security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
686 Commits 1 Branch 0 Tags
4e2a141145963cd31ac97c9ecc030d9c39e47323
Commit Graph

517 Commits

Author SHA1 Message Date
Samirbous 43dd58d11d [New Rule] Potential PrintNightmare Exploitation rules (#1326) 
* [New Rule] Potential PrintNightmare Exploitation rules

* added Potential PrintNightmare File Modification

* added spoolsv as process name to narrow more the scope

* added Suspicious Print Spooler File Deletion

* removed Suspicious Print Driver Registry Modification cuz of potential noise

* Update privilege_escalation_printspooler_malicious_registry_modification.toml

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adjusted description and added a comment for sysmon compatibility

* added FP note and relinted all files

* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
(cherry picked from commit 89420ae976)
 2021-07-07 16:56:55 +00:00
Samirbous dd24dabb0d [New Rule] Complementary Rules for Recent REvil TTPs (#1329) 
* [New Rule] Complementary Rules for Recent REvil TTPs

* added OFN

* relinted and added T1574.002

* removed new line

* Update defense_evasion_disabling_windows_defender_powershell.toml

* corrected rule name

* added a reference url

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
(cherry picked from commit 9fadc4c1dc)
 2021-07-07 15:03:09 +00:00
Justin Ibarra 68e7b6bbe3 Make "config" in note field consistent (#1310) 
* Add test to ensure consistent config in note field
* Update inconsistent rule

(cherry picked from commit 63a39665e3)
 2021-07-06 23:54:18 +00:00
Austin Songer 102b9ff7d5 [New Rule] AWS RDS Security Group Created (#1260) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
(cherry picked from commit 8e451f2318)
 2021-06-23 00:15:15 +00:00
Austin Songer 6fd6bb1712 [New Rule] AWS RDS Security Group Deleted (#1261) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
(cherry picked from commit fe14cd23ed)
 2021-06-23 00:09:32 +00:00
Austin Songer 7749086f3b [New Rule] AWS RDS Instance Creation (#1269) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
(cherry picked from commit 9d4574b267)
 2021-06-23 00:03:06 +00:00
Austin Songer 78c75d71b0 [New Rule] AWS RDS Snapshot Export (#1270) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
(cherry picked from commit ccae1dc841)
 2021-06-22 23:58:29 +00:00
Austin Songer 4823a40d19 [Rule Tuning] Potential password spraying of microsoft 365 user accounts (#1164) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit c215c44809)
 2021-06-22 17:36:32 +00:00
Ross Wolf ba5f3eed82 Switch from process.ppid to process.parent.pid (#1255) 
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date

(cherry picked from commit 31f63e728e)
 2021-06-22 15:10:59 +00:00
Brent Murphy 549cc9992d [Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account (#1251) 
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* add authors

(cherry picked from commit d8ef9a81ef)
 2021-06-22 14:39:09 +00:00
Brent Murphy c493c5df67 Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml (#1225) 
(cherry picked from commit a8c9d7174f)
 2021-06-22 14:22:18 +00:00
Austin Songer 74132fbbe9 [New Rule] AWS Route 53 Domain Transferred to Another Account (#1198) 
(cherry picked from commit ea9a23af8d)
 2021-06-22 06:09:14 +00:00
Austin Songer 10d22d9477 [New Rule] AWS Route 53 Domain Transfer Lock Disabled (#1197) 
(cherry picked from commit 2cadee1718)
 2021-06-22 06:06:10 +00:00
Austin Songer b8a3f43b99 [New Rule] EC2 Full Network Packet Capture Detected (#1175) 
(cherry picked from commit d7e0e37e54)
 2021-06-22 06:01:05 +00:00
Austin Songer 3996e94bfd [New Rule] Azure Service Principal Credentials Added (#1169) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
(cherry picked from commit 6986f28af6)
 2021-06-22 05:50:17 +00:00
Justin Ibarra 18765631fb Fix rules which were note using v2 license (#1291) 
(cherry picked from commit e0fa25ae8e)
 2021-06-16 14:21:50 +00:00
Ross Wolf 915c2dea2a [Bug] Fix ML job IDs that used hyphens (#1287) 
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date

