Commit Graph

2569 Commits

Author SHA1 Message Date
Terrance DeJesus 4e95bc7891 [New Hunt] Adding Hunting Query for IAM Unusual Default Aviatrix Role Activity (#4409)
* new hunt 'unusual aviatrix default role activity'

* added additional investigation notes
2025-01-28 12:09:29 -05:00
Ruben Groenewoud fed7b216d5 [Rule Tuning] Linux DR Tuning - Part 1 (#4416) 2025-01-28 14:43:00 +01:00
Ruben Groenewoud bbcf0c7c34 [New Hunt] Persistence via Initramfs (#4402)
* [New Hunt] Persistence via Initramfs

* Update index.yml
2025-01-27 10:19:44 +01:00
Ruben Groenewoud 80fe96109b [New & Tuning] Persistence via GRUB Bootloader (#4401)
* [New & Tuning] Persistence via GRUB Bootloader

* testing github version code workflow update

* testing github version code workflow re-order

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-01-27 09:58:43 +01:00
Samirbous 4e6625ae40 [Tuning] Unusual Instance Metadata Service (IMDS) API Request (#4418)
* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-01-24 17:23:32 +00:00
Jonhnathan fccfafea6b [Rule Tuning] Improve Detection Compatibility with Non-English Logs (#4410)
* [Rule Tuning] Improve Detection Compatibility with Non-English Logs

* Update rules/windows/persistence_dontexpirepasswd_account.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update credential_access_disable_kerberos_preauth.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2025-01-23 16:12:42 -03:00
shashank-elastic d6f1a75f11 Fix S1 minstack version (#4415) 2025-01-23 17:59:40 +05:30
Mika Ayenson 7c6c77932c [FR] Add Remaining Guides (#4412) 2025-01-22 14:43:30 -06:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Jonhnathan d55d5d9695 [New Rule] File with Right-to-Left Override Character Created/Executed (#4396)
* [New Rule] File with Right-to-Left Override Character Created/Executed

* Update defense_evasion_right_to_left_override.toml

* Update defense_evasion_right_to_left_override.toml
2025-01-21 16:41:49 -03:00
github-actions[bot] 8093655f76 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4400) 2025-01-21 19:35:57 +05:30
github-actions[bot] 9b8b917598 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4398) 2025-01-21 17:32:14 +05:30
Ruben Groenewoud b708e09f2b [New Rule] Unusual D-Bus Daemon Child Process (#4397) 2025-01-21 12:24:06 +01:00
Terrance DeJesus fb13b89f8d [New Rule] Adding Coverage for AWS S3 Unauthenticated Bucket Access by Rare Source (#4315)
* adding new rule 'AWS S3 Unauthenticated Object Retrieval by Rare Source'

* adjusted logic to capture multiple event calls

* updated verbiage

* updated MITRE mappings

* fixing date
2025-01-20 13:36:09 -05:00
Terrance DeJesus 7be96ec64d [Rule Tuning] Add Public Snapshot Coverage Regarding AWS EC2 EBS Snapshot Shared or Made Public (#4335)
* removing detection gap for EBS snapshots that are made public

* reverted logic; added investigation note about public snapshots
2025-01-20 13:15:41 -05:00
Ruben Groenewoud cf183579b4 [New Rule] Polkit Version Discovery (#4378) 2025-01-20 15:58:27 +01:00
Ruben Groenewoud 2e6ec33141 [New Rule] Polkit Policy Creation (#4379)
* [New Rule] Polkit Policy Creation

* Update persistence_polkit_policy_creation.toml
2025-01-20 15:47:18 +01:00
Ruben Groenewoud 3e655abfef [New Rule] Unusual Pkexec Execution (#4380)
* [New Rule] Unusual Pkexec Execution

* Update execution_unusual_pkexec_execution.toml
2025-01-20 15:35:29 +01:00
Ruben Groenewoud 4294ed8981 [New Rule] NetworkManager Dispatcher Script Creation (#4381)
* [New Rule] NetworkManager Dispatcher Script Creation

