security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,892 Commits 1 Branch 0 Tags
9b292b97eaeb75aea893c4d3f34698cf2d033757
Commit Graph

489 Commits

Author SHA1 Message Date
shashank-elastic 9b292b97ea Prep 8.19/9.1 (#4869) 
* Prep 8.19/9.1 Release

* Download Beats Schema

* Download API Schema

* Download 8.18.3 Beats Schema

* Download Latest Integrations manifest and schema

* Comment old schemas

* Update Patch version
 2025-07-07 11:27:48 -04:00
Ruben Groenewoud 715e3f44f4 [New Rule] Kubectl Apply Pod from URL (#4855) 
* [New Rule] Kubectl Apply Pod from URL

* Update execution_kubectl_apply_pod_from_url.toml
 2025-07-03 10:47:07 +02:00
Ruben Groenewoud 26e35fd03b [Rule Tuning] Potential Linux Tunneling and/or Port Forwarding (#4858) 2025-07-03 09:50:30 +02:00
Ruben Groenewoud 3efcd70f8c [New Rule] Kubernetes Sensitive Configuration File Activity (#4849) 
* [New Rule] Kubernetes Sensitive Configuration File Activity

* Update rules/linux/persistence_kubernetes_sensitive_file_activity.toml
 2025-07-02 17:16:25 +02:00
Ruben Groenewoud 0847c32333 [New Rule] Potential Kubectl Masquerading (#4832) 
* [New Rule] Potential Kubectl Masquerading

* Update defense_evasion_potential_kubectl_masquerading.toml

* ++

* ++

* Update defense_evasion_potential_kubectl_masquerading.toml

* Update rules/linux/defense_evasion_potential_kubectl_masquerading.toml
 2025-06-30 13:47:58 +02:00
Ruben Groenewoud bc87ca1d5b [New Rule] Kubectl Network Configuration Modification (#4836) 
* [New Rule] Kubectl Network Configuration Modification

* ++
 2025-06-30 10:53:32 +02:00
Ruben Groenewoud 786542a9d4 [New Rule] Kubernetes Direct API Request via Curl or Wget (#4841) 2025-06-30 10:34:10 +02:00
Ruben Groenewoud 7c07033354 [Deprecation] Suspicious File Creation in /etc for Persistence (#4850) 
* [Deprecation] Suspicious File Creation in /etc for Persistence

* [Deprecation] Suspicious File Creation in /etc for Persistence

* Update persistence_etc_file_creation.toml

* Fix
 2025-06-27 10:14:53 +02:00
Ruben Groenewoud e666cabb3d [Rule Tuning] Added Kubernetes Data Source Tag (#4831) 2025-06-24 13:18:58 +02:00
Ruben Groenewoud dd4576d127 [New Rule] Kubernetes Service Account Secret Access (#4816) 2025-06-18 09:31:35 +05:30
Ruben Groenewoud 386a4b85eb [New Rule] Kubeconfig File Creation or Modification (#4810) 
* [New Rule] Kubeconfig File Creation or Modification

* Update lateral_movement_kubeconfig_file_activity.toml
 2025-06-17 15:01:07 +02:00
Ruben Groenewoud 6bc808916b [New Rule] Kubeconfig File Discovery (#4811) 
* [New Rule] Kubeconfig File Discovery

* Update discovery_kubeconfig_file_discovery.toml
 2025-06-17 14:42:39 +02:00
Ruben Groenewoud 103fbf12c8 [Rule Tuning] Container Management Utility Run Inside A Container (#4809) 
* [Rule Tuning] Container Management Utility Run Inside A Container

