security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,370 Commits 1 Branch 0 Tags
42f6c8f9a525931fd7d2e57e08b0fbf792cd1198
Commit Graph

2370 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ruben Groenewoud 42f6c8f9a5 [Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165) 2024-10-18 17:13:44 +02:00
Ruben Groenewoud b309bcb7ae [Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 5

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
 2024-10-18 17:02:26 +02:00
Ruben Groenewoud 601254488b [BBR Promotion] Q2 Linux BBR Promotion (#4172) 
* [BBR Promotion] Q2 Linux BBR Promotion

* Update collection_linux_clipboard_activity.toml

* Update defense_evasion_creation_of_hidden_files_directories.toml
 2024-10-18 16:55:09 +02:00
Ruben Groenewoud 592ad0fe9a [Rule Tuning] Q2 Linux DR Tuning - BBR (#4171) 
* [Rule Tuning] Q2 Linux DR Tuning - BBR

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update discovery_linux_sysctl_enumeration.toml

* Update discovery_potential_memory_seeking_activity.toml

* Update discovery_potential_memory_seeking_activity.toml
 2024-10-18 16:45:23 +02:00
Ruben Groenewoud 09bd4cef16 [Rule Tuning] Q2 Linux DR Tuning - CP (#4170) 
* [Rule Tuning] Q2 Linux DR Tuning - CP

* Update command_and_control_non_standard_ssh_port.toml
 2024-10-18 16:38:14 +02:00
Ruben Groenewoud ac6a49eeea [Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167) 2024-10-18 16:25:54 +02:00
Ruben Groenewoud 39fc23cb3d [Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
 2024-10-18 16:18:14 +02:00
Ruben Groenewoud 3982228132 [Rule Tuning] Q2 Linux DR Tuning - Part 2 (#4163) 2024-10-18 16:07:09 +02:00
Ruben Groenewoud af9f9e2456 [Rule Tuning] Q2 Linux DR Tuning - Part 1 (#4162) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 1

* Update defense_evasion_binary_copied_to_suspicious_directory.toml
 2024-10-18 15:59:51 +02:00
Terrance DeJesus 61b731c300 [Rule Tuning] Remove Salesforce Client User-Agent Whitelisting in MFA Deactivation with no Re-Activation for Okta User Account (#4145) 
* tuning

* added note about whitelisting user agent

* removed extra new line
 2024-10-16 11:41:50 -04:00
shashank-elastic b1e91ddb14 Add setuptools as project dependency (#4160) 2024-10-16 20:09:23 +05:30
Terrance DeJesus 4b4b2cc9c8 [Hunt Tuning] Enforce STATS or KEEP functions in ES|QL hunting queries (#4157) 
* enforcing aggregate or keep in ES|QL queries

* Update hunting/definitions.py

* Update hunting/definitions.py

* Update hunting/definitions.py

* updated capitalization of linting

* updated raise value error

* Update hunting/definitions.py

* added note about stats in best practices
 2024-10-16 09:16:28 -04:00
github-actions[bot] c1ce0d43d1 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4159) 2024-10-16 10:23:33 +05:30
Jonhnathan 2c07e88c07 [Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156) 2024-10-15 23:57:44 +05:30
Samirbous 8f56b7de5e Update privilege_escalation_gpo_schtask_service_creation.toml (#4152) 2024-10-15 18:36:35 +05:30
Samirbous a98161ad2a [Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#4144) 
* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-10-15 10:49:01 +01:00
Samirbous 8404d41cca [New] Untrusted DLL Loaded by Azure AD Sync Service (#4151) 
* Create credential_access_imageload_azureadconnectauthsvc.toml

* Update credential_access_imageload_azureadconnectauthsvc.toml

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-10-14 18:04:46 +01:00
Jonhnathan e1addc6a8f [Rule Tuning] 3rd Party EDR Compatibility - 18 (#4056) 
* [Rule Tuning] 3rd Party EDR Compatibility - 18

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* min_stack for merge, bump updated_date

