security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,204 Commits 1 Branch 0 Tags
8d3ec2b8a3ed2a00645fce573c52ff24dd78c4fb
Commit Graph

695 Commits

Author SHA1 Message Date
Jonhnathan 8d3ec2b8a3 [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-08-01 14:06:08 -03:00
Jonhnathan 65cacb4960 [New Rule] Potential Active Directory Replication User Backdoor (#3014) 
* [New Rule] Potential Active Directory Replication User Backdoor

* Update credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-31 12:02:34 -03:00
shashank-elastic dce5bbd904 Update Rule minstack (#3925) 2024-07-25 17:45:55 +05:30
Jonhnathan 5536a78d89 [New Rule] Potential WSUS Abuse for Lateral Movement (#3908) 
* [New Rule] Potential WSUS Abuse for Lateral Movement

* Update lateral_movement_via_wsus_update.toml

* Update lateral_movement_via_wsus_update.toml
 2024-07-22 17:04:08 -03:00
Jonhnathan 6bc1913473 [Rule Tuning] PowerShell Rules (#3903) 2024-07-22 08:39:40 -03:00
Samirbous 6ac278df0c [tuning] Connection to Commonly Abused Web Services (#3901) 
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-18 09:59:53 -03:00
Jonhnathan 1384742f07 [New Rule] Service DACL Modification via sc.exe (#3900) 
* [New Rule] Service DACL Modification via sc.exe

* Update defense_evasion_sc_sdset.toml

* Update defense_evasion_sc_sdset.toml
 2024-07-17 19:39:50 -03:00
Jonhnathan ffb68174f9 [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#3887) 2024-07-15 06:41:45 -03:00
Jonhnathan 6e7ece4384 [Rule Tuning] Fix event.action conditions - AD Rules (#3874) 2024-07-10 10:33:14 -03:00
ar3diu b303b8296b [Rule Tuning] LSASS Memory Dump Creation (#3810) 
* Update rule exclusion with process executable path for Windows Fault Reporting binary, WerFaultSecure.exe.

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
 2024-07-10 06:12:38 -05:00
shashank-elastic b66d6e06aa Fix Double Bump For Rule Microsoft Management Console File from Unusual Path (#3878) 2024-07-09 17:59:51 +05:30
Samirbous 801aab82cc [New] Sensitive Registry Hive Access via RegBack (#3855) 
* Create credential_access_regback_sam_security_hives.toml

* Update credential_access_regback_sam_security_hives.toml

* Update rules/windows/credential_access_regback_sam_security_hives.toml

* Apply suggestions from code review

* Update rules/windows/credential_access_regback_sam_security_hives.toml

* Update credential_access_regback_sam_security_hives.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-05 07:50:23 +01:00
Samirbous 15e9c9aa5e [Tuning] Ransomware over SMB (#3808) 
* [Tuning] Ransomware over SMB

* Update impact_ransomware_file_rename_smb.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 07:26:57 +01:00
Joe Desimone 8dc0963ae6 [Rule Tuning] LSASS Process Access via Windows API (#3824) 
* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* fix merge

* newline

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-04 21:45:46 +01:00
Jonhnathan 208e330b44 [New Rule] Potential PowerShell Obfuscated Script (#3864) 
* [New Rule[ Potential PowerShell Obfuscated Script

* Update defense_evasion_posh_obfuscation.toml

* Update rules/windows/defense_evasion_posh_obfuscation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-04 09:26:32 -03:00
ar3diu 5048bc26bd [Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806) 
* Add "by host.id" argument to the sequence command in the rule query.

* Update collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-03 10:39:15 -04:00
Jonhnathan d5c34b5750 [Rule Tuning] Unusual File Creation - Alternate Data Stream (#3848) 2024-07-01 13:45:19 -03:00
Samirbous b97069c3e9 Update defense_evasion_microsoft_defender_tampering.toml (#3840) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-06-28 08:16:11 +01:00
Jonhnathan 7693d785aa [Rule Tuning] LSASS Process Access via Windows API (#3839) 2024-06-27 12:22:13 -03:00
Samirbous 17a07020f3 [New] Microsoft Management Console File from Unusual Path (#3834) 
* [New] Windows Script Execution via MMC Console File

* Update execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

* Update rules/windows/execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-06-27 11:32:45 +01:00
Jonhnathan deb08fd28d [New Rule] AD Group Modification by SYSTEM (#3833) 
* [New Rule] AD Group Modification by SYSTEM

* .

* Update rules/windows/persistence_group_modification_by_system.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Tighten up indexes

* Update persistence_group_modification_by_system.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-26 18:56:01 -03:00
Jonhnathan 54d5b442cf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825) 
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests
 2024-06-26 11:06:27 -03:00
Jonhnathan c20318d0d0 [New Rule] Potential Privilege Escalation via Service ImagePath Modification (#3757) 
* [New Rule] Potential Privilege Escalation via Service ImagePath Modification

* Update privilege_escalation_reg_service_imagepath_mod.toml

* [New Rule] NTDS Dump via Wbadmin

* Revert "[New Rule] NTDS Dump via Wbadmin"

This reverts commit 09fd513b1e8b35e22c7d1a371b0aa5aa4837cdc5.

