security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,584 Commits 1 Branch 0 Tags
a866ee7f57362c18f11b238ddd24b399cbdb2f13
Commit Graph

426 Commits

Author SHA1 Message Date
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Ruben Groenewoud 8d29a1f7d5 [New Rule] Process Backgrounded by Unusual Parent (#4431) 
* [New Rule] Process Backgrounded by Unusual Parent

* Update execution_process_backgrounded_by_unusual_parent.toml

* Update execution_process_backgrounded_by_unusual_parent.toml
 2025-02-03 14:17:15 +01:00
Ruben Groenewoud 14c648598e [Rule Tuning] Linux DR Tuning - Part 6 (#4423) 
* [Rule Tuning] Linux DR Tuning - Part 6

* Update privilege_escalation_ld_preload_shared_object_modif.toml

* Update privilege_escalation_ld_preload_shared_object_modif.toml
 2025-02-03 14:05:26 +01:00
Ruben Groenewoud 6b84542093 [Rule Tuning] Linux DR Tuning - Part 5 (#4422) 
* [Rule Tuning] Linux DR Tuning - Part 5

* Update rules/linux/persistence_xdg_autostart_netcon.toml
 2025-02-03 13:53:53 +01:00
Ruben Groenewoud 53b9b53467 [Rule Tuning] Linux DR Tuning - Part 4 (#4421) 
* [Rule Tuning] Linux DR Tuning - Part 4

* [Rule Tuning] Linux DR Tuning - Part 4

* Update persistence_etc_file_creation.toml
 2025-02-03 13:31:00 +01:00
Ruben Groenewoud 1c98a0d64c [Rule Tuning] Linux DR Tuning - Part 3 (#4420) 
* Initial set

* [Rule Tuning] Linux DR - Part 3

* ++

* Update execution_unusual_path_invocation_from_command_line.toml

* Update execution_unusual_path_invocation_from_command_line.toml
 2025-02-03 13:17:00 +01:00
Ruben Groenewoud b642c55680 [Rule Tuning] Potential OpenSSH Backdoor Logging Activity (#4429) 2025-01-31 15:33:21 +01:00
Ruben Groenewoud 18dd9cb04a [New Rule] Suspicious Usage of bpf_probe_write_user Helper (#4426) 
* [New Rule] Suspicious Usage of bpf_probe_write_user Helper

* Update persistence_bpf_probe_write_user.toml
 2025-01-29 11:46:40 +01:00
Ruben Groenewoud 52d33c12b8 [Rule Tuning] Linux DR Tuning - Part 2 (#4417) 2025-01-29 10:34:13 +01:00
Ruben Groenewoud fed7b216d5 [Rule Tuning] Linux DR Tuning - Part 1 (#4416) 2025-01-28 14:43:00 +01:00
Samirbous 4e6625ae40 [Tuning] Unusual Instance Metadata Service (IMDS) API Request (#4418) 
* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update credential_access_unusual_instance_metadata_service_api_request.toml

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-01-24 17:23:32 +00:00
shashank-elastic d6f1a75f11 Fix S1 minstack version (#4415) 2025-01-23 17:59:40 +05:30
Mika Ayenson 7c6c77932c [FR] Add Remaining Guides (#4412) 2025-01-22 14:43:30 -06:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Ruben Groenewoud b708e09f2b [New Rule] Unusual D-Bus Daemon Child Process (#4397) 2025-01-21 12:24:06 +01:00
Ruben Groenewoud cf183579b4 [New Rule] Polkit Version Discovery (#4378) 2025-01-20 15:58:27 +01:00
Ruben Groenewoud 2e6ec33141 [New Rule] Polkit Policy Creation (#4379) 
* [New Rule] Polkit Policy Creation

* Update persistence_polkit_policy_creation.toml
 2025-01-20 15:47:18 +01:00
Ruben Groenewoud 3e655abfef [New Rule] Unusual Pkexec Execution (#4380) 
* [New Rule] Unusual Pkexec Execution

* Update execution_unusual_pkexec_execution.toml
 2025-01-20 15:35:29 +01:00
Ruben Groenewoud 4294ed8981 [New Rule] NetworkManager Dispatcher Script Creation (#4381) 
* [New Rule] NetworkManager Dispatcher Script Creation

* ++
 2025-01-20 15:18:55 +01:00
Ruben Groenewoud 89c113560b [New Rule] D-Bus Service Created (#4382) 2025-01-20 15:07:06 +01:00
Ruben Groenewoud 6cc5184f70 [New Rule] Manual Dracut Execution (#4383) 2025-01-20 14:41:44 +01:00
Ruben Groenewoud abd199a9bc [New Rule] Dracut Module Creation (#4384) 2025-01-20 14:31:16 +01:00
Ruben Groenewoud 2bb46899ae [New Rule] OpenSSL Password Hash Generation (#4385) 
* [New Rule] OpenSSL Password Hash Generation

* Update rules/linux/persistence_openssl_passwd_hash_generation.toml
 2025-01-20 14:14:12 +01:00
Ruben Groenewoud 1fce3fd22a [New Rule] Boot File Copy (#4386) 
* [New Rule] Boot File Copy