* Update persistence_browser_extension_install.toml
 2024-10-13 20:25:17 -03:00
Jonhnathan 6f69b33529 [Rule Tuning] 3rd Party EDR Compatibility - 17 (#4042) 
* [Rule Tuning] 3rd Party EDR Compatibility - 17

* Update rules/windows/privilege_escalation_unusual_parentchild_relationship.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-10-13 18:34:22 -03:00
Jonhnathan 7385f9dd2e [Rule Tuning] 3rd Party EDR Compatibility - 16 (#4041) 
* [Rule Tuning] 3rd Party EDR Compatibility - 16

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-10-13 18:14:24 -03:00
Jonhnathan 080a891c79 [Rule Tuning] 3rd Party EDR Compatibility - 15 (#4040) 
* [Rule Tuning] 3rd Party EDR Compatibility - 15

* min_stack for merge, bump updated_date
 2024-10-11 18:33:22 -03:00
Jonhnathan 10a8cef21f [Rule Tuning] 3rd Party EDR Compatibility - 14 (#4039) 
* [Rule Tuning] 3rd Party EDR Compatibility - 14

* min_stack for merge, bump updated_date
 2024-10-11 17:22:53 -03:00
Jonhnathan 07c4535871 [Rule Tuning] 3rd Party EDR Compatibility - 13 (#4038) 
* [Rule Tuning] 3rd Party EDR Compatibility - 13

* min_stack for merge, bump updated_date
 2024-10-11 16:55:02 -03:00
Jonhnathan 0cbbae4f83 [Rule Tuning] 3rd Party EDR Compatibility - 12 (#4037) 
* [Rule Tuning] 3rd Party EDR Compatibility - 12

* min_stack for merge, bump updated_date
 2024-10-11 16:37:20 -03:00
Jonhnathan 32d02ae7aa [Rule Tuning] 3rd Party EDR Compatibility - 11 (#4036) 
* [Rule Tuning] 3rd Party EDR Compatibility - 11

* min_stack for merge, bump updated_date
 2024-10-11 16:14:40 -03:00
Jonhnathan 7b655759ab [Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035) 
* [Rule Tuning] 3rd Party EDR Compatibility - 10

* min_stack for merge, bump updated_date
 2024-10-11 15:58:37 -03:00
Jonhnathan 8938f09668 [Rule Tuning] 3rd Party EDR Compatibility - 9 (#4034) 
* [Rule Tuning] 3rd Party EDR Compatibility - 9

* min_stack for merge, bump updated_date
 2024-10-11 15:41:36 -03:00
Jonhnathan 5b17dfa63a [Rule Tuning] 3rd Party EDR Compatibility - 8 (#4032) 
* [Rule Tuning] 3rd Party EDR Compatibility - 8

* min_stack for merge, bump updated_date
 2024-10-11 15:12:58 -03:00
Jonhnathan 6b71ad7ab9 [Rule Tuning] 3rd Party EDR Compatibility - 7 (#4031) 
* [Rule Tuning] 3rd Party EDR Compatibility - 7

* min_stack for merge, bump updated_date
 2024-10-11 15:01:45 -03:00
Jonhnathan fbe17eb1ee [Rule Tuning] 3rd Party EDR Compatibility - 6 (#4030) 
* [Rule Tuning] 3rd Party EDR Compatibility - 6

* min_stack for merge, bump updated_date
 2024-10-11 14:34:42 -03:00
Jonhnathan f91a6fa8d6 [Rule Tuning] 3rd Party EDR Compatibility - 5 (#4022) 
* [Rule Tuning] 3rd Party EDR Compatibility - 5

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 14:21:17 -03:00
Jonhnathan 1d9cb6a195 [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#4117) 
* [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes

* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml
 2024-10-11 13:46:57 -03:00
Jonhnathan f021229da4 [Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021) 
* [Rule Tuning] 3rd Party EDR Compatibility - 4

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 13:33:32 -03:00
Jonhnathan 2afb4038db [Rule Tuning] 3rd Party EDR Compatibility - 3 (#4020) 
* [Rule Tuning] 3rd Party EDR Compatibility - 3

