Commit Graph

740 Commits

Author SHA1 Message Date
Ross Wolf 8a3220ef6a Track multiple stacks in lock (#1434)
* Save the stack versions in the lock file
* Support tracking of multiple stacks in the lock
* Update the version locking logic
* Fix bugs and test lock file
* Restore version lock
* Fix lint errors
* Call both click.echo and verbose echo separately
* Change when the change_rules message is output

(cherry picked from commit 0d47cb324a)
2021-08-24 22:57:14 +00:00
dstepanic17 689e690f8c [New rule] Webshell Detection (#1448)
* [new-rule] Webshell Detection

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Added FP note section

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 8ddffc298b)
2021-08-24 20:19:32 +00:00
Justin Ibarra cc75f645b6 [Rule Tuning] Add technique T1005 to 2 rules (#1405)
(cherry picked from commit 8099e1c733)
2021-08-20 08:20:32 +00:00
Ross Wolf 632a322431 Fix encoding of 'Any' type in jsonschema (#1438)
(cherry picked from commit 11c443ba26)
2021-08-19 16:16:40 +00:00
Justin Ibarra 60caedc026 Bump package versions (#1418)
* Bump package versions
* Add 7.14 migration; use master schema map if one does not exist
* add test to ensure an entry exists in the stack-schema-map for the current package version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit 2d517432e3)
2021-08-19 05:26:47 +00:00
Ross Wolf c1b774cdb6 Skip etc/packages.yml from backport: auto (#1437)
(cherry picked from commit d647c7b809)
2021-08-18 22:57:34 +00:00
Austin Songer 94190321c1 [Rule Tuning] AWS Security Group Configuration Change Detection (#1426)
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration

(cherry picked from commit 3b29498907)
2021-08-15 04:35:07 +00:00
Christian Clauss 604fd2a18f Fix typos discovered by codespell (#1430)
(cherry picked from commit ddec37b731)
2021-08-15 04:30:11 +00:00
Justin Ibarra 16bc2a24f1 Remove labeling from community workflow (#1432)
(cherry picked from commit 4a3bacae48)
2021-08-14 10:44:37 +00:00
Justin Ibarra 52dee0d0c6 Add revised workflow for community label (#1431)
(cherry picked from commit f63a72f1ac)
2021-08-14 10:19:55 +00:00
Justin Ibarra 986a515a62 Add label workflow for community issues and pulls (#1406)
* Add label workflow for community issues and pulls
* run on label changes

(cherry picked from commit 006cb0e702)
2021-08-14 06:37:59 +00:00
Justin Ibarra 4bd62ef5c9 Add botelastic workflow for stale issues and PRs (#1414)
(cherry picked from commit 5c8029ad55)
2021-08-14 06:25:51 +00:00
Justin Ibarra 764cb5d0b4 Add paths-labeller workflow (#1407)
* add botelastic workflow

(cherry picked from commit 75d6d76926)
2021-08-14 06:14:32 +00:00
Justin Ibarra c2b7b22496 Pull latest ECS+beats schemas and update schema-map (#1417)
(cherry picked from commit b27a20fc3a)
2021-08-12 21:10:22 +00:00
Austin Songer e170935f1f [New Rule] AWS EC2 Security Group Configuration Change Detection (#1144)
(cherry picked from commit 67ba66c8e7)
2021-08-12 19:38:05 +00:00
David French 9e6c107de5 [New Rule] Whitespace Padding in Process Command Line (#1392)
* Create defense_evasion_whitespace_padding_in_command_line.toml

* add newline

* update description

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 14493689b9)
2021-08-11 16:16:05 +00:00
Justin Ibarra dca8f2b712 [Bug] Flatten method improperly added subtechniques (#1404)
(cherry picked from commit 95486ecfdf)
2021-08-05 19:17:17 +00:00
Ross Wolf 5a33f634a7 Add RuleCollection.load_git_branch (#1403)
(cherry picked from commit 17bf3c1e16)
2021-08-05 07:16:38 +00:00
dishadasgupta 91e1d1abfc Adding docs for URL Spoofing (#1400)
* Adding docs for urlspoof

* Fixing typo in readme

* Editing documentation to reflect rule upload process

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 7be58b7b09)
2021-08-05 00:14:12 +00:00
Justin Ibarra 121431b40b Refresh ATT&CK mappings to v9.0 (#1401)
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes

(cherry picked from commit d31ea6253e)
2021-08-04 22:17:11 +00:00
Justin Ibarra 742253c61d [Rule tuning] Revise rule description and other text (#1398)
(cherry picked from commit f8f643041a)
2021-08-03 21:08:48 +00:00
Austin Songer fcd2071ca9 [Rule Tuning] NTDS or SAM Database File Copied (#1378)
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit d2365783fa)
2021-08-03 20:29:19 +00:00
Apoorva Joshi 99c9995967 Update Host Risk Score docs (#1397)
(cherry picked from commit 06a9ba6463)
2021-08-03 04:53:06 +00:00
Apoorva Joshi 197bb86459 Adding host risk score docs (#1390)
* Adding host risk score docs
* Highlighting caveats around hostname
* Update host-risk-score.md
* Adding host risk score to the experimental detections readme