* ++
2025-01-20 15:18:55 +01:00
Ruben Groenewoud 89c113560b [New Rule] D-Bus Service Created (#4382) 2025-01-20 15:07:06 +01:00
Ruben Groenewoud 6cc5184f70 [New Rule] Manual Dracut Execution (#4383) 2025-01-20 14:41:44 +01:00
Ruben Groenewoud abd199a9bc [New Rule] Dracut Module Creation (#4384) 2025-01-20 14:31:16 +01:00
Ruben Groenewoud 2bb46899ae [New Rule] OpenSSL Password Hash Generation (#4385)
* [New Rule] OpenSSL Password Hash Generation

* Update rules/linux/persistence_openssl_passwd_hash_generation.toml
2025-01-20 14:14:12 +01:00
Ruben Groenewoud 1fce3fd22a [New Rule] Boot File Copy (#4386)
* [New Rule] Boot File Copy

* Update persistence_boot_file_copy.toml

* Update rules/linux/persistence_boot_file_copy.toml
2025-01-20 14:04:02 +01:00
Ruben Groenewoud b633987e5b [New Rule] Initramfs Unpacking via unmkinitramfs (#4387)
* [New Rule] Initramfs Unpacking via unmkinitramfs

* Update rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
2025-01-20 13:43:54 +01:00
Ruben Groenewoud 971049957e [New Rule] Initramfs Extraction via CPIO (#4389)
* [New Rule] Initramfs Extraction via CPIO

* Update rules/linux/persistence_extract_initramfs_via_cpio.toml
2025-01-20 13:32:48 +01:00
Samirbous 1dfc84c37d [Tuning] Powershell Rules (#4395)
* [Tuning] Powershell Rules

A few complementary tunings to add some extra patterns.

* Update defense_evasion_amsi_bypass_powershell.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-20 12:12:37 +00:00
Ruben Groenewoud 01eda44298 [Rule Tuning] Linux Persistence Rules (#4393)
* [Rule Tuning] Linux Persistence Rules

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
2025-01-20 09:51:49 +01:00
Ruben Groenewoud cf929554a6 [New Rule] Systemd Shell Execution During Boot (#4392) 2025-01-20 09:33:46 +01:00
Eric Forte 2ea674ce84 [Bug] [DaC] Metadata maturity field default mismatch and poor enforcement of rule naming conventions (#4285)
* Add stub for solution

* Add date and maturity logic

* Add date and maturity logic

* Version Bump

* Remove Date Inheritance

* Remove Datetime import
2025-01-17 12:16:32 -05:00
Ruben Groenewoud f029e9a171 [New Rule] GRUB Configuration Generation through Built-in Utilities (#4391) 2025-01-17 18:00:01 +01:00
Ruben Groenewoud 0ef7f3a83e [New Rule] GRUB Configuration File Creation (#4390)
* [New Rule] Grub Configuration File Creation

* Update persistence_grub_configuration_creation.toml
2025-01-17 17:49:41 +01:00
Ruben Groenewoud 28c3d074b8 [New Rule] Process Started with Executable Stack (#4340)
* [New Rule] Process Started with Executable Stack

* [New Rule] Process Started with Executable Stack

* Update execution_executable_stack_execution.toml

* Update rules/linux/execution_executable_stack_execution.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-01-17 17:36:39 +01:00
Terrance DeJesus ca3994af0d [Deprecation] Deprecating Potential Password Spraying of Microsoft 365 User Accounts (#4394)
* Deprecating 'Potential Password Spraying of Microsoft 365 User Accounts'

* adding 'Deprecated - Suspicious JAVA Child Process'

* updated dates

* changed to deprecated maturity
2025-01-17 10:52:13 -05:00
Ruben Groenewoud ac541f0b18 [New Rules] Kernel Seeking/Unpacking Activity (#4341)
* [New Rules] Kernel Seeking/Unpacking Activity