(cherry picked from commit 49cb2e8dbf)
 2021-06-15 17:41:04 +00:00
David French fb93735c0f [Rule Tuning] Attempts to Brute Force an Okta User Account (#1216) 
* update rule.threshold field value

* add rule authors

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 177cfc85bf)
 2021-06-15 16:08:09 +00:00
Apoorva Joshi cce7c126b6 Updating rules to query v2 (#1254) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
(cherry picked from commit 1f7c88c6f4)
 2021-06-15 14:21:09 +00:00
Brent Murphy 683621fe62 [Rule Tuning] Update network rule address blocks (#1227) 
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 12577f7380)
 2021-06-15 13:23:16 +00:00
Austin Songer 3d6cefb296 [Rule Tuning] Attempts to brute force a microsoft 365 user account (#1163) 
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 546e43071c)
 2021-06-15 13:20:40 +00:00
Brent Murphy 8b3d085f73 Update persistence_suspicious_com_hijack_registry.toml (#1244) 
(cherry picked from commit 13bf55480a)
 2021-06-14 13:00:39 +00:00
Austin Songer 5d41f2719a [New Rule] AWS EC2 VM Export Failure (#1142) 
* New Rule: AWS EC2 VM Export Failure

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 6b45186827)
 2021-06-09 19:03:56 +00:00
Brent Murphy 1eb36b1a9e [New Rule] Modification of AmsiEnable Registry Key (#1248) 
* Create defense_evasion_amsienable_key_mod.toml

(cherry picked from commit fce022c275)
 2021-06-07 17:21:36 +00:00
Brent Murphy f91e0facea Update privilege_escalation_persistence_phantom_dll.toml (#1228) 
(cherry picked from commit 6626cbb943)
 2021-06-01 13:29:25 +00:00
Brent Murphy f9805954ee [New Rule] Unusual Network Connection via DllHost (#1232) 
* Create defense_evasion_unusual_network_connection_via_dllhost.toml
* add timestamp override

(cherry picked from commit c457614e37)
 2021-05-28 19:09:26 +00:00
Brent Murphy acfca54f73 [New Rule] Suspicious Execution from a Mounted Device (#1230) 
* Create defense_evasion_suspicious_execution_from_mounted_device.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 31e8d03438)
 2021-05-28 18:44:24 +00:00
Austin Songer fcd29373d5 [Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts (#1200) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 58ea49b092)
 2021-05-14 20:05:56 +00:00
Justin Ibarra 138e410a06 Cleanup note field in rules (#1194) 
* standardize usage of note field

(cherry picked from commit 6ef5c53b0c)
 2021-05-10 21:41:23 +00:00
Justin Ibarra 82ec6ac1ee Convert windows rules from KQL to EQL (#1114) 2021-04-30 11:21:12 -08:00
Andrew Pease 92eaa5b18a [New Rule] Threat intel indicator match rule (#1133) 2021-04-26 07:07:04 -05:00
Austin Songer 8362578492 [Rule Tuning] AWS IAM Deactivation of MFA Device (#1132) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-23 14:52:54 -04:00
Brent Murphy ff45539369 [Deprecation] Deprecate inherently noisy rules based on testing (#1122) 
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-04-21 15:10:06 -04:00
Ross Wolf 791c911b9e Merge branch '7.12' into main 2021-04-15 16:17:59 -06:00
Samirbous 0400dc207a [Deprecation] Process Discovery via Tasklist (#1116) 
* [Deprecation] Process Discovery via Tasklist

* deprecation_date

* update date

* Update rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-15 22:18:56 +02:00
Samirbous e323084433 [Deprecation] Trusted Developer Application Usage (#1118) 
* [Deprecation] Trusted Developer Application Usage

