security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
951 Commits 1 Branch 0 Tags
758784d4d5d3bfb5162bf50de78e7b5bfbf7b14c
Commit Graph

951 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
shashank-elastic 758784d4d5 env binary shell evasion threat (#1793) 
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat

* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat

* Update rules/linux/env_binary_shell_evasion.toml

* Update rules/linux/env_binary_shell_evasion.toml

* new:rule:issue-1786 Adding Mittre Attack Techniques

* new:rule:issue-1786 Adding Mittre Attack Techniques

* new:rule:issue-1786 Adding Mittre Attack Techniques

* new:rule:issue-1786 Adding Mittre Attack Techniques

* new:rule:issue-1786 Adding Mittre Attack Techniques

* Update rules/linux/privilege_escalation_env_binary.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/privilege_escalation_env_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_env_binary.toml

* Update rules/linux/privilege_escalation_env_binary.toml

* new:rule:issue-1786 Review Comments

* Update rules/linux/defense_evasion_env_binary.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-02 21:47:01 +05:30
Samirbous f48144c6b3 [New Rule] Registry Hive File Creation via SMB (#1779) 
* [New Rule] Registry Hive File Creation via SMB

Identifies the creation or modification of a medium size registry hive file via the SMB protocol :

* Update credential_access_moving_registry_hive_via_smb.toml

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-02 10:12:17 +01:00
Jonhnathan 8a9b52f7e1 Update impact_azure_service_principal_credentials_added.toml (#1802) 2022-03-02 05:36:21 -03:00
Jonhnathan 1c50f35aed [Security Content] Update rules based on docs review (#1803) 
* Adds suggestions from security-docs

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-03-01 21:39:30 -03:00
Apoorva Joshi 0122e1e65f Updating Host Risk Score docs (#1716) 
* Updating host risk score docs

* Small update

* Add host risk documentation for Kibana 8.1 features

* Update host-risk-score.md

* Rearranging some stuff

* Improve host risk SS

* Adding stack version info where applicable

* Update host-risk-score.md

* Update host-risk-score.md

* Update host-risk-score.md

* Update host-risk-score.md

* Update host-risk-score.md

Add host by risk table note

* Update host-risk-score.md

Co-authored-by: Pablo Neves Machado <pablo.nevesmachado@elastic.co>
 2022-02-28 15:19:31 -08:00
Justin Ibarra a5eb02ac28 Refresh ATT&CK to v10.1 (#1791) 2022-02-24 16:37:23 -09:00
Justin Ibarra d373db7659 Ensure github module is installed before running PR commands (#1777) 
* Ensure github module is installed before running PR commands

* move go and elastic-package assertions to top of command

* update error msg for missing pkg

* remove redundant github assertion

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-02-24 14:49:01 -09:00
Mika Ayenson aa7d79cc53 [New Rule] LSASS Memory Dump (#1784) 
* Add new event_data fields (ObjectName, ProcessName)

* Add detection for LSASS Memory Dump Handle Access

* Reference an example of 120089 AccessMask presence

* modify query to increase performance and update the description to remove ("This rule").

* expand path to Elastic Agent ensure syntax consistency

* Optimize rule based on AccessMaskDescription and additional False Positives.

* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used

* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription

* cleanup
 2022-02-24 08:14:01 -05:00
Mika Ayenson 0aeb7399d4 [Bug] Fix toml-lint ordering of Mitre metadata #1249 (#1774) 
* Order the MITRE metadata by recursively sorting the rule object before writing.

* Refactor order_rule into the rule_formatter module.

