security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,162 Commits 1 Branch 0 Tags
70411664cf4b0fca03cc43cbc78e11a2f4c201da
Commit Graph

1550 Commits

Author SHA1 Message Date
Jonhnathan 6e7ece4384 [Rule Tuning] Fix event.action conditions - AD Rules (#3874) 2024-07-10 10:33:14 -03:00
ar3diu b303b8296b [Rule Tuning] LSASS Memory Dump Creation (#3810) 
* Update rule exclusion with process executable path for Windows Fault Reporting binary, WerFaultSecure.exe.

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
 2024-07-10 06:12:38 -05:00
shashank-elastic b66d6e06aa Fix Double Bump For Rule Microsoft Management Console File from Unusual Path (#3878) 2024-07-09 17:59:51 +05:30
Terrance DeJesus 7f3c977192 [Rule Tuning] Tune Attempts to Brute Force a Microsoft 365 User Account (#3860) 
* tuning 'Attempts to Brute Force a Microsoft 365 User Account'

* added reference

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-08 13:07:44 -04:00
Joe Desimone 6a2f5e7138 [Bug] Persistence ssh key generation index pattern (#3873) 
* fix persistence_ssh_key_generation.toml

* Update persistence_ssh_key_generation.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-08 10:27:52 -03:00
Isai 215d5a0861 [New Rule] AWS S3 Object Encryption Using External KMS Key (#3861) 
* [New Rule] AWS S3 Object Encryption Using External KMS Key

Identifies encryption events for S3 bucket objects using an AWS KMS key from an external account. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.

* Update impact_s3_object_encryption_with_external_key.toml

* Update impact_s3_object_encryption_with_external_key.toml

* missing coma after tag

* missing backslash on technique reference
 2024-07-05 12:25:55 -04:00
Samirbous 1d57e0c779 Update defense_evasion_deletion_of_bash_command_line_history.toml (#3614) 
* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 12:58:07 +01:00
Ruben Groenewoud 64f0e258cb [New Rule] Linux Shadow File Modification (#3737) 
* [New Rule] Linux User Account Password Change

* Update rules/linux/persistence_user_password_change.toml

* Update persistence_user_password_change.toml

* Update persistence_user_password_change.toml

* Update persistence_user_password_change.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 10:03:24 +02:00
Samirbous 801aab82cc [New] Sensitive Registry Hive Access via RegBack (#3855) 
* Create credential_access_regback_sam_security_hives.toml

* Update credential_access_regback_sam_security_hives.toml

* Update rules/windows/credential_access_regback_sam_security_hives.toml

* Apply suggestions from code review

* Update rules/windows/credential_access_regback_sam_security_hives.toml

* Update credential_access_regback_sam_security_hives.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-05 07:50:23 +01:00
Samirbous 15e9c9aa5e [Tuning] Ransomware over SMB (#3808) 
* [Tuning] Ransomware over SMB

* Update impact_ransomware_file_rename_smb.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 07:26:57 +01:00
Samirbous cd716e5248 [Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3685) 
* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 05:46:40 +01:00
Joe Desimone 8dc0963ae6 [Rule Tuning] LSASS Process Access via Windows API (#3824) 
* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* fix merge

* newline

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-04 21:45:46 +01:00
Jonhnathan 208e330b44 [New Rule] Potential PowerShell Obfuscated Script (#3864) 
* [New Rule[ Potential PowerShell Obfuscated Script

* Update defense_evasion_posh_obfuscation.toml

* Update rules/windows/defense_evasion_posh_obfuscation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-04 09:26:32 -03:00
ar3diu 5048bc26bd [Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806) 
* Add "by host.id" argument to the sequence command in the rule query.

* Update collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-03 10:39:15 -04:00
Isai 83be212632 [New Rule] AWS RDS DB Instance Made Public (#3836) 
* [New Rule] AWS RDS DB Instance Made Public

...

* Apply suggestions from code review

* added coverage for instances created with public access

* rule review edits

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-03 01:01:52 -04:00
Isai 3a5c5c20a8 [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled (#3851) 
* [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Removed

...

* insert rule_id

* rule name change
 2024-07-02 17:22:03 -04:00
Isai 9f4956f542 [New Rule] AWS RDS DB Instance or Cluster Password Modified (#3844) 
* [New Rule] AWS RDS DB Instance or Cluster Password Modified

..

