security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,087 Commits 1 Branch 0 Tags
89d89f15d22f5068fb7ce505aaeb8a6c2e49ff4a
Commit Graph

300 Commits

Author SHA1 Message Date
Ruben Groenewoud c87c4c9f5d [New Rules] PAM Module Creation & Unusual PAM Grantor (#3743) 
* [New Rules] PAM Module Creation & Unusual PAM Grantor

* Update persistence_unusual_pam_grantor.toml

* Update persistence_pluggable_authentication_module_creation.toml

* Update rules/linux/persistence_pluggable_authentication_module_creation.toml

* Update persistence_pluggable_authentication_module_creation.toml

* Update persistence_unusual_pam_grantor.toml

* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
 2024-06-11 11:51:33 +02:00
Ruben Groenewoud 4cf0c2b9af [Rule Tuning] Systemd-udevd Rule File Creation (#3738) 
* [Rule Tuning] Systemd-udevd Rule File Creation

* Incompatible endgame field

* Update rules/linux/persistence_udev_rule_creation.toml

* Update rules/linux/persistence_udev_rule_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_udev_rule_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update persistence_udev_rule_creation.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-11 11:40:54 +02:00
Ruben Groenewoud 4003219aa1 [New Rule] APT Package Manager Configuration File Creation (#3739) 
* [New Rule] APT Package Manager Configuration File Creation

* Update rules/linux/persistence_apt_package_manager_file_creation.toml

* Update persistence_apt_package_manager_file_creation.toml
 2024-06-11 09:43:35 +02:00
Ruben Groenewoud 74f049cc7c [New Rule] Network Connection Initiated by SSH Parent Process (#3759) 
* [New Rule] Network Connection Initiated by SSH Parent Process

* Update persistence_ssh_netcon.toml

* Update rules/linux/persistence_ssh_netcon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_ssh_netcon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update persistence_ssh_netcon.toml

* Update persistence_ssh_netcon.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-10 10:30:45 +02:00
Ruben Groenewoud 29bb52d2fb [New Rule] Netcon through XDG Autostart Entry (#3741) 
* [New Rule] Netcon through XDG Autostart Entry

* Update rules/linux/persistence_xdg_autostart_netcon.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update persistence_xdg_autostart_netcon.toml

* Update persistence_xdg_autostart_netcon.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-06-10 10:17:09 +02:00
Ruben Groenewoud 70496f813f [New Rule] Executable Bit Set for rc.local/rc.common (#3736) 
* [New Rule] Executable Bit Set for rc.local/rc.common

* Endgame compatibility

* Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
 2024-06-10 09:57:14 +02:00
Ruben Groenewoud d3e2f70ce2 [New Rule] Process Capability Set via setcap Utility (#3744) 
* [New Rule] Process Capability Set via setcap Utility

* ++

* Update rules/linux/persistence_process_capability_set_via_setcap.toml
 2024-06-06 12:44:31 +02:00
Ruben Groenewoud 8e6114f76c [Rule Tuning] System Binary Moved or Copied (#3742) 
* [Rule Tuning] System Binary Moved or Copied

* Added reference

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_binary_copied_to_suspicious_directory.toml
 2024-06-06 12:24:48 +02:00
Ruben Groenewoud 61ab035f41 [Rule Tuning] Potential Sudo Hijacking (#3745) 
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml
 2024-06-06 11:59:26 +02:00
Ruben Groenewoud 342fde097f [New Rule] SSH Key Generated via ssh-keygen (#3731) 
* [New Rule] SSH Key Generated via ssh-keygen

* ++

* Update rules/linux/persistence_ssh_key_generation.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-06-06 11:50:38 +02:00
Ruben Groenewoud 5f36f3a03e [Rule Tuning] Shell Configuration Creation or Modification (#3732) 
* [Rule Tuning] Shell Configuration Creation or Modification

* Incompatible endgame field

* Update rules/linux/persistence_shell_configuration_modification.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-05 10:28:13 +02:00
Ruben Groenewoud e41a57f2ad [Rule Tuning] Message-of-the-Day (MOTD) (#3730) 
* [Rule Tuning] Message-of-the-Day (MOTD)

* Update persistence_message_of_the_day_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-05 10:18:30 +02:00
Ruben Groenewoud bebf671881 [Rule Tuning] Systemd Service & Timer (#3728) 
* [Rule Tuning] Systemd Service & Timer

* Update

* Update persistence_systemd_scheduled_timer_created.toml

* Update persistence_systemd_service_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_systemd_service_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-05 10:01:15 +02:00
Ruben Groenewoud 81ee6380ec [New Rule & Tuning] (Ana)Cron & At Job Creation (#3726) 
* [New Rule & Tuning] (Ana)Cron & At Job Creation