* ++
 2025-06-17 14:30:34 +02:00
Ruben Groenewoud dfd46a09e8 [New Rule] Kubectl Permission Discovery (#4812) 2025-06-17 14:14:35 +02:00
Ruben Groenewoud b2887e592b [Rule Tuning] Loadable Kernel Module Configuration File Creation (#4765) 2025-06-05 13:12:24 +02:00
Ruben Groenewoud ba9f76c6b5 [Rule Tuning] Shell Configuration Creation or Modification (#4766) 2025-06-04 11:26:45 +02:00
Ruben Groenewoud 3a601a10fb [New Rule] Unusual Exim4 Child Process (#4684) 2025-05-06 22:24:34 +05:30
Ruben Groenewoud c145e33f16 [New Rule] Unusual Execution from Kernel Thread (kthreadd) Parent (#4683) 2025-05-06 22:08:43 +05:30
Ruben Groenewoud 608e02e27e [New Rule] Linux Telegram API Request (#4677) 2025-05-06 21:53:19 +05:30
Ruben Groenewoud 944428d81e [New Rule] Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments (#4685) 2025-05-06 21:21:58 +05:30
Ruben Groenewoud fdc6b09d54 [New Rule] System Binary Symlink to Suspicious Location (#4682) 2025-05-06 17:46:47 +05:30
Ruben Groenewoud 25dc8498ae [New Rule] Suspicious Named Pipe Creation (#4681) 2025-05-06 17:30:38 +05:30
Ruben Groenewoud 8b08795e00 [New Rule] Suspicious Kernel Feature Activity (#4676) 2025-05-06 17:13:24 +05:30
Ruben Groenewoud 0193af2842 [New Rule] Potential Data Exfiltration Through Curl (#4678) 2025-05-06 16:57:59 +05:30
Ruben Groenewoud 4030de9295 [New/Tuning] Potential Hex Payload Execution via Command-Line (#4675) 2025-05-06 16:29:03 +05:30
Ruben Groenewoud eb3520a63b [New Rule] Potential Backdoor Execution Through PAM_EXEC (#4674) 2025-05-06 16:13:23 +05:30
Ruben Groenewoud 403e20c2c6 [New Rule] Git Repository or File Download to Suspicious Directory (#4663) 2025-05-06 15:05:27 +05:30
Ruben Groenewoud 3f9e2edcb5 [New Rule] Manual Mount Discovery via /etc/exports (#4662) 2025-05-06 14:48:55 +05:30
Ruben Groenewoud a9e8a78c09 [New Rule] Docker Release File Creation (#4661) 2025-05-06 14:31:52 +05:30
Ruben Groenewoud 13cf424ef5 [New Rule] Manual Memory Dumping via Proc Filesystem (#4660) 2025-05-06 14:16:15 +05:30
Ruben Groenewoud c9c41747fc [FN Tuning] Suspicious /proc/maps Discovery (#4659) 2025-05-06 13:59:44 +05:30
Ruben Groenewoud 1150271372 [New Rule] Suspicious Path Mounted (#4664) 2025-05-06 13:43:00 +05:30
shashank-elastic e4856d3c2c Refresh ecs, beats, integration manifests & schemas (#4699) 2025-05-05 23:06:40 +05:30
Ruben Groenewoud 18e1103c51 [New Rule] Potential Linux Tunneling and/or Port Forwarding via SSH Option (#4658) 2025-05-05 09:59:08 +02:00
Jonhnathan 3eed0f5b6a [Rule Tuning] SSH Authorized Keys File Deletion (#4591) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-15 12:16:03 -03:00
Ruben Groenewoud 3b1f780435 [D4C Conversion] Converting Compatible D4C Rules to DR (#4532) 
* [D4C Conversion] Converting Compatible D4C Rules to DR

* added host.os.type

* Rename

* Update rules/linux/execution_container_management_binary_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-10 14:26:40 +02:00
Ruben Groenewoud 05c9f6bbdb [FN Tuning] Shared Object Created or Changed by Previously Unknown Pr… (#4529) 
* [FN Tuning] Shared Object Created or Changed by Previously Unknown Process

* Update process exclusions in TOML file

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-04-08 18:19:18 +02:00
shashank-elastic 3966981dae Add investigation guides (#4600) 2025-04-07 20:55:39 +05:30
Jonhnathan 9577d53284 [Rule Tuning] Add Host Metadata to ES|QL Aggregation Rules (#4592) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-07 12:00:14 -03:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Ruben Groenewoud d7d8c414ec [New Rule] File Creation in /var/log via Suspicious Process (#4528) 
* [New Rule] File Creation in /var/log via Suspicious Process

* ++

* ++
 2025-03-12 12:50:48 +01:00
Ruben Groenewoud 561ab703de [New Rule] Uncommon Destination Port Connection by Web Server (#4515) 2025-03-06 22:01:33 +05:30
Ruben Groenewoud fe0a9f4935 [New/Tuning] Docker Socket Enumeration (#4510) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 17:07:10 +01:00
Ruben Groenewoud 8dfa5da3bf [New Rules] Potential Port/Subnet Scanning Activity from Compromised Host (#4509) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 16:57:33 +01:00
Ruben Groenewoud fe06843636 [New Rule] Unusual Process Spawned from Web Server Parent (#4513) 2025-03-06 16:46:12 +01:00
Ruben Groenewoud 7ce6aaf566 [New Rule] Unusual Command Execution from Web Server Parent (#4512) 
* [New Rule] Unusual Command Execution from Web Server Parent

* ++
 2025-03-06 16:25:38 +01:00
Ruben Groenewoud b9e8115c2f [New Rule] Python Site or User Customize File Creation (#4500) 
* [New Rule] Python Site or User Customize File Creation

* Update persistence_site_and_user_customize_file_creation.toml

* Update persistence_site_and_user_customize_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:30:33 +01:00
Ruben Groenewoud d948279af6 [New Rule] Python Path File (pth) Creation (#4499) 
* [New Rule] Python Path File (pth) Creation

* ++

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:20:00 +01:00
Ruben Groenewoud f70eafb8e7 [New Rule] Successful SSH Authentication from Unusual User (#4481) 
* [New Rule] Succesful SSH Authentication from Unusual User

* Rename initial_access_first_time_public_key_authentication.toml to initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-03 11:55:27 +01:00
Ruben Groenewoud 06002cd9ac [New Rule] Kill Command Execution (#4485) 
* [New Rule] Kill Command Execution

* Update defense_evasion_kill_command_executed.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:26:50 +01:00