security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,161 Commits 1 Branch 0 Tags
6e7ece43847f450b7ee4d4116a35cc382e2dd912
Commit Graph

255 Commits

Author SHA1 Message Date
Terrance DeJesus 7f3c977192 [Rule Tuning] Tune Attempts to Brute Force a Microsoft 365 User Account (#3860) 
* tuning 'Attempts to Brute Force a Microsoft 365 User Account'

* added reference

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-08 13:07:44 -04:00
Isai 215d5a0861 [New Rule] AWS S3 Object Encryption Using External KMS Key (#3861) 
* [New Rule] AWS S3 Object Encryption Using External KMS Key

Identifies encryption events for S3 bucket objects using an AWS KMS key from an external account. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.

* Update impact_s3_object_encryption_with_external_key.toml

* Update impact_s3_object_encryption_with_external_key.toml

* missing coma after tag

* missing backslash on technique reference
 2024-07-05 12:25:55 -04:00
Samirbous cd716e5248 [Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3685) 
* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 05:46:40 +01:00
Isai 83be212632 [New Rule] AWS RDS DB Instance Made Public (#3836) 
* [New Rule] AWS RDS DB Instance Made Public

...

* Apply suggestions from code review

* added coverage for instances created with public access

* rule review edits

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-03 01:01:52 -04:00
Isai 3a5c5c20a8 [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled (#3851) 
* [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Removed

...

* insert rule_id

* rule name change
 2024-07-02 17:22:03 -04:00
Isai 9f4956f542 [New Rule] AWS RDS DB Instance or Cluster Password Modified (#3844) 
* [New Rule] AWS RDS DB Instance or Cluster Password Modified

..

* Update rules/integrations/aws/persistence_rds_db_instance_password_modified.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-02 16:14:51 -04:00
Isai 43fbf94d8a [New Rule] AWS RDS Snapshot Shared with Another Account (#3831) 
* [New Rule] AWS RDS DB Snapshot Shared with Another Account

...

* Update exfiltration_rds_snapshot_shared_with_another_account.toml

* edit threat matrix format

* Apply suggestions from code review

* Update rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-02 15:36:44 -04:00
Isai aaf014390b [New Rule] AWS RDS Snapshot Deleted (#3852) 
* [New Rule] AWS RDS Snapshot Deleted

* added coverage for backupRetentionPeriod set to 0
 2024-07-02 14:01:15 -04:00
Terrance DeJesus d59d462956 [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#3854) 
* tuning 'Potential AWS S3 Bucket Ransomware Note Uploaded'

* adding filter to ignore common AWS object path strings
 2024-07-02 13:02:52 -04:00
Terrance DeJesus 5fe7833312 [Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction (#3849) 
* tuning google workspace rules

* removed verbiage about runtime
 2024-07-01 15:50:12 -04:00
Terrance DeJesus 99a4d629c9 [New Rule] Entra ID Device Code Auth with Broker Client (#3819) 
* new rule 'Entra ID Device Code Auth with Broker Client'

* updated azure integration, non-ecs updated, rule date updated

* updates tags

* updated query to add Azure activity logs

* merging in main

* updated azure manifest and schemas

* updated azure manifest and schemas

* updated index map for summary and changelog

* removed string imports

* reverting packaging.py updates

* adjusted query

* adjusted query to be more optimized

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-07-01 10:31:26 -04:00
Isai f62644887e [Rule Tuning] AWS RDS Snapshot Restored (#3809) 
* [Tuning] AWS RDS Instance Restored

-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added

* Update defense_evasion_rds_instance_restored.toml

* Update defense_evasion_rds_instance_restored.toml

* removed investigation guide place holder

* deprecated old rule because of name change

* change rule_id

* Revert "change rule_id"

This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.

* Revert "deprecated old rule because of name change"

This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.
 2024-06-28 20:42:36 -04:00
Terrance DeJesus 2e3aca62f0 [Rule Tuning] Multiple Device Token Hashes for Single Okta Session (#3814) 
* tuning 'Multiple Device Token Hashes for Single Okta Session'

* adjusted file name

* updated tags

* updated file name extension

* updated min-stack comments
 2024-06-28 12:59:24 -04:00
Isai 2708a89f20 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) 
* [New Rule] AWS IAM User Created Access Keys for Another User

...

