security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,834 Commits 1 Branch 0 Tags
724e34ba95ffb48d13e18a91c547800986164572
Commit Graph

1834 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jonhnathan 9f213cc9f7 [New Rule] Potential Masquerading as Browser Process (#2995) 
* [New Rule] Potential Masquerading as Browser Process

* Update rules_building_block/defense_evasion_masquerading_browsers.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_masquerading_browsers.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-28 13:28:26 -03:00
Samirbous 22931d6afb Update credential_access_lsass_openprocess_api.toml (#3047) 2023-08-28 16:22:08 +01:00
Jonhnathan 7496c5cb68 [New Rule] Potential Masquerading as Windows System32 DLL (#3021) 
* [New Rule] Potential Masquerading as Windows System32 DLL

* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Restrict logic

* Update defense_evasion_masquerading_windows_dll.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-28 08:31:20 -03:00
Jonhnathan ffa60f2d03 [New Rule] Network-Level Authentication (NLA) Disabled (#3039) 
* [New Rule] Network-Level Authentication (NLA) Disabled

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-08-28 08:05:21 -03:00
Jonhnathan de32287889 [Rule Tuning] High Number of Process and/or Service Terminations (#2940) 2023-08-25 19:19:25 -03:00
shashank-elastic d21ed24e4f BBR Rules Addition (#3027) 2023-08-25 19:10:12 +05:30
Ruben Groenewoud a1716bd673 [Rule Tuning] Several rule tunings (#3024) 
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-25 14:03:29 +02:00
Eric 17d0e5cda8 [Rule Tuning] Threat Intel Hash Indicator Match (#3031) 
* Remove impash matches due to rate of false positives

* Update rules/cross-platform/threat_intel_indicator_match_hash.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-25 06:21:16 -03:00
Jonhnathan 17f6537e44 [Rule Tuning] Windows BBR Rules (#3018) 
* [Rule Tuning] Windows BBR Rules

* Update discovery_generic_process_discovery.toml
 2023-08-25 05:21:16 -03:00
Jonhnathan 460919a9d7 [Rule Tuning] Compression DLL Loaded by Unusual Process (#3017) 2023-08-25 05:08:36 -03:00
Mika Ayenson 7887392eaf Merge branch 'main' of github.com:elastic/detection-rules 2023-08-24 15:26:45 -05:00
Mika Ayenson 5bb5994c6f [Bug] Fix RTA Metadata (#3036) 2023-08-24 11:12:16 -05:00
Mika Ayenson 7ad30125fd Merge branch 'main' of github.com:elastic/detection-rules 2023-08-24 10:34:28 -05:00
Mika Ayenson c72ec4da90 [Bug] Set session cookie key to sid (#3010) 2023-08-22 16:02:20 -05:00
Apoorva Joshi 9482bda414 Adding related integrations to ML rules (#2972) 
* Adding related integrations to ML rules

* added adjustments to determine related integrations for ML rules

* fixed lint errors

* Empty commit

* Empty commit

* Empty commit

---------

Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box>
 2023-08-22 14:39:18 -04:00
Terrance DeJesus 2ddcf7817e [Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing (#3025) 
* adding tuning to ignore windows update

* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-22 13:04:25 -04:00
Jonhnathan 0c3b251208 [Rule Tuning] PowerShell Keylogging Script (#3023) 2023-08-22 07:45:00 -03:00
Jonhnathan f8df53626e [New Rule] Potential Masquerading as Windows System32 Executable (#3022) 
* [New Rule] Potential Masquerading as Windows System32 Executable

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-21 15:14:22 -03:00
Samirbous 5e801b2edf [Tuning] Improve Performance (#2953) 
* [Tuning] Improve Performance

Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.

Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)

* Update privilege_escalation_suspicious_dnshostname_update.toml

* ++

* ++

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-21 16:23:34 +01:00
Steve Ross 4f33a40f48 [Bug] Duplicate tag on Okta rule (#3020) 
* Fix double tag on rule

* fixed all rules; added unit test

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-08-21 10:42:47 -04:00
Jonhnathan 72f15dda6a [New Rule] PowerShell Kerberos Ticket Dump (#2967) 
* [New Rule] PowerShell Kerberos Ticket Dump

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-20 17:29:16 -03:00
Joe Desimone b5e011a892 [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873) 
* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

* bump date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-17 13:52:26 -03:00
Jonhnathan 9144dc0448 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-17 13:00:50 -03:00
github-actions[bot] 4cf70654ad Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 (#3019) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10

* Update detection_rules/etc/deprecated_rules.json

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-08-17 09:09:05 -04:00
Terrance DeJesus 08b646aa94 [FR] 8.10 Release Preparation and Update Main Branch to 8.11 (#3012) 
* prepping for 8.11 branch

* fixed lint errors

* added 8.11 to stack schema map

* trimmed version lock file; adjusted new terms validation

* reverting changes to version lock, stack schema and workflow
 2023-08-16 14:23:44 -04:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Mika Ayenson f589ad4a4b Merge branch 'main' of github.com:elastic/detection-rules 2023-08-11 08:58:51 -05:00
Ruben Groenewoud e938ed28a0 [Rule Tuning] added additional event action (#3008) 2023-08-10 16:59:07 +02:00
Jonhnathan 2393190edf [New Rule] PowerShell Script with Webcam Video Capture Capabilities (#2935) 
* [New Rule] PowerShell Script with Webcam Video Capture Capabilities

