security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,648 Commits 1 Branch 0 Tags
8dfa5da3bf41eec3acec83beb6ee15498cd6fbb3
Commit Graph

1873 Commits

Author SHA1 Message Date
Ruben Groenewoud 8dfa5da3bf [New Rules] Potential Port/Subnet Scanning Activity from Compromised Host (#4509) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 16:57:33 +01:00
Ruben Groenewoud fe06843636 [New Rule] Unusual Process Spawned from Web Server Parent (#4513) 2025-03-06 16:46:12 +01:00
Ruben Groenewoud 7ce6aaf566 [New Rule] Unusual Command Execution from Web Server Parent (#4512) 
* [New Rule] Unusual Command Execution from Web Server Parent

* ++
 2025-03-06 16:25:38 +01:00
Kirti Sodhi a1d6ff4a50 Added ML detection-rules for new Security Host package (#4519) 
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
 2025-03-06 19:53:29 +05:30
Mika Ayenson, PhD 49c361dd98 [New Rules] Azure OpenAI (#3701) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-03-04 22:59:38 +05:30
Samirbous b1470a480b [New] WDAC Policy File by an Unusual Process (#4504) 
* [New] WDAC Policy File by an Unusual Process

https://github.com/logangoins/Krueger/tree/main

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update defense_evasion_wdac_policy_by_unusual_process.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-03-04 15:21:58 +00:00
shashank-elastic 467034ee5b Deprecate an APM BBR rule (#4511) 2025-03-04 17:39:45 +05:30
Ruben Groenewoud b9e8115c2f [New Rule] Python Site or User Customize File Creation (#4500) 
* [New Rule] Python Site or User Customize File Creation

* Update persistence_site_and_user_customize_file_creation.toml

* Update persistence_site_and_user_customize_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:30:33 +01:00
Ruben Groenewoud d948279af6 [New Rule] Python Path File (pth) Creation (#4499) 
* [New Rule] Python Path File (pth) Creation

* ++

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:20:00 +01:00
Ruben Groenewoud f70eafb8e7 [New Rule] Successful SSH Authentication from Unusual User (#4481) 
* [New Rule] Succesful SSH Authentication from Unusual User

* Rename initial_access_first_time_public_key_authentication.toml to initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-03 11:55:27 +01:00
Jonhnathan 5653190d08 [Rule Tuning] Remove hardcoded logic from description (#4503) 2025-02-28 14:38:18 -03:00
Ruben Groenewoud 06002cd9ac [New Rule] Kill Command Execution (#4485) 
* [New Rule] Kill Command Execution

* Update defense_evasion_kill_command_executed.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:26:50 +01:00
Ruben Groenewoud 9bb3b9f204 [New Rule] Unusual File Transfer Utility Launched (#4487) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:15:21 +01:00
Ruben Groenewoud 029fd45bb1 [New Rule] Base64 Decoded Payload Piped to Interpreter (#4488) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:01:52 +01:00
Ruben Groenewoud a2a120858f [New Rule] Unusual Base64 Encoding/Decoding Activity (#4486) 
* [New Rule] Unusual Base64 Encoding/Decoding Activity

* Update defense_evasion_base64_decoding_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 10:09:48 +01:00
Ruben Groenewoud 8c250db3c3 [New Rule] Successful SSH Authentication from Unusual IP-Address (#4482) 
* [New Rule] Successful SSH Authentication from Unusual IP-Address

* Apply suggestions from code review

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 09:55:35 +01:00
Ruben Groenewoud 89f79c6e4f [New Rule] Successful SSH Authentication from Unusual SSH Public Key (#4478) 
* [New Rule] First Time Public Key Authentication

* Update initial_access_first_time_public_key_authentication.toml

* Update initial_access_first_time_public_key_authentication.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 09:44:51 +01:00
Ruben Groenewoud fe48309daf [New Rule] Linux User Account Credential Modification (#4484) 
* [New Rule] Linux User Account Credential Modification

