security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
714 Commits 1 Branch 0 Tags
64977b01bdb2d27b1d4d85ed5acb7bbf1eb06af2
Commit Graph

714 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ross Wolf 64977b01bd Fix kibana_pr for click.Context (#1385) 2021-07-27 16:03:28 -06:00
Ross Wolf c31a344593 Disable missing rule check for the version lock (#1384) 2021-07-27 13:48:28 -06:00
Ross Wolf 5eccaf0cd5 Update the version lock for 7.14.0 and 0.13.3 (#1383) 2021-07-27 12:25:12 -06:00
Justin Ibarra 7759fa2500 Ensure EQL rules with maxspan have a long enough lookback window (#1361) 
* Add the following properties to EQLRuleData:
   - max_span
   - look_back
   - interval_ratio

* Add the following tests:
   - test_eql_lookback
   - test_eql_interval_to_maxspan

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-07-22 13:53:13 -08:00
Ross Wolf 7b62fe296d [Rule Tuning] Remove \Program Files*\ style wildcards (#1369) 
* Remove \Program Files*\ style wildcards
* Convert string and remote trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex
 2021-07-22 11:55:22 -06:00
Justin Ibarra 4aab1278bf [Rule Tuning] Update EQL rules with lookback < maxspan (#1362) 
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-07-22 09:08:58 -08:00
Ross Wolf 5ba1c26cf1 Fix metadata.extended (#1377) 2021-07-22 10:29:30 -06:00
Ross Wolf 1882f4456c [Fleet] Track integrations in folder and metadata (#1372) 
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
 2021-07-21 15:24:56 -06:00
Ross Wolf 9f3d5328f4 [Rule Tuning] Convert unusual extension rule to regex (#1368) 
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
 2021-07-21 11:49:32 -06:00
Ross Wolf 9b559d0cd9 [Rule Tuning] Creation of Hidden Files and Directories (#1357) 
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex
 2021-07-21 11:47:40 -06:00
David French 23626b814c [Rule Tuning] Update Google Workspace rules to use google_workspace event schema (#1374) 
* use google_workspace event schema

* update to use google_workspace schema
 2021-07-21 11:38:43 -06:00
dstepanic17 fbd4cf2117 [New Rule] Windows Defender Exclusions Added via PowerShell (#1370) 
* Added new rule

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Added pwsh.exe to original name

* Added PowerShell MITRE reference

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-07-21 11:54:11 -05:00
Justin Ibarra 163d9e3864 Update cardinality field in schema for threshold rules (#1349) 
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array

* Add two new rules to detect agent spoofing


Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-07-21 08:32:54 -08:00
Austin Songer 95e6458c6e [Rule Tuning] Mimikatz powershell module activity detected (#1297) 
* update query
* add indexes
 2021-07-20 23:08:04 -08:00
Andrew Pease 34df7c6b89 [Rule Tuning] Add Filebeat and Auditbeat to Network Rules (#1282) 
* standardized indices and added the from field
 2021-07-20 22:59:22 -08:00
Austin Songer 64c3f7cdc5 [New Rule] O365 Excessive SSO Logon Errors (#1215) 2021-07-20 22:55:00 -08:00
Austin Songer c82790f588 [New Rule] Disable Windows Event and Security Logs (#1181) 2021-07-20 22:44:35 -08:00
Austin Songer 4a11ef9514 [Rule Tuning] Suspicious CertUtil Commands (#1180) 
* update name to Suspicious CertUtil Commands
* update description, query, and filename
 2021-07-20 22:26:36 -08:00
Austin Songer 920d973064 [Rule Tuning] External IP Lookup from Non-Browser Process (#1147) 
* Added a couple domains

ipapi.co
ip-lookup.net
ipstack.com
 2021-07-20 21:47:39 -08:00
Justin Ibarra f3c794c48a [New Rule] CyberArkPas promotion rules (#1336) 
* add cyberarkpas promotion rules

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-07-20 10:01:02 -08:00
Ross Wolf 816e31cd38 Add optional integration field to the schema (#1359) 2021-07-19 12:52:44 -06:00
Samirbous 81ab43898c [New Rule] Parent Process PID Spoofing (#1338) 
* [New Rule] Parent Process PID Spoofing

* excluding sihost FPs

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* relinted and added 2 non ecs fields