* Update persistence_boot_file_copy.toml

* Update rules/linux/persistence_boot_file_copy.toml
 2025-01-20 14:04:02 +01:00
Ruben Groenewoud b633987e5b [New Rule] Initramfs Unpacking via unmkinitramfs (#4387) 
* [New Rule] Initramfs Unpacking via unmkinitramfs

* Update rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
 2025-01-20 13:43:54 +01:00
Ruben Groenewoud 971049957e [New Rule] Initramfs Extraction via CPIO (#4389) 
* [New Rule] Initramfs Extraction via CPIO

* Update rules/linux/persistence_extract_initramfs_via_cpio.toml
 2025-01-20 13:32:48 +01:00
Ruben Groenewoud 01eda44298 [Rule Tuning] Linux Persistence Rules (#4393) 
* [Rule Tuning] Linux Persistence Rules

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
 2025-01-20 09:51:49 +01:00
Ruben Groenewoud cf929554a6 [New Rule] Systemd Shell Execution During Boot (#4392) 2025-01-20 09:33:46 +01:00
Ruben Groenewoud f029e9a171 [New Rule] GRUB Configuration Generation through Built-in Utilities (#4391) 2025-01-17 18:00:01 +01:00
Ruben Groenewoud 0ef7f3a83e [New Rule] GRUB Configuration File Creation (#4390) 
* [New Rule] Grub Configuration File Creation

* Update persistence_grub_configuration_creation.toml
 2025-01-17 17:49:41 +01:00
Ruben Groenewoud 28c3d074b8 [New Rule] Process Started with Executable Stack (#4340) 
* [New Rule] Process Started with Executable Stack

* [New Rule] Process Started with Executable Stack

* Update execution_executable_stack_execution.toml

* Update rules/linux/execution_executable_stack_execution.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-01-17 17:36:39 +01:00
Ruben Groenewoud ac541f0b18 [New Rules] Kernel Seeking/Unpacking Activity (#4341) 
* [New Rules] Kernel Seeking/Unpacking Activity

* ++
 2025-01-16 12:04:04 +01:00
Ruben Groenewoud bba5096efa [New Rule] System Binary Path File Permission Modification (#4339) 2025-01-16 10:32:23 +01:00
Ruben Groenewoud 75c7c09595 [New Rule] Suspicious Path Invocation from Command Line (#4338) 2025-01-16 10:20:37 +01:00
Ruben Groenewoud 79b26085f5 [New Rule] Potential Process Name Stomping with Prctl (#4352) 
* [New Rule] Potential Process Name Stomping with Prctl

* Update defense_evasion_prctl_process_name_tampering.toml
 2025-01-13 16:35:40 +01:00
Jonhnathan 6b0b988d79 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10 (#4357) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10

* Remaining ones
 2025-01-09 11:54:46 -03:00
Jonhnathan 7eeca006bc [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 8 (#4355) 2025-01-09 11:38:26 -03:00
Jonhnathan e66bca73e0 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7 (#4349) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7

* Update rules/linux/discovery_process_capabilities.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 11:28:21 -03:00
Jonhnathan cc889e3bf2 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4 (#4345) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 10:59:32 -03:00
Jonhnathan 0fc83fe815 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3 (#4343) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3

* .

* Update rules/linux/command_and_control_ip_forwarding_activity.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 10:35:58 -03:00
Jonhnathan d6ceb88558 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 6 (#4348) 2025-01-09 10:17:57 -03:00
Jonhnathan f4a022c5d2 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 5 (#4346) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - X

* Update rules/linux/defense_evasion_directory_creation_in_bin.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/defense_evasion_mount_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-01-09 09:44:40 -03:00
Jonhnathan 2af2e1f57b [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 9 (#4356) 2025-01-09 08:29:51 -03:00
Jonhnathan 4142868956 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 2 (#4333) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-01-08 15:23:19 -03:00
Jonhnathan 282f613ddf [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1 (#4330) 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1

* min_stack

* Update defense_evasion_doas_configuration_creation_or_rename.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-01-08 14:40:43 -03:00
Ruben Groenewoud d16f56b4e2 [New Rule] SSH via Backdoored System User (#4336) 
* [New Rule] SSH via Backdoored System User

* ++

* Update persistence_ssh_via_backdoored_system_user.toml

* Update persistence_ssh_via_backdoored_system_user.toml

* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-01-07 13:20:36 +01:00
Ruben Groenewoud 2530c4d376 [New Rule] Pluggable Authentication Module Source Download (#4301) 
* [New Rule] Pluggable Authentication Module Source Download

* Update persistence_pluggable_authentication_module_source_download.toml

* Update rules/linux/persistence_pluggable_authentication_module_source_download.toml
 2025-01-07 13:04:05 +01:00
Ruben Groenewoud feaeabf60c [New Rule] Dynamic Linker (ld.so) Creation (#4306) 2025-01-03 17:06:38 +01:00
Ruben Groenewoud fea5c90ed9 [New Rule] Kernel Object File Creation (#4325) 
* [New Rule] Kernel Object File Creation

* ++

* Update rules/linux/persistence_kernel_object_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-03 16:49:59 +01:00
Ruben Groenewoud 53ca51b20c [New Rule] Simple HTTP Web Server Connection (#4309) 2025-01-03 16:06:28 +01:00