security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,373 Commits 1 Branch 0 Tags
539cd945a9e8d73e89e723c2c265bd511ab9bd45
Commit Graph

1373 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
shashank-elastic 539cd945a9 New Rule to identify iptables or firewall disabling. (#2591) 2023-03-01 17:14:45 +05:30
Ruben Groenewoud 66359012c3 [Rule Tuning] Potential Shadow File Read via CLI (#2594) 2023-02-28 18:26:38 +01:00
Mika Ayenson fd0120d98b [FR] Use Read token on branch status checks (#2598) 2023-02-24 09:17:07 -05:00
Jonhnathan c3d8bac402 [Security Content] Add Investigation Guides to Windows rules (#2521) 
* [Security Content] Add Investigation Guides to Windows rules

* .

* Add IG tag

* Apply suggestions from review

* Address reviews

* address note

* Update defense_evasion_amsi_bypass_dllhijack.toml

* Update defense_evasion_amsi_bypass_powershell.toml
 2023-02-22 18:13:13 -03:00
Jonhnathan f17b6f1702 [Security Content] Fix verbiage used on Osquery Note (#2513) 
* [Security Content] Fix verbiage used on Osquery Note

* Adjust verbiage

* date bump

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-02-22 12:33:23 -03:00
Isai 9bef3857f9 [Rule Tuning] Remote System Discovery Commands (#2500) 
* [Rule Tuning] Remote System Discovery Commands

- Added to query to add additional remote system discovery tools : nltest, dsquery, net

* Update discovery_remote_system_discovery_commands_windows.toml

-added dsget.exe

* update date

* removed git comments

* removed extra ( from query
 2023-02-21 18:39:51 -05:00
Isai f04ebf277c [Rule Tuning] (#2537) 
add t1018 Remote system discovery
 2023-02-15 14:58:29 -05:00
Terrance DeJesus 73d581500c [Bug] Change YAML Dump Parameters for Integrations Changelog (#2545) 
* changed yamp.dump parameters to have correct order for changelog

* adjusted note in changelog
 2023-02-14 12:10:41 -05:00
Isai 7df801f5c2 [Rule Tuning] Add missing techniques (#2482) 
* tune for missing techniques

-added missing techniques to rules

* added same missing techniques to another rule

- updated_date for all files - added missing techniques to a 3rd rule

* added T1057 technique

added T1057 technique for Process discovery
 2023-02-10 15:07:19 -05:00
github-actions[bot] c07ced2ce4 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7 (#2542) 
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7

* newline in version lock file to start CI

* removed newline in version lock file

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-02-10 14:11:33 -05:00
Terrance DeJesus f8d26f4ce0 [Bug] Removed Strip Calls in Favor of F-Strings with Major and Minor Versions (#2541) 
* removed strip calls in favor of f-strings with major and minor versions

* changed variable reference in minor_release of bump-pkg-versions
 2023-02-10 13:18:53 -05:00
shashank-elastic f8e97da549 Rule Tuning Update MITRE Details (#2526) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-02-10 23:05:28 +05:30
Terrance DeJesus 8a7ad13611 [FR] 8.7 Release Preparation and Update Main Branch to 8.8 (#2533) 
* adding preparations for 8.8 release

* addressed flake single new line error

* froze and updated API schemas

* updated get_intregration_manifests

* adjusted boolean in find_latest_integration_version
 2023-02-08 17:27:21 -05:00
Mika Ayenson 60115443a4 Validate against beats and integrations schemas (#2524) 2023-02-08 12:01:31 -05:00
Isai 443478c8c0 [Rule Tuning] Rule Tunings to add T1078 technique and subtechniques (#2530) 
- add sub-techniques and techniques
 2023-02-08 11:18:13 -05:00
Terrance DeJesus 58ba72d5bf patch fix for 2503 update addressing separate bugs (#2528) 2023-02-07 16:09:17 -05:00
Terrance DeJesus 4054eb43d1 patch fix for 2503 (#2527) 2023-02-07 15:40:51 -05:00
Terrance DeJesus fb2b4529c5 [FR] Adapt PyPi semver Library and Remove Custom (#2503) 
* removed custom semver and replaced with pypi

* updated beats.py version references

* updated bump-versions CLI command to use semver and change logic

* updated schemas __init__, test_version_lock and unstage incompatible rules CLI

* updated test_stack_schema_map in TestVersions unittest

* updated test_all_rules unit testing Version() references

* updated stack_compat.py for get_restricted_field references)

