Commit Graph

23 Commits

Author SHA1 Message Date
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
Andrew Pease 17cf79d076 [New Rule] Default Cobalt Strike Team Server Certificate (#358)
* initial commit

* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* updated to include sub-techniques

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-09 14:49:31 -06:00
Justin Ibarra e272800a5d Add ATT&CK sub-technique support to CLI (#614)
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
David French ee82ada716 [Rule Tuning] Update IP Address Ranges in Multiple Rules (#576)
* add additional IP ranges and format for readability

* remove superfluous "or" operators
2020-12-01 13:38:47 -07:00
Justin Ibarra f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) 2020-11-03 09:51:53 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95)
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Brent Murphy 2e422f7159 [Rule Tuning] Minor Rule Tweaks for 7.10 (#400)
* Tweak Rules for 7.10

* Add endpoint index for packetbeat rules

* update unit test to account for Network tag as well

* update modified date, add endpoint tag

* use Host instead of Endpoint

* Update packaging.py

* add v back to changelog url

* Add "tag" comment to get_markdown_rule_info

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-10-22 09:07:04 -04:00
Justin Ibarra 758e4a2c5b Add unit tests for rule tags (#359) 2020-10-07 19:29:19 -08:00
Andrew Pease 5ba848552a [New Rule] Post Exploitation Public IP Reconnaissance (#270) 2020-09-30 15:36:22 -08:00
Andrew Pease e753162fe2 [New Rule] Detecting Unsecure Elasticsearch Nodes (#109) 2020-09-30 15:34:38 -08:00
Andrew Pease 1a260536d4 [New Rule] RAR and PowerShell Downloaded from the Internet (#30) 2020-09-30 15:32:44 -08:00
Andrew Pease faeac00465 [New Rule] Possible FIN7 Command and Control Behavior (#28) 2020-09-30 15:26:13 -08:00
Andrew Pease 1620559f1f [New Rule] Halfbaked C2 Beacon (#23) 2020-09-30 15:21:33 -08:00
Andrew Pease 8caf897a73 [New Rule] Cobalt Strike Beacon (#21) 2020-09-30 14:58:24 -08:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220)
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
Ben Skelker 680a04da8f Fix terminology and doc links (#54) 2020-07-13 12:47:42 -06:00
Andrew Pease e0f2e8b4a9 Add dataset and index to network rules (#15)
* Add dataset and index to network rules
* Restore iptables changes
* Fix beats parsing logic
* Updated date and ECS version
* Only update modules if empty

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-07-08 13:19:35 -06:00
Erkin Djindjiev 1fac018f10 Update MySQL port to 3306 not 3336 (#2) 2020-07-01 09:52:04 -06:00
Ross Wolf 5fcece8416 Populate rules/ directory.
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 22:57:03 -06:00