* ++
2025-01-16 12:04:04 +01:00
Ruben Groenewoud bba5096efa [New Rule] System Binary Path File Permission Modification (#4339) 2025-01-16 10:32:23 +01:00
Ruben Groenewoud 75c7c09595 [New Rule] Suspicious Path Invocation from Command Line (#4338) 2025-01-16 10:20:37 +01:00
Ruben Groenewoud 9186c5e14a [New BBR] Linux System Information Discovery via Getconf (#4337)
* [New BBR] Linux System Information Discovery via Getconf

* ++

* Update discovery_linux_sysctl_enumeration.toml
2025-01-16 10:05:29 +01:00
Terrance DeJesus 5162067a51 [New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377)
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'

* updated pyproject patch version

* bump repo version

* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

* updating patch version

* updating patch version

* Adding additional threshold rule
2025-01-15 14:11:58 -05:00
Terrance DeJesus c04ae6d444 [New Rule] Adding Coverage for SNS Topic Message Publish by Rare User (#4350)
* new rule 'SNS Topic Message Publish by Rare User'

* added new terms note

* added investigation guide tag

* fixed tag, added investigation fields

* toml lint

* fixed mitre ATT&CK mapping
2025-01-15 13:55:45 -05:00
Terrance DeJesus 97b3f43870 [New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328)
* new rule 'AWS EC2 Deprecated AMI Discovery'

* updated type

* updated non-ecs; bumped package version

* updated query

* added missing index

* updated patch version
2025-01-15 11:53:18 -05:00
shashank-elastic 32f596629d Provide Deprecate Warnings for Experimental ML commands (#4365) 2025-01-15 21:53:16 +05:30
Terrance DeJesus f8312cc5b0 [Rule Tuning] Adjusting Verbiage for AWS EC2 Instance Connect SSH Public Key Uploaded (#4334)
* tuning rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'

* updating subtechnique ID

* added mitre tag lateral movement

* changing sequence of mitre ATT&CK
2025-01-15 11:12:53 -05:00
Terrance DeJesus f97007f3a8 [New Rule] Adding Coverage for AWS SQS Queue Purge (#4354)
* new rule 'AWS SQS Queue Purge'

* Update rules/integrations/aws/defense_evastion_sqs_purge_queue.toml

* added investigation guide tag; fixed file name
2025-01-15 10:52:22 -05:00
Jonhnathan 447fce3b08 [Rule Tuning] Suspicious Communication App Child Process (#4369) 2025-01-15 12:13:10 -03:00
Eric Forte cc00963fc3 [Bug] [DaC] Actions Connector Defaults to None (#4376)
* Add explicit calls to pass directories

* Bump Version
2025-01-15 09:31:23 -05:00
Jonhnathan 74f11dbf7f [Rule Tuning] Posh BBRs (#4372) 2025-01-15 11:00:21 -03:00
Terrance DeJesus c912b78586 maintenance - remove hunting TOML files from repo version checks (#4374) 2025-01-14 14:45:53 -05:00
Samirbous bcca0a2016 [New] Sensitive Audit Policy Sub-Category Disabled (#4373)
* [New] Sensitive Audit Policy Sub-Category Disabled

https://elasticstack.slack.com/archives/C016E72DWDS/p1736784727633579

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-14 12:13:45 -03:00
Ruben Groenewoud e822af47a4 [Hunt Tuning] Persistence via SSH Configurations and/or Keys (#4351)
* [Hunt Tuning] Persistence via SSH Configurations and/or Keys

* ++

* Revert "Merge branch 'main' into hunt-update-ssh-authorized-keys"

This reverts commit 2b31a3bb49e51a4c9f4752ad6880c3f398032b4e, reversing
changes made to 263ffd5eb98f53282850b4f777df4091f3f03926.

* ++

* Update pyproject.toml
2025-01-13 16:53:09 +01:00