Commit Graph

897 Commits

Author SHA1 Message Date
Terrance DeJesus 8c19e9ff6c [New Rule] Bitlocker Settings Disabled - Google Workspace (#2288)
* adding new rule

* adjusted UUID
2022-09-12 16:06:01 -04:00
TotalKnob 3ba777c1b1 [Rule Tuning] Disable Windows Firewall Rules via Netsh (#2231)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 13:10:08 -04:00
Terrance DeJesus 6a6ef0ce11 [New Rule] Restrictions for Google Marketplace Modified to Allow Any App - Google Workspace (#2268)
* adding new rule

* adjusted UUID to address unit testing failures

* adjusted UUID to address unit testing failures

* adjusted references
2022-08-26 12:43:30 -04:00
Terrance DeJesus bd6befb168 [New Rule] Google Drive Ownership Transferred (#2265)
* adding new rule

* adjusted query format

* adjusted file and rule name to include google workspace

* Update collection_google_drive_ownership_transferred_via_google_workspace.toml

Fixed a couple minor typos

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-08-26 12:41:10 -04:00
Terrance DeJesus 18df50443c [Rule Tuning] Admin Role Assigned to User - Google Workspace (#2266)
* tuning rule query and att&ck mappings

* adjusted description and query formatting

* Update rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adjusted risk and severity

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:35:44 -04:00
Terrance DeJesus cd2539f1eb [New Rule] User Group Access Modified to Allow External Access (#2264)
* adding new rule

* adjusting rule name, file name and description

* adjusted att&ck technique

* adjusted file and rule name to include google workspace

* adjusted references

* Update persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml

Fixed minor typo

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-08-26 12:25:29 -04:00
Terrance DeJesus c0a339e277 [New Rule] 2SV Policy Disabled - Google Workspace (#2271)
* adding new rule

* adjusted file name, query and rule name
2022-08-26 12:22:54 -04:00
Terrance DeJesus e5399bc148 [New Rule] Application Removed from Blocklist - Google Workspace (#2267)
* adding new rule

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:16:41 -04:00
TotalKnob 97e42d01d8 [Rule Tuning] SUNBURST Command and Control Activity (#2232)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 13:11:22 -03:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259)
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00
TotalKnob 023fbc7bbd [Rule Tuning] Clearing Windows Event Logs (#2233)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 21:41:30 -03:00
Mika Ayenson dfef597794 [Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service (#2192) 2022-08-23 10:10:40 -04:00
Mika Ayenson 2204459e73 [Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172) 2022-08-23 09:59:43 -04:00
Mika Ayenson 2326b30a87 [Rule Tuning] Suspicious Browser Child Process (#2138) 2022-08-23 09:56:23 -04:00
Jonhnathan c5ff8511a9 [Rule Tuning] Abnormal Process ID or Lock File Created (#2113)
* [Rule Tuning] Abnormal Process ID or Lock File Created

* Update rules/linux/execution_abnormal_process_id_file_created.toml

* Update execution_abnormal_process_id_file_created.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-08-23 09:59:31 -03:00
Jonhnathan 6631c4927d [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#2240)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-23 09:43:09 -03:00
Jonhnathan 6e2d20362a [Rule Tuning] Standardizing Risk Score according to Severity (#2242) 2022-08-21 22:29:39 -03:00
Samirbous d3420e3386 [Deprecate Rule] Suspicious Process from Conhost (#2222)
Only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:32:24 +02:00
Samirbous 8e0ae64a04 [Rule Tuning] Whoami Process Activity (#2224)
* added Whoami Process Activity

* Update discovery_whoami_command_activity.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-16 16:26:10 +02:00
Samirbous 0f7b29918c [Rule Tuning] Suspicious Execution via Scheduled Task (#2235)
Excluding `?:\\ProgramData` and a few other noisy FP patterns by process.args + name to reduce users' alert fatigue.
2022-08-15 21:50:23 +02:00
Samirbous b89d6185b2 [Rule Tuning] Reduce FPs (#2223)
9 rules tuned to exclude common noisy FP patterns.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-15 09:15:48 -05:00
Jonhnathan fc7a384d19 [Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144)
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2

* update date

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-08-08 21:34:05 -03:00
Mika Ayenson d1bc53e295 [Rule Tuning] Persistence via Folder Action Script (#2174)
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:36:05 -04:00
Mika Ayenson 4f55e9b05f [Rule Tuning] Potential Persistence via Login Hook (#2177)
* Exclude FPs for iMazing Profile Editor and backupd
2022-08-05 14:25:31 -04:00
Mika Ayenson 058f11f650 [Rule Tuning] Sublime Plugin or Application Script Modification (#2180)
* expand filter to sublime text contents

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:15:28 -04:00
TotalKnob b043695833 Remove ambiguity from impact_modification_of_boot_config.toml (#2199)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-05 10:38:41 -03:00
Terrance DeJesus a76c51ae17 [Deprecation rule] DNS Activity to the Internet (#2221) 2022-08-02 20:59:35 -05:00
Mika Ayenson ecd10b672a [Rule Tuning] Execution with Explicit Credentials via Scripting (#2190)
* add case sensitive Python process name and T1548
2022-08-02 14:21:00 -04:00
Mika Ayenson d8e0c0fee3 [Rule Tuning] Suspicious Calendar File Modification (#2187)
* exclude fps for Mail.app
2022-08-02 14:06:57 -04:00
Samirbous 50bb821708 [Rules Tuning] Add support for Sysmon ImageLoad Events (#2215)
* [Rules Tuning] Add support for Sysmon ImageLoad Events

added correct event.category and event.action to rules using library events to support sysmon eventid 7.

