Commit Graph

136 Commits

Author SHA1 Message Date
Mika Ayenson 3fa44d3065 [Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service (#2192)
(cherry picked from commit dfef597794)
2022-08-23 14:11:46 +00:00
Mika Ayenson bac094acfc [Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172)
(cherry picked from commit 2204459e73)
2022-08-23 14:00:45 +00:00
Mika Ayenson c20582493c [Rule Tuning] Suspicious Browser Child Process (#2138)
(cherry picked from commit 2326b30a87)
2022-08-23 13:57:23 +00:00
Jonhnathan a37494cd5b [Rule Tuning] Abnormal Process ID or Lock File Created (#2113)
* [Rule Tuning] Abnormal Process ID or Lock File Created

* Update rules/linux/execution_abnormal_process_id_file_created.toml

* Update execution_abnormal_process_id_file_created.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit c5ff8511a9)
2022-08-23 13:00:39 +00:00
Jonhnathan 3984f6e9cf [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#2240)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 6631c4927d)
2022-08-23 12:44:20 +00:00
Jonhnathan ad880bb7df [Rule Tuning] Standardizing Risk Score according to Severity (#2242)
(cherry picked from commit 6e2d20362a)
2022-08-22 01:30:44 +00:00
Samirbous 353fde10a0 [Deprecate Rule] Suspicious Process from Conhost (#2222)
Only FPs, with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit d3420e3386)
2022-08-16 14:33:36 +00:00
Samirbous 73834a3b08 [Rule Tuning] Whoami Process Activity (#2224)
* added Whoami Process Activity

* Update discovery_whoami_command_activity.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 8e0ae64a04)
2022-08-16 14:27:06 +00:00
Samirbous 0a6f9c6ddf [Rule Tuning] Suspicious Execution via Scheduled Task (#2235)
Excluding `?:\\ProgramData` and a few other noisy FP patterns by process.args + name to reduce users' alert fatigue.

(cherry picked from commit 0f7b29918c)
2022-08-15 19:51:18 +00:00
Samirbous 96fd9f86a2 [Rule Tuning] Reduce FPs (#2223)
9 rules tuned to exclude common noisy FP patterns.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

Removed changes from:
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit b89d6185b2)
2022-08-15 14:16:46 +00:00
Jonhnathan 9dabc6fc79 [Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144)
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2

* update date

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit fc7a384d19)
2022-08-09 00:35:02 +00:00
Mika Ayenson 7b0662289e [Rule Tuning] Persistence via Folder Action Script (#2174)
* Exclude FPs for iTerm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit d1bc53e295)
2022-08-05 18:37:02 +00:00
Mika Ayenson 9af8fb5ba4 [Rule Tuning] Potential Persistence via Login Hook (#2177)
* Exclude FPs for iMazing Profile Editor and backupd

(cherry picked from commit 4f55e9b05f)
2022-08-05 18:26:31 +00:00
Mika Ayenson 39ad3ba652 [Rule Tuning] Sublime Plugin or Application Script Modification (#2180)
* expand filter to Sublime Text contents

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 058f11f650)
2022-08-05 18:16:34 +00:00
TotalKnob c585aed3e2 Remove ambiguity from impact_modification_of_boot_config.toml (#2199)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit b043695833)
2022-08-05 13:39:39 +00:00
Terrance DeJesus 8bddaa5225 [Deprecation rule] DNS Activity to the Internet (#2221)
(cherry picked from commit a76c51ae17)
2022-08-03 02:01:16 +00:00
Mika Ayenson 18295488fc [Rule Tuning] Execution with Explicit Credentials via Scripting (#2190)
* add case-sensitive Python process name and T1548

(cherry picked from commit ecd10b672a)
2022-08-02 18:21:59 +00:00
Mika Ayenson 45a5981598 [Rule Tuning] Suspicious Calendar File Modification (#2187)
* exclude fps for Mail.app

(cherry picked from commit d8e0c0fee3)
2022-08-02 18:08:24 +00:00
Samirbous 979ca1dfab [Rules Tuning] Add support for Sysmon ImageLoad Events (#2215)
* [Rules Tuning] Add support for Sysmon ImageLoad Events

added correct event.category and event.action to rules using library events to support Sysmon Event ID 7.

`event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")`

`dll.name` --> `file.name`

* added Suspicious RDP ActiveX Client Loaded

* Delete workspace.xml

(cherry picked from commit 50bb821708)
2022-08-02 16:41:40 +00:00
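The field mapping in the commit above (endpoint `library` events versus Sysmon Event ID 7 shipped as `event.category: process` with `event.action: "Image loaded*"`, and `dll.name` versus `file.name`) can be checked outside Kibana. The following is an added example, not code from the detection-rules repository, that evaluates a toy DLL-load condition over constructed sample events in a simplified ECS shape; the process and module names are placeholders and the real rules' queries are not reproduced.

```python
"""Added example (not from elastic/detection-rules): how a DLL-load condition
behaves against Elastic Endpoint 'library' events versus Sysmon Event ID 7
('Image loaded') events, following the mapping in the commit message:
  event.category == "library" -> event.category == "process" and
                                  event.action : "Image loaded*"
  dll.name                    -> file.name
All events are constructed samples in a simplified ECS shape."""
from typing import Optional

ENDPOINT_LIBRARY_EVENT = {
    "event": {"category": ["library"], "action": "load"},
    "process": {"name": "mstsc.exe"},
    "dll": {"name": "mstscax.dll"},
}

# Sysmon Event ID 7 as shipped by winlogbeat / the Sysmon integration:
# event.category is "process" and the loaded module lands under file.*.
SYSMON_IMAGE_LOADED_EVENT = {
    "event": {"category": ["process"], "action": "Image loaded (rule: ImageLoad)", "code": "7"},
    "process": {"name": "mstsc.exe"},
    "file": {"name": "mstscax.dll"},
}

# Sysmon Event ID 1 shares event.category "process" but is not a module load;
# it must not satisfy the widened condition.
SYSMON_PROCESS_CREATE_EVENT = {
    "event": {"category": ["process"], "action": "Process Create (rule: ProcessCreate)", "code": "1"},
    "process": {"name": "mstsc.exe"},
}


def is_image_load_old(event: dict) -> bool:
    """Condition before the change: only endpoint library events qualify."""
    return "library" in event["event"]["category"]


def is_image_load(event: dict) -> bool:
    """Condition after the change. The EQL wildcard `event.action : "Image loaded*"`
    is a case-insensitive match, so compare lower-cased prefixes."""
    category = event["event"]["category"]
    action = event["event"].get("action", "")
    sysmon_load = "process" in category and action.lower().startswith("image loaded")
    return "library" in category or sysmon_load


def loaded_module_name(event: dict) -> Optional[str]:
    """dll.name on endpoint events, file.name on Sysmon events."""
    return event.get("dll", {}).get("name") or event.get("file", {}).get("name")


def module_loaded_by(event: dict, process_name: str, module_name: str) -> bool:
    """Toy rule body '<process> loads <module>', evaluated over either source."""
    if not is_image_load(event):
        return False
    proc = event.get("process", {}).get("name", "")
    mod = loaded_module_name(event) or ""
    return proc.lower() == process_name.lower() and mod.lower() == module_name.lower()


if __name__ == "__main__":
    for label, ev in [("endpoint", ENDPOINT_LIBRARY_EVENT),
                      ("sysmon-7", SYSMON_IMAGE_LOADED_EVENT),
                      ("sysmon-1", SYSMON_PROCESS_CREATE_EVENT)]:
        print(label, "old:", is_image_load_old(ev), "new:", is_image_load(ev),
              "match:", module_loaded_by(ev, "mstsc.exe", "mstscax.dll"))
```

The point to take from the sample events is that widening `event.category` to `process` is only safe because `event.action` is constrained at the same time; without the `Image loaded*` clause, Sysmon process-creation events would satisfy the category check too.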
Samirbous ad1e7fbde9 [Rules Tuning] Diverse Windows Rules - FPs reduction (#2213)
* [Rules Tuning] 7 diverse Windows rules

Excluding FP patterns while avoiding breaking compatibility with winlogbeat and 4688 events' lack of code-signing metadata.

* Update initial_access_suspicious_ms_exchange_process.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update execution_psexec_lateral_movement_command.toml

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml

Removed changes from:
- rules/windows/credential_access_lsass_memdump_file_created.toml

(selectively cherry picked from commit b15f0de9a4)
2022-08-02 16:38:59 +00:00
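The compatibility constraint named in the commit above (exclusions must still work on winlogbeat Security 4688 events, which carry no code-signing metadata) is easy to get wrong. The following is an added example, not code from the detection-rules repository, that evaluates two styles of FP exclusion over constructed sample events: one keyed on `process.code_signature.*`, which cannot be evaluated on 4688 events, and one keyed on `process.executable` and `process.args`, which both sources populate. The vendor path, signer name and argument are placeholders.

```python
"""Added example (not from elastic/detection-rules): why FP exclusions in rules
that must run on both Elastic Endpoint and winlogbeat 4688 events are keyed on
process.executable / process.args rather than code-signing fields.
Events are constructed samples in a simplified ECS shape."""
from typing import Any, Callable, Optional


def field(event: dict, dotted: str) -> Any:
    """Resolve a dotted ECS field name; None when any segment is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


ENDPOINT_EVENT = {
    "event": {"category": ["process"], "type": ["start"], "dataset": "endpoint.events.process"},
    "process": {
        "executable": "C:\\Program Files\\Vendor\\updater.exe",
        "args": ["C:\\Program Files\\Vendor\\updater.exe", "/silent"],
        "code_signature": {"subject_name": "Vendor Corp", "trusted": True},
    },
}

# Same benign process seen through Security event 4688: no code_signature.* at all.
WINLOG_4688_EVENT = {
    "event": {"category": ["process"], "type": ["start"], "code": "4688",
              "provider": "Microsoft-Windows-Security-Auditing"},
    "process": {
        "executable": "C:\\Program Files\\Vendor\\updater.exe",
        "args": ["C:\\Program Files\\Vendor\\updater.exe", "/silent"],
    },
}

# A look-alike from a user-writable path, also via 4688; it should still fire.
SUSPICIOUS_4688_EVENT = {
    "event": {"category": ["process"], "type": ["start"], "code": "4688",
              "provider": "Microsoft-Windows-Security-Auditing"},
    "process": {
        "executable": "C:\\Users\\Public\\updater.exe",
        "args": ["C:\\Users\\Public\\updater.exe", "/silent"],
    },
}


def excluded_by_signature(event: dict) -> Optional[bool]:
    """Exclusion on signer identity. Returns None when the event carries no
    signature metadata: the clause cannot be evaluated on that source."""
    trusted = field(event, "process.code_signature.trusted")
    subject = field(event, "process.code_signature.subject_name")
    if trusted is None and subject is None:
        return None
    return bool(trusted) and subject == "Vendor Corp"


def excluded_by_executable(event: dict) -> bool:
    """Exclusion on fields both endpoint and 4688 events populate."""
    exe = (field(event, "process.executable") or "").lower()
    args = [a.lower() for a in (field(event, "process.args") or [])]
    return exe == "c:\\program files\\vendor\\updater.exe" and "/silent" in args


def rule_fires(event: dict, exclusion: Callable[[dict], Optional[bool]]) -> bool:
    """Toy rule: any process start not covered by the exclusion. A None
    (non-evaluable) exclusion counts as 'not excluded', which is the failure mode."""
    return "start" in (field(event, "event.type") or []) and not exclusion(event)


def compare(event: dict) -> dict:
    return {
        "signature_exclusion": excluded_by_signature(event),
        "fires_with_signature_exclusion": rule_fires(event, excluded_by_signature),
        "fires_with_executable_exclusion": rule_fires(event, excluded_by_executable),
    }


if __name__ == "__main__":
    for label, ev in [("endpoint", ENDPOINT_EVENT), ("4688-benign", WINLOG_4688_EVENT),
                      ("4688-suspicious", SUSPICIOUS_4688_EVENT)]:
        print(label, compare(ev))
```

Run over the three samples, the signature-based exclusion silences the endpoint copy of the benign updater but not its 4688 copy, so the rule would keep alerting on every 4688 host; the path-and-args exclusion silences both copies and still lets the user-writable look-alike through. The trade-off the deprecation commits on this page describe is visible here too: an exclusion keyed on a path is something an attacker can match, so it is worth keeping exclusions as narrow as the field set allows.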
Samirbous 7585d6264d [Deprecate rule] Whitespace Padding in Process Command Line (#2218)
Very noisy and will require frequent tuning, with a very low TP rate.

(cherry picked from commit a046dc0d29)
2022-08-02 16:32:01 +00:00
Samirbous 08f2e9003f [Deprecate Rule] File and Directory Discovery (#2217)
* [Deprecate Rule] File and Directory Discovery

Very noisy and most, if not all, are FPs; little room for tuning without rendering the rule easy to bypass.

* Delete workspace.xml

(cherry picked from commit e5ee8e024f)
2022-08-02 15:58:37 +00:00
shashank-elastic 72fc1e4231 Rule tuning as part of Linux Detection Rules Review (#2210)
(cherry picked from commit 19d9a7eb87)
2022-08-02 12:17:59 +00:00
Samirbous 8126bde72c [Rule Tuning] Suspicious Process Creation CallTrace (#2207)
Excluding some FPs by process.parent.executable and process.parent.args.

(cherry picked from commit 04dcf09c03)
2022-08-01 17:01:08 +00:00
Samirbous 777584bbc2 [Rule Tuning] Unusual Service Host Child Process - Childless Service (#2208)
Excluding some noisy unique processes.

(cherry picked from commit 1f21c5c57f)
2022-08-01 16:41:46 +00:00
Samirbous 2fe7336f2b [Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209)
* [Deprecated Rule] Potential Privilege Escalation via Local Kerberos Relay over LDAP

FPs in certain cases with no room for tuning.

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 8d34416049)
2022-08-01 16:29:46 +00:00
Samirbous 84121d910e [Rule Tuning] Suspicious Process Access via Direct System Call (#2204)
Excluding some FPs by calltrace.

(cherry picked from commit a22fef8723)
2022-08-01 16:17:07 +00:00
Samirbous ccad691b30 [Rule Tuning] Remotely Started Services via RPC (#2211)
* [Rule Tuning] Remotely Started Services via RPC

Excluding noisy FPs by process.executable to be compatible with winlog and endpoint.

* Update lateral_movement_remote_services.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 6f69695820)
2022-08-01 16:12:14 +00:00
Samirbous 38e9b64fd6 [Rule Tuning] Process Termination followed by Deletion (#2206)
Excluded some FPs by process.executable and file.path.

(cherry picked from commit 91896db453)
2022-08-01 16:02:39 +00:00
Samirbous 475d67f1e8 [Rule Tuning] Potential Remote Credential Access via Registry (#2203)
* [Rule Tuning] Potential Remote Credential Access via Registry

Excluding some noisy FPs by file.path (user and machine hives' standard paths) and event.action (scoped to logged-in).

* Update credential_access_remote_sam_secretsdump.toml

(cherry picked from commit 049fbf7979)
2022-08-01 15:50:38 +00:00
Samirbous 0dfae46dcc [Rule Tuning] Kerberos Traffic from Unusual Process (#2202)
Excluding a couple of FPs by process.executable to reduce the FP rate.

(cherry picked from commit 527507835f)
2022-07-29 20:28:55 +00:00
Isai 5b183e66fa [Rule Tuning] Persistence via Update Orchestrator Service Hijack (#2195)
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack

I changed the query to exclude FPs for safe executables found in telemetry: MoUsoCoreWorker.exe and OfficeC2RClient.exe. Changed the query type to KQL to account for the wildcard needed to capture 2 of the executable paths found in telemetry. I'm open to changing back to EQL with suggestions.

* Update persistence_via_update_orchestrator_service_hijack.toml

revert back to EQL

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 386a8202c0)
2022-07-29 20:12:27 +00:00
Samirbous 044b5a2c61 [Rule Tuning] Modification of WDigest Security Provider (#2201)
Excluding svchost.exe running as SYSTEM (main source of FPs for this use case).

(cherry picked from commit 6d61a68c29)
2022-07-29 17:46:25 +00:00
shashank-elastic 6dfbcb61eb Rule(s) to identify potential mining activities (#2185)
(cherry picked from commit b2b5c170dd)
2022-07-29 17:31:28 +00:00
shashank-elastic 40529e9150 Rule tuning as part of Linux Detection Rules Review (#2170)
(cherry picked from commit 8afded11e7)
2022-07-29 16:26:57 +00:00
Colson Wilhoit fcf7a23401 [Rule Tuning] MacOS Installer Package Net Event (#2193)
* [Rule Tuning] MacOS Installer Package Net Event

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update execution_installer_package_spawned_network_event.toml

just deleting a typo

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

(cherry picked from commit 998afcf9c4)
2022-07-28 20:17:14 +00:00
Mika Ayenson b67ffd413a [Rule Tuning] Unexpected Child Process of macOS Screensaver Engine (#2184)
* add screensaver subtechnique

(cherry picked from commit 3a557503d1)
2022-07-27 18:50:26 +00:00
Jonhnathan 7a2d7237b6 [Security Content] Add Investigation Guides - Cloud - 3 (#2132)
* [Security Content] Add Investigation Guides - Cloud - 3

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml

* update dates

* Apply suggestions from review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Removed changes from:
- rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml

(selectively cherry picked from commit 91c00fd442)
2022-07-27 18:41:05 +00:00
Mika Ayenson 6a7b78f14c [Rule Tuning] Potential Microsoft Office Sandbox Evasion (#2123)
* filter run by macOS os type

(cherry picked from commit df670fac56)
2022-07-27 15:59:43 +00:00
Mika Ayenson 4534f04c0c fix typo in description (#2168)
(cherry picked from commit fcc9cc9d8e)
2022-07-27 12:52:56 +00:00
Mika Ayenson e11739383d [Rule Tuning] Authorization Plugin Modification (#2156)
* exclude files altered by shove processes

(cherry picked from commit cdafe17ffb)
2022-07-27 12:35:20 +00:00
Mika Ayenson 1fdfadbb7e [Rule Tuning] LaunchDaemon Creation or Modification and Immediate Loading (#2154)
* update query

(cherry picked from commit e6bab063dc)
2022-07-27 12:26:06 +00:00
shashank-elastic 8d4606d0dc Rule(s) deprecation as part of Linux Detection Rule Review (#2163)
(cherry picked from commit e9267e544c)
2022-07-26 13:19:25 +00:00
Colson Wilhoit 883607488a [New Rule] File made Immutable by Chattr (#2161)
* [New Rule] File made Immutable by Chattr

* Update rules/linux/defense_evasion_chattr_immutable_file.toml

(cherry picked from commit c222d4528d)
2022-07-25 18:12:55 +00:00
Colson Wilhoit a138a1f2a2 [New Rule] Chkconfig Service Add (#2159)
* [New Rule] Chkconfig Service Add

* Update rules/linux/persistence_chkconfig_service_add.toml

(cherry picked from commit 146f59f4bd)
2022-07-25 16:44:01 +00:00
Mika Ayenson a06662f91a filter Bitdefender FPs (#2109)
(cherry picked from commit b44714c83f)
2022-07-25 14:13:36 +00:00
Colson Wilhoit d988fcb0de [New Rule] Suspicious Etc File Creation (#2160)
* [New Rule] Suspicious Etc File Creation

* Update rules/linux/persistence_etc_file_creation.toml

* Update MITRE syntax

* Update rules/linux/persistence_etc_file_creation.toml

* Update rules/linux/persistence_etc_file_creation.toml

* Update rules/linux/persistence_etc_file_creation.toml

(cherry picked from commit 1746897359)
2022-07-25 13:49:28 +00:00
Mika Ayenson cbfa323c34 [Rule Tuning] Attempt to Unload Elastic Endpoint Security Kernel Extension (#2134)
* add subtechnique T1547/006/

(cherry picked from commit 286941cb8e)
2022-07-23 15:23:38 +00:00
Mika Ayenson f8a53b50b7 add CVE to tag (#2127)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 1dc0fcec47)
2022-07-23 00:45:21 +00:00
Mika Ayenson cf1cdb1791 update description (#2149)
(cherry picked from commit f07c72254d)
2022-07-22 21:13:40 +00:00