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update privilege_escalation_reg_service_imagepath_mod.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-20 10:41:53 -03:00
Jonhnathan 236444200b [New Rule] NTDS Dump via Wbadmin (#3758) 
* [New Rule] NTDS Dump via Wbadmin

* Update rules/windows/credential_access_wbadmin_ntds.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-20 09:55:07 -03:00
Jonhnathan 3fd9bae611 [New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748) 2024-06-20 09:34:27 -03:00
Jonhnathan 6a0ac563a0 Create defense_evasion_reg_disable_enableglobalqueryblocklist.toml (#3734) 2024-06-20 09:23:06 -03:00
Jonhnathan 4eff7c6c87 [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll (#3717) 
* [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll

* Update privilege_escalation_dns_serverlevelplugindll.toml

* Update privilege_escalation_dns_serverlevelplugindll.toml

* Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-12 15:18:31 -03:00
shashank-elastic 0a69c19c83 Update Minstack versions for SentinelOne rules (#3777) 2024-06-11 18:58:26 +05:30
Jonhnathan 087e8a6e85 [Rule Tuning] User Added to Privileged Group (#3763) 
* [New Rule] User Added to Privileged Group

* add more groups

* Update rules/windows/persistence_user_account_added_to_privileged_group_ad.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update persistence_user_account_added_to_privileged_group_ad.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-06-07 13:43:30 -03:00
shashank-elastic e357a2c050 Refresh MITRE Attack v15.1.0 (#3725) 2024-06-04 20:14:58 +05:30
Samirbous 603f3c313a Update impact_high_freq_file_renames_by_kernel.toml (#3707) 2024-05-23 17:59:58 +01:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Jonhnathan d023ad66b1 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627) 
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-20 09:50:57 -03:00
Jonhnathan 0eef7f62ff [Rule Tuning] Windows Service Installed via an Unusual Client (#3671) 
* [Rule Tuning] Windows Service Installed via an Unusual Client

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-15 10:31:44 -03:00
Samirbous a1ef8c9fc0 [New] Unusual Execution via Microsoft Common Console File (#3663) 
* [New] Unusual Execution via Microsoft Common Console File

https://www.genians.co.kr/blog/threat_intelligence/facebook

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_initial_access_via_msc_file.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-05-14 15:07:26 +01:00
Samirbous 83462a3087 [New] Potential File Download via a Headless Browser (#3660) 
* [New] Potential File Download via a Headless Browser

* Update command_and_control_headless_browser.toml

* Update command_and_control_headless_browser.toml

* Update command_and_control_common_webservices.toml

* Update command_and_control_headless_browser.toml

* Update command_and_control_headless_browser.toml
 2024-05-14 13:55:14 +01:00
Jonhnathan 6150f222b2 [New Rule] Alternate Data Stream Creation at Volume Root Directory (#3517) 
* [New Rule] Alternate Data Stream Creation at Volume Root Directory

* Update defense_evasion_root_dir_ads_creation.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-13 08:35:12 -03:00
Jonhnathan f85d7482fd [New Rule] Potential PowerShell HackTool Script by Author (#2472) 
* [New Rule] Potential PowerShell HackTool Script by Author

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-09 13:00:41 -03:00
Samirbous 7a61070e08 [Tuning] Component Object Model Hijacking (#3655) 
* [Tuning] Component Object Model Hijacking

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-08 17:44:35 +01:00
Samirbous 4a2e2764cd [New] Ransomware over SMB (#3638) 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml
 2024-05-07 06:38:14 +01:00
Samirbous 8f6de1c235 [New] Potential privilege escalation via CVE-2022-38028 (#3616) 
* [New] Potential privilege escalation via CVE-2022-38028

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-29 15:10:27 +01:00
Terrance DeJesus 69d42ecc71 updating performance note (#3608) 2024-04-18 16:36:07 -04:00
Terrance DeJesus 25dafb68f1 [Rule Tuning] Reverting To Previous Version (#3607) 2024-04-18 15:19:27 -04:00
Terrance DeJesus 91e69ac322 [Rule Tuning] Tuning Account Password Reset Remotely (#3478) 
* tuning 'Account Password Reset Remotely'

* adjusted note

* fixing description

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated note about performance; toml lint

* bumping min-stack to resolve version lock

* reverting query to main

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-04-18 12:49:32 -04:00
Jonhnathan 6ae0902a38 [New Rule] Potential Windows Session Hijacking via CcmExec (#3602) 
* [New Rule] Potential Windows Session Hijacking via CcmExec

* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-04-18 12:57:35 -03:00
Jonhnathan 5004ff115c [Rule Tuning] Further Tight up Elastic Defend Index Patterns (#3584) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-16 13:26:42 -03:00
Jonhnathan c2d1586270 [Rule Tuning] Windows BBR Promotion (#3577) 
* [Rule Tuning] Windows BBR Promotion

* Update non-ecs-schema.json

* Update persistence_netsh_helper_dll.toml

* Update persistence_werfault_reflectdebugger.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"

This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.

* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"

This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.

* Revert "Update discovery_security_software_wmic.toml"

This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-16 09:28:17 -03:00
Samirbous 919a438257 Update defense_evasion_untrusted_driver_loaded.toml (#3596) 
excluding `errorCode_endpoint:*` status (noisy)
 2024-04-15 14:52:39 +01:00