* sort test_toml.json according to rule_formatter spec

* rename var to obj since this will traverse all data in the rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-22 13:57:49 -05:00
Jonhnathan 8664ef59f4 Update persistence_azure_conditional_access_policy_modified.toml (#1788) 2022-02-22 15:26:28 -03:00
github-actions[bot] 5e073af69d Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1781) 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1
 2022-02-16 08:25:31 -09:00
Jonhnathan dec4243db0 [Rule Tuning] Update rules based on docs review (#1778) 
* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-16 07:42:06 -09:00
Jonhnathan 3227d65cd8 [Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773) 
* Remove Windows Integration & Winlogbeat Support

* Update lateral_movement_service_control_spawned_script_int.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-15 23:04:55 -03:00
Jonhnathan 03f60cc11c [Rule Tuning] Potential Command and Control via Internet Explorer (#1771) 
* Use user.name on the sequence instead of user.id

* Update command_and_control_iexplore_via_com.toml

* Remove min_stack and comment "with runs"

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-15 22:58:01 -03:00
Jonhnathan 42436d3364 [New Rule] Potential Credential Access via DCSync (#1763) 
* "Potential Credential Access via DCSync" Initial Rule

* replace unintentional bracket removal

* json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-15 21:40:26 -03:00
Jonhnathan fd678dc5cb Modified to use Integrity fields instead of user.id (#1772) 2022-02-15 15:22:49 -09:00
Jonhnathan 9bbe26fec0 [Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775) 
* Initial Review of Sysmon Registry Rules

* Update defense_evasion_sip_provider_mod.toml
 2022-02-15 09:56:37 -03:00
Jonhnathan c646a18efb Update discovery_net_command_system_account.toml (#1769) 2022-02-14 12:11:12 -03:00
Samirbous 326aa64ff6 [New Rule] Windows Service Installed via an Unusual Client (#1759) 
* [New Rule] Windows Service Installed via an Unusual Client

https://www.x86matthew.com/view_post?id=create_svc_rpc

* Update non-ecs-schema.json

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add ```s

* Update privilege_escalation_windows_service_via_unusual_client.toml

* add missing comma to schema

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-11 21:56:59 +01:00
Jonhnathan 9c56b00429 Modification of AmsiEnable Registry Key - Sysmon support (#1760) 2022-02-11 17:49:38 -03:00
Jonhnathan aa9fedd18d Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (#1757) 2022-02-11 08:15:49 -09:00
github-actions[bot] 8f36346139 Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1768) 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1

* Trigger Build

* Remove change to trigger build

Co-authored-by: DefSecSentinel <DefSecSentinel@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-02-10 15:06:49 -06:00
Khristinin Nikita b1121da237 [Rule Tuning] Fix IM query (#1767) 
* Fix IM quer

* Add update date
 2022-02-10 09:30:13 -09:00
Jonhnathan 5a16a222ad [Documentation] Fix O365 Integration name on Rules and Unit Test (#1684) 
* Adjust Integration Name

* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml

* Update integration name

* .

* Case

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-09 19:03:30 -03:00
Colson Wilhoit e0dda91f26 Prep for creation of 8.2 branch (#1762) 2022-02-08 18:43:55 -09:00
Justin Ibarra 97835bc5c5 Move misplaced rule to proper folder (#1756) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-02-04 11:35:29 -09:00
Jonhnathan 85b72256c2 [New Rule] Potential Shadow Credentials added to AD Object (#1729) 
* Potential Shadow Credentials added to AD Object Initial Rule

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_shadow_credentials.toml

* Add AD tag

* Update credential_access_shadow_credentials.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-04 15:49:04 -03:00
Jonhnathan 7dac52f1cf [New Rule] PowerShell Script Block Logging Disabled (#1749) 
* PowerShell Script Block Logging Disabled

* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_disable_posh_scriptblocklogging.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-04 15:44:27 -03:00
Jonhnathan 40095d95bf Update credential_access_mod_wdigest_security_provider.toml (#1751) 2022-02-04 15:38:12 -03:00
Jonhnathan 9ce5d0b92a [New Rule] AdminSDHolder Backdoor (#1745) 
* AdminSDHolder Backdoor

* Update rules/windows/persistence_ad_adminsdholder.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-01 10:14:39 -03:00
Jonhnathan d949fefe0c [New Rule] KRBTGT Delegation Backdoor (#1743) 
* KRBTGT Delegation Backdoor

* Update persistence_msds_alloweddelegateto_krbtgt.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* refresh rule_id with new uuid

