security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,834 Commits 1 Branch 0 Tags
724e34ba95ffb48d13e18a91c547800986164572
Commit Graph

1322 Commits

Author SHA1 Message Date
Ruben Groenewoud 4bcec3397c [New Rule] Potential Suspicious DebugFS Root Device Access (#2982) 
* [New Rule] Potential DebugFS Privilege Escalation

* Changed rule name

* Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 16:13:34 +02:00
Ruben Groenewoud 207d94e51c [New Rule] Potential Sudo Token Manipulation via Process Injection (#2984) 
* [New Rule] Sudo Token Access via Process Injection

* [New Rule] Sudo Token Manipulation via Proc Inject

* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml

* Update privilege_escalation_sudo_token_via_process_injection.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 15:58:25 +02:00
Ruben Groenewoud 7cc841cc87 [New Rule] PE via UID INT_MAX Bug (#2971) 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 15:51:06 +02:00
Ruben Groenewoud a7ff449fbc [Rule Tuning] Some Tunings of several 8.9 rules (#2985) 
* [Rule Tuning] Doing some quick tunings

* updated_date bump

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_sysctl_enumeration.toml

* Update rules/linux/persistence_init_d_file_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_shared_object_creation.toml

* deprecate rule

* deprecate rule

* Update execution_abnormal_process_id_file_created.toml

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update execution_remote_code_execution_via_postgresql.toml

* Update discovery_potential_syn_port_scan_detected.toml

* Added 2 tunings, sorry I missed those..

* One more tune

* Update discovery_suspicious_proc_enumeration.toml
 2023-08-03 15:25:33 +02:00
Ruben Groenewoud 03110fb24c [New Rule] SUID/SGUID Enumeration Detected (#2956) 
* [New Rule] SUID/SGUID Enumeration Detected

* Remove endgame compatibility

* readded endgame support after troubleshooting

* Update discovery_suid_sguid_enumeration.toml

* Update rules/linux/discovery_suid_sguid_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 09:57:30 +02:00
Ruben Groenewoud 716b621af2 [New Rule] Potential Sudo Hijacking Detected (#2966) 
* [New Rule] Potential Sudo Hijacking Detected

* Update privilege_escalation_sudo_hijacking.toml
 2023-08-03 09:49:14 +02:00
Ruben Groenewoud 18c2214956 [New Rule] Sudo Command Enumeration Detected (#2946) 
* [New Rule] Sudo Command Enumeration Detected

* Update discovery_sudo_allowed_command_enumeration.toml

* revert endgame support due to unit testing fail

* Update discovery_sudo_allowed_command_enumeration.toml

* Update discovery_sudo_allowed_command_enumeration.toml

* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 09:39:16 +02:00
Ruben Groenewoud b8bb2da932 [New Rule] Potential Privilege Escalation via OverlayFS (#2974) 
* [New Rule] Privilege Escalation via OverlayFS

* Layout change

* Revert "[New Rule] Privilege Escalation via OverlayFS"

This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.

* Made rule broader

* Update privilege_escalation_overlayfs_local_privesc.toml

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

* Update user.id to strings

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-07-31 19:15:11 +02:00
Eric 1e769c51b6 Tune Unusual File Activity ADS for Teams weblogs (#2929) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-31 10:41:31 -03:00
Jonhnathan 9387a081bc [Security Content] Add Investigation Guides to Threat Intel rules (#2827) 
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* [Security Content] Add Investigation Guides to Threat Intel rules

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

* Apply suggestions from review, adds Setup guide

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2023-07-27 11:30:14 -03:00
Ruben Groenewoud bbb24704b6 [New Rule] PE through Writable Docker Socket (#2958) 
* [New Rule] PE through Writable Docker Socket

* simplified query

* Update privilege_escalation_writable_docker_socket.toml

* Update privilege_escalation_writable_docker_socket.toml

* Update rules/linux/privilege_escalation_writable_docker_socket.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-27 10:01:29 +02:00
Ruben Groenewoud 0666b594c6 [New Rule] Linux Local Account Brute Force (#2965) 2023-07-27 09:43:53 +02:00
Jonhnathan 0ff50acfd2 [Rule Tuning] Tune Threat Indicator Match Rules (#2957) 
* [Rule Tuning] Tune Threat Indicator Match Rules

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-26 15:12:28 -03:00
Ruben Groenewoud b330cf9438 [New Rule] Pspy Process Monitoring Detected (#2945) 
* [New Rule] Pspy Process Monitoring Detected

