security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
70 Commits 1 Branch 0 Tags
8564185a7d95052f8fc8f3d6200235df7dee41bf
Commit Graph

8 Commits

Author SHA1 Message Date
Justin Ibarra 8564185a7d [Bug] resolves bug in Rule version methods (#2021) 
* [Bug] resolves bug in Rule version methods

* comment out unused code with notes

(cherry picked from commit 744f56d98e)
 2022-06-07 23:41:40 +00:00
Justin Ibarra 3a1a5fe12b Collapse unsupported previous version entries (#2013) 
* Collapse unsupported previous version entries
* drop the last entry in the matrix test

(cherry picked from commit f57950a3c9)
 2022-06-02 23:18:45 +00:00
Terrance DeJesus 220996b1b8 Prep for Creation of 8.4 Branch (#2001) 
* prepping for 8.4 branch

* adjusted schemas init file

* adjusted target matrix to only backport to 7.16, updated api schemas

* adjusted the lock-versions workflow to account for 7.16 and up support only

* Add test for version lock to schema map correlation

* decouple from static 7.13 references

* keep patch version for lock

* Update detection_rules/etc/packages.yml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 35b1a69ff5)
 2022-06-02 18:59:56 +00:00
Justin Ibarra 6199bd4524 Refresh ECS/beats schemas up to 8.2 (#1995) 
(cherry picked from commit 0428e161a8)
 2022-05-25 19:53:52 +00:00
Samirbous ca7a148f5a [New rule] Remote Computer Account DnsHostName Update (#1962) 
* [New rule] Remote Computer Account DnsHostName Update

Identifies remote update to a computer account DnsHostName attribute, if the new value is set a valid domain controller DNS hostname and the subject computer name is not a domain controller then it's high likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges :

* added MS ref url

* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 19ff825a91)
 2022-05-11 17:42:44 +00:00
Justin Ibarra 4b92b42b45 Manually reconciled versions from forked rule package generation bug (#1950) 
(cherry picked from commit 8168551c59)
 2022-05-04 18:06:16 +00:00
Mika Ayenson 2ccbdcb773 Move etc under detection_rules (#1885) 
* Move etc directory under detection_rules
* Prepend original `etc` path with `detection_rules`
* Update docstrings in util and CODEOWNERS
* Add resiliency to tags to account for the old directory structure
* Bug fix: remove unused param caused by commit 6ed1a39efe

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-05-02 14:06:33 -04:00
Mika Ayenson cc8af968e3 Move etc under detection_rules (#1885) 
* Move etc directory under detection_rules
* Prepend original `etc` path with `detection_rules`
* Update docstrings in util and CODEOWNERS
* Add resiliency to tags to account for the old directory structure
* Bug fix: remove unused param caused by commit 6ed1a39efe

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit 6219fc06b9)
 2022-05-02 14:13:36 +00:00