* Update rules/integrations/aws/persistence_rds_db_instance_password_modified.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-02 16:14:51 -04:00
Isai 43fbf94d8a [New Rule] AWS RDS Snapshot Shared with Another Account (#3831) 
* [New Rule] AWS RDS DB Snapshot Shared with Another Account

...

* Update exfiltration_rds_snapshot_shared_with_another_account.toml

* edit threat matrix format

* Apply suggestions from code review

* Update rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-02 15:36:44 -04:00
Isai aaf014390b [New Rule] AWS RDS Snapshot Deleted (#3852) 
* [New Rule] AWS RDS Snapshot Deleted

* added coverage for backupRetentionPeriod set to 0
 2024-07-02 14:01:15 -04:00
Terrance DeJesus d59d462956 [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#3854) 
* tuning 'Potential AWS S3 Bucket Ransomware Note Uploaded'

* adding filter to ignore common AWS object path strings
 2024-07-02 13:02:52 -04:00
Terrance DeJesus 5fe7833312 [Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction (#3849) 
* tuning google workspace rules

* removed verbiage about runtime
 2024-07-01 15:50:12 -04:00
Jonhnathan d5c34b5750 [Rule Tuning] Unusual File Creation - Alternate Data Stream (#3848) 2024-07-01 13:45:19 -03:00
Terrance DeJesus 99a4d629c9 [New Rule] Entra ID Device Code Auth with Broker Client (#3819) 
* new rule 'Entra ID Device Code Auth with Broker Client'

* updated azure integration, non-ecs updated, rule date updated

* updates tags

* updated query to add Azure activity logs

* merging in main

* updated azure manifest and schemas

* updated azure manifest and schemas

* updated index map for summary and changelog

* removed string imports

* reverting packaging.py updates

* adjusted query

* adjusted query to be more optimized

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-07-01 10:31:26 -04:00
Isai f62644887e [Rule Tuning] AWS RDS Snapshot Restored (#3809) 
* [Tuning] AWS RDS Instance Restored

-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added

* Update defense_evasion_rds_instance_restored.toml

* Update defense_evasion_rds_instance_restored.toml

* removed investigation guide place holder

* deprecated old rule because of name change

* change rule_id

* Revert "change rule_id"

This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.

* Revert "deprecated old rule because of name change"

This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.
 2024-06-28 20:42:36 -04:00
Terrance DeJesus 2e3aca62f0 [Rule Tuning] Multiple Device Token Hashes for Single Okta Session (#3814) 
* tuning 'Multiple Device Token Hashes for Single Okta Session'

* adjusted file name

* updated tags

* updated file name extension

* updated min-stack comments
 2024-06-28 12:59:24 -04:00
Ruben Groenewoud b311d49c2a [New Rules] Git Hook Execution/File Creation (#3832) 
* [New Rules] Git Hook Execution/File Creation

* Update rules/linux/persistence_git_hook_file_creation.toml

* Update persistence_git_hook_process_execution.toml
 2024-06-28 11:34:32 +02:00
Ruben Groenewoud f33c25b118 [New Rule] DNF Package Manager Plugin File Creation (#3822) 
* [New Rule] DNF Package Manager Plugin File Creation

* Update persistence_dnf_package_manager_plugin_file_creation.toml
 2024-06-28 11:14:48 +02:00
Ruben Groenewoud edc501accf [New Rules] rc.local Execution Rules (#3813) 
* [New Rules] rc.local Execution Rules

* ++

* Update rules/linux/persistence_rc_local_error_via_syslog.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-06-28 09:59:26 +02:00
Samirbous b97069c3e9 Update defense_evasion_microsoft_defender_tampering.toml (#3840) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-06-28 08:16:11 +01:00
Ruben Groenewoud cd4fe07c2c [New Rule & Tuning] Systemd Generator Created (#3801) 2024-06-27 22:00:48 +02:00
Ruben Groenewoud e941645b2f [Rule Tuning] rc.local/rc.common File Creation (#3805) 2024-06-27 21:50:49 +02:00
Ruben Groenewoud 68bf4e453e [Rule Tuning] System V Init Script Created (#3811) 2024-06-27 21:38:34 +02:00
Ruben Groenewoud 460b314f49 [Rule Tuning] Executable Bit Set for Potential Persistence Script (#3812) 
* [Rule Tuning] Executable Bit Set for Potential Persistence Script

* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml

* Update persistence_potential_persistence_script_executable_bit_set.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-06-27 21:29:30 +02:00
Jonhnathan 7693d785aa [Rule Tuning] LSASS Process Access via Windows API (#3839) 2024-06-27 12:22:13 -03:00
Ruben Groenewoud c3ba7b1262 [New Rule] Privilege Escalation via SUID/SGID (#3793) 
* [New Rule] Privilege Escalation via SUID/SGID

* unit test error fix?

