security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,373 Commits 1 Branch 0 Tags
539cd945a9e8d73e89e723c2c265bd511ab9bd45
Commit Graph

1028 Commits

Author SHA1 Message Date
shashank-elastic 539cd945a9 New Rule to identify iptables or firewall disabling. (#2591) 2023-03-01 17:14:45 +05:30
Ruben Groenewoud 66359012c3 [Rule Tuning] Potential Shadow File Read via CLI (#2594) 2023-02-28 18:26:38 +01:00
Jonhnathan c3d8bac402 [Security Content] Add Investigation Guides to Windows rules (#2521) 
* [Security Content] Add Investigation Guides to Windows rules

* .

* Add IG tag

* Apply suggestions from review

* Address reviews

* address note

* Update defense_evasion_amsi_bypass_dllhijack.toml

* Update defense_evasion_amsi_bypass_powershell.toml
 2023-02-22 18:13:13 -03:00
Jonhnathan f17b6f1702 [Security Content] Fix verbiage used on Osquery Note (#2513) 
* [Security Content] Fix verbiage used on Osquery Note

* Adjust verbiage

* date bump

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-02-22 12:33:23 -03:00
Isai 9bef3857f9 [Rule Tuning] Remote System Discovery Commands (#2500) 
* [Rule Tuning] Remote System Discovery Commands

- Added to query to add additional remote system discovery tools : nltest, dsquery, net

* Update discovery_remote_system_discovery_commands_windows.toml

-added dsget.exe

* update date

* removed git comments

* removed extra ( from query
 2023-02-21 18:39:51 -05:00
Isai f04ebf277c [Rule Tuning] (#2537) 
add t1018 Remote system discovery
 2023-02-15 14:58:29 -05:00
Isai 7df801f5c2 [Rule Tuning] Add missing techniques (#2482) 
* tune for missing techniques

-added missing techniques to rules

* added same missing techniques to another rule

- updated_date for all files - added missing techniques to a 3rd rule

* added T1057 technique

added T1057 technique for Process discovery
 2023-02-10 15:07:19 -05:00
shashank-elastic f8e97da549 Rule Tuning Update MITRE Details (#2526) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-02-10 23:05:28 +05:30
Isai 443478c8c0 [Rule Tuning] Rule Tunings to add T1078 technique and subtechniques (#2530) 
- add sub-techniques and techniques
 2023-02-08 11:18:13 -05:00
Nic 54b2f7582e Update defense_evasion_unusual_ads_file_creation.toml (#2522) 2023-02-07 09:40:42 -03:00
Mika Ayenson 1784429aa7 [FR] Add Integration Schema Query Validation (#2470) 2023-02-02 16:22:44 -05:00
Samirbous cd2307ba7d [New Rule] FirstTimeSeen User Performing DCSync (#2433) 
* Create credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-02-02 15:44:31 +00:00
Jonhnathan 4bfcbeab36 [Rule Tuning] Unusual Network Activity from a Windows System Binary (#2509) 
* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml
 2023-02-01 13:19:28 -03:00
Isai 748bdbf8b1 [New Rule] Enumerating Domain Trusts via Dsquery.exe (#2508) 
* [New Rule] Enumerating Domain Trusts via Dsquery.exe

T1482 Domain Trust Discovery

New rule to capture domain trust discovery with dsquery.

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq

Other than that, LGTM!

