security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
952 Commits 1 Branch 0 Tags
a645bc7bbbc5787c8ed8e39e33e9e78dea9ffe53
Commit Graph

708 Commits

Author SHA1 Message Date
shashank-elastic a645bc7bbb awk binary shell evasion threat (#1794) 
* new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat

* Update rules/linux/awk_binary_shell_evasion.toml

* Update rules/linux/awk_binary_shell_evasion.toml

* new:rule:issue-1785 Adding Mittre Attack Techniques

* new:rule:issue-1785 Adding Mittre Attack Techniques

* new:rule:issue-1785 Adding Mittre Attack Techniques

* Update rules/linux/privilege_escalation_awk_binary_shell.toml

* Update rules/linux/privilege_escalation_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_awk_binary_shell.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/privilege_escalation_awk_binary_shell.toml

* Update rules/linux/privilege_escalation_awk_binary_shell.toml

* Update rules/linux/privilege_escalation_awk_binary_shell.toml

* Update rules/linux/privilege_escalation_awk_binary_shell.toml

* Update rules/linux/privilege_escalation_awk_binary_shell.toml

* new:rule:issue-1785 Review Comments

* new:rule:issue-1785 Review Comments

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit e004a2f4a5)
 2022-03-02 16:26:37 +00:00
shashank-elastic 56997556f5 env binary shell evasion threat (#1793) 
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat

* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat

* Update rules/linux/env_binary_shell_evasion.toml

* Update rules/linux/env_binary_shell_evasion.toml

* new:rule:issue-1786 Adding Mittre Attack Techniques

* new:rule:issue-1786 Adding Mittre Attack Techniques

* new:rule:issue-1786 Adding Mittre Attack Techniques

* new:rule:issue-1786 Adding Mittre Attack Techniques

* new:rule:issue-1786 Adding Mittre Attack Techniques

* Update rules/linux/privilege_escalation_env_binary.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/privilege_escalation_env_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_env_binary.toml

* Update rules/linux/privilege_escalation_env_binary.toml

* new:rule:issue-1786 Review Comments

* Update rules/linux/defense_evasion_env_binary.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 758784d4d5)
 2022-03-02 16:19:45 +00:00
Samirbous 36369ebf96 [New Rule] Registry Hive File Creation via SMB (#1779) 
* [New Rule] Registry Hive File Creation via SMB

Identifies the creation or modification of a medium size registry hive file via the SMB protocol :

* Update credential_access_moving_registry_hive_via_smb.toml

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit f48144c6b3)
 2022-03-02 09:14:52 +00:00
Jonhnathan 31f75bd7e6 Update impact_azure_service_principal_credentials_added.toml (#1802) 
(cherry picked from commit 8a9b52f7e1)
 2022-03-02 08:38:49 +00:00
Jonhnathan 73b3bec457 [Security Content] Update rules based on docs review (#1803) 
* Adds suggestions from security-docs

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 1c50f35aed)
 2022-03-02 00:41:56 +00:00
Mika Ayenson aab23636e8 [New Rule] LSASS Memory Dump (#1784) 
* Add new event_data fields (ObjectName, ProcessName)

* Add detection for LSASS Memory Dump Handle Access

* Reference an example of 120089 AccessMask presence

* modify query to increase performance and update the description to remove ("This rule").

* expand path to Elastic Agent ensure syntax consistency

* Optimize rule based on AccessMaskDescription and additional False Positives.

* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used

* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription

* cleanup

(cherry picked from commit aa7d79cc53)
 2022-02-24 13:16:42 +00:00
Jonhnathan 99c559f870 Update persistence_azure_conditional_access_policy_modified.toml (#1788) 
(cherry picked from commit 8664ef59f4)
 2022-02-22 18:29:00 +00:00
Jonhnathan 678f7cb93c [Rule Tuning] Update rules based on docs review (#1778) 
* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit dec4243db0)
 2022-02-16 16:44:51 +00:00
Jonhnathan f571eb970d [Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773) 
* Remove Windows Integration & Winlogbeat Support

* Update lateral_movement_service_control_spawned_script_int.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3227d65cd8)
 2022-02-16 02:07:27 +00:00
Jonhnathan cd59ed785a [Rule Tuning] Potential Command and Control via Internet Explorer (#1771) 
* Use user.name on the sequence instead of user.id

* Update command_and_control_iexplore_via_com.toml

* Remove min_stack and comment "with runs"

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 03f60cc11c)
 2022-02-16 02:00:28 +00:00
Jonhnathan ef78093d88 [New Rule] Potential Credential Access via DCSync (#1763) 
* "Potential Credential Access via DCSync" Initial Rule

