Ruben Groenewoud
608e02e27e
[New Rule] Linux Telegram API Request ( #4677 )
2025-05-06 21:53:19 +05:30
Jonhnathan
d3aa4b2f38
[Rule Tuning] Reduce Severity from Critical to High ( #4637 )
2025-05-06 21:37:47 +05:30
Ruben Groenewoud
944428d81e
[New Rule] Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments ( #4685 )
2025-05-06 21:21:58 +05:30
Jonhnathan
e028bf7954
[New Rule] Potential Dynamic IEX Reconstruction via Environment Variables ( #4633 )
2025-05-06 21:06:06 +05:30
Terrance DeJesus
a34a26ddec
[Rule Tuning] Excluding Microsoft Entra ID Service Principal Addition Invoked by MSFT Identity ( #4700 )
* tuning rule to exclude service principals added by MSFT
* added additional exclusions
* updated rule name and file name
* updated investigation guide and mitre
2025-05-06 11:19:50 -04:00
Jonhnathan
0cd7de6862
[New Rule] Potential PowerShell Obfuscation via Special Character Overuse ( #4632 )
2025-05-06 20:29:19 +05:30
Jonhnathan
b7016253ae
[New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion ( #4631 )
2025-05-06 20:13:34 +05:30
Jonhnathan
5d8f0c2ffe
[New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion ( #4630 )
2025-05-06 19:58:01 +05:30
Jonhnathan
dc6cb3e811
[New Rule] Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation ( #4615 )
2025-05-06 19:26:15 +05:30
Jonhnathan
5ab73943a1
[New Rule] Potential PowerShell Obfuscation via Invalid Escape Sequences ( #4614 )
2025-05-06 19:10:10 +05:30
Jonhnathan
b5ac9707ba
[New Rule] PowerShell Obfuscation via Negative Index String Reversal ( #4610 )
2025-05-06 18:54:22 +05:30
Jonhnathan
c291638521
[New Rule] Potential PowerShell Obfuscation via Reverse Keywords ( #4609 )
2025-05-06 18:36:13 +05:30
Jonhnathan
7b9cd77bc2
[New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction ( #4608 )
2025-05-06 18:18:29 +05:30
Jonhnathan
ebe77f2d86
[New Rule] Potential PowerShell Obfuscation via String Concatenation ( #4607 )
2025-05-06 18:02:35 +05:30
Ruben Groenewoud
fdc6b09d54
[New Rule] System Binary Symlink to Suspicious Location ( #4682 )
2025-05-06 17:46:47 +05:30
Ruben Groenewoud
25dc8498ae
[New Rule] Suspicious Named Pipe Creation ( #4681 )
2025-05-06 17:30:38 +05:30
Ruben Groenewoud
8b08795e00
[New Rule] Suspicious Kernel Feature Activity ( #4676 )
2025-05-06 17:13:24 +05:30
Ruben Groenewoud
0193af2842
[New Rule] Potential Data Exfiltration Through Curl ( #4678 )
2025-05-06 16:57:59 +05:30
Ruben Groenewoud
4030de9295
[New/Tuning] Potential Hex Payload Execution via Command-Line ( #4675 )
2025-05-06 16:29:03 +05:30
Ruben Groenewoud
eb3520a63b
[New Rule] Potential Backdoor Execution Through PAM_EXEC ( #4674 )
2025-05-06 16:13:23 +05:30
Samirbous
91acb4e9ce
[New] Windows Sandbox with Sensitive Configuration ( #4606 )
https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
2025-05-06 15:58:39 +05:30
Samirbous
04f15aa08c
[New] Rare Connection to WebDAV Target ( #4667 )
2025-05-06 15:41:30 +05:30
Samirbous
70f758d9ad
[New] Microsoft Azure or Mail Sign-in from a Suspicious Source ( #4673 )
2025-05-06 15:21:11 +05:30
Ruben Groenewoud
403e20c2c6
[New Rule] Git Repository or File Download to Suspicious Directory ( #4663 )
2025-05-06 15:05:27 +05:30
Ruben Groenewoud
3f9e2edcb5
[New Rule] Manual Mount Discovery via /etc/exports ( #4662 )
2025-05-06 14:48:55 +05:30
Ruben Groenewoud
a9e8a78c09
[New Rule] Docker Release File Creation ( #4661 )
2025-05-06 14:31:52 +05:30
Ruben Groenewoud
13cf424ef5
[New Rule] Manual Memory Dumping via Proc Filesystem ( #4660 )
2025-05-06 14:16:15 +05:30
Ruben Groenewoud
c9c41747fc
[FN Tuning] Suspicious /proc/maps Discovery ( #4659 )
2025-05-06 13:59:44 +05:30
Ruben Groenewoud
1150271372
[New Rule] Suspicious Path Mounted ( #4664 )
2025-05-06 13:43:00 +05:30
Samirbous
bcff3f95d5
Update command_and_control_common_webservices.toml ( #4686 )
2025-05-06 13:27:21 +05:30
Samirbous
f480e98f16
[New] Concurrent Azure SignIns with Suspicious Properties ( #4670 )
2025-05-06 13:09:54 +05:30
Samirbous
6e3b38c645
[New] Suspicious Microsoft 365 UserLoggedIn via OAuth Code ( #4691 )
2025-05-06 12:53:33 +05:30
Terrance DeJesus
57be590d73
[New Rule] Adding Coverage for Suspicious Activity via Auth Broker On-Behalf-of Principal User ( #4687 )
2025-05-06 12:41:57 +05:30
Terrance DeJesus
58d03d4043
[New Rule] Adding Coverage for Microsoft Entra ID SharePoint Access for User Principal via Auth Broker ( #4695 )