* Update rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
 2024-06-27 16:50:09 +02:00
Ruben Groenewoud 0ca16a1516 [New Rule] User or Group Creation/Modification (#3804) 2024-06-27 16:35:25 +02:00
Ruben Groenewoud 8d063e1a47 [Rule Tuning] SUID/SGID Bit Set (#3802) 2024-06-27 16:27:00 +02:00
Samirbous 17a07020f3 [New] Microsoft Management Console File from Unusual Path (#3834) 
* [New] Windows Script Execution via MMC Console File

* Update execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

* Update rules/windows/execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-06-27 11:32:45 +01:00
Jonhnathan deb08fd28d [New Rule] AD Group Modification by SYSTEM (#3833) 
* [New Rule] AD Group Modification by SYSTEM

* .

* Update rules/windows/persistence_group_modification_by_system.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Tighten up indexes

* Update persistence_group_modification_by_system.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-26 18:56:01 -03:00
Jonhnathan 54d5b442cf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825) 
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests
 2024-06-26 11:06:27 -03:00
Ruben Groenewoud 6746a421c4 [New Rules] Yum Plugin Creation / Discovery (#3820) 
* [New Rules] Yum Plugin Creation / Discovery

* Update discovery_yum_plugin_detection.toml

* Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml
 2024-06-25 16:14:28 +02:00
James Valente 0726ce41bf Tune rule to exclude forwarded events. (#3790) 
Events containing "forwarded" as a tag may include host information
that is not related to the host running elastic agent. This triggers
false positive alerts. Examples include Entity Analytics integrations,
Palo Alto GlobalProtect activity, and M365 Defender device events.

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-25 13:22:07 +02:00
Isai 2708a89f20 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) 
* [New Rule] AWS IAM User Created Access Keys for Another User

...

* updated min_stack and removed index field

* reversed tactic order

* added AWS documentation as reference

* Apply suggestions from code review

updated_date, query format change, removed keep from query
 2024-06-25 00:11:48 -04:00
Terrance DeJesus da8f3e4880 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) 
* adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash'

* adding new rule 'Multiple Okta User Authentication Events with Client Address'

* updating UUIDs

* removed indexes

* adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication'

* added okta outcome reason 'INVALID_CREDENTIALS' to queries

* updated risk score

* made all rules low risk score

* added user session start to rule

* updated min-stack comments
 2024-06-21 13:11:23 -04:00
Terrance DeJesus 11aab028dc [Rule Tuning] Okta User Sessions Started from Different Geolocations (#3799) 
* tuning 'Okta User Sessions Started from Different Geolocations'

* TOML linting

* updated min-stack comments

* added setup

* Removed some blank spaces
 2024-06-20 16:52:26 -04:00
Krishna Chaitanya Reddy Burri e9d7ddfa35 [Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule (#3800) 
* Fix index and filters in Rapid7 CVE rule

* change updated date

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-06-20 15:17:06 -04:00
Jonhnathan c20318d0d0 [New Rule] Potential Privilege Escalation via Service ImagePath Modification (#3757) 
* [New Rule] Potential Privilege Escalation via Service ImagePath Modification

* Update privilege_escalation_reg_service_imagepath_mod.toml

* [New Rule] NTDS Dump via Wbadmin

* Revert "[New Rule] NTDS Dump via Wbadmin"

This reverts commit 09fd513b1e8b35e22c7d1a371b0aa5aa4837cdc5.

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update privilege_escalation_reg_service_imagepath_mod.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-20 10:41:53 -03:00
Jonhnathan 236444200b [New Rule] NTDS Dump via Wbadmin (#3758) 
* [New Rule] NTDS Dump via Wbadmin

* Update rules/windows/credential_access_wbadmin_ntds.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-20 09:55:07 -03:00
Jonhnathan 3fd9bae611 [New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748) 2024-06-20 09:34:27 -03:00
Jonhnathan 6a0ac563a0 Create defense_evasion_reg_disable_enableglobalqueryblocklist.toml (#3734) 2024-06-20 09:23:06 -03:00