3ddbfdfbb1979a526186f89d852f9acca70bb81b
2 Commits
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 8993d1450b | [Rule Tuning] Add Supplemental Mitre Mappings (#5876) | |
| | 43d3f3b467 | [New] Endpoint Rule Conversion PR (#5658) | |

8993d1450b [Rule Tuning] Add Supplemental Mitre Mappings (#5876)

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>

43d3f3b467 [New] Endpoint Rule Conversion PR (#5658)

* update
* [New] Endpoint Rule Conversion PR
* fix: replace invalid rule_ids with valid UUIDs
* fix: remove malformed TOML in docker_outbound_connection rule
* fix: rename Security Software Discovery rule to avoid name collision
* fix: remove rule using unsupported 'as event' alias syntax
* fix: add timestamp_override, investigation guides, and fix MITRE mapping
  - Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
  - Added '## Triage and analysis' investigation guides to 19 high-severity rules
  - Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'
* Enhance investigation guides for 19 high-severity macOS SIEM rules

  Enhanced investigation guides to align with existing SIEM rule format:
  - Added detailed context paragraphs explaining the threat and detection logic
  - Expanded investigation steps to 6-7 items with specific field references
  - Enhanced false positive analysis with 4-5 items and exclusion guidance
  - Added comprehensive response and remediation steps (6-7 items)

  Rules enhanced:
  - Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
  - Persistence: shell_profile, hidden_plist, chromium_extension, startup_item, pkg_install_script, launch_agent_daemon
  - Execution: unusual_library_python
  - Lateral Movement: jamf_endpoint
  - Command and Control: google_calendar_c2, oast_domain, etherhiding, curl_from_app, curl_google_script, unsigned_binary
  - Collection: pbpaste, sensitive_file_compression
* Fix investigation guide tests: add Resources tag and fix OAST title
  - Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
  - Fixed OAST rule investigation guide title to match rule name exactly: 'Network Connection to OAST Domain via Script Interpreter'
* Remove duplicate detection_rules 2 folder from PR
* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule

  Changes:
  - Convert AWS S3 connection rule to ES|QL with aggregation
  - Consolidate Python + Node non-standard port rules into single script interpreter rule
  - Fix Gatekeeper rule to use correct gatekeeper_override event
  - Simplify Gatekeeper rule to single event per Samir's suggestion
  - Convert TCC access rule to ES|QL with COUNT_DISTINCT
  - Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
  - Add node to system/network config check rule

  Deleted duplicates (covered by existing cross-platform rules):
  - Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
  - Security software via grep (tuned cross-platform version instead)
  - VM fingerprinting via grep (duplicate of cross-platform version)
* fix: ESQL formatting and wildcard versioning patterns
  - Add Esql. prefix to computed fields in ESQL rules
  - Add KEEP statements to ESQL rules for proper field visibility
  - Add perl* wildcard to OAST domain rule for version consistency
  - Add ruby* wildcard to Etherhiding C2 rule for version consistency
  - Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)
* fix: remove duplicate Script Interpreter rule

  Delete command_and_control_suspicious_outbound_python_network.toml which is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml (same rule_id: aa1e007a-2997-4247-b048-dd9344742560)
* fix: add timestamp_override to Pbpaste and Gatekeeper rules
  - collection_pbpaste_execution_via_unusual_parent.toml
  - defense_evasion_gatekeeper_override_and_execution.toml

  EQL/KQL rules require timestamp_override: event.ingested
* fix: remove perl from Script Interpreter rule

  Perl is covered by the broader perl_outbound_network_connection rule which catches perl → any external IP (not just non-standard ports). Perl network connections on macOS are rare and inherently suspicious regardless of port.
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml

  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_manual_chromium_extension_loading.toml

  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_startup_item_plist_creation.toml

  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml

  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml

  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Fix ESQL syntax error in AWS S3 connection rule

  Remove trailing comma before BY clause in STATS command that caused a parsing_exception.

  Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>