Isai
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
2024-12-06 17:27:38 -05:00
shashank-elastic
801efb3d93
Protections for AWS Bedrock (#4270)
2024-12-03 21:56:39 +05:30
shashank-elastic
53cfeb76e3
Add event dataset for missing rule in Github integration (#4278)
2024-12-03 20:32:55 +05:30
shashank-elastic
5ab7565923
Minstack versions for Okta and Github Integration (#4273)
2024-11-27 18:39:41 +05:30
Ruben Groenewoud
4e28895e66
[Rule Tuning] Kernel Module Removal (#4269)
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-11-25 21:13:44 +01:00
Terrance DeJesus
2d79494068
new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271)
2024-11-25 10:28:43 -05:00
Samirbous
f36845318e
[New] First Time Seen User Auth via DeviceCode Protocol (#4153)
* Create credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update credential_access_first_time_seen_device_code_auth.toml
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update credential_access_first_time_seen_device_code_auth.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-11-11 13:04:18 +00:00
Samirbous
b66d0e0a0d
[New] Remote Desktop File Opened from Suspicious Path (#4251)
2024-11-11 18:08:48 +05:30
Terrance DeJesus
ef453d8f4d
[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)
* adding investigation fields to specific aws rules
* updated patch
* removing min-stack requirements
* removed user.name redundancy
* adjusted order of investigation fields
* adding source address
2024-11-08 23:11:18 -05:00
Terrance DeJesus
33d832d4e4
[Rule Tuning] Tuning Process Termination followed by Deletion (#4173)
* adding rule tuning
* adjusted operators; fixed missing quotes
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-11-08 16:38:17 -03:00
Ruben Groenewoud
56e61a6321
[New Rule] Potential Hex Payload Execution (#4241)
* [New Rule] Potential Hex Payload Execution
* Update rules/linux/defense_evasion_hex_payload_execution.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 19:15:17 +01:00
Ruben Groenewoud
54bb319f7b
[New Rule] Memory Swap Modification (#4239)
* [New Rule] Memory Swap Modification
* Update rules/linux/impact_memory_swap_modification.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 19:06:55 +01:00
Ruben Groenewoud
3207ca37e4
[New Rule] Unusual Interactive Shell Launched from System User (#4238)
* [New Rule] Unusual Interactive Shell Launched from System User
* Update defense_evasion_interactive_shell_from_system_user.toml
* Update defense_evasion_interactive_shell_from_system_user.toml
* Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 18:24:30 +01:00
Ruben Groenewoud
267a6b6fa6
[New Rule] Web Server Spawned via Python (#4236)
* [New Rule] Web Server Spawned via Python
* Update execution_python_webserver_spawned.toml
* Update rules/linux/execution_python_webserver_spawned.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update execution_python_webserver_spawned.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 18:16:19 +01:00
Ruben Groenewoud
83f31e1640
[New Rule] Directory Creation in /bin directory (#4227)
* [New Rule] Directory Creation in /bin directory
* Description fix
* Update rules/linux/defense_evasion_directory_creation_in_bin.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 18:07:06 +01:00
Ruben Groenewoud
6040b6aee4
[New Rule] Hidden Directory Creation via Unusual Parent (#4226)
* [New Rule] Hidden Directory Creation via Unusual Parent
* Update rules/linux/defense_evasion_hidden_directory_creation.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 17:58:13 +01:00
Ruben Groenewoud
43148a72f4
[New Rule] Security File Access via Common Utilities (#4243)
* [New Rule] Security File Access via Common Utilities
* [New Rule] Security File Access via Common Utilities
* Update discovery_security_file_access_via_common_utility.toml
2024-11-08 17:41:33 +01:00
Ruben Groenewoud
f89e245e29
[New Rule] Potential Data Splitting Detected (#4235)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 17:32:59 +01:00
Ruben Groenewoud
3e268282d1
[New Rule] Private Key Searching Activity (#4242)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 17:13:55 +01:00
Ruben Groenewoud
40118186fb
[New Rule] IPv4/IPv6 Forwarding Activity (#4240)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 17:06:07 +01:00
Ruben Groenewoud
993c60decb
[New Rule] Curl SOCKS Proxy Activity from Unusual Parent (#4237)
* [New Rule] Curl SOCKS Proxy Activity from Unusual Parent
* OS Type update
* Update rules/linux/command_and_control_curl_socks_proxy_detected.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 16:51:18 +01:00
shashank-elastic
d2502c7394
Prep for Release 8.17 (#4256)
2024-11-07 23:53:04 +05:30
Jonhnathan
d1b102730c
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8 (#4233)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8
* Update defense_evasion_powershell_windows_firewall_disabled.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-07 12:38:27 -03:00
Jonhnathan
ef0f96c874
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 (#4232)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-07 12:27:47 -03:00
Samirbous
d2dfd46b3e
Update credential_access_suspicious_lsass_access_generic.toml (#4188)
2024-11-07 13:56:53 +00:00
Terrance DeJesus
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User (#4245)
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
shashank-elastic
6a39009402
Add investigation guide for Amazon Bedrock Rules (#4247)
* Add investigation guide for Amazon Bedrock Rules
* updated date
* review comments
* review comments
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-11-06 12:58:02 -05:00
Terrance DeJesus
1cc160fe2e
[Rule Tuning] Add Investigation Guides to AWS Rules (#4249)
