security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
198 Commits 1 Branch 0 Tags
a679207413bed5ca2e0809fa2eb3e735a58fd4a5
Commit Graph

25 Commits

Author SHA1 Message Date
Brent Murphy 7857787328 [New Rule] Azure Global Administrator Role Addition to PIM User (#336) 
* Create persistence_azure_pim_user_added_global_admin.toml

* tweak syntax for readability

* Update additional rule name to match others naming convention

* Delete defense_evasion_azure_diagnostic_settings_deletion.toml

* tweak rule name

* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update description and lint

* small naming tweak for consistency

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-28 10:45:59 -04:00
Brent Murphy 95877f7879 [Rule Tuning] Update event.category for Azure rules (#335) 
* update event.category for azure rules

* update updated_date field

* update name to include Azure

* Update persistence_user_added_as_owner_for_azure_service_principal.toml
 2020-09-24 12:45:25 -04:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330) 
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
 2020-09-23 22:03:29 -08:00
David French cedb2e1289 [New Rule] Azure Conditional Access Policy Modified (#237) 
* new-rule-azure-conditional-access-policy-modified

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

Update maturity to production

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to include result value

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to search both the Azure audit logs and activity logs

* Optimize formatting of query

* Tweak consent grant attack rule

Amending the query in rule, "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs

* Tweak formatting of query to improve Brent's happiness level

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-22 09:28:32 -06:00
David French 11145ffb7f [New Rule] Possible Consent Grant Attack via Azure-Registered Application (#236) 
* new-rule-illicit-consent-grant-attack

* Update initial_access_consent_grant_attack_via_azure_registered_application.toml

Move detailed info and investigation notes to notes field

* Update query to include result field

* Update rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
 2020-09-22 08:30:34 -06:00
Brent Murphy 140091e7b8 [New Rule] Azure Storage Account Key Regenerated (#188) 
* Create credential_access_storage_account_key_regenerated.toml

* Update rules/azure/credential_access_storage_account_key_regenerated.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update credential_access_storage_account_key_regenerated.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 14:08:48 -04:00
Brent Murphy 040f56ff0c [New Rule] Azure Network Watcher Deletion (#232) 2020-09-04 12:18:18 -04:00
Brent Murphy 21431101b7 [New Rule] Azure External Guest User Invitation (#231) 
* Create initial_access_external_guest_user_invite.toml

* Update rules/azure/initial_access_external_guest_user_invite.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* update mitre metadata

* lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 12:11:13 -04:00
Brent Murphy 0fc78b3c3b [New Rule] Azure Key Vault Modified (#230) 
* [New Rule] Azure Update to Key Vault

* Update rules/azure/credential_access_key_vault_update.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_key_vault_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-04 11:30:01 -04:00
Brent Murphy e49b69af10 [New Rule] Azure Blob Container Access Level Modification (#192) 
* Create discovery_blob_container_access_mod.toml

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 10:48:21 -04:00
David French 230b59dfc9 rule-tuning-user-added-as-owner-for-azure-service-principal (#258) 2020-09-04 08:36:20 -06:00
Brent Murphy bcd698add2 [New Rule] Azure Event Hub Deletion (#170) 
* Create defense_evasion_event_hub_deletion.toml

* Update rules/azure/defense_evasion_event_hub_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/azure/defense_evasion_event_hub_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 10:23:43 -04:00
Brent Murphy a49d102de3 [New Rule] Azure Event Hub Authorization Rule Created or Updated (#173) 
* Create collection_update_event_hub_auth_rule.toml

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-04 09:32:30 -04:00
Brent Murphy 0ac7f3d672 [New Rule] Azure Firewall Policy Deletion (#169) 
* Create defense_evasion_firewall_policy_deletion.toml

* Update rules/azure/defense_evasion_firewall_policy_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-04 09:28:58 -04:00
Brent Murphy 9025a7d183 [New Rule] Azure Diagnostic Settings Deletion (#157) 
* Create azure_diagnostic_settings_deletion.toml

* Update azure_diagnostic_settings_deletion.toml
 2020-09-04 09:20:13 -04:00
Brent Murphy b4a15960cb [New Rule] Azure Command Execution on Virtual Machine (#155) 
* Create execution_command_virtual_machine.toml

* Update execution_command_virtual_machine.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-03 17:09:40 -04:00
Brent Murphy 6b04105936 [New Rule] Azure Resource Group Deletion (#158) 
* Create impact_resource_group_deletion.toml

* Update rules/azure/impact_resource_group_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-09-03 17:06:43 -04:00
David French 1f555c289f [New Rule] Azure Privileged Identity Management Role Modified (#238) 
* new-rule-azure-pim-role-modified

* Add ATT&CK metadata to rule

* Update rules/azure/defense_evasion_azure_privileged_identity_management_role_modified.toml
 2020-09-03 15:02:14 -06:00
David French 89db7384a0 [New Rule] Azure Automation Runbook Deleted (#235) 
* new-rule-azure-automation-runbook-deleted

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Fix typo in rule description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Remove superfluous parens from query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-03 13:09:40 -06:00
David French 225aba61c9 [New Rule] Multi-Factor Authentication Disabled for an Azure User (#195) 
* new-rule-mfa-disabled-for-an-azure-user

* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml

Update ECS version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-03 12:42:27 -06:00
David French 43204391b6 [New Rule] User Added as Owner for Azure Service Principal (#194) 
* new-rule-user-added-as-owner-for-azure-service-principal

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Add parens to query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Update ECS version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 12:21:44 -06:00
David French 43f657ac4e [New Rule] User Added as Owner for Azure Application (#191) 
* new-rule-user-added-as-owner-for-azure-application

* Update rule name and description

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Update query to remove superfluous quotes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Add ATT&CK metadata to rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 12:15:33 -06:00
David French 4c431d2408 [New Rule] Azure Automation Webhook Created (#179) 
* new-rule-azure-automation-webhook-created

* Update rules/azure/persistence_azure_automation_webhook_created.toml

Update description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/persistence_azure_automation_webhook_created.toml

Update ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 11:20:50 -06:00
David French 98f216404a [New Rule] Azure Automation Runbook Created or Modified (#178) 
* new-rule-azure-automation-runbook-created-or-modified

* Update rules/azure/persistence_azure_automation_runbook_created_or_modified.toml

Update ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-09-03 11:16:42 -06:00
David French 85e799b378 [New Rule] Azure Automation Account Created (#177) 
* new-rule-azure-automation-account-created

* Fix rule name format 😄

* Update rules/azure/persistence_azure_automation_account_created.toml

Update maturity to production

* Update rules/azure/persistence_azure_automation_account_created.toml

Update ecs_version to 1.6.0

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-09-03 11:08:38 -06:00