* Update rules/linux/persistence_user_credential_modification_via_echo.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 16:42:11 +01:00
Ruben Groenewoud 342e18075b [New Rule] SSH Authorized Keys File Deletion (#4483) 
* [New Rule] Authorized Keys File Deletion

* Apply suggestions from code review

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 16:29:51 +01:00
Samirbous 46c4a80015 [Tuning] Remote File Copy to a Hidden Share (#4494) 
* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 11:50:02 -03:00
Samirbous 7b15acf9dd Update defense_evasion_amsi_bypass_powershell.toml (#4477) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 11:36:15 -03:00
Jonhnathan 0340335cf4 [Rule Tuning] Sysmon rules that uses event.action (#4496) 
* [Rule Tuning] Sysmon rules that uses `event.action`

* Adjust queries

* Fix unit test :thinking-hard:
 2025-02-27 11:24:42 -03:00
Ruben Groenewoud a614da5900 [New Rule] Remote File Creation in World Writeable Directory (#4475) 
* [New Rule] Remote File Creation in World Writeable Directory

* Update rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml

* Update lateral_movement_remote_file_creation_world_writeable_dir.toml

* Update rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
 2025-02-26 10:11:55 +01:00
Ruben Groenewoud 59473f09ac [New Rule] Potential Malware-Driven SSH Brute Force Attempt (#4474) 
* [New Rule] Potential Malware-Driven SSH Brute Force Attempt

* Update impact_potential_bruteforce_malware_infection.toml

* Update rules/linux/impact_potential_bruteforce_malware_infection.toml

* Update impact_potential_bruteforce_malware_infection.toml
 2025-02-26 10:00:31 +01:00
Ruben Groenewoud 758e155231 [New Rule] High Number of Egress Network Connections from Unusual Executable (#4473) 
* [New Rule] High Number of Egress Network Connections from Unusual Executable

* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-02-26 09:43:54 +01:00
Ruben Groenewoud 8a221325e9 [New Rule] Unusual Remote File Creation (#4476) 
* [New Rule] Unusual Remote File Creation

* Description update

* ++

* ++

* Update rules/linux/lateral_movement_unusual_remote_file_creation.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-02-26 09:30:47 +01:00
Jonhnathan 73aaad98f0 [Rule Tuning] MsBuild Making Network Connections (#4479) 
* [Rule Tuning] MsBuild Making Network Connections

* Remove Minstack

* Revert MMinstack removal

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-02-25 10:04:04 -03:00
Jonhnathan bc3e12da38 [Rule Tuning] Adapt Rules to work with Sysmon (#4480) 
* [Rule Tuning] Remove Sysmon from rules that would never trigger based on its events

* bump updated_date

* Update rules/windows/lateral_movement_incoming_wmi.toml

* Update Logic to support sysmon data

* Update command_and_control_tool_transfer_via_curl.toml
 2025-02-25 09:54:18 -03:00
Samirbous 8e3ad57672 Update defense_evasion_via_filter_manager.toml (#4493) 2025-02-25 09:29:36 +00:00
Terrance DeJesus 4b7aa67213 [New Rule] Adding Coverage for M365 OneDrive Excessive File Downloads with OAuth Token (#4469) 
* new rule 'M365 OneDrive Excessive File Downloads with OAuth Token'

* removed Azure data source tag; added saas tag

* removed Azure data source tag; added saas tag

* updated mitre mappings

* added tactic:collection tag

* removed file directory, added targeted_time_window to aggregation
 2025-02-21 10:45:04 -05:00
Terrance DeJesus 0b98462cfe [New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458) 
* new hunting queries for SNS

* added KEEP to all queries; adjusted description in SNS rule
 2025-02-20 10:53:36 -05:00
Terrance DeJesus ec4523a6a9 [Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466) 
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'

* bumping patch version

* fixed investigation guide unit test failure

* bump patch
 2025-02-20 10:29:04 -05:00
Terrance DeJesus 17ea9fbdd5 [New Rule] Adding Coverage for AWS SNS Topic Created by Rare User (#4455) 
* new rule 'AWS SNS Topic Created by Rare User'