* adding investigation guides for existing AWS rules
* removing 'AWS EC2 Instance Interaction with IAM Service' rule tuning
* adding back newline
* adjusted mitre att&ck mapping
* adjusted query and rule name
* updating date
2024-11-06 12:29:14 -05:00
Terrance DeJesus
c602042954
[New Rule] Adding Coverage for AWS Discovery API Calls via CLI from a Single Resource (#4246)
* adding new rule 'AWS Multiple Discovery API Calls via CLI from a Single Resource'
* adjusted name
* adjusted ESQL functions
* changed query comment
* Update rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml
* adjusted query
* added min-stack
* adjusted query
2024-11-06 12:14:38 -05:00
Terrance DeJesus
ef6344f5e6
[Rule Tuning] Tuning AWS STS Temporary Credentials via AssumeRole (#4228)
* tuning 'AWS STS Temporary Credentials via AssumeRole'
* linted; adjusted OR in query
* added investigation guide
* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* added new rule 'AWS STS Role Assumption by User'
* adjusted UUID
* Update rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-11-06 12:01:07 -05:00
Terrance DeJesus
f486571dc6
[New Rule] Adding Coverage for AWS SSM Command Document Created by Rare User (#4229)
* new rule 'AWS SSM Command Document Created by Rare User'
* added another reference
* added investigation guide
* removed min-stack
* Update rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
2024-11-06 11:53:51 -05:00
Terrance DeJesus
1c9177ef6f
[New Rule] Adding Coverage for AWS IAM Create User via Assumed Role on EC2 Instance (#4244)
* adding new rule 'AWS IAM Create User via Assumed Role on EC2 Instance'
* adding false-positive note
* changed file name
* added event.provider
* tuned 'AWS EC2 Instance Interaction with IAM Service' to be BBR
* updated query
* added BBR tag
* moved rule to BBR
* fixed BBR query
* moved rule to BBR
2024-11-06 11:28:41 -05:00
Terrance DeJesus
d5f36b3619
[New Rule] Adding Coverage for AWS SNS Email Subscription by Rare User (#4224)
* adding new rule 'AWS SNS Email Subscription by Rare User'
* updated mitre; adjusted non-ecs schema; fixed query
* removed protocol inclusion in query
* fixed risk score
* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-11-06 11:19:30 -05:00
Jonhnathan
6c2dad966a
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9 (#4234)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9
* .
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-05 15:39:32 -03:00
Jonhnathan
a743b9c8c4
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6 (#4231)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6
* Update credential_access_cmdline_dump_tool.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Revert "Update defense_evasion_powershell_windows_firewall_disabled.toml"
This reverts commit d2df2a848290425ebfe0bb5157332ad0611f726f.
* Update lateral_movement_via_wsus_update.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-05 15:00:43 -03:00
Jonhnathan
d5b5ba387d
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5 (#4230)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5
* Update collection_winrar_encryption.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-05 14:46:10 -03:00
Jonhnathan
63956a6f51
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 4 (#4225)
2024-11-05 14:22:14 -03:00
Isai
09ea35f33a
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210)
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device
New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"
* add serialNumber to non-ecs schema file
* fixed misspelled toml file name
* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-11-05 02:09:05 -05:00
Jonhnathan
2b6116e0ce
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 (#4222)
2024-11-04 11:55:04 -03:00
Jonhnathan
80841b5619
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2 (#4221)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 2
* Update rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-11-04 11:47:43 -03:00
Jonhnathan
81292aee8a
[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1 (#4220)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 1
* Update Integrations unit tests
* Update test_all_rules.py
2024-11-04 11:32:22 -03:00
Isai
b6847c7a48
[New Rule] AWS STS Role Chaining (#4209)
* [New Rule] AWS STS Role Chaining
Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
While this is a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.
* adding metadata query fields
* removing index field
2024-10-30 12:18:04 -04:00
shashank-elastic
123e090e7d
Fix Minstack version for windows integration - Phase 2 (#4216)
2024-10-28 20:25:02 +05:30
shashank-elastic
92fe46b8ff
Fix Minstack version for windows integration (#4214)
2024-10-28 19:28:10 +05:30
Ruben Groenewoud
9e4fce6586
[Rule Tuning] Potential Linux Hack Tool Launched (#4191)
2024-10-25 17:23:48 +02:00
Ruben Groenewoud
b0bba39007
[Rule Tuning] Linux User Added to Privileged Group (#4206)
2024-10-25 14:21:20 +02:00
shashank-elastic
be656ae740
Tune Bedrock rule to accept multivalued column (#4205)
2024-10-23 20:48:56 +05:30
shashank-elastic
275c7288a3
Add testcase to check for related_integrations based on index (#4096)
2024-10-22 00:17:30 +05:30
Terrance DeJesus
d0225c37df
[Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169)
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'
* added missing bracket
* linted
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
* removed intelephense whitelisting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-10-18 11:50:57 -04:00
Ruben Groenewoud
42f6c8f9a5
[Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165)
2024-10-18 17:13:44 +02:00