security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,834 Commits 1 Branch 0 Tags
724e34ba95ffb48d13e18a91c547800986164572
Commit Graph

1834 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Terrance DeJesus 894e34f82c [Bug] Add new-package argument to bump-pkg-versions CLI (#2703) 
* initial changes to release fleet workflow and CLI

* changed the default value of package version for 8.8

* changed how true/false is passed into CLI command

* reverted changes to packages.yml
 2023-04-12 13:48:58 -04:00
Terrance DeJesus d6f277e379 [New Rule] Google Workspace New OAuth Login from Third-Party Application (#2677) 
* adding new rule 'Google Workspace New OAuth Login from Custom Application'

* changed name and 'custom' to 'third-party'

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

* updated non-ecs
 2023-04-12 09:40:31 -04:00
Terrance DeJesus 4511ab0666 [Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace (#2674) 
* tuning rule to add token sequence

* updated date

* updated non-ecs, integration schemas and manifests

* added investigation guide

* Updating note

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updating note

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updated false positive description

* updating manifest and schemas with main to resolve conflicts

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-04-12 09:15:58 -04:00
Jonhnathan 16749e45ae [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process (#2704) 
* [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process

* Update impact_backup_file_deletion.toml
 2023-04-11 13:47:52 -03:00
Mika Ayenson e9ebb1f2d8 [Bug] Rename 8.7 schemas from *.master and strip build time fields (#2707) 2023-04-11 10:56:20 -04:00
github-actions[bot] 6edfb32160 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7 (#2702) 
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7

* kicking off testing

* removed change to kickoff testing

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-04-10 11:24:16 -04:00
Eric d1aadde671 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#2671) (#2672) 
* --amend

* --amend

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-04-06 15:15:57 -03:00
Karl Godard d0ea8c6f98 [New Rule] new CWP rule to surface alerts from the cloud_defend integration (#2679) 
* new CWP rule to surface alerts from the cloud_defend integration

* created new rule uuid

* updated version info. removed risk level overrides and endpoint exception list

* added event.module

* removed rule name override

* updated_date and min_stack_comments updated

* updated external alerts updated_date. added kubernetes to cwp rule tags

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-04-05 21:31:03 -03:00
Jonhnathan 1a9b0e732c [Rule Tuning] Potential PowerShell HackTool Script by Function Names (#2692) 2023-04-05 16:48:33 -03:00
Jonhnathan eafe54c2cc [Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot (#2691) 2023-04-05 13:28:57 -03:00
Jonhnathan 5aaac84f3a [Rule Tuning] Suspicious service was installed in the system (#2693) 
* [Rule Tuning] Suspicious service was installed in the system

* Update persistence_service_windows_service_winlog.toml
 2023-04-05 13:23:47 -03:00
Samirbous 0c8d0bfd3d [New Rule] Suspicious Execution via Microsoft Office Add-Ins (#2651) 
* Create

* Update initial_access_execution_via_office_addins.toml

* Update initial_access_execution_via_office_addins.toml

* Update initial_access_execution_via_office_addins.toml

* Update rules/windows/initial_access_execution_via_office_addins.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-04-05 17:02:04 +01:00
Terrance DeJesus e878f4b820 adding fix for unit testing that broke in 8.3 (#2683) 2023-04-03 10:11:26 -04:00
Terrance DeJesus 71d12bdda4 [Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests (#2682) 
* add promotion to rulemeta schema class and updated promotion rules

* add promotion to rulemeta schema class and updated promotion rules

* adjusted test_integration_tag and okta rule missing dataset

* fixed flake errors

* updated manifests and schemas to include cloud defend
 2023-04-03 09:42:40 -04:00
Samirbous 51d50b7d8a [New Rule] Lsass Process Access - Generic (#2613) 
* Create credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update non-ecs-schema.json

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_lsass_openprocess_api.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-04-03 14:34:30 +01:00
Charlie Pichette 9713384888 Add Rule Id and Rule Name to the RTA Test List Function (#2680) 2023-03-31 16:08:42 -04:00
eric-forte-elastic 94621d7567 Update layer version to 4.4 (#2676) 2023-03-30 12:29:17 -04:00
Samirbous 892757f4a4 [New Rule] Potential Pass The Hash (#2670) 
* Create lateral_movement_alternate_creds_pth.toml

