security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3 Commits 1 Branch 0 Tags
4ed2fbe9327f1490b668a791c333db366bb8fa31
Commit Graph

3 Commits

Author SHA1 Message Date
Jonhnathan 4ed2fbe932 [Security Content] Adjust Investigation Guides to be less generic (#1805) 
* PowerShell Suspicious Script with Audio Capture Capabilities

* PowerShell Keylogging Script

* PowerShell MiniDump Script

* Potential Process Injection via PowerShell

* PowerShell Suspicious Discovery Related Windows API Functions

* Suspicious Portable Executable Encoded in Powershell Script

* PowerShell PSReflect Script

* Startup/Logon Script added to Group Policy Object

* Group Policy Abuse for Privilege Addition

* Scheduled Task Execution at Scale via GPO

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Adjust Posh desc

* .

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* .

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update privilege_escalation_group_policy_scheduled_task.toml

* Update rules/windows/privilege_escalation_group_policy_iniscript.toml

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 8a59b49fea)
 2022-03-31 14:31:43 +00:00
Jonhnathan 5a263b253d [Security Content] Add Investigation Guides - 2 (#1822) 
* Add Investigation Guides for Windows Rules - First half

* + 1/2

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update credential_access_mod_wdigest_security_provider.toml

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update defense_evasion_amsienable_key_mod.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update command_and_control_certutil_network_connection.toml

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update collection_winrar_encryption.toml

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

(cherry picked from commit a3d7427d29)
 2022-03-30 17:46:02 +00:00
Colson Wilhoit 150ff0502e Linux Shell Evasion Rule Tuning (#1878) 
* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-29 21:03:35 -04:00