Isai
e36686570f
[New Rule] AWS RDS DB Instance Made Public (#3836)
* [New Rule] AWS RDS DB Instance Made Public
...
* Apply suggestions from code review
* added coverage for instances created with public access
* rule review edits
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 83be212632)
2024-07-03 05:04:37 +00:00
Isai
85f949539c
[New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled (#3851)
* [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Removed
...
* insert rule_id
* rule name change
(cherry picked from commit 3a5c5c20a8)
2024-07-02 21:25:12 +00:00
Isai
634a3f50d5
[New Rule] AWS RDS DB Instance or Cluster Password Modified (#3844)
* [New Rule] AWS RDS DB Instance or Cluster Password Modified
..
* Update rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 9f4956f542)
2024-07-02 20:18:06 +00:00
Isai
8e9f3659ed
[New Rule] AWS RDS Snapshot Shared with Another Account (#3831)
* [New Rule] AWS RDS DB Snapshot Shared with Another Account
...
* Update exfiltration_rds_snapshot_shared_with_another_account.toml
* edit threat matrix format
* Apply suggestions from code review
* Update rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 43fbf94d8a)
2024-07-02 19:39:56 +00:00
Isai
594b8a1574
[New Rule] AWS RDS Snapshot Deleted (#3852)
* [New Rule] AWS RDS Snapshot Deleted
* added coverage for backupRetentionPeriod set to 0
(cherry picked from commit aaf014390b)
2024-07-02 18:04:22 +00:00
Terrance DeJesus
6fb82a87e4
[Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction (#3849)
* tuning google workspace rules
* removed verbiage about runtime
(cherry picked from commit 5fe7833312)
2024-07-01 19:53:27 +00:00
Jonhnathan
c4caabfe07
[Rule Tuning] Unusual File Creation - Alternate Data Stream (#3848)
(cherry picked from commit d5c34b5750)
2024-07-01 16:48:41 +00:00
Terrance DeJesus
0b808211f6
[New Rule] Entra ID Device Code Auth with Broker Client (#3819)
* new rule 'Entra ID Device Code Auth with Broker Client'
* updated azure integration, non-ecs updated, rule date updated
* updates tags
* updated query to add Azure activity logs
* merging in main
* updated azure manifest and schemas
* updated azure manifest and schemas
* updated index map for summary and changelog
* removed string imports
* reverting packaging.py updates
* adjusted query
* adjusted query to be more optimized
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
(cherry picked from commit 99a4d629c9)
2024-07-01 14:34:42 +00:00
Isai
d47d87386c
[Rule Tuning] AWS RDS Snapshot Restored (#3809)
* [Tuning] AWS RDS Instance Restored
- name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creating instance
- tag added for RDS datasource
- Investigation Guide added
* Update defense_evasion_rds_instance_restored.toml
* Update defense_evasion_rds_instance_restored.toml
* removed investigation guide placeholder
* deprecated old rule because of name change
* change rule_id
* Revert "change rule_id"
This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.
* Revert "deprecated old rule because of name change"
This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.
(cherry picked from commit f62644887e)
2024-06-29 00:46:01 +00:00
Terrance DeJesus
408442e185
[Rule Tuning] Multiple Device Token Hashes for Single Okta Session (#3814)
* tuning 'Multiple Device Token Hashes for Single Okta Session'
* adjusted file name
* updated tags
* updated file name extension
* updated min-stack comments
(cherry picked from commit 2e3aca62f0)
2024-06-28 17:02:28 +00:00
Ruben Groenewoud
c46e92791f
[New Rules] Git Hook Execution/File Creation (#3832)
* [New Rules] Git Hook Execution/File Creation
* Update rules/linux/persistence_git_hook_file_creation.toml
* Update persistence_git_hook_process_execution.toml
(cherry picked from commit b311d49c2a)
2024-06-28 09:37:47 +00:00
Ruben Groenewoud
1c404b7861
[New Rule] DNF Package Manager Plugin File Creation (#3822)
* [New Rule] DNF Package Manager Plugin File Creation
* Update persistence_dnf_package_manager_plugin_file_creation.toml
(cherry picked from commit f33c25b118)
2024-06-28 09:18:02 +00:00
Ruben Groenewoud
1dad651fcc
[New Rules] rc.local Execution Rules (#3813)
* [New Rules] rc.local Execution Rules
* ++
* Update rules/linux/persistence_rc_local_error_via_syslog.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit edc501accf)
2024-06-28 08:02:25 +00:00
Samirbous
96060d50fa
Update defense_evasion_microsoft_defender_tampering.toml (#3840)
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit b97069c3e9)
2024-06-28 07:19:18 +00:00
Ruben Groenewoud
733c138b18
[New Rule & Tuning] Systemd Generator Created (#3801)
(cherry picked from commit cd4fe07c2c)
2024-06-27 20:03:51 +00:00
Ruben Groenewoud
4b88408acf
[Rule Tuning] rc.local/rc.common File Creation (#3805)
(cherry picked from commit e941645b2f)
2024-06-27 19:53:55 +00:00
Ruben Groenewoud
2f292dacb4
[Rule Tuning] System V Init Script Created (#3811)
(cherry picked from commit 68bf4e453e)
2024-06-27 19:41:41 +00:00
Ruben Groenewoud
efd192d5f6
[Rule Tuning] Executable Bit Set for Potential Persistence Script (#3812)
* [Rule Tuning] Executable Bit Set for Potential Persistence Script
* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
* Update persistence_potential_persistence_script_executable_bit_set.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 460b314f49)
2024-06-27 19:32:47 +00:00
Jonhnathan
61be78d1f6
[Rule Tuning] LSASS Process Access via Windows API (#3839)
(cherry picked from commit 7693d785aa)
2024-06-27 15:25:21 +00:00
Ruben Groenewoud
2bf7df1890
[New Rule] Privilege Escalation via SUID/SGID (#3793)
* [New Rule] Privilege Escalation via SUID/SGID
* unit test error fix?
