 15:25:12 -05:00
Mika Ayenson 1e28385ea4 [Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#2136)
* fix parens and exclude parent process FPs and update description
2022-07-22 16:16:27 -04:00
Mika Ayenson d2be29b226 [Rule Tuning] Potential Privacy Control Bypass via TCCDB Modification (#2121)
* add exception for Bitdefender
2022-07-22 16:07:41 -04:00
Mika Ayenson cefb84ae15 [Rule Tuning] Modification of Environment Variable via Launchctl (#2119)
* add exception for vmoptions
2022-07-22 16:03:46 -04:00
Terrance DeJesus e8c39d19a7 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-07-22 14:30:34 -04:00