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-07-15 22:55:46 +02:00
Ross Wolf 809c06ad5f Add 7.14 to the list of target backport branches (#1341) 2021-07-14 16:29:23 -06:00
Ross Wolf 77c23da1db [CI] Publish to integrations from on-demand job (#1340) 
* Add command to publish integrations PR
* Add workflow_dispatch job to publish package
* Get working directory dynamically
* Fix the repo settings
* Get the absolute path for local-repo
* Filter out 'main' branch
* Update the description for target_branch
* Fix workflow definition
* Move 'if' into job
* Update ref format
* Remove unnecessary E501 suppression
* Add a link to the full commit hash
* s/partial_args/prefix_args
 2021-07-14 16:19:41 -06:00
Oliver Gupte 7ec97e622f [APM] Adds APM data stream 'traces-apm*' to apm rules (#105334) (#1335) 2021-07-13 07:04:58 -06:00
Ross Wolf 1e6e5ef0a0 [CI] Update backport job to filter out incompatible rules (#1332) 
* Update backport job to filter out incompatible rules
* Make $NEEDS_BACKPORT more honest
 2021-07-12 14:41:48 -06:00
Ross Wolf 5b0f72ffc3 [CI/CD] Create on-demand job to release from Kibana (#1334) 
* Add on-demand job to release to Kibana
* Update the inputs structure
* Archive the artifacts
 2021-07-12 14:34:54 -06:00
Ross Wolf cf736046f1 Add command to unstage incompatible rules from git (#1317) 
* Add devtools unstage-incompatible-rules command
* Create ephemeral GitChangeEntry for R->D+A
* Undo changes to Github job
* Fix typo in comment
* s/previous_path/original_path
 2021-07-08 13:44:04 -06:00
Ross Wolf 42957129ad Lock versions for Fleet package 0.13.2 (#1330) 2021-07-07 15:43:40 -06:00
Samirbous 89420ae976 [New Rule] Potential PrintNightmare Exploitation rules (#1326) 
* [New Rule] Potential PrintNightmare Exploitation rules

* added Potential PrintNightmare File Modification

* added spoolsv as process name to narrow more the scope

* added Suspicious Print Spooler File Deletion

* removed Suspicious Print Driver Registry Modification cuz of potential noise

* Update privilege_escalation_printspooler_malicious_registry_modification.toml

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adjusted description and added a comment for sysmon compatibility

* added FP note and relinted all files

* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-07-07 18:56:39 +02:00
Samirbous 9fadc4c1dc [New Rule] Complementary Rules for Recent REvil TTPs (#1329) 
* [New Rule] Complementary Rules for Recent REvil TTPs

* added OFN

* relinted and added T1574.002

* removed new line

* Update defense_evasion_disabling_windows_defender_powershell.toml

* corrected rule name

* added a reference url

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2021-07-07 17:02:40 +02:00
Justin Ibarra 63a39665e3 Make "config" in note field consistent (#1310) 
* Add test to ensure consistent config in note field
* Update inconsistent rule
 2021-07-06 15:54:01 -08:00
Ross Wolf c82e89ad34 Add min_stack_version to 7.14+ only rules (#1321) 2021-07-06 13:42:09 -06:00
Ross Wolf 3120252982 Update the pythonpackage.yml job to only upload artifacts for 'push' (#1322) 2021-07-06 13:40:39 -06:00
Ross Wolf b677264876 [DOCS] Update branching steps (#1290) 2021-07-02 09:48:25 -06:00
Justin Ibarra 781953a0a0 Add min_stack_version to rule metadata (#1173) 
* Add min_stack_version to metadata of rule structure
* validate all "stack versions" between defined and current package
* Use master schemas if min_stack_version > current_package

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-06-30 13:26:27 -08:00
Ross Wolf f1476b1637 Extend metadata with [metadata.extended] section (#1306) 
* Extend metadata with `[metadata.extended]` section
* Remove whitespace
* Comment that it's a dict
 2021-06-25 17:02:11 -06:00
Justin Ibarra 1099f181f9 Add new ECS and beats schemas (#1303) 2021-06-23 14:08:23 -08:00
Austin Songer 8e451f2318 [New Rule] AWS RDS Security Group Created (#1260) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-06-22 16:14:56 -08:00
Austin Songer fe14cd23ed [New Rule] AWS RDS Security Group Deleted (#1261) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-06-22 16:09:15 -08:00
Austin Songer 9d4574b267 [New Rule] AWS RDS Instance Creation (#1269) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-06-22 16:02:48 -08:00
Austin Songer ccae1dc841 [New Rule] AWS RDS Snapshot Export (#1270) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-06-22 15:58:13 -08:00
Austin Songer c215c44809 [Rule Tuning] Potential password spraying of microsoft 365 user accounts (#1164) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-22 13:36:13 -04:00
Ross Wolf 31f63e728e Switch from process.ppid to process.parent.pid (#1255) 
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date
 2021-06-22 09:10:28 -06:00
Brent Murphy d8ef9a81ef [Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account (#1251) 
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* add authors
 2021-06-22 08:38:49 -06:00
Brent Murphy a8c9d7174f Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml (#1225) 2021-06-22 10:22:01 -04:00
Austin Songer ea9a23af8d [New Rule] AWS Route 53 Domain Transferred to Another Account (#1198) 2021-06-21 22:08:59 -08:00
Austin Songer 2cadee1718 [New Rule] AWS Route 53 Domain Transfer Lock Disabled (#1197) 2021-06-21 22:05:53 -08:00
Austin Songer d7e0e37e54 [New Rule] EC2 Full Network Packet Capture Detected (#1175) 2021-06-21 22:00:48 -08:00
Austin Songer 6986f28af6 [New Rule] Azure Service Principal Credentials Added (#1169) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-06-21 21:49:45 -08:00