* Update rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
(cherry picked from commit c3ba7b1262)
2024-06-27 14:53:31 +00:00
Ruben Groenewoud
de7e0c7e38
[New Rule] User or Group Creation/Modification (#3804)
(cherry picked from commit 0ca16a1516)
2024-06-27 14:39:17 +00:00
Ruben Groenewoud
2c798a1d18
[Rule Tuning] SUID/SGID Bit Set (#3802)
(cherry picked from commit 8d063e1a47)
2024-06-27 14:31:05 +00:00
Samirbous
4daed66479
[New] Microsoft Management Console File from Unusual Path (#3834)
* [New] Windows Script Execution via MMC Console File
* Update execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
* Update rules/windows/execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 17a07020f3)
2024-06-27 10:35:57 +00:00
Jonhnathan
0e6ec1f961
[New Rule] AD Group Modification by SYSTEM (#3833)
* [New Rule] AD Group Modification by SYSTEM
* .
* Update rules/windows/persistence_group_modification_by_system.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Tighten up indexes
* Update persistence_group_modification_by_system.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
(cherry picked from commit deb08fd28d)
2024-06-26 21:59:15 +00:00
Jonhnathan
8bab0df7bf
[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825)
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs
* .
* Update integration-schemas.json.gz
* Fix integration manifests
Removed changes from:
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_screenconnect_childproc.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_kirbi_file.toml
- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
- rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_system_shells_via_services.toml
(selectively cherry picked from commit 54d5b442cf)
2024-06-26 14:09:43 +00:00
Ruben Groenewoud
a8a6562872
[New Rules] Yum Plugin Creation / Discovery (#3820)
* [New Rules] Yum Plugin Creation / Discovery
* Update discovery_yum_plugin_detection.toml
* Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml
(cherry picked from commit 6746a421c4)
2024-06-25 14:17:34 +00:00
James Valente
a995f27c13
Tune rule to exclude forwarded events. (#3790)
Events containing "forwarded" as a tag may include host information
that is not related to the host running elastic agent. This triggers
false positive alerts. Examples include Entity Analytics integrations,
Palo Alto GlobalProtect activity, and M365 Defender device events.
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 0726ce41bf)
2024-06-25 11:25:08 +00:00
Krishna Chaitanya Reddy Burri
24358ceb79
[Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule (#3800)
* Fix index and filters in Rapid7 CVE rule
* change updated date
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit e9d7ddfa35)
2024-06-20 19:20:05 +00:00
Jonhnathan
0ab0ea4d10
[New Rule] Potential Privilege Escalation via Service ImagePath Modification (#3757)
* [New Rule] Potential Privilege Escalation via Service ImagePath Modification
* Update privilege_escalation_reg_service_imagepath_mod.toml
* [New Rule] NTDS Dump via Wbadmin
* Revert "[New Rule] NTDS Dump via Wbadmin"
This reverts commit 09fd513b1e8b35e22c7d1a371b0aa5aa4837cdc5.