* updated version_lock.py Version() references

* updated docs.py Version() reference for parse_registry

* updated devtools.py Version() reference for trim-version-lock

* updated mixins.py Version() reference in validate_field_compatibility

* adjusted schemas.__init__ Version() reference in get_stack_schemas

* adjusted ecs.py Version() references

* adjusted integrations.py Version() references

* adjusted rule.py Version() references

* sorted imports

* replaced custom semver with pypi semver in unit test files

* addressed unit test and flake errors

* changed semver strings casted to version_lock.py

* fixed sorting in integrations.py

* updated bump-pkgs-versions CLI command

* adjusted semantic version in unstage-incompatible-rules command

* adjusted semver import to VersionInfo

* added semver 3 and adjusted import names

* added option_minor_and_patch parameter where version is major.minor

* updated bump-pkg-versions to always save to packages.yml

* removed leftover split call & updated find latest compatible version command

* updated integrations.py, version_lock.py and schemas.__init__.py

* changed fstring reference in downgrade function

* reverted formatting changes for detection_rules __init__.py

* added newline to detection_rules __init__.py

* adjusted finding latest_release for attack package logic

* adjusted unstage-incompatible-rules command logic comparing versions

* removing changes from misc.py related to auto-formatting

* adding newline to misc.py

* fixed bug in downgrade function calling decorators

* added semantic version validation on migrate decorator function

* added expected type returned from find_latest_integration_version in integrations.py

* add comment about stripped versions for version lock file

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-02-07 14:26:29 -05:00
eric-forte-elastic 9ce8faebea Updated ECS mappings from keyword to wildcard (#2518) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-02-07 09:43:19 -05:00
Nic 54b2f7582e Update defense_evasion_unusual_ads_file_creation.toml (#2522) 2023-02-07 09:40:42 -03:00
Mika Ayenson 51b7df8613 Check integrations cross major versions for older release support (#2520) 2023-02-02 18:17:02 -05:00
Mika Ayenson e6ba0055fb Resolve backport checks on 2470 by checking Version min_stack (#2519) 2023-02-02 17:29:30 -05:00
Mika Ayenson 1784429aa7 [FR] Add Integration Schema Query Validation (#2470) 2023-02-02 16:22:44 -05:00
Samirbous cd2307ba7d [New Rule] FirstTimeSeen User Performing DCSync (#2433) 
* Create credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-02-02 15:44:31 +00:00
Jonhnathan 4bfcbeab36 [Rule Tuning] Unusual Network Activity from a Windows System Binary (#2509) 
* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml
 2023-02-01 13:19:28 -03:00
Isai 748bdbf8b1 [New Rule] Enumerating Domain Trusts via Dsquery.exe (#2508) 
* [New Rule] Enumerating Domain Trusts via Dsquery.exe

T1482 Domain Trust Discovery

New rule to capture domain trust discovery with dsquery.

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq

Other than that, LGTM!

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-02-01 10:27:42 -05:00
Samirbous c6125004c1 [New Rules] WSL Related Rules (#2463) 
* Create defense_evasion_wsl_registry_modification.toml

* Create defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_registry_modification.toml

* Update defense_evasion_wsl_child_process.toml

* Create defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_enabled_via_dism.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Delete defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Create defense_evasion_wsl_bash_exec.toml

* Delete defense_evasion_wsl_bash_exec.toml

* Create defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_registry_modification.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_kalilinux.toml
 2023-02-01 15:10:28 +00:00
Samirbous 7fe08e7856 Update persistence_service_windows_service_winlog.toml (#2516) 2023-02-01 14:34:30 +00:00
Ruben Groenewoud be5cd23a64 [New Rules] Code Signing Policy Modification (#2510) 
* [New Rules] Code Signing Policy Modification

* Fixed description & tags

* cleaned the query syntax

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-02-01 15:30:15 +01:00
Jonhnathan 5a31cb250d [Rule Tuning] Unusual File Modification by dns.exe (#2505) 2023-02-01 11:10:05 -03:00
Jonhnathan 8c2cbae5a8 [New Rule] Potential PowerShell HackTool Script by Function Names (#2474) 
* [New Rule] Potential PowerShell HackTool Script by Function Names