* updated min_stack and removed index field

* reversed tactic order

* added AWS documentation as reference

* Apply suggestions from code review

updated_date, query format change, removed keep from query
 2024-06-25 00:11:48 -04:00
Terrance DeJesus da8f3e4880 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) 
* adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash'

* adding new rule 'Multiple Okta User Authentication Events with Client Address'

* updating UUIDs

* removed indexes

* adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication'

* added okta outcome reason 'INVALID_CREDENTIALS' to queries

* updated risk score

* made all rules low risk score

* added user session start to rule

* updated min-stack comments
 2024-06-21 13:11:23 -04:00
Terrance DeJesus 11aab028dc [Rule Tuning] Okta User Sessions Started from Different Geolocations (#3799) 
* tuning 'Okta User Sessions Started from Different Geolocations'

* TOML linting

* updated min-stack comments

* added setup

* Removed some blank spaces
 2024-06-20 16:52:26 -04:00
Kirti Sodhi 51b9717ac0 Adding setup templates to the ML rules (#3798) 
* Added setup instructions for ml rules
 2024-06-19 10:04:41 -04:00
Anthony c1dcd21531 Closes #2216 (#2855) 
* Update privilege_escalation_sts_assumerole_usage.toml

* Update privilege_escalation_sts_assumerole_usage.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2024-06-13 16:52:54 -04:00
shashank-elastic 89d89f15d2 Update FIM integration Setup sequence (#3781) 2024-06-12 16:40:45 +05:30
James Valente 8baf5dc2d8 Add exceptions to C2 Beaconing Activity (#3771) 2024-06-11 18:43:46 +05:30
Ruben Groenewoud ec223a4a05 [New Rule] Suspicious File Modification (#3746) 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-11 13:03:20 +02:00
Terrance DeJesus 62eea772d0 [New Rule] AWS S3 Bucket Ransom Note Uploaded (#3604) 
* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement'

* fixed technique mapping

* added investigation guide; added more ransom note extensions

* adjusted lookback and maxspan

* added  API call to second sequence

* updating date

* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* changed rule to ESQL; updated investigation guide

* changed file name

* removed txt, ecc, and note

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-10 10:47:20 -04:00
Isai e1cbf9f684 [New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) (#3735) 
* [New Rule] AWS IAM AdministratorAccess Policy Attached to User

issue...

* add source.address and source.geo.location

* fix threat tactic ids

* AdministratorAccess Policy Attached to Group

* AdminstratoAccess Policy Attached to Role

* reduce severity to medium

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-07 18:31:06 -04:00
Terrance DeJesus 9f67585332 [New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded (#3634) 
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'

* changed tactic to privilege escalation

* added additional reference

* added investigation guide

* updated summary

* changed risk score to medium; adjusted tags

* fixed mitre mapping

* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-05 10:33:42 -04:00
Terrance DeJesus 05ac4e1bd3 [New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag (#3590) 
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'

* updated rule contents

* added investigation guide; changed new terms to uder.id

* adjusted time window

* adjusted rule name

* updated query, adjusted new terms value
 2024-06-05 10:22:38 -04:00
Terrance DeJesus c77eb1d915 [New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created (#3609) 
* new rule 'AWS IAM Roles Anywhere Role Creation'

* adjusted rule to focus on Roles Anywhere profile creation

* added rule for roles anywhere trusted anchor; updated rule file naming

* added investigation guide

* added investigation guide

* adjusted rule and file name

* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-05 10:10:53 -04:00
shashank-elastic e357a2c050 Refresh MITRE Attack v15.1.0 (#3725) 2024-06-04 20:14:58 +05:30
Terrance DeJesus 59b7e3bde4 [New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager (#3589) 
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'

* updated user identity arn to user.id for cross-service password retrieval

* added investigation guides; bumped dates; adjusted threshold value

* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-04 09:20:04 -04:00
Terrance DeJesus 0885032b2c [New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation (#3632) 
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'