* replace unintentional bracket removal

* json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 42436d3364)
 2022-02-16 00:42:49 +00:00
Jonhnathan 9885be0f59 Modified to use Integrity fields instead of user.id (#1772) 
(cherry picked from commit fd678dc5cb)
 2022-02-16 00:25:10 +00:00
Jonhnathan fd3d2708a1 [Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775) 
* Initial Review of Sysmon Registry Rules

* Update defense_evasion_sip_provider_mod.toml

(cherry picked from commit 9bbe26fec0)
 2022-02-15 12:59:15 +00:00
Jonhnathan 3b97ee423b Update discovery_net_command_system_account.toml (#1769) 
(cherry picked from commit c646a18efb)
 2022-02-14 15:13:55 +00:00
Samirbous fbcc7433ad [New Rule] Windows Service Installed via an Unusual Client (#1759) 
* [New Rule] Windows Service Installed via an Unusual Client

https://www.x86matthew.com/view_post?id=create_svc_rpc

* Update non-ecs-schema.json

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add ```s

* Update privilege_escalation_windows_service_via_unusual_client.toml

* add missing comma to schema

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 326aa64ff6)
 2022-02-11 20:59:20 +00:00
Jonhnathan c59429719d Modification of AmsiEnable Registry Key - Sysmon support (#1760) 
(cherry picked from commit 9c56b00429)
 2022-02-11 20:51:51 +00:00
Jonhnathan 782b6c1d0e Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (#1757) 
(cherry picked from commit aa9fedd18d)
 2022-02-11 17:18:12 +00:00
Khristinin Nikita 4fe57055a0 [Rule Tuning] Fix IM query (#1767) 
* Fix IM quer

* Add update date

(cherry picked from commit b1121da237)
 2022-02-10 18:32:37 +00:00
Jonhnathan 6b1b8587e1 [Documentation] Fix O365 Integration name on Rules and Unit Test (#1684) 
* Adjust Integration Name

* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml

* Update integration name

* .

* Case

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 5a16a222ad)
 2022-02-09 22:06:05 +00:00
Justin Ibarra b4863ddde5 Move misplaced rule to proper folder (#1756) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 97835bc5c5)
 2022-02-04 20:38:01 +00:00
Jonhnathan 2fe12168bc [New Rule] Potential Shadow Credentials added to AD Object (#1729) 
* Potential Shadow Credentials added to AD Object Initial Rule

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_shadow_credentials.toml

* Add AD tag

* Update credential_access_shadow_credentials.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 85b72256c2)
 2022-02-04 18:51:25 +00:00
Jonhnathan df2a844584 [New Rule] PowerShell Script Block Logging Disabled (#1749) 
* PowerShell Script Block Logging Disabled

* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_disable_posh_scriptblocklogging.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 7dac52f1cf)
 2022-02-04 18:46:55 +00:00
Jonhnathan 7e25f14766 Update credential_access_mod_wdigest_security_provider.toml (#1751) 
(cherry picked from commit 40095d95bf)
 2022-02-04 18:40:39 +00:00
Jonhnathan 6ed9769eb6 [New Rule] AdminSDHolder Backdoor (#1745) 
* AdminSDHolder Backdoor

* Update rules/windows/persistence_ad_adminsdholder.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9ce5d0b92a)
 2022-02-01 13:17:28 +00:00
Jonhnathan 58e0584e73 [New Rule] KRBTGT Delegation Backdoor (#1743) 
* KRBTGT Delegation Backdoor

* Update persistence_msds_alloweddelegateto_krbtgt.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* refresh rule_id with new uuid

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit d949fefe0c)
 2022-02-01 13:11:57 +00:00
Jonhnathan f661eca2eb [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741) 
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml

* fix year

(cherry picked from commit 26d5bad914)
 2022-02-01 00:04:37 +00:00
Jonhnathan 4e9432a563 [New Rule] Kerberos Preauthentication Disabled for User (#1717) 
* Initial "Kerberos Preauthentication Disabled for User" Rule

* Update credential_access_disable_kerberos_preauth.toml

* Update credential_access_disable_kerberos_preauth.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Add config directives

* Update rules/windows/credential_access_disable_kerberos_preauth.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 6e3f4b2824)
 2022-01-31 15:34:02 +00:00
Jonhnathan fa09b26d59 [New Rule] SeEnableDelegationPrivilege assigned to User (#1737) 
* SeEnableDelegationPrivilege assigned to User

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix logging policy name

* Update rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* lint

* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 25ec71579d)
 2022-01-31 15:25:23 +00:00
Justin Ibarra 948e484070 [Rule tuning] Update rules based on docs review (#1663) 
* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 72c64de3f5)
 2022-01-28 19:43:39 +00:00
Khristinin Nikita c05b5dc5f9 [Rule Tuning] Change default time query for rounding days (#1713) 
* Change default time query for rounding days