* Update execution_posh_hacktool_functions.toml

* Update execution_posh_hacktool_functions.toml

* Update execution_posh_hacktool_functions.toml
 2023-01-31 17:21:36 -03:00
Jonhnathan 8e02c60ef6 [Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486) 2023-01-31 16:56:19 -03:00
Jonhnathan 99f177a5ae [Rule Tuning] Potential Credential Access via DCSync (#2501) 2023-01-31 16:50:39 -03:00
Jonhnathan 8519fad243 [Rule Tuning] Potential Remote Credential Access via Registry (#2511) 
* [Rule Tuning] Potential Remote Credential Access via Registry

* Remove WEF index
 2023-01-31 15:09:32 -03:00
Isai d636f2d465 [Rule Tuning] T1069 and T1087 - admin wildcard (#2484) 
Tuned both rules:relax the conditions by adding a wildcard to admin
 2023-01-30 22:01:52 -05:00
Jonhnathan 5575400ee9 [Security Content] Add Investigation Guides for ML rules (#2405) 
* [Security Content] Add Investigation Guides for ML rules

* .

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Place the guide in the correct rule

* Update guides to address IG refactor, and address sugestions

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-01-30 13:12:45 -03:00
Jonhnathan 54f65abdb0 [Rule Tuning] Potential Shadow Credentials added to AD Object (#2498) 2023-01-30 09:14:23 -03:00
Ruben Groenewoud b8adffa469 [New Rule] System Service Discovery through built-in Windows Utilities (#2491) 
* [New Rule] System Service Discovery through built-in Windows Utilities

* added pe.original_file_name to net.exe

* fixed query style mistake

* fixed detection logic mistake

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-29 19:15:17 +01:00
Samirbous c5ce910d3a Create defense_evasion_timestomp_sysmon.toml (#2476) 2023-01-27 21:32:03 +00:00
Samirbous b8dcc6ab4b [New Rules] C2 via BITS and CertReq (#2466) 
* Create command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Create command_and_control_ingress_transfer_bits.toml

* Update non-ecs-schema.json

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_ingress_transfer_bits.toml

* Update rules/windows/command_and_control_certreq_postdata.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-27 20:17:36 +00:00
Samirbous e737b4eb7c [Tuning] added T1021.006 and T1563.001 (#2497) 
* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update credential_access_potential_linux_ssh_bruteforce_root.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml
 2023-01-27 19:51:22 +00:00
Samirbous a1df310e56 [New Rule] T1553.006 - Untrusted Driver Loaded (#2499) 
* Create defense_evasion_untrusted_driver_loaded.toml

* Update defense_evasion_untrusted_driver_loaded.toml
 2023-01-27 19:46:35 +00:00
Samirbous 2372602c4e [New Rules] Amsi Bypass (#2473) 
* Create defense_evasion_amsi_bypass_powershell.toml

* Create defense_evasion_amsi_bypass_dllhijack.toml

* Update defense_evasion_amsi_bypass_dllhijack.toml
 2023-01-26 06:03:53 +00:00
Samirbous 1c6e5a3448 [New Rule] Suspicious Inter-Process Communication via Outlook (#2458) 
* Create collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:44:32 +00:00
Samirbous 1a5e64ce13 [New Rule] T1543.003 - Unsigned DLL Loaded by Svchost (#2477) 
* Create persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

* Update persistence_service_dll_unsigned.toml

* Update rules/windows/persistence_service_dll_unsigned.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update detection_rules/etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update persistence_service_dll_unsigned.toml

* Update persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:11:38 +00:00
Samirbous bcd8ef15ba [New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409) 
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update non-ecs-schema.json

* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 13:23:20 +00:00
Samirbous 8427c8cd22 Create credential_access_suspicious_lsass_access_generic.toml (#2487) 2023-01-25 09:43:35 +00:00
Terrance DeJesus 3b2d1af051 new guided onboarding rule (#2492) 2023-01-24 11:26:28 -05:00
Jonhnathan f804c29f6d [New Rule] PowerShell Script with Encryption/Decryption Capabilities (#2489) 
* [New Rule] PowerShell Script with Encryption/Decryption Capabilities

* Update defense_evasion_posh_encryption.toml
 2023-01-24 12:26:11 -03:00
Ruben Groenewoud 644a094503 Group Policy Object Discovery through gpresult.exe (#2483) 
* [New  Rule] Group Policy Discovery Through gpresult.exe

* Fixed typo

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-24 12:10:57 +01:00