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 15:58:33 +02:00
shashank-elastic 6527eb0500 Rule Tuning File Permission Modification in Writable Directory (#2961) 2023-07-26 17:47:00 +05:30
Eric d0d99829a2 Correct misspelling of AppDara to AppData (#2952) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 08:10:03 -03:00
Ruben Groenewoud 056db6003e [Security Content] Added Compatibility note to all IGs (#2943) 
* added investigation guide note

* added ig notes

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* implemented note feedback

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 12:54:50 +02:00
Ruben Groenewoud dbd7ed65a9 [Tuning] Reverse Shell Rules (#2959) 
* [Rule Tuning] Reverse Shell Rule destination.ip tuning

* Updated updated_date
 2023-07-25 14:55:56 +02:00
Ruben Groenewoud 8de2684498 [Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868) 
* [Investigation Guide] 10 new Linux IG's 8.9

* Added 4 more IG tags

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* implemented feedback

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-19 17:13:24 +02:00
Samirbous 97d429e314 [New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933) 
* [New] Suspicious Microsoft 365 Mail Access by ClientAppId

Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml
 2023-07-19 16:05:13 +01:00
Jonhnathan 5e714e01e6 [Security Content] Add Windows Investigation Guides (#2825) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Add IG Tag

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-19 08:07:01 -03:00
Jonhnathan d1491c3ce1 [Rule Tuning] Threat Intel URL Indicator Match (#2902) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-18 20:21:15 -03:00
Jonhnathan f1ba092864 [Deprecation] Threat Intel Indicator Match - General Rules (#2901) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-18 20:12:53 -03:00
Jonhnathan 23a133121d [Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932) 2023-07-18 08:55:59 -03:00
Isai 80e2b699b6 [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837) 
* [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container

new rule

* removed priv_esc tag

removed priv_esc tag

* adjusted tags

adjusted tags

* updated tags

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 15:03:24 -04:00
Isai db90345fd5 [Rule Tuning] Kubernetes Anonymous Request Authorized (#2865) 
* rule tuning for exclusions

* optimized query

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 13:03:05 -04:00
Isai 0b64638bf7 [New Rule] AWS Credentials Searched For Inside a Container (#2887) 
* new rule toml

* Updated query

updated query based on review and added additional search queries

* updated rule query based on review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 12:29:02 -04:00
Terrance DeJesus 0f5b5a3551 [Rule Tuning] Add Okta Investigation Guides Part 1 (#2899) 
* adding investigation guides for Okta rules

* Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added MFA to investigation guide for brute forcing

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 11:47:02 -04:00
Jonhnathan fca8bcc071 [Rule Tuning] PowerShell Rule Tunings (#2907) 
* [Rule Tuning] PowerShell Rule Tunings

* bump
 2023-07-14 15:41:36 -03:00
shashank-elastic 3ed8c56942 DR Linux Rule Tuning 8.9 (#2859) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-10 20:02:42 +05:30
Remco Sprooten 1283a21fb7 [New Rules] Potential portscan detected (#2817) 
* [New Rules] Potential portscan detected

* Updated descriptions

* Update rules/network/discovery_potential_syn_port_scan_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/network/discovery_potential_network_sweep_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/network/discovery_potential_port_scan_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updating integration manifests and schemas

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-07-09 09:49:32 +02:00
Ruben Groenewoud e5d6d6e4a7 [New Rule] sus cmds executed by unknown executable (#2858) 
* [New Rule] sus cmds executed by unknown executable

* added an event.action filter

* Added endgame support, fixed stack version comment

* Update execution_suspicious_executable_running_system_commands.toml

* Update rules/linux/execution_suspicious_executable_running_system_commands.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_suspicious_executable_running_system_commands.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-06 17:32:56 +02:00
Ruben Groenewoud 4e0b7427b7 [New Rules] ftp/rdp bruteforce (#2910) 
* [New Rules] ftp/rdp bruteforce

* Update credential_access_potential_successful_linux_ftp_bruteforce.toml

* Update credential_access_potential_successful_linux_rdp_bruteforce.toml

* Update non-ecs-schema.json

* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-06 17:16:01 +02:00
Ruben Groenewoud d5dee5a6c8 [New Rules] sysctl and modprobe enumeration (#2844) 
* [New Rules] sysctl and modprobe enumeration