* changed file name

* Update rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml

* moved new terms link to investigation guide
 2025-02-20 10:05:40 -05:00
shashank-elastic 692a1382bf Fix spacing in Setup information (#4470) 2025-02-20 10:04:13 +05:30
Jonhnathan c0f12ddecf [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464) 
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags

* Format & order

* Update pyproject.toml

* Update credential_access_cookies_chromium_browsers_debugging.toml
 2025-02-19 12:54:31 -03:00
Jonhnathan b951e86a55 [Rule Tuning] Account Configured with Never-Expiring Password (#4459) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-02-17 07:19:33 -03:00
Jonhnathan 15177246cc [Rule Tuning] Windows - Improve Index Pattern Consistency (#4462) 2025-02-17 07:04:34 -03:00
Jonhnathan 5155f47b86 [Rule Tuning] Event Aggregation - Fix event.action & event.type conditions (#4445) 
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions

* .

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-07 18:42:28 -03:00
Samirbous 27e8b85840 Update execution_windows_script_from_internet.toml (#4452) 2025-02-07 14:52:56 +00:00
Mika Ayenson c7f5385711 [Rule Tuning] Decrease Interval to 1m for Endpoint Promotions (#4450) 2025-02-07 08:30:35 -06:00
Jonhnathan be54140485 [Rule Tuning] SMB Connections via LOLBin or Untrusted Process (#4444) 2025-02-05 17:32:57 -03:00
Jonhnathan 0268daa17d [Rule Tuning] Tighten Up Elastic Defend Indexes - Linux (#4446) 2025-02-05 15:25:45 -03:00
Jonhnathan ab89dfb98d [Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447) 2025-02-05 15:09:27 -03:00
Jonhnathan 3e0ba33749 [Rule Tuning] Remote Execution via File Shares (#4448) 2025-02-05 14:51:47 -03:00
Ruben Groenewoud 32975e5155 [Rule Tuning] Port Scan Rules (#4443) 2025-02-05 15:40:27 +01:00
shashank-elastic a866ee7f57 Fix remaining Replace master doc URLs with current (#4441) 2025-02-03 23:03:20 +05:30
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Samirbous 8f73b88884 [Tuning / New] Execution of a downloaded windows script (#4434) 
* [New] Execution of a downloaded windows script

using 8.15 file events with MOTW info we can focus on js/vbs/wsh/vbe/jse/hta downloaded from internet followed by execution

* Update defense_evasion_posh_assembly_load.toml

* Update execution_powershell_susp_args_via_winscript.toml

* Update guides

* Update defense_evasion_network_connection_from_windows_binary.toml

* Update execution_windows_script_from_internet.toml

* Update execution_windows_script_from_internet.toml

* Update rules/windows/execution_windows_script_from_internet.toml

* Update rules/windows/execution_powershell_susp_args_via_winscript.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/execution_windows_script_from_internet.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update execution_windows_script_from_internet.toml

* Create command_and_control_tool_transfer_via_curl.toml

* Update command_and_control_tool_transfer_via_curl.toml

* Update command_and_control_tool_transfer_via_curl.toml

* Update execution_windows_script_from_internet.toml

* Create defense_evasion_indirect_exec_forfiles.toml

* Update execution_windows_script_from_internet.toml

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-02-03 14:33:59 +00:00
Ruben Groenewoud 8d29a1f7d5 [New Rule] Process Backgrounded by Unusual Parent (#4431) 
* [New Rule] Process Backgrounded by Unusual Parent

* Update execution_process_backgrounded_by_unusual_parent.toml

* Update execution_process_backgrounded_by_unusual_parent.toml
 2025-02-03 14:17:15 +01:00
Ruben Groenewoud 14c648598e [Rule Tuning] Linux DR Tuning - Part 6 (#4423) 
* [Rule Tuning] Linux DR Tuning - Part 6

* Update privilege_escalation_ld_preload_shared_object_modif.toml

* Update privilege_escalation_ld_preload_shared_object_modif.toml
 2025-02-03 14:05:26 +01:00