sigma-rules

Author	SHA1	Message	Date
Isai	0eed8ce27f	[New Rule] SSH Process Launched From Inside A Container (#2794 ) * [New Rule] SSH Process Launched From Inside A Container new toml rule file * changed "not" query changed query to != --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2023-05-16 17:32:58 -04:00
Isai	b0838cc2cb	[New Rule] SSH Connection Established Inside A Running Container (#2793 ) * [New Rule] SSH Connection Established Inside A Running Container new rule toml * Update initial_access_ssh_connection_established_inside_a_container.toml moved order of tactics * Apply suggestions from code review updated spacing based on code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-16 16:56:52 -04:00
Isai	515d393828	[New Rule] SSH Authorized Keys File Modified Inside a Container (#2792 ) * [New Rule] SSH Authorized Keys File Modified Inside a Container new rule toml * toml file name change changed duplicate toml file name * Update persistence_ssh_authorized_keys_modification_inside_a_container.toml added time intervals * removed redundant event.type removed event.type fields * added back event.type and removed event.action per reviewer suggestion removed redundant event.action fields	2023-05-16 16:30:17 -04:00
Isai	648dd8b3ed	[New Rule] Interactive Exec Command Launched Against A Running Container (#2791 ) * [New Rule] Interactive Exec Command Launched Against A Running Container new rule toml * Update execution_interactive_exec_to_container.toml updated reference links * Update execution_interactive_exec_to_container.toml fixed the comments * Update execution_interactive_exec_to_container.toml * Update execution_interactive_exec_to_container.toml removed process.session_leader.same_as_process * Update execution_interactive_exec_to_container.toml added time intervals * Apply suggestions from code review updated spacing Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-16 16:09:10 -04:00
Isai	9e3dc112b3	[New Rule] Sensitive Files Compression Inside A Container (#2790 ) new rule toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-16 15:49:42 -04:00
Isai	d8e9874d54	[New Rule] Sensitive Keys Or Passwords Searched For Inside A Container (#2789 ) * [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container new rule toml * description update Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * added locate and mlocate based on review suggestion --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-16 15:29:54 -04:00
Isai	73f87ad7e6	[New Rule] Suspicious Network Tool Launched Inside A Container (#2759 ) * [New Rule] Suspicious Network Tool Launched Inside A Container new rule * Apply suggestions from code review removed unused fields, adjust from field for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * update based on reviews added additional tools, added false positives section, raised risk score * Update discovery_suspicious_network_tool_launched_inside_a_container.toml adjusted tags --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-16 15:21:42 -04:00
Isai	5fd155849e	[New Rule] File Made Executable via Chmod Inside A Container (#2757 ) * [New Rule] File Made Executable via Chmod Inside A Container new rule * edit threat matrix urls add final / to reference urls * Apply suggestions from code review removed unused fields, adjust from field for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update execution_file_made_executable_via_chmod_inside_a_container.toml rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique * Update execution_file_made_executable_via_chmod_inside_a_container.toml added Defense Evasion tag * Update execution_file_made_executable_via_chmod_inside_a_container.toml * Update execution_file_made_executable_via_chmod_inside_a_container.toml adjusted tags * Update execution_file_made_executable_via_chmod_inside_a_container.toml changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-16 15:15:49 -04:00
Isai	4c996490ec	[New Rule] Netcat Listener Established Inside A Container (#2756 ) * [New Rule] Netcat Listener Established Inside A Container new rule toml * remove references Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * remove false_positives Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * adjust from field from s to m for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update execution_netcat_listener_established_inside_a_container.toml updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables * optimized query optimized query to deduplicate fields based on review feedback * Update execution_netcat_listener_established_inside_a_container.toml updated query comment * Update execution_netcat_listener_established_inside_a_container.toml added false positive section * Update execution_netcat_listener_established_inside_a_container.toml adjusted tags * removed the != end query parameter removed the exclusion of end events for this to account for short-lived netcat listener processes --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-05-16 15:08:20 -04:00
Isai	e954b6d7eb	[New Rule] Interactive Shell Spawned From Inside a Container (#2752 ) * Create execution_interactive_shell_spawned_from_inside_a_container.toml new rule * Update execution_interactive_shell_spawned_from_inside_a_container.toml edited threat matrix * Update execution_interactive_shell_spawned_from_inside_a_container.toml changed boolean in query from string type * Update execution_interactive_shell_spawned_from_inside_a_container.toml added timestamp_override field * Apply suggestions from code review readability from field change, removed references field Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Apply suggestions from code review index spacing, rule name, comment change Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update execution_interactive_shell_spawned_from_inside_a_container.toml updated description, updated query to utilize container.id field to distinguish container vs linux rule, remove unneccesary comments and simplify the query. * Update rule query updated rule query to use process.executable and an or field for event.action * Update execution_interactive_shell_spawned_from_inside_a_container.toml adjusted tags * changed "not" in query event.action != end based on review suggestion * spacing around comments * removed ending wildcard causing FPs removed ending wildcard for process.args /sh as it's causing FPs and will risk being too noisy --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-05-16 15:02:20 -04:00
Isai	ee86144565	[New Rule] Container Management Binary Run Inside A Container (#2754 ) * [New Rule] Container Management Binary Run Inside A Container new rule * Apply suggestions from code review removed unused fields, adjust from field for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Apply suggestions from code review description change, name change, index spacing Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update false_positives and query added false positives section and updated query with container.id field * Update execution_container_management_binary_launched_inside_a_container.toml adjusted tags --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-05-16 14:41:27 -04:00
Karl Godard	7435ac39d2	[Rule Tuning] added rule name override for cloud_defend integration rule (#2767 )	2023-05-02 00:05:24 -04:00
Karl Godard	d0ea8c6f98	[New Rule] new CWP rule to surface alerts from the cloud_defend integration (#2679 ) * new CWP rule to surface alerts from the cloud_defend integration * created new rule uuid * updated version info. removed risk level overrides and endpoint exception list * added event.module * removed rule name override * updated_date and min_stack_comments updated * updated external alerts updated_date. added kubernetes to cwp rule tags --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-04-05 21:31:03 -03:00

13 Commits