* Update discovery_linux_modprobe_enumeration.toml

* Update discovery_linux_sysctl_enumeration.toml

* reverted manifest/schema update

* updated tags

* Update discovery_linux_modprobe_enumeration.toml
 2023-07-06 16:46:54 +02:00
Terrance DeJesus cd7a52f1b1 [Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895) 
* forking rules with version collisions

* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
 2023-07-06 10:39:20 -04:00
Ruben Groenewoud 64b3fa8d1d [New Rule] Kernel Load/Unload via Kexec Detected (#2846) 
* [New Rule] Kernel Load/Unload via Kexec

* Added additional references

* changed rule name

* changed the query to be more precise

* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* changed description based on feedback

* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
 2023-07-06 16:03:27 +02:00
Ruben Groenewoud 646c316b66 [New Rules] Linux Reverse Shells (#2905) 
* [New Rules] Linux Reverse Shells

* [New Rules] Linux Reverse Shells

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Delete UDP rule to add in separate PR

* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Deleted one rule and tuned the others

* Improved the rules' performance

* Added the reverse_tcp rule back after tuning

* Update execution_shell_via_lolbin_interpreter_linux.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-07-06 15:27:57 +02:00
Ruben Groenewoud 78055bbeee [New Rule] Suspicious Proc Enumeration (#2845) 
* [New Rule] Suspicious Proc Enumeration

* Update rules/linux/discovery_suspicious_proc_enumeration.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/discovery_suspicious_proc_enumeration.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

* fix tags

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
 2023-07-04 11:34:56 +02:00
Eric df0a1facd1 [WMI Incoming Lateral Movement] Modify Existing Query Exception (#2843) 
* Tune WMI Incoming Lateral Movement

* Tune WMI Incoming Lateral Movement

* Bump updated_date

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 17:12:05 -04:00
Eric f78de8c9d4 Add MS Office exceptions to query (#2836) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 16:09:17 -04:00
Ruben Groenewoud 7a1f376a34 [New Rules] Conversion of deprecated ERs over to DRs (#2877) 
* [Conversion] Data Encrypted via OpenSSL

* [Conversion] sus funzip extraction/decompression

* [Conversion] LD_PRELOAD env var process injection

* fix unit testing failure

* suspecting endgame incompatibility

* fixed typo

* added LD_LIBRARY_PATH

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* Added exclusions for FPs

* Update rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/impact_data_encrypted_via_openssl.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-07-02 10:39:44 +02:00
Eric 35ea2727dc [Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades (#2850) 2023-06-30 18:01:35 -04:00
Samirbous 7aa8a7b5fb [Rules Tuning] diverse tuning (#2506) 
* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_remote_services.toml

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_rdp_enabled_registry.toml

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_updated.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update rules/windows/persistence_scheduled_task_updated.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-30 18:57:00 +01:00
Jonhnathan d5dddae0ef [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#2721) 
* [Rule Tuning] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-06-30 10:56:13 -03:00
Samirbous 2a4749d3d0 [New Rule] New Term Rule for USB Devices (#2644) 
* Create

* Update initial_access_first_time_seen_usb_name.toml

* Update rules/windows/initial_access_first_time_seen_usb_name.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/initial_access_first_time_seen_usb_name.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update initial_access_first_time_seen_usb_name.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-30 10:41:38 -03:00
Ruben Groenewoud 9794f8f0af [New Rule] Postgresql Code Execution (#2863) 
* [New Rule] Postgresql Code Execution

* Update rules/linux/execution_remote_code_execution_via_postgresql.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_remote_code_execution_via_postgresql.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-30 13:17:24 +02:00
Jonhnathan a7e605a0e5 [Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 (#2889) 
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823

* Add exception to unit test

* fixed linting

* proper linting fix

* updated to add to definitions.py

* fix linting

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2023-06-28 15:55:43 -03:00
Ruben Groenewoud 8703c65f87 [Tuning] Azure Network Packet Capture Detected (#2888) 2023-06-28 16:32:56 +02:00
Jonhnathan 90c79a8283 [Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules (#2777) 
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-28 10:22:24 -03:00
Terrance DeJesus 48cf95c8eb [Rule Tuning] Change Network Rules to Use Network Packet Capture Integration (#2665) 
* updated indexes and updated dates

* added network_traffic integration tag to rules

* reverting changes to resolve conflicts

* metadata changes; indexes changed; schemas and manifest updated

* updated default telnet port connection rule

* updating integration manifests

* adjusted rules; updated integrations; deduplicate packages
 2023-06-26 17:35:49 -04:00