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update privilege_escalation_reg_service_imagepath_mod.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit c20318d0d0)
2024-06-20 13:45:08 +00:00
Jonhnathan
0e6ebd6e7a
[New Rule] NTDS Dump via Wbadmin (#3758)
* [New Rule] NTDS Dump via Wbadmin
* Update rules/windows/credential_access_wbadmin_ntds.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 236444200b)
2024-06-20 12:58:34 +00:00
Jonhnathan
b8c63b0999
[New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748)
(cherry picked from commit 3fd9bae611)
2024-06-20 12:38:06 +00:00
Jonhnathan
b0c0fa4e35
Create defense_evasion_reg_disable_enableglobalqueryblocklist.toml (#3734)
(cherry picked from commit 6a0ac563a0)
2024-06-20 12:26:17 +00:00
Kirti Sodhi
cbc7fb5224
Adding setup templates to the ML rules (#3798)
* Added setup instructions for ml rules
(cherry picked from commit 51b9717ac0)
2024-06-19 14:08:24 +00:00
Anthony
96c7509c20
Closes #2216 (#2855)
* Update privilege_escalation_sts_assumerole_usage.toml
* Update privilege_escalation_sts_assumerole_usage.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
(cherry picked from commit c1dcd21531)
2024-06-13 20:56:04 +00:00
Terrance DeJesus
37ea64baf4
[New Rule] Rapid7 Threat Command CVEs Correlation (#3718)
* new rule 'Rapid7 Threat Command CVEs Correlation'
* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* updated threat index and tags
* changed 'indicator match' to 'threat match' for tags
* removed timeline
* updating integrations to match main
* re-adding rapid7 threat command integration manifest and schema
* reverting changes; removing timeline
* changed max signals to 10000
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
(cherry picked from commit 020ca4be24)
2024-06-12 22:04:56 +00:00
Jonhnathan
c4a427178b
[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll (#3717)
* [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll
* Update privilege_escalation_dns_serverlevelplugindll.toml
* Update privilege_escalation_dns_serverlevelplugindll.toml
* Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 4eff7c6c87)
2024-06-12 18:21:54 +00:00
shashank-elastic
bc578b5464
Update FIM integration Setup sequence (#3781)
(cherry picked from commit 89d89f15d2)
2024-06-12 11:14:29 +00:00
James Valente
d8131f9c60
Add exceptions to C2 Beaconing Activity (#3771)
(cherry picked from commit 8baf5dc2d8)
2024-06-11 13:17:09 +00:00
Ruben Groenewoud
d26951d94e
[New Rule] Suspicious File Modification (#3746)
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
(cherry picked from commit ec223a4a05)
2024-06-11 11:06:39 +00:00
Ruben Groenewoud
14de5313e8
[New Rules] PAM Module Creation & Unusual PAM Grantor (#3743)
* [New Rules] PAM Module Creation & Unusual PAM Grantor
* Update persistence_unusual_pam_grantor.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update persistence_unusual_pam_grantor.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
(cherry picked from commit c87c4c9f5d)
2024-06-11 09:54:34 +00:00
Ruben Groenewoud
b6d29a6775
[Rule Tuning] Systemd-udevd Rule File Creation (#3738)
* [Rule Tuning] Systemd-udevd Rule File Creation
* Incompatible endgame field
* Update rules/linux/persistence_udev_rule_creation.toml
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_udev_rule_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 4cf0c2b9af)
2024-06-11 09:43:57 +00:00
Ruben Groenewoud
1e16e806c7
[New Rule] APT Package Manager Configuration File Creation (#3739)
* [New Rule] APT Package Manager Configuration File Creation
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Update persistence_apt_package_manager_file_creation.toml
(cherry picked from commit 4003219aa1)
2024-06-11 07:46:33 +00:00
Ruben Groenewoud
6fadd533fe
[New Rule] Network Connection Initiated by SSH Parent Process (#3759)
* [New Rule] Network Connection Initiated by SSH Parent Process
* Update persistence_ssh_netcon.toml
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_ssh_netcon.toml
* Update persistence_ssh_netcon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 74f049cc7c)
2024-06-10 08:33:52 +00:00
Ruben Groenewoud
9f5c795ea5
[New Rule] Netcon through XDG Autostart Entry (#3741)
* [New Rule] Netcon through XDG Autostart Entry
* Update rules/linux/persistence_xdg_autostart_netcon.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update persistence_xdg_autostart_netcon.toml
* Update persistence_xdg_autostart_netcon.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 29bb52d2fb)
2024-06-10 08:20:29 +00:00
Ruben Groenewoud
7ba1a863b5
[New Rule] Executable Bit Set for rc.local/rc.common (#3736)
* [New Rule] Executable Bit Set for rc.local/rc.common
* Endgame compatibility
* Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
(cherry picked from commit 70496f813f)
2024-06-10 08:00:14 +00:00
Jonhnathan
fff49e7f09
[Rule Tuning] User Added to Privileged Group (#3763)
* [New Rule] User Added to Privileged Group
* add more groups
* Update rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update persistence_user_account_added_to_privileged_group_ad.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 087e8a6e85)
2024-06-07 16:46:52 +00:00
Ruben Groenewoud
886ce70678
[New Rule] Process Capability Set via setcap Utility (#3744)
* [New Rule] Process Capability Set via setcap Utility
* ++
* Update rules/linux/persistence_process_capability_set_via_setcap.toml
(cherry picked from commit d3e2f70ce2)
2024-06-06 10:47:40 +00:00
Ruben Groenewoud
71394edb86
[Rule Tuning] System Binary Moved or Copied (#3742)
* [Rule Tuning] System Binary Moved or Copied
* Added reference
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
(cherry picked from commit 8e6114f76c)
2024-06-06 10:27:50 +00:00
Ruben Groenewoud
fb82c0fe1b
[Rule Tuning] Potential Sudo Hijacking (#3745)
* [Rule Tuning] Potential Sudo Hijacking
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
(cherry picked from commit 61ab035f41)
2024-06-06 10:02:23 +00:00
Ruben Groenewoud
1d6361dece
[New Rule] SSH Key Generated via ssh-keygen (#3731)
* [New Rule] SSH Key Generated via ssh-keygen
* ++
* Update rules/linux/persistence_ssh_key_generation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 342fde097f)
2024-06-06 09:53:51 +00:00