* updated rule UUID

* added investigation guide

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-03 11:42:38 -04:00
Terrance DeJesus 856c6c5a1f [New Rule] AWS EC2 EBS Snapshot Shared with Another Account (#3601) 
* new rule 'AWS EC2 EBS Snapshot Shared with Another Account'

* added investigation guide

* updated rule name

* converted to ES|QL

* reverting non-ecs update
 2024-06-02 10:30:08 -04:00
Terrance DeJesus 70469b4cdb [New Rule] AWS Lambda Layer Added to Existing Function (#3631) 
* new rule 'AWS Lambda Layer Added to Existing Function'

* updated query logic; added investigation note
 2024-06-02 08:41:04 -04:00
Terrance DeJesus 7c82e75cf4 [New Rule] AWS S3 Bucket Policy Added to Share with External Account (#3603) 
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'

* added investigation guide

* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
 2024-06-01 10:31:41 -04:00
Isai 23ce41d8af [New Rule] AWS GetCallerIdentity API Called for the First Time (#3711) 
* [New Rule] AWS GetCallerIdentity API Called for the First Time

issue

* Apply suggestions from code review

name change, false positive additions, remove Setup, change new_terms window from 15d to 10d

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml

fixed missing closing quotes

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-31 17:55:06 -04:00
shashank-elastic 418a95205e Remove unwanted backticks (#3724) 2024-05-31 21:46:24 +05:30
James Valente 34294fbe6d Add exceptions to brute force threshold rule. (#3712) 
High volume, machine generated failures or MFA interruptions have been added to the rule.

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-30 10:12:36 +02:00
Gus Carlock 8b28a515c1 Update rule setup instructions for UEBA packages (#3652) 
* update detection-rules instructions for UEBA packages

---------

Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
 2024-05-28 14:21:46 -05:00
Terrance DeJesus d5c57463e1 [New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance (#3598) 
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'

* added investigation guide

* changed file name to match tactic

* changed reference

* updated tags

* updated investigation notes

* changed new terms value; adjusted rule name
 2024-05-28 11:23:17 -04:00
Terrance DeJesus 527f785a60 [New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599) 
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'

* updated rule name

* changed file name; added false-positive note

* changed rule UUID

* adjusted file name

* updated tags

* added investigation guide; updated query logic

* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated query and name

* updated query optimization

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-05-28 10:49:20 -04:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Mika Ayenson 58ba0713fe [New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3700) 
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'

* added investigation guide

* updated query logic

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-21 16:33:17 -05:00
Mika Ayenson ed0038ee1d Revert "[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591)" 
This reverts commit 137b74c3aa.
 2024-05-21 15:53:02 -05:00
Terrance DeJesus 137b74c3aa [New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591) 
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'

* added investigation guide

* updated query logic
 2024-05-20 16:15:46 -04:00
Samirbous f0b226c2b0 [Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3677) 
* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-15 18:11:49 +01:00
Mika Ayenson f07a9e6fbc [FR] Add max_signal note, unit test, and rule tuning (#3669) 2024-05-14 11:15:12 -05:00
Terrance DeJesus 2375297879 [New Rule] Route53 Resolver Query Log Configuration Deleted (#3592) 
* new rule 'Route53 Resolver Query Log Configuration Deleted'

* added investigation guide

* adjusted investigation notes

* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-14 10:24:20 -04:00
Terrance DeJesus d505b95f3c [New Rule] AWS EC2 AMI Shared with Another Account (#3600) 
* new rule 'AWS EC2 AMI Shared with Another Account'

* linted; updated UUID

* added investigation guide

* updated description

* fixed spelling errors

* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* fixed spacing issue

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-14 01:56:26 -04:00
Terrance DeJesus 38e0f13e23 [New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role (#3586) 
* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-13 23:07:39 -04:00
Jonhnathan 6cc39a538f [New Rule] Potential PowerShell HackTool Script by Author (#2472) 
* [New Rule] Potential PowerShell HackTool Script by Author

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-09 18:41:56 -07:00