security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
740 Commits 1 Branch 0 Tags
8a3220ef6a29d7b599ed56ba6790e170fe4d3bea
Commit Graph

545 Commits

Author SHA1 Message Date
dstepanic17 689e690f8c [New rule] Webshell Detection (#1448) 
* [new-rule] Webshell Detection

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Added FP note section

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 8ddffc298b)
 2021-08-24 20:19:32 +00:00
Justin Ibarra cc75f645b6 [Rule Tuning] Add technique T1005 to 2 rules (#1405) 
(cherry picked from commit 8099e1c733)
 2021-08-20 08:20:32 +00:00
Austin Songer 94190321c1 [Rule Tuning] AWS Security Group Configuration Change Detection (#1426) 
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration

(cherry picked from commit 3b29498907)
 2021-08-15 04:35:07 +00:00
Christian Clauss 604fd2a18f Fix typos discovered by codespell (#1430) 
(cherry picked from commit ddec37b731)
 2021-08-15 04:30:11 +00:00
Austin Songer e170935f1f [New Rule] AWS EC2 Security Group Configuration Change Detection (#1144) 
(cherry picked from commit 67ba66c8e7)
 2021-08-12 19:38:05 +00:00
David French 9e6c107de5 [New Rule] Whitespace Padding in Process Command Line (#1392) 
* Create defense_evasion_whitespace_padding_in_command_line.toml

* add newline

* update description

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 14493689b9)
 2021-08-11 16:16:05 +00:00
Justin Ibarra 121431b40b Refresh ATT&CK mappings to v9.0 (#1401) 
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes

(cherry picked from commit d31ea6253e)
 2021-08-04 22:17:11 +00:00
Justin Ibarra 742253c61d [Rule tuning] Revise rule description and other text (#1398) 
(cherry picked from commit f8f643041a)
 2021-08-03 21:08:48 +00:00
Austin Songer fcd2071ca9 [Rule Tuning] NTDS or SAM Database File Copied (#1378) 
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit d2365783fa)
 2021-08-03 20:29:19 +00:00
Justin Ibarra 05d01bbfe0 [Rule Tuning] Rule description tweaks (#1388) 
(cherry picked from commit b736d6e748)
 2021-07-29 18:57:11 +00:00
Ross Wolf 0ae93632fc [Rule Tuning] Remove \Program Files*\ style wildcards (#1369) 
* Remove \Program Files*\ style wildcards
* Convert string and remote trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex

(cherry picked from commit 7b62fe296d)
 2021-07-22 17:56:25 +00:00
Justin Ibarra 8deeab2c4d [Rule Tuning] Update EQL rules with lookback < maxspan (#1362) 
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 4aab1278bf)
 2021-07-22 17:10:08 +00:00
Ross Wolf 600acca704 [Fleet] Track integrations in folder and metadata (#1372) 
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests

(cherry picked from commit 1882f4456c)
 2021-07-21 21:25:48 +00:00
Ross Wolf 6d9997435f [Rule Tuning] Convert unusual extension rule to regex (#1368) 
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension

(cherry picked from commit 9f3d5328f4)
 2021-07-21 17:50:36 +00:00
Ross Wolf fc2f5866a2 [Rule Tuning] Creation of Hidden Files and Directories (#1357) 
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex

(cherry picked from commit 9b559d0cd9)
 2021-07-21 17:48:37 +00:00
David French f0270973bb [Rule Tuning] Update Google Workspace rules to use google_workspace event schema (#1374) 
* use google_workspace event schema

* update to use google_workspace schema

(cherry picked from commit 23626b814c)
 2021-07-21 17:39:45 +00:00
dstepanic17 cb3ceb93da [New Rule] Windows Defender Exclusions Added via PowerShell (#1370) 
* Added new rule

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Added pwsh.exe to original name

* Added PowerShell MITRE reference

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit fbd4cf2117)
 2021-07-21 16:55:08 +00:00
Justin Ibarra 07a7784659 Update cardinality field in schema for threshold rules (#1349) 
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array

* Add two new rules to detect agent spoofing

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 163d9e3864)
 2021-07-21 16:33:59 +00:00
Austin Songer bc82e214c7 [Rule Tuning] Mimikatz powershell module activity detected (#1297) 
* update query
* add indexes

(cherry picked from commit 95e6458c6e)
 2021-07-21 07:09:02 +00:00
Andrew Pease ce66c684b0 [Rule Tuning] Add Filebeat and Auditbeat to Network Rules (#1282) 
* standardized indices and added the from field

(cherry picked from commit 34df7c6b89)
 2021-07-21 07:00:25 +00:00
Austin Songer 324d46ee74 [New Rule] O365 Excessive SSO Logon Errors (#1215) 
(cherry picked from commit 64c3f7cdc5)
 2021-07-21 06:55:57 +00:00
Austin Songer 55d2780a6e [New Rule] Disable Windows Event and Security Logs (#1181) 
(cherry picked from commit c82790f588)
 2021-07-21 06:45:33 +00:00
Austin Songer 4d69ad4ae6 [Rule Tuning] Suspicious CertUtil Commands (#1180) 
* update name to Suspicious CertUtil Commands
* update description, query, and filename

