Commit Graph

1648 Commits

Author SHA1 Message Date
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002)
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00
Ruben Groenewoud 6115a68aba [Rule Tuning] Small Linux DR Tuning (#3074)
* [Rule tuning] Addressing community issue

* Changed title

* Changed IG title
2023-09-05 14:20:57 +02:00
Mika Ayenson 811d1b7727 label bbr rules (#3067) 2023-08-31 17:00:16 -05:00
Ruben Groenewoud 3c64b454fb [New Rule] Sus User Privilege Enumeration via id (#3049) 2023-08-31 18:13:42 +02:00
Jonhnathan fdd45148b8 [New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015)
* [New Rule] WRITEDAC Access on Active Directory Object

* Update defense_evasion_write_dac_access.toml

* Fix Setup Instructions

* Update defense_evasion_write_dac_access.toml

* Update rules_building_block/defense_evasion_write_dac_access.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-08-31 12:59:02 -03:00
Ruben Groenewoud f7d8d4752a [New Rules] GDB Secret Dumping (#3060)
* [New Rules] GDB Secret Dumping

* Added references to BBR

* Update rules/linux/credential_access_gdb_init_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 17:41:22 +02:00
Ruben Groenewoud b6ed215958 [New Rule] File Creation, Exec and Self-Deletion (#3045)
* [New Rule] File Creation, Exec and Self-Deletion

* Update execution_file_execution_followed_by_deletion.toml

* Update execution_file_execution_followed_by_deletion.toml

* Update execution_file_execution_followed_by_deletion.toml

* Update execution_file_execution_followed_by_deletion.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-08-31 17:32:17 +02:00
Ruben Groenewoud 3588600d57 [Rule Tuning] 3 tunings to reduce FPs (#3058)
* [Rule Tuning] 2 tunings to reduce FPs back to 0

* Added one more tune for community issue #3041

* Update rules/linux/execution_abnormal_process_id_file_created.toml

* Update rules/linux/execution_abnormal_process_id_file_created.toml
2023-08-31 17:16:57 +02:00
Ruben Groenewoud 2eaaf27f1e [New Rule] Potential Disabling of AppArmor (#3046)
* [New Rule] Potential Disabling of AppArmor

* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml

* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 17:06:15 +02:00
Ruben Groenewoud 04d1c3cd5b [New BBR] Suspicious which Enumeration (#3059) 2023-08-31 13:55:56 +02:00
Ruben Groenewoud d838a3352f [New Rule] Binary Copied and/or Moved to Suspicious Directory (#3048)
* [New Rule] Binary Copied and/or Moved to sus dir

* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 13:46:41 +02:00
Ruben Groenewoud a5b5d513af [New Rule] Potential Sudo Privilege Escalation via CVE-2019-14287 (#3057)
* [New Rule] Sudo PE via CVE-2019-14287

* Added Elastic Defend Data Source tag

* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml

* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 13:11:34 +02:00
Jonhnathan c89b722a34 [New Rule] Suspicious Communication App Child Process (#2998)
* [New Rule] Suspicious Communication App Child Process

* Update defense_evasion_communication_apps_suspicious_child_process.toml

* Update rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-31 07:33:16 -03:00
Ruben Groenewoud a395f54054 [New Rules] sus program compilation activity (#3043) 2023-08-31 09:30:56 +02:00
Jonhnathan a7a22a0917 [New Rule] Potential Masquerading as VLC DLL (#3006)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-30 17:45:45 -03:00
Ruben Groenewoud 32abdb95f7 [New Rules] Linux Tunneling and Port Forwarding (#3028)
* Removed iodine rule due to new tunneling rule

* [New Rules] Linux Tunneling and Port Forwarding

* added ash

* Fixed description styling

* Changed rule name

* Update command_and_control_linux_suspicious_proxychains_activity.toml

* Added deprecation note & name change

* Changed deprecation status

* Removed deprecation date

* Fixed unit testing

* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-30 22:12:19 +02:00
Eric 41a7a36817 Tune rule for new DLL written to Windows Servicing (#3062) 2023-08-30 13:51:23 -03:00
Jonhnathan 6d7df50d78 [New Rule] Suspicious WMI Event Subscription Created (#1860)
* Suspicious WMI Event Subscription Initial rule

* Use EQL sequence

* Update non-ecs-schema

* Update persistence_sysmon_wmi_event_subscription.toml

* update description

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* update query to look for event code 21 only

* update to case sensitive compare

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-08-29 16:42:19 -03:00
Jonhnathan 7004c99ef5 [New Rule] Unusual Process For MSSQL Service Accounts (#3040)
* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-08-29 09:10:25 -03:00
Jonhnathan 0e337e2c36 [New Rule] New BBR Rules - Part 4 (#3035)
* [New Rule] New BBR Rules - Part 4

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-08-29 08:49:22 -03:00
Jonhnathan 9f213cc9f7 [New Rule] Potential Masquerading as Browser Process (#2995)
* [New Rule] Potential Masquerading as Browser Process

* Update rules_building_block/defense_evasion_masquerading_browsers.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_masquerading_browsers.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-08-28 13:28:26 -03:00
Samirbous 22931d6afb Update credential_access_lsass_openprocess_api.toml (#3047) 2023-08-28 16:22:08 +01:00
Jonhnathan 7496c5cb68 [New Rule] Potential Masquerading as Windows System32 DLL (#3021)
* [New Rule] Potential Masquerading as Windows System32 DLL

* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Restrict logic

* Update defense_evasion_masquerading_windows_dll.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-08-28 08:31:20 -03:00
Jonhnathan ffa60f2d03 [New Rule] Network-Level Authentication (NLA) Disabled (#3039)
* [New Rule] Network-Level Authentication (NLA) Disabled

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-08-28 08:05:21 -03:00
Jonhnathan de32287889 [Rule Tuning] High Number of Process and/or Service Terminations (#2940) 2023-08-25 19:19:25 -03:00
shashank-elastic d21ed24e4f BBR Rules Addition (#3027) 2023-08-25 19:10:12 +05:30
Ruben Groenewoud a1716bd673 [Rule Tuning] Several rule tunings (#3024)
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on today's telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-25 14:03:29 +02:00
Eric 17d0e5cda8 [Rule Tuning] Threat Intel Hash Indicator Match (#3031)
* Remove impash matches due to rate of false positives

* Update rules/cross-platform/threat_intel_indicator_match_hash.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-08-25 06:21:16 -03:00
Jonhnathan 17f6537e44 [Rule Tuning] Windows BBR Rules (#3018)
* [Rule Tuning] Windows BBR Rules

* Update discovery_generic_process_discovery.toml
2023-08-25 05:21:16 -03:00
Jonhnathan 460919a9d7 [Rule Tuning] Compression DLL Loaded by Unusual Process (#3017) 2023-08-25 05:08:36 -03:00
Mika Ayenson 5bb5994c6f [Bug] Fix RTA Metadata (#3036) 2023-08-24 11:12:16 -05:00
Mika Ayenson c72ec4da90 [Bug] Set session cookie key to sid (#3010) 2023-08-22 16:02:20 -05:00
Apoorva Joshi 9482bda414 Adding related integrations to ML rules (#2972)
* Adding related integrations to ML rules

* added adjustments to determine related integrations for ML rules

* fixed lint errors

* Empty commit

* Empty commit

* Empty commit

---------

Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box>
2023-08-22 14:39:18 -04:00
Terrance DeJesus 2ddcf7817e [Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing (#3025)
* adding tuning to ignore windows update

* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-22 13:04:25 -04:00
Jonhnathan 0c3b251208 [Rule Tuning] PowerShell Keylogging Script (#3023) 2023-08-22 07:45:00 -03:00
Jonhnathan f8df53626e [New Rule] Potential Masquerading as Windows System32 Executable (#3022)
* [New Rule] Potential Masquerading as Windows System32 Executable

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-08-21 15:14:22 -03:00
Samirbous 5e801b2edf [Tuning] Improve Performance (#2953)
* [Tuning] Improve Performance

Remote Computer Account DnsHostName Update: sequence not needed, removed auth event to improve rule execution time.

Potential Remote Credential Access via Registry: removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)

* Update privilege_escalation_suspicious_dnshostname_update.toml

* ++

* ++

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-21 16:23:34 +01:00
Steve Ross 4f33a40f48 [Bug] Duplicate tag on Okta rule (#3020)
* Fix double tag on rule

* fixed all rules; added unit test

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-08-21 10:42:47 -04:00
Jonhnathan 72f15dda6a [New Rule] PowerShell Kerberos Ticket Dump (#2967)
* [New Rule] PowerShell Kerberos Ticket Dump

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-20 17:29:16 -03:00
Joe Desimone b5e011a892 [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873)
* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

* bump date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-17 13:52:26 -03:00
Jonhnathan 9144dc0448 [New Rule] Building Block Rules - Part 2 (#2923)
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-17 13:00:50 -03:00
github-actions[bot] 4cf70654ad Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 (#3019)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10

* Update detection_rules/etc/deprecated_rules.json

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-08-17 09:09:05 -04:00
Terrance DeJesus 08b646aa94 [FR] 8.10 Release Preparation and Update Main Branch to 8.11 (#3012)
* prepping for 8.11 branch

* fixed lint errors

* added 8.11 to stack schema map

* trimmed version lock file; adjusted new terms validation

* reverting changes to version lock, stack schema and workflow
2023-08-16 14:23:44 -04:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997)
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
2023-08-16 09:34:21 -03:00
Ruben Groenewoud e938ed28a0 [Rule Tuning] added additional event action (#3008) 2023-08-10 16:59:07 +02:00
Jonhnathan 2393190edf [New Rule] PowerShell Script with Webcam Video Capture Capabilities (#2935)
* [New Rule] PowerShell Script with Webcam Video Capture Capabilities

* Update collection_posh_webcam_video_capture.toml

* Update rules_building_block/collection_posh_webcam_video_capture.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-08-09 15:17:15 -03:00
Ali Alwashali f500cec497 fixing typo in 127.0.0.1 address (#3004) 2023-08-08 17:06:26 +02:00
Ruben Groenewoud 4cbfd7c4ae [Rule Tuning] Restricted Shell Breakout (#2999) 2023-08-04 19:30:18 +02:00
Ruben Groenewoud e904ebb760 [New Rule] PE via Container Misconfiguration (#2983)
* [New Rule] PE via Container Misconfiguration

* fixed boolean comparison unit test error

* Update privilege_escalation_container_util_misconfiguration.toml

* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-08-04 16:39:40 +02:00
Ruben Groenewoud ef49709c7d [New Rules] Linux Wildcard Injection (#2973)
* [New Rules] Linux Wildcard Injection

* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-04 16:32:34 +02:00