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-29 19:37:27 +01:00
Jonhnathan 5ed2120e3f [Rule Tuning] Potential Credential Access via Windows Utilities (#2659) 
* [Rule Tuning] Potential Credential Access via Windows Utilities

* Update credential_access_cmdline_dump_tool.toml
 2023-03-29 09:32:36 -03:00
Justin Ibarra 411ec36ff0 Validate markdown plugin fields (#2602) 2023-03-28 09:17:50 -04:00
Terrance DeJesus 7e28b8fc50 [FR] Support Rule Alert Suppression in Rule Schema (#2660) 
* adding initial solution for alert suppression support in rule schema

* reverting rule changes

* fixing flake errors

* reverting rule changes

* adding unit tests

* addressing flake errors

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* adjusting rule.py after commits

* adjusted test_group_field_in_schemas to check integrations

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* nested AlertSuppressDuration class under mapping class

* adjusted dataclass naming

* added unit test to ensure rule is KQL

* fixing flake errors

* added docstrings

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-03-27 15:37:35 -04:00
Jonhnathan 192047f46d [Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell (#2663) 2023-03-27 11:50:53 -03:00
Ruben Groenewoud 3bfe3060a2 [Rule Tuning] Uncommon Registry Persistence Change (#2538) 
* [Rule Tuning] Uncommon Registry Persistence Change

* updated updated_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-26 00:35:23 +01:00
Mika Ayenson 11d79912f1 [FR] Add new macOS RTAs for Endpoint Rules - 2 (#2661) 2023-03-24 17:29:22 -04:00
Mika Ayenson 62ec0ae086 [FR] Add new macOS RTAs for Endpoint Rules (#2632) 2023-03-24 16:53:37 -04:00
Terrance DeJesus 76500f0d46 [New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User (#2654) 
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'

* updated MITRE ATT&CK mappings
 2023-03-24 12:21:56 -04:00
Jonhnathan fd0d7a1d00 [RTA] Adds RTAs to Windows Rules - 2 (#2628) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-03-24 10:13:12 -03:00
Jonhnathan 95b8b1688b [RTA] Add RTAs for Endpoint Rules - 2 (#2633) 
* [RTA] Add RTAs for Endpoint Rules - 2

* Update exec_conhost_indirect.py

* Update msoffice_file_dll_sideload.py

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-03-24 09:55:32 -03:00
Jonhnathan 5c792b86d7 [RTA] Adds RTAs for endpoint rules (#2621) 
* [RTA] Adds RTAs for endpoint rules

* Update exec_cscript_archive_args.py

* Review RTAs 1/2

* Update suspicious_msiexec_child.py

* Update rta/exec_cscript_archive_args.py

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-03-23 18:14:06 -03:00
Jonhnathan 32ca0001ff [Rule Tuning] Untrusted Driver Loaded (#2656) 2023-03-23 08:26:52 -03:00
Ruben Groenewoud 0d1fca454a New Rule: Suspicious Mining Process Creation Event (#2531) 
* New Rule: Suspicious Mining Process Creation Event

* added host.os.type==linux

* trying to fix unit testing

* Revert "trying to fix unit testing"

This reverts commit ab3f371300fa400baa287b54e5f38b4855fc6512.

* unit testing fix attempt

* Revert "unit testing fix attempt"

This reverts commit 8b59343a5923a004423cf665b167611ef0129a9d.

