sigma-rules

Author	SHA1	Message	Date
Ruben Groenewoud	020fff3aea	[Rule Tuning] Linux Rules (#3092 ) * [Rule Tuning] [WIP] Linux DR * Update defense_evasion_binary_copied_to_suspicious_directory.toml * Fixed tag * Added additional tuning * unit test fix * Additional tuning * tuning * added max signals * Added max_signals=1 to brute force rules * Cross-Platform Tuning * Small fix * new_terms conversion * typo * new_terms conversion * Ransomware rule tuning * performance tuning * new_terms conversion for auditd_manager * tune * Need coffee * kql/eql stuff * formatting improvement * new_terms sudo hijacking conversion * exclusion * Deprecations that were added last tuning * Deprecations that were added last tuning * Increased max timespan for brute force rules * version bump * added domain tag * Two tunings * More tuning * Additional tuning * updated_date bump * query optimization * Tuning * Readded the exclusions for this one * Changed int comparison * Some tunings * Update persistence_systemd_scheduled_timer_created.toml * Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * [New Rule] Potential curl CVE-2023-38545 Exploitation * Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation" This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0. * Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml * Update rules/linux/command_and_control_cat_network_activity.toml * Update persistence_message_of_the_day_execution.toml * Changed max_signals * Revert "Merge branch 'main' into rule-tuning-ongoing-dr" This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8. * Revertable merge * Update defense_evasion_ld_preload_env_variable_process_injection.toml * File name change --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-10-23 16:28:58 +02:00
Terrance DeJesus	b8ae2218f8	[Rule Tuning] Add `filebeat` Compatibility to Network Rules (#2925 ) * add beats compatability to NPC rules * added filebeat compatibility to 'Accepted Default Telnet Port Connection' * added filebeat compatibility to 'Cobalt Strike Command and Control Beacon' * added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate' * added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet' * added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior' * added filebeat compatibility to 'Halfbaked Command and Control Beacon' * added filebeat compatibility to 'IPSEC NAT Traversal Port Activity' * added filebeat compatibility to 'SMTP on Port 26/TCP' * added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet' * added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet' * added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet' * added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet' * added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet' * added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet' * removed extra space in query * added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node' * added filebeat compatibility to 'Abnormally Large DNS Response' * fixed missing ending parenthesis * added auditbeat to compatible rules * addressed feedback * removed filebeat and auditbeat due to incompatibility * Update rules/network/command_and_control_cobalt_strike_beacon.toml * Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-10-03 15:05:41 -04:00
Ruben Groenewoud	a7ff449fbc	[Rule Tuning] Some Tunings of several 8.9 rules (#2985 ) * [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml	2023-08-03 15:25:33 +02:00
Remco Sprooten	1283a21fb7	[New Rules] Potential portscan detected (#2817 ) * [New Rules] Potential portscan detected * Updated descriptions * Update rules/network/discovery_potential_syn_port_scan_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/network/discovery_potential_network_sweep_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/network/discovery_potential_port_scan_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * updating integration manifests and schemas --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2023-07-09 09:49:32 +02:00

4 Commits