(cherry picked from commit 4a11ef9514)
 2021-07-21 06:27:37 +00:00
Austin Songer 8916b7dd4b [Rule Tuning] External IP Lookup from Non-Browser Process (#1147) 
* Added a couple domains

ipapi.co
ip-lookup.net
ipstack.com

(cherry picked from commit 920d973064)
 2021-07-21 05:48:34 +00:00
Samirbous 9b9bebbd27 [New Rule] Parent Process PID Spoofing (#1338) 
* [New Rule] Parent Process PID Spoofing

* excluding sihost FPs

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* relinted and added 2 non ecs fields

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 81ab43898c)
 2021-07-15 20:56:39 +00:00
Oliver Gupte 7ec97e622f [APM] Adds APM data stream 'traces-apm*' to apm rules (#105334) (#1335) 2021-07-13 07:04:58 -06:00
Samirbous 89420ae976 [New Rule] Potential PrintNightmare Exploitation rules (#1326) 
* [New Rule] Potential PrintNightmare Exploitation rules

* added Potential PrintNightmare File Modification

* added spoolsv as process name to narrow more the scope

* added Suspicious Print Spooler File Deletion

* removed Suspicious Print Driver Registry Modification cuz of potential noise

* Update privilege_escalation_printspooler_malicious_registry_modification.toml

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adjusted description and added a comment for sysmon compatibility

* added FP note and relinted all files

* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-07-07 18:56:39 +02:00
Samirbous 9fadc4c1dc [New Rule] Complementary Rules for Recent REvil TTPs (#1329) 
* [New Rule] Complementary Rules for Recent REvil TTPs

* added OFN

* relinted and added T1574.002

* removed new line

* Update defense_evasion_disabling_windows_defender_powershell.toml

* corrected rule name

* added a reference url

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2021-07-07 17:02:40 +02:00
Justin Ibarra 63a39665e3 Make "config" in note field consistent (#1310) 
* Add test to ensure consistent config in note field
* Update inconsistent rule
 2021-07-06 15:54:01 -08:00
Ross Wolf c82e89ad34 Add min_stack_version to 7.14+ only rules (#1321) 2021-07-06 13:42:09 -06:00
Austin Songer 8e451f2318 [New Rule] AWS RDS Security Group Created (#1260) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-06-22 16:14:56 -08:00
Austin Songer fe14cd23ed [New Rule] AWS RDS Security Group Deleted (#1261) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-06-22 16:09:15 -08:00
Austin Songer 9d4574b267 [New Rule] AWS RDS Instance Creation (#1269) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-06-22 16:02:48 -08:00
Austin Songer ccae1dc841 [New Rule] AWS RDS Snapshot Export (#1270) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-06-22 15:58:13 -08:00
Austin Songer c215c44809 [Rule Tuning] Potential password spraying of microsoft 365 user accounts (#1164) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-22 13:36:13 -04:00
Ross Wolf 31f63e728e Switch from process.ppid to process.parent.pid (#1255) 
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date
 2021-06-22 09:10:28 -06:00
Brent Murphy d8ef9a81ef [Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account (#1251) 
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* add authors
 2021-06-22 08:38:49 -06:00
Brent Murphy a8c9d7174f Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml (#1225) 2021-06-22 10:22:01 -04:00
Austin Songer ea9a23af8d [New Rule] AWS Route 53 Domain Transferred to Another Account (#1198) 2021-06-21 22:08:59 -08:00
Austin Songer 2cadee1718 [New Rule] AWS Route 53 Domain Transfer Lock Disabled (#1197) 2021-06-21 22:05:53 -08:00
Austin Songer d7e0e37e54 [New Rule] EC2 Full Network Packet Capture Detected (#1175) 2021-06-21 22:00:48 -08:00
Austin Songer 6986f28af6 [New Rule] Azure Service Principal Credentials Added (#1169) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-06-21 21:49:45 -08:00
Apoorva Joshi e41fe620e6 [New Rule] Add detection rules for auth ML jobs (#1283) 
* Adding detection rules for auth ML jobs

* name prefix

added the prefix "auth" to the file names

* Added descriptions

* Adding new lines and updating license

* FP text

added FP metadata

Co-authored-by: Craig <mailredirector36@gmail.com>
 2021-06-16 16:00:17 -07:00
Justin Ibarra e0fa25ae8e Fix rules which were note using v2 license (#1291) 2021-06-16 08:21:30 -06:00
Ross Wolf 49cb2e8dbf [Bug] Fix ML job IDs that used hyphens (#1287) 
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date
 2021-06-15 11:40:47 -06:00
David French 177cfc85bf [Rule Tuning] Attempts to Brute Force an Okta User Account (#1216) 
* update rule.threshold field value

* add rule authors

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-06-15 10:07:51 -06:00
Apoorva Joshi 1f7c88c6f4 Updating rules to query v2 (#1254) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-06-15 07:20:50 -07:00
Brent Murphy 12577f7380 [Rule Tuning] Update network rule address blocks (#1227) 
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-15 09:22:59 -04:00
Austin Songer 546e43071c [Rule Tuning] Attempts to brute force a microsoft 365 user account (#1163) 
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-15 09:20:20 -04:00
Brent Murphy 13bf55480a Update persistence_suspicious_com_hijack_registry.toml (#1244) 2021-06-14 09:00:22 -04:00