* new rule 'Microsoft Entra ID SharePoint Access for User Principal via Auth Broker'
* updated severity
* added new terms note
2025-05-05 16:45:47 -04:00
shashank-elastic
e4856d3c2c
Refresh ecs, beats, integration manifests & schemas ( #4699 )
2025-05-05 23:06:40 +05:30
Ruben Groenewoud
18e1103c51
[New Rule] Potential Linux Tunneling and/or Port Forwarding via SSH Option ( #4658 )
2025-05-05 09:59:08 +02:00
Samirbous
dddc2a7bb9
[New] Microsoft 365 OAuth Redirect to Device Registration for User ( #4694 )
* [New] Microsoft 365 OAuth Redirect to Device Registration for User Principal
https://github.com/elastic/ia-trade-team/issues/590
* Update non-ecs-schema.json
* Update pyproject.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* fixed investigation guide formatting; fixed unit test failure
* updated patch version
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-05-02 08:36:10 +01:00
Terrance DeJesus
ce66f52aad
[New Rule] Adding Coverage for Microsoft Entra ID Protection Anonymized IP Risk Detection ( #4689 )
* Adding new rule 'Microsoft Entra ID Protection Anonymized IP Risk Detection'
* updating description
* adding index
* updating mitre tactic mapping
* updating file name
2025-05-01 23:03:50 -04:00
Terrance DeJesus
bae7835f6a
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client ( #4642 )
* new rules for MSFT Oauth phishing in Azure, Entra and Microsoft 365
* changed m365 file name
* fixed duplicate tactics
* updating non-ecs for graph activity logs
* updating rules; investigation guides; formatting, linting errors
2025-05-01 22:38:41 -04:00
Terrance DeJesus
ff2ecad573
[New Rule] Adding Coverage for AWS S3 Static Site JavaScript File Uploaded ( #4617 )
* new rule 'AWS S3 Static Site JavaScript File Uploaded'
* adjusting name
* updated keep command
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-04-30 16:25:03 -04:00
Terrance DeJesus
f02ccfef64
[New Rule] Adding Coverage for AWS IAM or STS API Calls via Temporary Session Tokens ( #4628 )
* adding new rule 'AWS IAM or STS API Calls via Temporary Session Tokens'
* updated name and query logic
* updated query logic
* changed rule to new terms
* fixed logic
* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml
* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml
* updated investigation guide; scoped to IAM only; updated naming
* updating file name
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-04-24 15:39:51 -04:00
Isai
b429be2bda
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation ( #4648 )
2025-04-24 10:19:06 +05:30
shashank-elastic
34231160ee
Fix versions for changes in required_fields ( #4640 )
2025-04-24 06:28:18 +05:30
Jonhnathan
b9ed05562d
[Rule Tuning] User Added to Privileged Group in Active Directory ( #4646 )
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-04-24 06:12:33 +05:30
Jonhnathan
e8e76972f5
[Rule Tuning] Replace legacy winlog.api usage ( #4647 )
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-04-24 05:52:38 +05:30
Samirbous
ea31143b83
[New] Suspicious Azure Sign-in via Visual Studio Code ( #4639 )
* Create initial_access_entra_login_visual_code_phish.toml
* Update non-ecs-schema.json
* Update initial_access_entra_susp_visual_code_signin.toml
* Update pyproject.toml
* Update initial_access_entra_susp_visual_code_signin.toml
* Update non-ecs-schema.json
2025-04-23 14:06:05 +01:00
Samirbous
f8e91be329
[New] RemoteMonologue Attack rules ( #4604 )
* [New] RemoteMonologue Attack rules
https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1
https://github.com/xforcered/RemoteMonologue
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_ntlm_downgrade.toml
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-04-22 15:26:57 -03:00
Jonhnathan
1bab74179e
[New Rule] Potential Malicious PowerShell Based on Alert Correlation ( #4635 )
* [New Rule] Potential Malicious PowerShell Based on Alert Correlation
* Update execution_posh_malicious_script_agg.toml
2025-04-22 13:36:04 -03:00
Colson Wilhoit
c80319d462
[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading ( #4547 )
2025-04-22 21:23:01 +05:30
Jonhnathan
8361cfd205
[New Rule] Potential PowerShell Obfuscation via String Reordering ( #4595 )
* [New Rule] Potential PowerShell Obfuscation via String Reordering
* Update defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
* Update defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
2025-04-22 12:26:55 -03:00