* Update persistence_at_job_creation.toml

* Update persistence_cron_job_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_at_job_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_cron_job_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-05 09:53:42 +02:00
shashank-elastic e357a2c050 Refresh MITRE Attack v15.1.0 (#3725) 2024-06-04 20:14:58 +05:30
Ruben Groenewoud 390629da4e [New Rule & Tunings] Linux Springtail Backdoor (#3692) 
* [New Rules and Tuning] Springtail backdoor

* consistency formatting

* update

* unit testing formatting change

* Update persistence_systemd_service_started.toml

* Update persistence_systemd_service_started.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
 2024-05-24 10:10:11 +02:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Justin Ibarra ce21acef9c [Bug] Fix test_os_and_platform_in_query test and rules (#3695) 
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2024-05-20 08:43:30 -07:00
Ruben Groenewoud e29994c338 [New Rule] Shell Configuration Modification (#3629) 
* [New Rule] Shell Configuration Modification

* description update

* uuid update

* query update

* query update

* Update rules/linux/persistence_shell_configuration_modification.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-04-30 13:41:13 +02:00
Ruben Groenewoud 115c3a6dfd [Rule Tuning] Linux DRs (#3628) 2024-04-30 13:26:09 +02:00
Mirko Bez 153657029b Add filebeat-* index pattern to rules based on system.auth dataset (#3561) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-03 11:27:31 +02:00
Samirbous f2490007e8 [New] Potential Execution via XZBackdoor (#3555) 
* [New] Potential Execution via XZBackdoor

* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-02 05:15:04 +01:00
Ruben Groenewoud a6028b43b3 [Rule Tuning] Potential Reverse Shell via UDP (#3508) 2024-03-21 13:48:41 +01:00
Ruben Groenewoud 4179180fcb [New Rules] mprotect() RWX Binary Execution (#3507) 
* [New Rules] mprotect() RWX Binary Execution

* Added rule names

* Update execution_netcon_from_rwx_mem_region_binary.toml

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update execution_netcon_from_rwx_mem_region_binary.toml

* Update execution_netcon_from_rwx_mem_region_binary.toml
 2024-03-13 22:11:44 +01:00
Ruben Groenewoud 9f8638a004 [Tuning] event.action and event.type change (#3495) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-03-13 10:11:21 +01:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
 2024-03-11 09:09:40 -03:00
Ruben Groenewoud 9c4ba4559d [Tuning] Linux DR Tuning - Part 12 (#3464) 
* [Tuning] Linux DR Tuning - Part 12

* Update persistence_shared_object_creation.toml

* Update privilege_escalation_dac_permissions.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Min stack rule-bending test

* formatting fix

* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"

This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Revert "Min stack rule-bending test"

This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 18:09:38 +01:00
Ruben Groenewoud ed4a7fc15b [Tuning] Linux DR Tuning - Part 14 (#3467) 
* [Tuning] Linux DR Tuning - Part 14

* Update privilege_escalation_sudo_cve_2019_14287.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 16:45:47 +01:00
Ruben Groenewoud 60fda8d756 [Tuning] Linux DR Tuning - Part 13 (#3465) 
* [Tuning] Linux DR Tuning - Part 13

* updated date bump

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

* Update privilege_escalation_netcon_via_sudo_binary.toml

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

* Update rules/linux/privilege_escalation_shadow_file_read.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-03-07 16:28:06 +01:00
Ruben Groenewoud ef66c57030 [Tuning] Linux DR Tuning - Part 11 (#3463) 
* [Tuning] Linux DR Tuning - Part 11

* Update persistence_message_of_the_day_creation.toml

* Update persistence_message_of_the_day_execution.toml

* Update rules/linux/persistence_message_of_the_day_execution.toml

* Update persistence_linux_user_added_to_privileged_group.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 12:20:31 +01:00
Ruben Groenewoud a76a3755d9 [Tuning] Linux DR Tuning - Part 10 (#3462) 
* [Tuning] Linux DR Tuning - Part 10

* updated_date bump

* Update persistence_kworker_file_creation.toml

* Update persistence_linux_backdoor_user_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 11:45:17 +01:00
Ruben Groenewoud fd84573212 [Tuning] Linux DR Tuning - Part 9 (#3461) 
* [Tuning] Linux DR Tuning - Part 9

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update lateral_movement_ssh_it_worm_download.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 11:33:28 +01:00
Ruben Groenewoud 08f946b394 [Tuning] Linux DR Tuning - Part 8 (#3460) 
* [Tuning] Linux DR Tuning - Part 8

