security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,404 Commits 1 Branch 0 Tags
92fe46b8ffe7a7c346a5e2df7ca6df84b1aa8d0a
Commit Graph

2404 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
shashank-elastic 92fe46b8ff Fix Minstack version for windows integration (#4214) 2024-10-28 19:28:10 +05:30
Ruben Groenewoud 9e4fce6586 [Rule Tuning] Potential Linux Hack Tool Launched (#4191) 2024-10-25 17:23:48 +02:00
Ruben Groenewoud b0bba39007 [Rule Tuning] Linux User Added to Privileged Group (#4206) 2024-10-25 14:21:20 +02:00
protections machine 5d9b295bb6 Sync RTA Potential Mining Pool Command Detection (#4204) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-24 21:47:17 +05:30
protections machine ae2adc766d Sync RTA Renice or Ulimit Execution from Unusual Parent (#4203) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-24 21:38:49 +05:30
protections machine 4d41496e1d Sync RTA Linux Powershell Egress Network Connection (#4202) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-24 20:35:15 +05:30
protections machine 933020a5c1 Sync RTA Suspicious Execution from Foomatic-rip or Cupsd Parent (#4201) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-24 19:49:15 +05:30
protections machine 6ec5c5b04b Sync RTA Foomatic-rip Shell Execution (#4200) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-24 19:13:38 +05:30
shashank-elastic be656ae740 Tune Bedrock rule to accept multivalued column (#4205) 2024-10-23 20:48:56 +05:30
protections machine 77f0ee85d9 react_sync_rta_updates_4215 Network Connection by Foomatic-rip Child (#4196) 2024-10-23 19:18:36 +05:30
protections machine a54f83981e Sync RTA File Downloaded via Curl or Wget to Hidden Directory (#4197) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 19:01:17 +05:30
protections machine 0ef122632e Sync RTA Shared Object Load via LoLBin (#4198) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 18:48:11 +05:30
protections machine f8d08f92f3 Sync RTA Suspicious Kernel Feature Activity (#4199) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 18:40:21 +05:30
protections machine faafc4f19d Sync RTA Potential Proxy Execution via PHP (#4195) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 16:07:32 +05:30
protections machine c336e30dee Sync RTA Suspicious Download and Redirect by Web Server (#4194) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 15:55:10 +05:30
protections machine 6a740a6a61 Sync RTA File Downloaded and Piped to Interpreter by Web Server (#4193) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 15:45:45 +05:30
protections machine c5b108400c Sync RTA File Downloaded from Suspicious Source by Web Server (#4192) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 15:15:56 +05:30
protections machine 91fbc39084 Sync RTA MSR Write Access Enabled (#4189) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 14:13:47 +05:30
protections machine 21c45f97fe Sync RTA Reverse or Bind Shell via Suspicious Utility (#4187) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 13:37:44 +05:30
protections machine 9cb2974e70 Sync RTA Potential Gsocket Activity (#4186) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 13:21:33 +05:30
protections machine fe6459d784 Sync RTA Bind Shell via Socket (#4185) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 12:10:45 +05:30
protections machine 08fc5a5e35 Sync RTA Bind Shell via Node (#4184) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 11:43:10 +05:30
protections machine fb963628f2 Sync RTA Potential Proxy Execution via Sed (#4183) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 11:31:10 +05:30
protections machine 6d430be209 Sync RTA Bind Shell via Netcat Traditional (#4182) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 11:23:12 +05:30
protections machine 2e1daeeaa0 Sync RTA Base64 Shebang Payload Decoded via Built-in Utility (#4181) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 11:12:43 +05:30
protections machine 31d3b6417b Sync RTA Potential Proxy Execution via Tcpdump (#4180) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 11:00:09 +05:30
protections machine 3e1fe91a1c Sync RTA Potential Proxy Execution via Sysctl (#4179) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 10:52:28 +05:30
protections machine 519a3688c8 Sync RTA Potential Proxy Execution via Split (#4178) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 10:37:38 +05:30
protections machine fff957c0f5 Sync RTA Potential Proxy Execution via Pidstat (#4177) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 10:27:11 +05:30
protections machine bc821f56e1 Sync RTA System Binary Proxy Execution via ld.so (#4176) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-23 10:12:44 +05:30
protections machine fb4bc72607 Sync RTA Potential Proxy Execution via Crash (#4175) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-22 21:49:13 +05:30
protections machine d1f44270e1 Sync RTA Potential Process Masquerading via Exec 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-10-22 21:41:27 +05:30
shashank-elastic 275c7288a3 Add testcase to check for related_integrations based on index (#4096) 2024-10-22 00:17:30 +05:30
Terrance DeJesus d0225c37df [Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169) 
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'