* added endgame support

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-03-21 16:35:25 +01:00
Terrance DeJesus 7be5788945 [New Rule] Google Workspace Resource Copied from External Drive (#2627) 
* added new rule 'Google Workspace Resource Copied from External Drive'

* adjusted mitre att&ck subtechnique ID
 2023-03-20 14:37:58 -04:00
Terrance DeJesus 2c5470349c [New Rule] External User Added to Private Organization Group (#2577) 
* new rule 'External User Added to Google Workspace Group'

* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added Investigation Guide tag

---------

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-03-20 14:32:42 -04:00
Jonhnathan f41c5288cc [RTA] New RTAs for Windows Rules (#2426) 
* Part 1

* Part 2

* Part3

* Part4

* Final Part

* Dedup RTA where Office app loads wmiutils

* Add techniques

* Remove helper

* Update exec_cmd_set_mppreference.py
 2023-03-20 07:56:51 -03:00
Ruben Groenewoud eab30d7456 [Rule Tuning] Namespace Manipulation Using Unshare (#2599) 
* [Rule Tuning] Namespace Manipulation Using Unshare

* reverted updated_date change

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-20 07:36:47 -03:00
Terrance DeJesus f40ad93224 [Bug] Failed CI Unit Tests from Marshmallow Dataclass and Typing Updates (#2645) 2023-03-17 16:38:35 -04:00
Ruben Groenewoud 672211500c [Rule Fix] Privileged SSH Brute Force Detected (#2595) 2023-03-14 15:42:58 -04:00
Ruben Groenewoud f52a744259 [New Rule] RC Script Creation (#2607) 
* [New Rule] RC Script Creation

* fixed unit testing error

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.os.type==linux

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-03-14 15:03:41 -04:00
Ruben Groenewoud 295fc323a1 [Rule Tunings] System Time & Service Discovery (#2589) 
* [Rule Tuning] System Time Discovery

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-14 14:43:21 -04:00
Ruben Groenewoud 1a5bc7e924 [Rule Tuning] Abnormal PID or Lock File Created (#2600) 2023-03-14 14:37:00 -04:00
Mika Ayenson 87c66f923e Update commit-and-push.sh (#2640) 2023-03-09 17:31:19 -05:00
Mika Ayenson 40eff15fbe Update manual-backport.yml (#2639) 2023-03-09 14:42:09 -07:00
Mika Ayenson 0a637a3d86 Update manual-backport.yml (#2638) 2023-03-09 14:09:59 -07:00
Mika Ayenson 2b7d249125 Update manual-backport.yml (#2637) 2023-03-09 15:31:44 -05:00
Mika Ayenson 73555c737d Update manual-backport.yml (#2636) 2023-03-09 15:11:07 -05:00
Mika Ayenson 41ca459532 Update manual-backport.yml (#2635) 2023-03-09 14:15:12 -05:00
Terrance DeJesus 9cb7123a72 [FR] Add enhancements to release-fleet workflow (#2612) 
* added commit hash option

* adjusted commit hash if expression

* add step to retrieve latest locked versions commit; set default

* added change directory to lock versions retrieval

* added echo output

* removed attempt to dynamically pull commit

* added create release tag

* added capability to dynamically create release tag

* adjusted version parsing and reference

* fixed misspelling for packages.yml file

* adjusted the regex pattern for release tag

* added another job to check commit hash

* removed set env variable in check-commit job

* adjusted check commit hash steps

* fixed job references

* adjusted job references for fleet-pr

* checking inverse if statement for second job

* changed how check message is stored

* reverting change for job check

* adjusted check commit step

* adjusted if statement in check_commit step

* added default value for check_commit variable

* removed unecessary step in check-commit job

* added else statement to github actions

* changed output name

* set default output

* testing without if statement

* testing without grep statement

* added environment variable

* testing commit message variable

* changing condition statement

* trying to call environment variable differently

* added more steps to abstract functionality

* reverted changes

* removed bug
 2023-03-08 17:34:31 -05:00
Justin Ibarra 00102812b4 [Tweak] Use global constants to speed up tests (#2629) 
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2023-03-07 19:19:59 -09:00
Terrance DeJesus 181b56c636 [Rule Tuning] Process Created with an Elevated Token (TiWorker.exe) (#2622) 2023-03-07 19:57:34 -05:00
Justin Ibarra cd6a5983c6 Speed up unit tests (#2626) 
* cache rule loader; skip rule tests on RL failure

-------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2023-03-07 16:40:41 -07:00