security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
946 Commits 1 Branch 0 Tags
4397244f73ad32afd2dda6ebdbb2dbabb2f926f7
Commit Graph

946 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Justin Ibarra 4397244f73 Refresh ATT&CK to v10.1 (#1791) 
(cherry picked from commit a5eb02ac28)
 2022-02-25 01:40:49 +00:00
Justin Ibarra ca5f2d4018 Ensure github module is installed before running PR commands (#1777) 
* Ensure github module is installed before running PR commands

* move go and elastic-package assertions to top of command

* update error msg for missing pkg

* remove redundant github assertion

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit d373db7659)
 2022-02-24 23:51:24 +00:00
Mika Ayenson aab23636e8 [New Rule] LSASS Memory Dump (#1784) 
* Add new event_data fields (ObjectName, ProcessName)

* Add detection for LSASS Memory Dump Handle Access

* Reference an example of 120089 AccessMask presence

* modify query to increase performance and update the description to remove ("This rule").

* expand path to Elastic Agent ensure syntax consistency

* Optimize rule based on AccessMaskDescription and additional False Positives.

* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used

* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription

* cleanup

(cherry picked from commit aa7d79cc53)
 2022-02-24 13:16:42 +00:00
Mika Ayenson 775779c756 [Bug] Fix toml-lint ordering of Mitre metadata #1249 (#1774) 
* Order the MITRE metadata by recursively sorting the rule object before writing.

* Refactor order_rule into the rule_formatter module.

* sort test_toml.json according to rule_formatter spec

* rename var to obj since this will traverse all data in the rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 0aeb7399d4)
 2022-02-22 19:00:16 +00:00
Jonhnathan 99c559f870 Update persistence_azure_conditional_access_policy_modified.toml (#1788) 
(cherry picked from commit 8664ef59f4)
 2022-02-22 18:29:00 +00:00
github-actions[bot] 76f3ff1074 Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1781) 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1

(cherry picked from commit 5e073af69d)
 2022-02-16 17:27:58 +00:00
Jonhnathan 678f7cb93c [Rule Tuning] Update rules based on docs review (#1778) 
* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit dec4243db0)
 2022-02-16 16:44:51 +00:00
Jonhnathan f571eb970d [Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773) 
* Remove Windows Integration & Winlogbeat Support

* Update lateral_movement_service_control_spawned_script_int.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3227d65cd8)
 2022-02-16 02:07:27 +00:00
Jonhnathan cd59ed785a [Rule Tuning] Potential Command and Control via Internet Explorer (#1771) 
* Use user.name on the sequence instead of user.id

* Update command_and_control_iexplore_via_com.toml

* Remove min_stack and comment "with runs"

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 03f60cc11c)
 2022-02-16 02:00:28 +00:00
Jonhnathan ef78093d88 [New Rule] Potential Credential Access via DCSync (#1763) 
* "Potential Credential Access via DCSync" Initial Rule

* replace unintentional bracket removal

* json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 42436d3364)
 2022-02-16 00:42:49 +00:00
Jonhnathan 9885be0f59 Modified to use Integrity fields instead of user.id (#1772) 
(cherry picked from commit fd678dc5cb)
 2022-02-16 00:25:10 +00:00
Jonhnathan fd3d2708a1 [Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775) 
* Initial Review of Sysmon Registry Rules

* Update defense_evasion_sip_provider_mod.toml

(cherry picked from commit 9bbe26fec0)
 2022-02-15 12:59:15 +00:00
Jonhnathan 3b97ee423b Update discovery_net_command_system_account.toml (#1769) 
(cherry picked from commit c646a18efb)
 2022-02-14 15:13:55 +00:00
Samirbous fbcc7433ad [New Rule] Windows Service Installed via an Unusual Client (#1759) 
* [New Rule] Windows Service Installed via an Unusual Client

https://www.x86matthew.com/view_post?id=create_svc_rpc

* Update non-ecs-schema.json

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add ```s

* Update privilege_escalation_windows_service_via_unusual_client.toml

* add missing comma to schema

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 326aa64ff6)
 2022-02-11 20:59:20 +00:00
Jonhnathan c59429719d Modification of AmsiEnable Registry Key - Sysmon support (#1760) 
(cherry picked from commit 9c56b00429)
 2022-02-11 20:51:51 +00:00
Jonhnathan 782b6c1d0e Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (#1757) 
(cherry picked from commit aa9fedd18d)
 2022-02-11 17:18:12 +00:00
github-actions[bot] 0c66fd9e03 Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1768) 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1