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 13:19:56 -03:00
Jonhnathan 4538bfcd9f [Rule Tuning] 3rd Party EDR Compatibility - 2 (#4019) 
* [Rule Tuning] 3rd Party EDR Compatibility - 2

* Update credential_access_iis_connectionstrings_dumping.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 12:55:31 -03:00
Jonhnathan 6be1f0bad6 [Rule Tuning] 3rd Party EDR Compatibility - 1 (#4017) 
* [Rule Tuning] 3rd Party EDR Compatibility - 1

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date

* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
 2024-10-11 12:09:11 -03:00
shashank-elastic acb01cf9ee Refresh to fetch latest ECS & Beats schemas, Integration manifests & schemas. (#4140) 2024-10-10 11:30:00 +05:30
github-actions[bot] afbca3ee75 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4147) 2024-10-09 20:56:57 -05:00
Terrance DeJesus 06319b7a13 [Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146) 
* updating ES|QL rules to include KEEP command

* fixed some ES|QL rules with typos; added validation for KEEP command

* fixed ES|QL errors from missing fields

* fixed flake errors

* updated date

* added best practices to hunt docs
 2024-10-09 21:08:38 -04:00
Eric Forte 4edef2ea80 [FR][DAC] Import Rules Verbose Message (#4093) 
* Draft Verbose Message

* Fix Linting

* Made more descriptive

* Updated for readability
 2024-10-09 17:19:59 -04:00
Terrance DeJesus 281926052c [Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126) 
* fixed existing rules;added query checks

* fixed flake errors

* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules

* removed valueError and replaced ValidationError

* adjusted validation error output based on feedback

* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added space for failure

* updated to use re.compile

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2024-10-09 15:25:36 -04:00
Terrance DeJesus 7674229f49 [New Rule] Successful Application SSO from Rare Unknown Client Device (#4141) 
* new rule 'Successful Application SSO from Rare Unknown Client Device'

* removing extra newlines

* adjusted tags; adjusted risk
 2024-10-07 12:11:57 -04:00
Terrance DeJesus 50e23ba242 [Hunting] Re-factor Hunting Library Code (#4085) 
* updating python code for hunting library

* fixed okta queries; added MITRE search capability

* fixed hunting unit test imports

* fixed duplicate UUID; fixed duplicate index entry bug

* fixed technique finding sub-technique in search

* added more unit tests

* linted

* flake errors addressed; fixed unit test import; fixed markdown generate bug

* added description for generate-markdown command

* updated README

* adjusted YAML index, adjusted code for index changes

* adjusted relative imports; updated CODEOWNERS

* adding updates; moving to different branch for main dependencies

* finished run-query command; made some code adjustments

* removed some comments

* revised makefile; fixed unit tests; adjusted detection rules pyproject

* updated README

* updated README

* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands

* adjusted package to be more object-oriented

* removed unused variable

* Add simple breakdown stats

* addressed feedback; added keyword option for search

* Update hunting/README.md

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/etc/test_hunting_cli.bash

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* addressing feedback

* addressed feedback

* added message for unknown index; fixed function call

* fixed search command

* fixed flake error

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2024-10-03 12:47:40 -04:00
Terrance DeJesus 45a347580c [Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118) 
* fixing single equal operator

* Additional data source tag for consistency

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2024-10-02 15:50:22 -04:00
protections machine 51859e57f3 Sync RTA Base64 or Xxd Decode Argument Evasion (#4113) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-01 23:10:34 +05:30
protections machine e6646790d5 Sync RTA Suspicious Echo Execution (#4110) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-01 22:57:13 +05:30
protections machine 264938236c Sync RTA Hexadecimal Payload Execution (#4109) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-01 22:47:04 +05:30
protections machine 9e539e82f4 Sync RTA Potential Process Injection via dd (#4108) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-01 22:36:56 +05:30
protections machine 37ba89bc3e Sync RTA Linux Telegram API Request (#4107) 2024-10-01 22:28:29 +05:30
github-actions[bot] 80143b23b2 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4116) 2024-10-01 18:14:03 +05:30