`event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")`

`dll.name` --> `file.name`

* added Suspicious RDP ActiveX Client Loaded

* Delete workspace.xml
2022-08-02 18:40:26 +02:00
Samirbous b15f0de9a4 [Rules Tuning] Diverse Windows Rules - FPs reduction (#2213)
* [Rules Tuning] 7 diverse Windows rules

Excluding FP patterns while avoiding breaking compat with winlogbeat and 4688 events' lack of codesign metadata.

* Update initial_access_suspicious_ms_exchange_process.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update execution_psexec_lateral_movement_command.toml

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml
2022-08-02 18:37:07 +02:00
Samirbous a046dc0d29 [Deprecate rule] Whitespace Padding in Process Command Line (#2218)
Very noisy and will require frequent tuning, with a very low TP rate.
2022-08-02 18:30:57 +02:00
Samirbous e5ee8e024f [Deprecate Rule] File and Directory Discovery (#2217)
* [Deprecate Rule] File and Directory Discovery

Very noisy and most, if not all, are FPs; little room for tuning without rendering the rule easy to bypass.

* Delete workspace.xml
2022-08-02 17:57:28 +02:00
shashank-elastic 19d9a7eb87 Rule tuning as part of Linux Detection Rules Review (#2210) 2022-08-02 17:46:57 +05:30
Samirbous 04dcf09c03 [Rule Tuning] Suspicious Process Creation CallTrace (#2207)
Excluding some FPs by process.parent.executable and process.parent.args.
2022-08-01 19:00:13 +02:00
Samirbous 1f21c5c57f [Rule Tuning] Unusual Service Host Child Process - Childless Service (#2208)
Excluding some noisy unique processes.
2022-08-01 18:40:45 +02:00
Samirbous 8d34416049 [Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209)
* [Deprecated Rule] Potential Privilege Escalation via Local Kerberos Relay over LDAP

FPs in certain cases with no room for tuning.

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-01 18:28:26 +02:00
Samirbous a22fef8723 [Rule Tuning] Suspicious Process Access via Direct System Call (#2204)
Excluding some FPs by calltrace.
2022-08-01 18:16:08 +02:00
Samirbous 6f69695820 [Rule Tuning] Remotely Started Services via RPC (#2211)
* [Rule Tuning] Remotely Started Services via RPC

Excluding noisy FPs by process.executable to be compatible with winlog and endpoint.

* Update lateral_movement_remote_services.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-08-01 18:11:11 +02:00
Samirbous 91896db453 [Rule Tuning] Process Termination followed by Deletion (#2206)
Excluded some FPs by process.executable and file.path.
2022-08-01 18:01:31 +02:00
Samirbous 049fbf7979 [Rule Tuning] Potential Remote Credential Access via Registry (#2203)
* [Rule Tuning] Potential Remote Credential Access via Registry

Excluding some noisy FPs by file.path (user and machine hives std paths) and event.action (scoped to logged-in)

* Update credential_access_remote_sam_secretsdump.toml
2022-08-01 17:49:39 +02:00
Samirbous 527507835f [Rule Tuning] Kerberos Traffic from Unusual Process (#2202)
Excluding a couple of FPs by process.executable to reduce the FP rate.
2022-07-29 22:27:59 +02:00
Isai 386a8202c0 [Rule Tuning] Persistence via Update Orchestrator Service Hijack (#2195)
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack

I changed the query to exclude FPs for safe executables found in telemetry: MoUsoCoreWorker.exe and OfficeC2RClient.exe. Changed the query type to KQL to account for the wildcard needed to capture 2 of the executable paths found in telemetry. I'm open to changing back to eql with suggestions.

* Update persistence_via_update_orchestrator_service_hijack.toml

revert back to eql

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-07-29 16:11:16 -04:00
Samirbous 6d61a68c29 [Rule Tuning] Modification of WDigest Security Provider (#2201)
Excluding svchost.exe running as SYSTEM (main source of FPs for this use case).
2022-07-29 19:45:33 +02:00
shashank-elastic b2b5c170dd Rule(s) to identify potential mining activities (#2185) 2022-07-29 23:00:18 +05:30
shashank-elastic 8afded11e7 Rule tuning as part of Linux Detection Rules Review (#2170) 2022-07-29 21:55:49 +05:30
Colson Wilhoit 998afcf9c4 [Rule Tuning] MacOS Installer Package Net Event (#2193)
* [Rule Tuning] MacOS Installer Package Net Event

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update execution_installer_package_spawned_network_event.toml

just deleting a typo

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-07-28 15:16:10 -05:00
Isai 026a822840 [New Rule] Kubernetes Suspicious Self-Subject Review (#2067)
* Create discovery_suspicious_self_subject_review.toml

Adding new rule

* non-ecs-schema fields added and query change to specify fields

added non ecs-schema fields for all coming k8s rules and added specific fields to the query instead of using regex

* Update discovery_suspicious_self_subject_review.toml

* Update rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 15:30:47 -04:00
Isai 3d88dc2cf5 [New Rule] Kubernetes Privileged Pod Created (#2070)
* new rule privileged pod created

created toml for new rule and added to the non-ecs-schema with all fields

* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 15:19:15 -04:00
Isai 80734b3f21 [New Rule] Kubernetes Pod Created With HostPID (#2071)
* [New Rule] Kubernetes Pod Created With HostPID

new rule toml for pod created with hostPID and updated non-ecs-schema with all k8s fields

* Update privilege_escalation_pod_created_with_hostpid.toml

* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 14:51:17 -04:00