* Trigger Build

* Remove change to trigger build

Co-authored-by: DefSecSentinel <DefSecSentinel@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 8f36346139)
 2022-02-10 21:09:09 +00:00
Khristinin Nikita 4fe57055a0 [Rule Tuning] Fix IM query (#1767) 
* Fix IM quer

* Add update date

(cherry picked from commit b1121da237)
 2022-02-10 18:32:37 +00:00
Jonhnathan 6b1b8587e1 [Documentation] Fix O365 Integration name on Rules and Unit Test (#1684) 
* Adjust Integration Name

* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml

* Update integration name

* .

* Case

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 5a16a222ad)
 2022-02-09 22:06:05 +00:00
Colson Wilhoit 04f1a08824 Prep for creation of 8.2 branch (#1762) 
Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit e0dda91f26)
 2022-02-09 03:46:26 +00:00
Justin Ibarra b4863ddde5 Move misplaced rule to proper folder (#1756) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 97835bc5c5)
 2022-02-04 20:38:01 +00:00
Jonhnathan 2fe12168bc [New Rule] Potential Shadow Credentials added to AD Object (#1729) 
* Potential Shadow Credentials added to AD Object Initial Rule

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_shadow_credentials.toml

* Add AD tag

* Update credential_access_shadow_credentials.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 85b72256c2)
 2022-02-04 18:51:25 +00:00
Jonhnathan df2a844584 [New Rule] PowerShell Script Block Logging Disabled (#1749) 
* PowerShell Script Block Logging Disabled

* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_disable_posh_scriptblocklogging.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 7dac52f1cf)
 2022-02-04 18:46:55 +00:00
Jonhnathan 7e25f14766 Update credential_access_mod_wdigest_security_provider.toml (#1751) 
(cherry picked from commit 40095d95bf)
 2022-02-04 18:40:39 +00:00
Jonhnathan 6ed9769eb6 [New Rule] AdminSDHolder Backdoor (#1745) 
* AdminSDHolder Backdoor

* Update rules/windows/persistence_ad_adminsdholder.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9ce5d0b92a)
 2022-02-01 13:17:28 +00:00
Jonhnathan 58e0584e73 [New Rule] KRBTGT Delegation Backdoor (#1743) 
* KRBTGT Delegation Backdoor

* Update persistence_msds_alloweddelegateto_krbtgt.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* refresh rule_id with new uuid

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit d949fefe0c)
 2022-02-01 13:11:57 +00:00
Justin Ibarra bd826ceeb3 [Bug] Fix AttributeError in RuleCollection dupe check (#1747) 
(cherry picked from commit 2828633919)
 2022-02-01 01:00:08 +00:00
Jonhnathan f661eca2eb [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741) 
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml

* fix year

(cherry picked from commit 26d5bad914)
 2022-02-01 00:04:37 +00:00
Jonhnathan 4e9432a563 [New Rule] Kerberos Preauthentication Disabled for User (#1717) 
* Initial "Kerberos Preauthentication Disabled for User" Rule

* Update credential_access_disable_kerberos_preauth.toml

* Update credential_access_disable_kerberos_preauth.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Add config directives

* Update rules/windows/credential_access_disable_kerberos_preauth.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 6e3f4b2824)
 2022-01-31 15:34:02 +00:00
Jonhnathan fa09b26d59 [New Rule] SeEnableDelegationPrivilege assigned to User (#1737) 
* SeEnableDelegationPrivilege assigned to User

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix logging policy name

* Update rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* lint

* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 25ec71579d)
 2022-01-31 15:25:23 +00:00
Justin Ibarra 948e484070 [Rule tuning] Update rules based on docs review (#1663) 
* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 72c64de3f5)
 2022-01-28 19:43:39 +00:00
Khristinin Nikita c05b5dc5f9 [Rule Tuning] Change default time query for rounding days (#1713) 
* Change default time query for rounding days

* Udpate date

* Revert rule updated_data

* Restore threat_query

(cherry picked from commit 87c7210aab)
 2022-01-28 19:36:44 +00:00
Jonhnathan c1c239e1ec [New Rule] PowerShell Kerberos Ticket Request (#1715) 
* PowerShell Kerberos Ticket Request Initial Rule