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-02-01 10:27:42 -05:00
Samirbous c6125004c1 [New Rules] WSL Related Rules (#2463) 
* Create defense_evasion_wsl_registry_modification.toml

* Create defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_registry_modification.toml

* Update defense_evasion_wsl_child_process.toml

* Create defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_enabled_via_dism.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Delete defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Create defense_evasion_wsl_bash_exec.toml

* Delete defense_evasion_wsl_bash_exec.toml

* Create defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_registry_modification.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_kalilinux.toml
 2023-02-01 15:10:28 +00:00
Samirbous 7fe08e7856 Update persistence_service_windows_service_winlog.toml (#2516) 2023-02-01 14:34:30 +00:00
Ruben Groenewoud be5cd23a64 [New Rules] Code Signing Policy Modification (#2510) 
* [New Rules] Code Signing Policy Modification

* Fixed description & tags

* cleaned the query syntax

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-02-01 15:30:15 +01:00
Jonhnathan 5a31cb250d [Rule Tuning] Unusual File Modification by dns.exe (#2505) 2023-02-01 11:10:05 -03:00
Jonhnathan 8c2cbae5a8 [New Rule] Potential PowerShell HackTool Script by Function Names (#2474) 
* [New Rule] Potential PowerShell HackTool Script by Function Names

* Update execution_posh_hacktool_functions.toml

* Update execution_posh_hacktool_functions.toml

* Update execution_posh_hacktool_functions.toml
 2023-01-31 17:21:36 -03:00
Jonhnathan 8e02c60ef6 [Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486) 2023-01-31 16:56:19 -03:00
Jonhnathan 99f177a5ae [Rule Tuning] Potential Credential Access via DCSync (#2501) 2023-01-31 16:50:39 -03:00
Jonhnathan 8519fad243 [Rule Tuning] Potential Remote Credential Access via Registry (#2511) 
* [Rule Tuning] Potential Remote Credential Access via Registry

* Remove WEF index
 2023-01-31 15:09:32 -03:00
Isai d636f2d465 [Rule Tuning] T1069 and T1087 - admin wildcard (#2484) 
Tuned both rules:relax the conditions by adding a wildcard to admin
 2023-01-30 22:01:52 -05:00
Jonhnathan 5575400ee9 [Security Content] Add Investigation Guides for ML rules (#2405) 
* [Security Content] Add Investigation Guides for ML rules

* .

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Place the guide in the correct rule

* Update guides to address IG refactor, and address sugestions

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-01-30 13:12:45 -03:00
Jonhnathan 54f65abdb0 [Rule Tuning] Potential Shadow Credentials added to AD Object (#2498) 2023-01-30 09:14:23 -03:00
Ruben Groenewoud b8adffa469 [New Rule] System Service Discovery through built-in Windows Utilities (#2491) 
* [New Rule] System Service Discovery through built-in Windows Utilities

* added pe.original_file_name to net.exe

* fixed query style mistake

* fixed detection logic mistake

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-29 19:15:17 +01:00
Samirbous c5ce910d3a Create defense_evasion_timestomp_sysmon.toml (#2476) 2023-01-27 21:32:03 +00:00
Samirbous b8dcc6ab4b [New Rules] C2 via BITS and CertReq (#2466) 
* Create command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Create command_and_control_ingress_transfer_bits.toml

* Update non-ecs-schema.json

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_ingress_transfer_bits.toml

* Update rules/windows/command_and_control_certreq_postdata.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-27 20:17:36 +00:00
Samirbous e737b4eb7c [Tuning] added T1021.006 and T1563.001 (#2497) 
* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update credential_access_potential_linux_ssh_bruteforce_root.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml
 2023-01-27 19:51:22 +00:00
Samirbous a1df310e56 [New Rule] T1553.006 - Untrusted Driver Loaded (#2499) 
* Create defense_evasion_untrusted_driver_loaded.toml

* Update defense_evasion_untrusted_driver_loaded.toml
 2023-01-27 19:46:35 +00:00
Samirbous 2372602c4e [New Rules] Amsi Bypass (#2473) 
* Create defense_evasion_amsi_bypass_powershell.toml

* Create defense_evasion_amsi_bypass_dllhijack.toml

* Update defense_evasion_amsi_bypass_dllhijack.toml
 2023-01-26 06:03:53 +00:00
Samirbous 1c6e5a3448 [New Rule] Suspicious Inter-Process Communication via Outlook (#2458) 
* Create collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:44:32 +00:00
Samirbous 1a5e64ce13 [New Rule] T1543.003 - Unsigned DLL Loaded by Svchost (#2477) 
* Create persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