(cherry picked from commit c283d2a2f3)
2021-08-02 21:44:26 +00:00
Justin Ibarra 05d01bbfe0 [Rule Tuning] Rule description tweaks (#1388)
(cherry picked from commit b736d6e748)
2021-07-29 18:57:11 +00:00
Ross Wolf 06849a82d8 [CI] Add missing clone for Fleet on-demand job (#1387)
(cherry picked from commit 2e8f7cd13f)
2021-07-27 22:56:37 +00:00
Ross Wolf f6d9295ead [CI] Fix kibana PR command again (#1386)
(cherry picked from commit 92937a1ad1)
2021-07-27 22:30:54 +00:00
Ross Wolf 51f8ea7526 Fix kibana_pr for click.Context (#1385)
(cherry picked from commit 64977b01bd)
2021-07-27 22:04:31 +00:00
Ross Wolf 32c0e9fff5 Disable missing rule check for the version lock (#1384)
(cherry picked from commit c31a344593)
2021-07-27 19:49:31 +00:00
Ross Wolf a534cd4e85 Update the version lock for 7.14.0 and 0.13.3 (#1383)
(cherry picked from commit 5eccaf0cd5)
2021-07-27 18:26:14 +00:00
Justin Ibarra 3c9079faf3 Ensure EQL rules with maxspan have a long enough lookback window (#1361)
* Add the following properties to EQLRuleData:
   - max_span
   - look_back
   - interval_ratio

* Add the following tests:
   - test_eql_lookback
   - test_eql_interval_to_maxspan

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 7759fa2500)
2021-07-22 21:54:04 +00:00
Ross Wolf 0ae93632fc [Rule Tuning] Remove \Program Files*\ style wildcards (#1369)
* Remove \Program Files*\ style wildcards
* Convert string and remove trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex

(cherry picked from commit 7b62fe296d)
2021-07-22 17:56:25 +00:00
Justin Ibarra 8deeab2c4d [Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 4aab1278bf)
2021-07-22 17:10:08 +00:00
Ross Wolf cae7fac266 Fix metadata.extended (#1377)
(cherry picked from commit 5ba1c26cf1)
2021-07-22 16:30:41 +00:00
Ross Wolf 600acca704 [Fleet] Track integrations in folder and metadata (#1372)
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests

(cherry picked from commit 1882f4456c)
2021-07-21 21:25:48 +00:00
Ross Wolf 6d9997435f [Rule Tuning] Convert unusual extension rule to regex (#1368)
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension

(cherry picked from commit 9f3d5328f4)
2021-07-21 17:50:36 +00:00
Ross Wolf fc2f5866a2 [Rule Tuning] Creation of Hidden Files and Directories (#1357)
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex

(cherry picked from commit 9b559d0cd9)
2021-07-21 17:48:37 +00:00
David French f0270973bb [Rule Tuning] Update Google Workspace rules to use google_workspace event schema (#1374)
* use google_workspace event schema

* update to use google_workspace schema

(cherry picked from commit 23626b814c)
2021-07-21 17:39:45 +00:00
dstepanic17 cb3ceb93da [New Rule] Windows Defender Exclusions Added via PowerShell (#1370)
* Added new rule

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Added pwsh.exe to original name

* Added PowerShell MITRE reference

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit fbd4cf2117)
2021-07-21 16:55:08 +00:00
Justin Ibarra 07a7784659 Update cardinality field in schema for threshold rules (#1349)
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array

* Add two new rules to detect agent spoofing

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 163d9e3864)
2021-07-21 16:33:59 +00:00
Austin Songer bc82e214c7 [Rule Tuning] Mimikatz powershell module activity detected (#1297)
* update query
* add indexes

(cherry picked from commit 95e6458c6e)
2021-07-21 07:09:02 +00:00
Andrew Pease ce66c684b0 [Rule Tuning] Add Filebeat and Auditbeat to Network Rules (#1282)
* standardized indices and added the from field

(cherry picked from commit 34df7c6b89)
2021-07-21 07:00:25 +00:00
Austin Songer 324d46ee74 [New Rule] O365 Excessive SSO Logon Errors (#1215)
(cherry picked from commit 64c3f7cdc5)
2021-07-21 06:55:57 +00:00
Austin Songer 55d2780a6e [New Rule] Disable Windows Event and Security Logs (#1181)
(cherry picked from commit c82790f588)
2021-07-21 06:45:33 +00:00
Austin Songer 4d69ad4ae6 [Rule Tuning] Suspicious CertUtil Commands (#1180)
* update name to Suspicious CertUtil Commands
* update description, query, and filename

(cherry picked from commit 4a11ef9514)
2021-07-21 06:27:37 +00:00
Austin Songer 8916b7dd4b [Rule Tuning] External IP Lookup from Non-Browser Process (#1147)
* Added a couple domains

ipapi.co
ip-lookup.net
ipstack.com

(cherry picked from commit 920d973064)
2021-07-21 05:48:34 +00:00
Ross Wolf adc63cd84b Add optional integration field to the schema (#1359)
(cherry picked from commit 816e31cd38)
2021-07-19 18:53:54 +00:00
Samirbous 9b9bebbd27 [New Rule] Parent Process PID Spoofing (#1338)
* [New Rule] Parent Process PID Spoofing

* excluding sihost FPs

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* relinted and added 2 non ecs fields

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 81ab43898c)
2021-07-15 20:56:39 +00:00
Ross Wolf cfc0fdd5db Add 7.14 to the list of target backport branches (#1341)
(cherry picked from commit 809c06ad5f)
2021-07-14 22:30:24 +00:00
Ross Wolf 77c23da1db [CI] Publish to integrations from on-demand job (#1340)
* Add command to publish integrations PR
* Add workflow_dispatch job to publish package
* Get working directory dynamically
* Fix the repo settings
* Get the absolute path for local-repo
* Filter out 'main' branch
* Update the description for target_branch
* Fix workflow definition
* Move 'if' into job
* Update ref format
* Remove unnecessary E501 suppression
* Add a link to the full commit hash
* s/partial_args/prefix_args
2021-07-14 16:19:41 -06:00