* update date
 2021-04-15 22:15:38 +02:00
Samirbous 170b87097d [New Rule] Potential Protocol Tunneling via EarthWorm (#1094) 
* [New Rule] Potential Protocol Tunneling via EarthWorm

* fixed tactic ID

* fixed rule_id

* tactic case sensitive

* tags

* Update rules/linux/command_and_control_tunneling_via_earthworm.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-15 10:17:56 +02:00
Justin Ibarra dbd2874b4f [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files (#1026) 
* [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files
* revise note with information from microsoft
* add Exchange Server to paths
* replaced process.parent.name with process.name and C drive with ?

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2021-04-14 20:24:44 -08:00
Samirbous 8f78afb8e5 [Rule Tuning] Windows Suspicious Script Object Execution (#1081) 
* [Rule Tuning] Windows Suspicious Script Object Execution

* renamed rule in version.lock.json

* adjusted codesig check

* added 1 exclusion

* update date

* added cmd to exclusion as per EG telem

* removed changes to version.lock.json

* restored comment for code sig to support winlogbeat

* Revert "removed changes to version.lock.json"

This reverts commit 62794be02486b668ae5f25e5613f18b292342377.

* restored rule name in version.lock

* fixed typo

* removed winlogbeat index

* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 23:54:39 +02:00
Brent Murphy c1fd3b3374 [Rule Tuning] AWS Config Service Tampering (#1108) 
* Update defense_evasion_config_service_rule_deletion.toml
 2021-04-14 17:13:27 -04:00
Brent Murphy 4a46b2f03b Create collection_microsoft_365_new_inbox_rule.toml (#1068) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-04-14 17:06:39 -04:00
Samirbous 7408133f79 [New Rule] Potential Remote Desktop Shadowing Activity (#1101) 
* [New Rule] Potential Remote Desktop Shadowing Activity

* added event.ingested

* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 22:09:49 +02:00
dstepanic17 66dff28498 [Rule Tuning] Public IP Reconnaissance Activity (#1091) 
* Delete discovery_post_exploitation_public_ip_reconnaissance.toml

* Updated ip lookup rule

* Modified index field

* Update discovery_post_exploitation_external_ip_lookup.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

* Update rules/windows/discovery_post_exploitation_external_ip_lookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 09:58:00 -05:00
Brent Murphy c64e700c56 [Rule Tuning] Update Cloud Rule Syntax (#1061) 
* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 10:49:28 -04:00
Samirbous 00923dcde1 [Rule Tuning] Setuid / Setgid Bit Set via chmod (#1032) 
* [Rule Tuning] Setuid / Setgid Bit Set via chmod

* update date

* Update rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 16:41:37 +02:00
Samirbous 2926e98c5d [Rule Tuning] Startup or Run Key Registry Modification (#1086) 
* [Rule Tuning] Startup or Run Key Registry Modification

* update date

* Update rules/windows/persistence_run_key_and_startup_broad.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 16:38:00 +02:00
Samirbous 1354d8059c [New Rule] Network Logon Providers Registry Modification (#1053) 
* [New Rule] Network Logon Providers Registry Modification

* fix mitre filename mapping error

* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 16:31:46 +02:00
Samirbous dc774517bf [New Rule] Persistence via Scheduled Job Creation (#1038) 
* [New Rule] Persistence via Scheduled Job Creation

* Update rules/windows/persistence_local_scheduled_job_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_local_scheduled_job_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 16:15:54 +02:00
Samirbous 731d2b2a54 [Rule Tuning] Unusual Persistence via Services Registry (#1077) 
* [Rule Tuning] Unusual Persistence via Services Registry

* update date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 16:09:46 +02:00
Justin Ibarra 462fab3ff8 Update threshold rule schema to disallow empty field string (#1098) 
* Update threshold rule schema to disallow empty field string
* lock versions for rule changes
 2021-04-14 04:56:38 -08:00