* Update impact_esxi_process_kill.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 11:01:08 +01:00
Ruben Groenewoud c537fb9c22 [Tuning] Linux DR Tuning - Part 7 (#3458) 
* [Tuning] Linux DR Tuning - Part 7

* Update execution_potential_hack_tool_executed.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 10:46:48 +01:00
Ruben Groenewoud f37a3bfd48 [Tuning] Linux DR Tuning - Part 6 (#3457) 
* [Tuning] Linux DR Tuning - Part 6

* Update discovery_ping_sweep_detected.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 10:09:14 +01:00
Ruben Groenewoud ae3f4737ab [Tuning] Linux DR Tuning - Part 5 (#3456) 
* [Tuning] Linux DR Tuning - Part 6

* Update discovery_dynamic_linker_via_od.toml

* Update discovery_esxi_software_via_find.toml

* Update discovery_esxi_software_via_grep.toml

* Update discovery_linux_hping_activity.toml

* Update discovery_linux_nping_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 09:53:46 +01:00
Ruben Groenewoud 83abf8d42c [Tuning] Auditbeat event.action Compatibility (#3471) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-06 15:28:28 +01:00
Ruben Groenewoud 5a80423003 [BBR Promotion] Linux BBR --> DR Promotion (#3472) 
* [BBR Promotion] Linux BBR --> DR Promotion

* [BBR Promotion] Linux BBR --> DR Promotion

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-06 10:49:42 -03:00
Ruben Groenewoud 089e6671aa [Tuning] Linux DR Tuning - Part 4 (#3455) 
* [Tuning] Linux DR Tuning - Part 4

* Update defense_evasion_file_mod_writable_dir.toml

* Update defense_evasion_hidden_file_dir_tmp.toml
 2024-02-20 15:38:54 +01:00
Ruben Groenewoud 3484cac7eb [Tuning] Event.dataset removal & Tag Addition (#3451) 
* [Tuning] Removed event.dataset and added tag

* [Tuning] Removed event.dataset and added tag

* fixed typo

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-02-20 15:18:27 +01:00
Ruben Groenewoud 5e6e4a359b [Tuning] Linux DR Tuning - Part 3 (#3454) 2024-02-20 14:50:58 +01:00
Ruben Groenewoud 1dc7fd6a42 [Tuning] Linux DR Tuning - Part 1 (#3452) 
* [Tuning] Linux DR Tuning - Part 1

* Update command_and_control_linux_tunneling_and_port_forwarding.toml

* Update command_and_control_cat_network_activity.toml
 2024-02-20 14:38:19 +01:00
Ruben Groenewoud 0e48747aa6 [Tuning] Linux DR Tuning - Part 2 (#3453) 
* [Tuning] Linux DR Tuning - Part 2

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
 2024-02-20 14:17:17 +01:00
Ruben Groenewoud d41855a2ac [New Rules] DDExec Analysis (#3408) 
* [New Rules] DDExec Analysis

* Increased rule scope

* [New Rule] Dynamic Linker Discovery via od

* Revert "[New Rule] Dynamic Linker Discovery via od"

This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.

* [New Rule] Dynamic Linker Discovery via od

* [New Rule] Potential Memory Seeking Activity

* [New BBR] Suspicious Memory grep Activity

* Added endgame + auditd_manager support

* Removed auditd_manager support for now

* Removed auditd_manager support for now

* Update discovery_suspicious_memory_grep_activity.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-02-06 14:47:37 +01:00
Ruben Groenewoud 90d64f0714 [New Rule] Executable Masquerading as Kernel Process (#3421) 
* [New Rule] Executable Masquerading as Kernel Proc

* Bumped dates

* Added endgame support

* Added auditd_manager support

* Removed auditd_manager support for now
 2024-02-06 10:49:36 +01:00
Ruben Groenewoud 208b2e999c [New Rules] APT Package Manager Persistence (#3418) 
* [New Rule] apt Package Manager Persistence

* [New Rules] APT Package Manager Persistence

* [New Rules] APT Package Manager Persistence
 2024-02-06 10:29:27 +01:00
Ruben Groenewoud 4f303ab77e [New Rule] Suspicious Network Connection via systemd (#3420) 
* [New Rule] Network Connection via systemd

* Removed space from description

* Added updated query
 2024-02-06 10:19:42 +01:00
Ruben Groenewoud 381ccf43ed [New Rule] Suspicious Passwd File Event Action (#3396) 
* [New Rule] Suspicious Passwd File Event Action

* Description fix

* Pot. UT fix

* Pot. UT fix.

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-26 09:36:56 +01:00