security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,904 Commits 1 Branch 0 Tags
b1989a921bcfd5c6db5acf7380a14f9551c2b3d9
Commit Graph

9 Commits

Author SHA1 Message Date
Jonhnathan b1989a921b [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_dac_permissions.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

(selectively cherry picked from commit 458e67918a)
 2024-03-11 12:14:53 +00:00
Ruben Groenewoud ee5fa810aa [Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254) 
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 84824c67fd)
 2023-12-18 08:41:02 +00:00
shashank-elastic 9c271c6591 Enhance Setup Guide information (#3256) 
(cherry picked from commit d52546eee5)
 2023-11-03 13:41:40 +00:00
shashank-elastic 60475f6aa0 Move Setup information into setup filed (#3206) 
(cherry picked from commit 7254c582c5)
 2023-10-23 14:04:26 +00:00
shashank-elastic a7e83681e3 Setup information for Linux Rules - Set5 (#3188) 
(cherry picked from commit 2a48db0598)
 2023-10-17 13:46:52 +00:00
Jonhnathan 063386829c [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit 4233fef238)
 2023-09-05 18:28:40 +00:00
Ruben Groenewoud e938ed28a0 [Rule Tuning] added additional event action (#3008) 2023-08-10 16:59:07 +02:00
Ruben Groenewoud dbd7ed65a9 [Tuning] Reverse Shell Rules (#2959) 
* [Rule Tuning] Reverse Shell Rule destination.ip tuning

* Updated updated_date
 2023-07-25 14:55:56 +02:00
Ruben Groenewoud 646c316b66 [New Rules] Linux Reverse Shells (#2905) 
* [New Rules] Linux Reverse Shells

* [New Rules] Linux Reverse Shells

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Delete UDP rule to add in separate PR

* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Deleted one rule and tuned the others

* Improved the rules' performance

* Added the reverse_tcp rule back after tuning

* Update execution_shell_via_lolbin_interpreter_linux.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-07-06 15:27:57 +02:00