* added missing bracket

* linted

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

* removed intelephense whitelisting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-10-18 11:50:57 -04:00
Ruben Groenewoud 42f6c8f9a5 [Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165) 2024-10-18 17:13:44 +02:00
Ruben Groenewoud b309bcb7ae [Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 5

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
 2024-10-18 17:02:26 +02:00
Ruben Groenewoud 601254488b [BBR Promotion] Q2 Linux BBR Promotion (#4172) 
* [BBR Promotion] Q2 Linux BBR Promotion

* Update collection_linux_clipboard_activity.toml

* Update defense_evasion_creation_of_hidden_files_directories.toml
 2024-10-18 16:55:09 +02:00
Ruben Groenewoud 592ad0fe9a [Rule Tuning] Q2 Linux DR Tuning - BBR (#4171) 
* [Rule Tuning] Q2 Linux DR Tuning - BBR

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update discovery_linux_sysctl_enumeration.toml

* Update discovery_potential_memory_seeking_activity.toml

* Update discovery_potential_memory_seeking_activity.toml
 2024-10-18 16:45:23 +02:00
Ruben Groenewoud 09bd4cef16 [Rule Tuning] Q2 Linux DR Tuning - CP (#4170) 
* [Rule Tuning] Q2 Linux DR Tuning - CP

* Update command_and_control_non_standard_ssh_port.toml
 2024-10-18 16:38:14 +02:00
Ruben Groenewoud ac6a49eeea [Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167) 2024-10-18 16:25:54 +02:00
Ruben Groenewoud 39fc23cb3d [Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
 2024-10-18 16:18:14 +02:00
Ruben Groenewoud 3982228132 [Rule Tuning] Q2 Linux DR Tuning - Part 2 (#4163) 2024-10-18 16:07:09 +02:00
Ruben Groenewoud af9f9e2456 [Rule Tuning] Q2 Linux DR Tuning - Part 1 (#4162) 
* [Rule Tuning] Q2 Linux DR Tuning - Part 1

* Update defense_evasion_binary_copied_to_suspicious_directory.toml
 2024-10-18 15:59:51 +02:00
Terrance DeJesus 61b731c300 [Rule Tuning] Remove Salesforce Client User-Agent Whitelisting in MFA Deactivation with no Re-Activation for Okta User Account (#4145) 
* tuning

* added note about whitelisting user agent

* removed extra new line
 2024-10-16 11:41:50 -04:00
shashank-elastic b1e91ddb14 Add setuptools as project dependency (#4160) 2024-10-16 20:09:23 +05:30
Terrance DeJesus 4b4b2cc9c8 [Hunt Tuning] Enforce STATS or KEEP functions in ES|QL hunting queries (#4157) 
* enforcing aggregate or keep in ES|QL queries

* Update hunting/definitions.py

* Update hunting/definitions.py

* Update hunting/definitions.py

* updated capitalization of linting

* updated raise value error

* Update hunting/definitions.py

* added note about stats in best practices
 2024-10-16 09:16:28 -04:00
github-actions[bot] c1ce0d43d1 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4159) 2024-10-16 10:23:33 +05:30
Jonhnathan 2c07e88c07 [Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156) 2024-10-15 23:57:44 +05:30
Samirbous 8f56b7de5e Update privilege_escalation_gpo_schtask_service_creation.toml (#4152) 2024-10-15 18:36:35 +05:30
Samirbous a98161ad2a [Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#4144) 
* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-10-15 10:49:01 +01:00