security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,162 Commits 1 Branch 0 Tags
4f55e9b05f044131f6c19f553f2e06fcc7486bf5
Commit Graph

9 Commits

Author SHA1 Message Date
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2022-07-18 15:41:32 -04:00
Jonhnathan 817b97f428 [Security Content] Refactor Existing Investigation Guides (#1959) 
* Initial commit

* Update Investigation guides - security-docs review

* Update command_and_control_dns_tunneling_nslookup.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply security-docs review

* Remove dot

* Update rules/windows/command_and_control_rdp_tunnel_plink.toml

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply changes from review

* Apply the suggestion

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2022-05-18 12:59:39 -03:00
Jonhnathan 8a59b49fea [Security Content] Adjust Investigation Guides to be less generic (#1805) 
* PowerShell Suspicious Script with Audio Capture Capabilities

* PowerShell Keylogging Script

* PowerShell MiniDump Script

* Potential Process Injection via PowerShell

* PowerShell Suspicious Discovery Related Windows API Functions

* Suspicious Portable Executable Encoded in Powershell Script

* PowerShell PSReflect Script

* Startup/Logon Script added to Group Policy Object

* Group Policy Abuse for Privilege Addition

* Scheduled Task Execution at Scale via GPO

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Adjust Posh desc

* .

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* .

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update privilege_escalation_group_policy_scheduled_task.toml

* Update rules/windows/privilege_escalation_group_policy_iniscript.toml

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-03-31 11:29:30 -03:00
Jonhnathan 1c50f35aed [Security Content] Update rules based on docs review (#1803) 
* Adds suggestions from security-docs

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-03-01 21:39:30 -03:00
Jonhnathan dec4243db0 [Rule Tuning] Update rules based on docs review (#1778) 
* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-16 07:42:06 -09:00
Jonhnathan 49854aaae2 [Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610) 
* Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script

* Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule

* Add Investigation Guide and Config to "PowerShell MiniDump Script" rule

* Add logging policy reference

* Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities"

* Add Related Rules GUIDs

* Add Investigation Guide/config for "Potential Process Injection via PowerShell"

* Adjust Response and remediation

* Add Investigation Guide/config for "PowerShell Keylogging Script"

* bump updated_date

* Apply suggestions from Samir

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions

* Revise line from investigation guides

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2022-01-20 08:56:53 -03:00
Jonhnathan 851c566730 [Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620) 
* Replaces event.code with event.category

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-07 21:32:39 -09:00
Justin Ibarra 14c46f50b9 [Rule Tuning] updates from documentation review for 7.16 (#1645) 2021-12-07 15:42:58 -09:00
Jonhnathan f50fb1d61b [New Rule] Suspicious Portable Executable Encoded in Powershell Script (#1562) 
* Create execution_posh_portable_executable.toml

* Add wildcard

* Remove the wildcard

* Update rules/windows/execution_posh_portable_executable.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-18 17:50:16 -03:00