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-01 10:08:54 -03:00
Justin Ibarra 2828633919 [Bug] Fix AttributeError in RuleCollection dupe check (#1747) 2022-01-31 15:57:46 -09:00
Jonhnathan 26d5bad914 [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741) 
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml

* fix year
 2022-01-31 21:02:02 -03:00
Jonhnathan 6e3f4b2824 [New Rule] Kerberos Preauthentication Disabled for User (#1717) 
* Initial "Kerberos Preauthentication Disabled for User" Rule

* Update credential_access_disable_kerberos_preauth.toml

* Update credential_access_disable_kerberos_preauth.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Add config directives

* Update rules/windows/credential_access_disable_kerberos_preauth.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-31 12:31:20 -03:00
Jonhnathan 25ec71579d [New Rule] SeEnableDelegationPrivilege assigned to User (#1737) 
* SeEnableDelegationPrivilege assigned to User

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix logging policy name

* Update rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* lint

* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-31 12:22:54 -03:00
Justin Ibarra 72c64de3f5 [Rule tuning] Update rules based on docs review (#1663) 
* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-01-28 10:41:22 -09:00
Khristinin Nikita 87c7210aab [Rule Tuning] Change default time query for rounding days (#1713) 
* Change default time query for rounding days

* Udpate date

* Revert rule updated_data

* Restore threat_query
 2022-01-28 10:34:14 -09:00
Jonhnathan edd0df5e1a [New Rule] PowerShell Kerberos Ticket Request (#1715) 
* PowerShell Kerberos Ticket Request Initial Rule

* bump date
 2022-01-27 16:36:02 -03:00
Jonhnathan 189c2b152c [New Rule] Email Reported by User as Malware or Phish (#1699) 
* Email Reported by User as Malware or Phish Initial Rule

* Update initial_access_o365_user_reported_phish_malware.toml

* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 16:30:46 -03:00
Jonhnathan b6cbdbd416 [New Rule] MS Office Macro Security Registry Modifications (#1696) 
* "MS Office Macro Security Registry Modifications" Initial Rule

* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 16:24:41 -03:00
Jonhnathan f7bc13b437 [New Rule] OneDrive Malware File Upload (#1693) 
* "OneDrive Malware File Upload" Initial Rule

* bump severity
 2022-01-27 16:19:16 -03:00
Jonhnathan 1676844640 [New Rule] SharePoint Malware File Upload (#1691) 
* "SharePoint Malware File Upload" Initial Rule

* s/onedrive/sharepoint

* bump severity
 2022-01-27 16:12:17 -03:00
Samirbous 26fb8e83a5 [New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660) 
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac

EQL

```
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```

* Create privilege_escalation_samaccountname_spoofing_attack.toml

* Update non-ecs-schema.json

* extra ref

* toml linted

* ref for MS kb5008102

* more ref

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 15:46:27 +01:00
Jonhnathan 14252d45ee [New Rule] Global Administrator Role Assigned (#1686) 
* Initial Global Administrator Role Assigned Rules

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 09:53:02 -03:00
Jonhnathan 7e4325dd7a Create credential_access_mfa_push_brute_force.toml (#1682) 2022-01-27 09:37:49 -03:00
Jonhnathan 38ae64f729 [Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718) 
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 09:31:51 -03:00
Jonhnathan 1699f50beb Update credential_access_suspicious_lsass_access_memdump.toml (#1714) 2022-01-27 09:28:16 -03:00
Jonhnathan 4ac824192f Update source.ip condition (#1712) 2022-01-27 09:24:55 -03:00
Jonhnathan 0a23d820c9 [Rule Tuning] Fix event.outcome condition on O365 failed logon related rules (#1687) 
* Tune rule query

* Update credential_access_microsoft_365_potential_password_spraying_attack.toml

* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml

* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"

This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
 2022-01-27 09:22:42 -03:00
Jonhnathan 50c7d5f262 [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1683) 
* Inbox Rule Tuning

* Add RedirectTo

* Update non-ecs-schema.json
 2022-01-27 09:20:49 -03:00