* Update collection_posh_webcam_video_capture.toml

* Update rules_building_block/collection_posh_webcam_video_capture.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-09 15:17:15 -03:00
Ali Alwashali f500cec497 fixing typo in 127.0.0.1 address (#3004) 2023-08-08 17:06:26 +02:00
Ruben Groenewoud 4cbfd7c4ae [Rule Tuning] Restricted Shell Breakout (#2999) 2023-08-04 19:30:18 +02:00
Ruben Groenewoud e904ebb760 [New Rule] PE via Container Misconfiguration (#2983) 
* [New Rule] PE via Container Misconfiguration

* fixed boolean comparison unit test error

* Update privilege_escalation_container_util_misconfiguration.toml

* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-04 16:39:40 +02:00
Ruben Groenewoud ef49709c7d [New Rules] Linux Wildcard Injection (#2973) 
* [New Rules] Linux Wildcard Injection

* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-04 16:32:34 +02:00
Ruben Groenewoud c6eba3e4e6 [New Rule] Suspicious Symbolic Link Created (#2969) 
* [New Rule] Suspicious Symbolic Link Created

* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* fixed unit testing issues after suggestion commit

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 23:23:23 +02:00
Ruben Groenewoud 4bcec3397c [New Rule] Potential Suspicious DebugFS Root Device Access (#2982) 
* [New Rule] Potential DebugFS Privilege Escalation

* Changed rule name

* Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 16:13:34 +02:00
Ruben Groenewoud 207d94e51c [New Rule] Potential Sudo Token Manipulation via Process Injection (#2984) 
* [New Rule] Sudo Token Access via Process Injection

* [New Rule] Sudo Token Manipulation via Proc Inject

* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml

* Update privilege_escalation_sudo_token_via_process_injection.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 15:58:25 +02:00
Ruben Groenewoud 7cc841cc87 [New Rule] PE via UID INT_MAX Bug (#2971) 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 15:51:06 +02:00
Ruben Groenewoud ef1fa94c52 [New BBR] Suspicious Clipboard Activity (#2970) 
* [New BBR] Suspicious Clipboard Activity

* Added new line to end of file

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 15:41:23 +02:00
Ruben Groenewoud a7ff449fbc [Rule Tuning] Some Tunings of several 8.9 rules (#2985) 
* [Rule Tuning] Doing some quick tunings

* updated_date bump

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_sysctl_enumeration.toml

* Update rules/linux/persistence_init_d_file_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_shared_object_creation.toml

* deprecate rule

* deprecate rule

* Update execution_abnormal_process_id_file_created.toml

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update execution_remote_code_execution_via_postgresql.toml

* Update discovery_potential_syn_port_scan_detected.toml

* Added 2 tunings, sorry I missed those..

* One more tune

* Update discovery_suspicious_proc_enumeration.toml
 2023-08-03 15:25:33 +02:00
Ruben Groenewoud 03110fb24c [New Rule] SUID/SGUID Enumeration Detected (#2956) 
* [New Rule] SUID/SGUID Enumeration Detected

* Remove endgame compatibility

* readded endgame support after troubleshooting

* Update discovery_suid_sguid_enumeration.toml

* Update rules/linux/discovery_suid_sguid_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 09:57:30 +02:00
Ruben Groenewoud 716b621af2 [New Rule] Potential Sudo Hijacking Detected (#2966) 
* [New Rule] Potential Sudo Hijacking Detected

* Update privilege_escalation_sudo_hijacking.toml
 2023-08-03 09:49:14 +02:00
Ruben Groenewoud 18c2214956 [New Rule] Sudo Command Enumeration Detected (#2946) 
* [New Rule] Sudo Command Enumeration Detected

* Update discovery_sudo_allowed_command_enumeration.toml

* revert endgame support due to unit testing fail

* Update discovery_sudo_allowed_command_enumeration.toml

* Update discovery_sudo_allowed_command_enumeration.toml

* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 09:39:16 +02:00
Mika Ayenson 3f9e7aced1 [Bug] Strip Non-Public Fields Prior to Uploading Rules (#2986) 2023-08-02 12:38:48 -05:00
eric-forte-elastic 29fc61d55b updated pyproject.toml (#2991) 2023-08-02 10:16:12 -04:00
github-actions[bot] 1cb5c174ce Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 (#2988) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9

* Update detection_rules/etc/version.lock.json

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-08-01 10:12:29 -04:00
Mika Ayenson b245d5b46b Merge branch 'main' of github.com:elastic/detection-rules 2023-08-01 08:49:22 -05:00
eric-forte-elastic ea26ea77d7 [FR] Update build-release to support bbr release (#2987) 
* Fixes bug in unit tests

* fix rule paths

* removed unused import
 2023-07-31 15:20:18 -04:00
Ruben Groenewoud b8bb2da932 [New Rule] Potential Privilege Escalation via OverlayFS (#2974) 
* [New Rule] Privilege Escalation via OverlayFS

* Layout change

* Revert "[New Rule] Privilege Escalation via OverlayFS"

This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.

* Made rule broader

* Update privilege_escalation_overlayfs_local_privesc.toml

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

* Update user.id to strings

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-07-31 19:15:11 +02:00
Jonhnathan d1db3a0048 [New Rule] Building Block Rules - Part 4 (#2926) 
* [New Rule] Building Block Rules - Part 4

* Update discovery_win_network_connections.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update rules_building_block/discovery_win_network_connections.toml

* Update rules_building_block/privilege_escalation_unquoted_service_path.toml

* Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml

* Update discovery_net_share_discovery_winlog.toml
 2023-07-31 11:03:57 -03:00
Eric 1e769c51b6 Tune Unusual File Activity ADS for Teams weblogs (#2929) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-31 10:41:31 -03:00