* Udpate date

* Revert rule updated_data

* Restore threat_query

(cherry picked from commit 87c7210aab)
 2022-01-28 19:36:44 +00:00
Jonhnathan c1c239e1ec [New Rule] PowerShell Kerberos Ticket Request (#1715) 
* PowerShell Kerberos Ticket Request Initial Rule

* bump date

(cherry picked from commit edd0df5e1a)
 2022-01-27 19:38:40 +00:00
Jonhnathan 012e88601e [New Rule] Email Reported by User as Malware or Phish (#1699) 
* Email Reported by User as Malware or Phish Initial Rule

* Update initial_access_o365_user_reported_phish_malware.toml

* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 189c2b152c)
 2022-01-27 19:33:20 +00:00
Jonhnathan 239f7f9324 [New Rule] MS Office Macro Security Registry Modifications (#1696) 
* "MS Office Macro Security Registry Modifications" Initial Rule

* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit b6cbdbd416)
 2022-01-27 19:27:12 +00:00
Jonhnathan c300fce9f7 [New Rule] OneDrive Malware File Upload (#1693) 
* "OneDrive Malware File Upload" Initial Rule

* bump severity

(cherry picked from commit f7bc13b437)
 2022-01-27 19:22:11 +00:00
Jonhnathan b0b52abbd5 [New Rule] SharePoint Malware File Upload (#1691) 
* "SharePoint Malware File Upload" Initial Rule

* s/onedrive/sharepoint

* bump severity

(cherry picked from commit 1676844640)
 2022-01-27 19:15:20 +00:00
Samirbous c8671b4a1e [New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660) 
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac

EQL

```
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```

* Create privilege_escalation_samaccountname_spoofing_attack.toml

* Update non-ecs-schema.json

* extra ref

* toml linted

* ref for MS kb5008102

* more ref

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 26fb8e83a5)
 2022-01-27 14:49:15 +00:00
Jonhnathan 71c382b1f5 [New Rule] Global Administrator Role Assigned (#1686) 
* Initial Global Administrator Role Assigned Rules

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 14252d45ee)
 2022-01-27 12:55:30 +00:00
Jonhnathan 15d6244331 Create credential_access_mfa_push_brute_force.toml (#1682) 
(cherry picked from commit 7e4325dd7a)
 2022-01-27 12:40:11 +00:00
Jonhnathan b753a05c72 [Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718) 
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 38ae64f729)
 2022-01-27 12:34:30 +00:00
Jonhnathan a5b1ac9e0e Update credential_access_suspicious_lsass_access_memdump.toml (#1714) 
(cherry picked from commit 1699f50beb)
 2022-01-27 12:30:41 +00:00
Jonhnathan 45946dbf3e Update source.ip condition (#1712) 
(cherry picked from commit 4ac824192f)
 2022-01-27 12:27:38 +00:00
Jonhnathan 042f9cfaa1 [Rule Tuning] Fix event.outcome condition on O365 failed logon related rules (#1687) 
* Tune rule query

* Update credential_access_microsoft_365_potential_password_spraying_attack.toml

* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml

* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"

This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.

(cherry picked from commit 0a23d820c9)
 2022-01-27 12:25:02 +00:00
Jonhnathan 51dbef8321 [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1683) 
* Inbox Rule Tuning

* Add RedirectTo

* Update non-ecs-schema.json

(cherry picked from commit 50c7d5f262)
 2022-01-27 12:23:36 +00:00
Jonhnathan 9fd1c14450 [Rule Tuning] Azure Virtual Network Device Modified or Deleted (#1679) 
* Update impact_virtual_network_device_modified.toml

* Change case

(cherry picked from commit fdeb8cb1de)
 2022-01-27 12:19:33 +00:00
Samirbous 9e5c68a04c [New Rule] Potential Privilege Escalation via PKEXEC (#1727) 
* [New Rule] Potential Privilege Escalation via PKEXEC

Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user :

* Update privilege_escalation_pkexec_envar_hijack.toml

* removed = sign

(cherry picked from commit b9edc5464e)
 2022-01-27 09:44:06 +00:00
Justin Ibarra 646e920ac1 Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649)" (#1731) 
This reverts commit 625d1df2bf.

(cherry picked from commit 84d55c829d)
 2022-01-26 20:43:37 +00:00
Jonhnathan b6d1c1476b [Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration (#1706) 
* Adjust queries and min_stack_version
* Update reference to the filebeat module
* adjust min_stack_version
 2022-01-25 16:51:20 -09:00
Justin Ibarra 9c43151da4 [Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match (#1703) 2022-01-25 16:46:49 -09:00
Colson Wilhoit b564fa13fb MacOS FolderActionScripts Process List Update (#1723) 
* update and expand process list

* fix query

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-01-25 14:27:27 -06:00
Colson Wilhoit cfd4d431dd MacOS Launch Daemon Creation Rule - Query Fix (#1722) 
* launch daemon creation syntax fix

* change updated date
 2022-01-25 12:47:51 -06:00