* bump date

(cherry picked from commit edd0df5e1a)
 2022-01-27 19:38:40 +00:00
Jonhnathan 012e88601e [New Rule] Email Reported by User as Malware or Phish (#1699) 
* Email Reported by User as Malware or Phish Initial Rule

* Update initial_access_o365_user_reported_phish_malware.toml

* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 189c2b152c)
 2022-01-27 19:33:20 +00:00
Jonhnathan 239f7f9324 [New Rule] MS Office Macro Security Registry Modifications (#1696) 
* "MS Office Macro Security Registry Modifications" Initial Rule

* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit b6cbdbd416)
 2022-01-27 19:27:12 +00:00
Jonhnathan c300fce9f7 [New Rule] OneDrive Malware File Upload (#1693) 
* "OneDrive Malware File Upload" Initial Rule

* bump severity

(cherry picked from commit f7bc13b437)
 2022-01-27 19:22:11 +00:00
Jonhnathan b0b52abbd5 [New Rule] SharePoint Malware File Upload (#1691) 
* "SharePoint Malware File Upload" Initial Rule

* s/onedrive/sharepoint

* bump severity

(cherry picked from commit 1676844640)
 2022-01-27 19:15:20 +00:00
Samirbous c8671b4a1e [New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660) 
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac

EQL

```
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```

* Create privilege_escalation_samaccountname_spoofing_attack.toml

* Update non-ecs-schema.json

* extra ref

* toml linted

* ref for MS kb5008102

* more ref

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 26fb8e83a5)
 2022-01-27 14:49:15 +00:00
Jonhnathan 71c382b1f5 [New Rule] Global Administrator Role Assigned (#1686) 
* Initial Global Administrator Role Assigned Rules

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 14252d45ee)
 2022-01-27 12:55:30 +00:00
Jonhnathan 15d6244331 Create credential_access_mfa_push_brute_force.toml (#1682) 
(cherry picked from commit 7e4325dd7a)
 2022-01-27 12:40:11 +00:00
Jonhnathan b753a05c72 [Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718) 
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 38ae64f729)
 2022-01-27 12:34:30 +00:00
Jonhnathan a5b1ac9e0e Update credential_access_suspicious_lsass_access_memdump.toml (#1714) 
(cherry picked from commit 1699f50beb)
 2022-01-27 12:30:41 +00:00
Jonhnathan 45946dbf3e Update source.ip condition (#1712) 
(cherry picked from commit 4ac824192f)
 2022-01-27 12:27:38 +00:00
Jonhnathan 042f9cfaa1 [Rule Tuning] Fix event.outcome condition on O365 failed logon related rules (#1687) 
* Tune rule query

* Update credential_access_microsoft_365_potential_password_spraying_attack.toml

* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml

* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"

This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.

(cherry picked from commit 0a23d820c9)
 2022-01-27 12:25:02 +00:00
Jonhnathan 51dbef8321 [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1683) 
* Inbox Rule Tuning

* Add RedirectTo

* Update non-ecs-schema.json

(cherry picked from commit 50c7d5f262)
 2022-01-27 12:23:36 +00:00
Jonhnathan 9fd1c14450 [Rule Tuning] Azure Virtual Network Device Modified or Deleted (#1679) 
* Update impact_virtual_network_device_modified.toml

* Change case

(cherry picked from commit fdeb8cb1de)
 2022-01-27 12:19:33 +00:00
Samirbous 9e5c68a04c [New Rule] Potential Privilege Escalation via PKEXEC (#1727) 
* [New Rule] Potential Privilege Escalation via PKEXEC

Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user :

* Update privilege_escalation_pkexec_envar_hijack.toml

* removed = sign

(cherry picked from commit b9edc5464e)
 2022-01-27 09:44:06 +00:00
Justin Ibarra 71ac505580 Autogenerate docs for integration package releases (#1567) 
* Autogenerate docs for integration package releases
* add parameter to bypass query validation in git loader
* strip space and - from normalized name

(cherry picked from commit 1f216d12aa)
 2022-01-27 06:21:17 +00:00
Justin Ibarra bcdadbeabc Update base branch in integrations-pr command (#1733) 
(cherry picked from commit e26374cb40)
 2022-01-27 05:54:34 +00:00
Justin Ibarra 2f481ee10c Update tests to account for non-backported deprecations (#1735) 
* Update tests to account for non-backported deprecations
* remove comment spacing

(cherry picked from commit 30f5d62bf5)
 2022-01-27 05:42:37 +00:00