* Update persistence_service_dll_unsigned.toml

* Update rules/windows/persistence_service_dll_unsigned.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update detection_rules/etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update persistence_service_dll_unsigned.toml

* Update persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:11:38 +00:00
Samirbous bcd8ef15ba [New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409) 
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update non-ecs-schema.json

* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 13:23:20 +00:00
Samirbous 8427c8cd22 Create credential_access_suspicious_lsass_access_generic.toml (#2487) 2023-01-25 09:43:35 +00:00
Terrance DeJesus 3b2d1af051 new guided onboarding rule (#2492) 2023-01-24 11:26:28 -05:00
Jonhnathan f804c29f6d [New Rule] PowerShell Script with Encryption/Decryption Capabilities (#2489) 
* [New Rule] PowerShell Script with Encryption/Decryption Capabilities

* Update defense_evasion_posh_encryption.toml
 2023-01-24 12:26:11 -03:00
Ruben Groenewoud 644a094503 Group Policy Object Discovery through gpresult.exe (#2483) 
* [New  Rule] Group Policy Discovery Through gpresult.exe

* Fixed typo

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-24 12:10:57 +01:00
Jonhnathan fc30b5881f [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities (#2465) 
* [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities

* Bump sev

* Update rules/windows/collection_posh_clipboard_capture.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-01-24 07:58:48 -03:00
Jonhnathan 92ae27600f [New Rule] PowerShell Mailbox Collection Script (#2461) 2023-01-24 07:54:55 -03:00
Jonhnathan 0aa87d7f4a [Rule Tuning] Unusual Process For a Linux Host (#2445) 
* [Rule Tuning] Unusual Process For a Linux Host

* .
 2023-01-23 21:03:29 -03:00
Jonhnathan 77c8665f11 [Rule Tuning] Add endgame support for Linux Rules (#2436) 
* [Rule Tuning] Add endgame support for Linux Rules

* [Rule Tuning] Add endgame support for Linux Rules

* .

* Update persistence_insmod_kernel_module_load.toml
 2023-01-23 20:53:15 -03:00
Jonhnathan 7cde7901e3 [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions (#2478) 
* [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions

* Update discovery_posh_suspicious_api_functions.toml
 2023-01-23 20:35:43 -03:00
Jonhnathan 729ecf8b58 [New Rule] PowerShell Invoke-NinjaCopy script (#2488) 
* [New Rule] PowerShell Invoke-NinjaCopy script

* Update credential_access_posh_invoke_ninjacopy.toml

* Update credential_access_posh_invoke_ninjacopy.toml
 2023-01-23 20:00:57 -03:00
Ruben Groenewoud e3ff45e20c [New Rule] System Time Discovery (#2475) 
* [New Rule] System Time Discovery

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-18 13:01:57 +01:00
Terrance DeJesus e5d81e77f7 [New Rule] Add Google Workspace Alert Center Promotional Rule (#2471) 
* Add Google Workspace Alert Center Promotional Rule

* added severity mapping overrides
 2023-01-17 12:09:13 -05:00
Terrance DeJesus b61da98f97 [Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 (#2467) 
* Bumping min-stack version for Google Workspace to 8.4

* changed 'updated_date' values
 2023-01-13 13:29:28 -05:00
Jonhnathan 0e535e5931 [Rule Tuning] Remove unreleased timeline from alert correlation rules (#2462) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-01-12 12:10:59 -03:00
Samirbous cb88ad715c [New Rule] Exchange Mailbox via PowerShell (#2459) 
* Create collection_mailbox_export_winlog.toml

* Update collection_mailbox_export_winlog.toml

* Update collection_mailbox_export_winlog.toml

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-11 16:45:20 +00:00
Samirbous 8afda66487 [Rule Tuning] Suspicious WerFault Child Process (#2437) 
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
 2023-01-11 16:41:57 +00:00