security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,300 Commits 1 Branch 0 Tags
b60b6e2af3e6bd673cb855e36f937416cf3f2ee5
Commit Graph

723 Commits

Author SHA1 Message Date
Samirbous b60b6e2af3 [New] Attempt to establish VScode Remote Tunnel (#4061) 
* [New] Attempt to establish VScode Remote Tunnel

* Update command_and_control_tunnel_vscode.toml

* Update command_and_control_tunnel_vscode.toml

* Update command_and_control_tunnel_vscode.toml

* Update rules/windows/command_and_control_tunnel_vscode.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-09-16 07:39:39 +01:00
Samirbous 3a3400c8e5 [New] MsiExec Service Child Process With Network Connection (#4062) 
* [New] MsiExec Service Child Process With Network Connection

converted an ER diag rule to SIEM rule as it matches on a good number of MSI related FNs.

* Update defense_evasion_msiexec_child_proc_netcon.toml

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-15 20:22:44 +01:00
Samirbous 56fc2beb46 [New] Suspicious PowerShell Execution via Windows Scripts (#4060) 
* [New] Suspicious PowerShell Execution via Windows Scripts

this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.

* Update execution_powershell_susp_args_via_winscript.toml

* Create defense_evasion_script_via_html_app.toml

* ++

* Update defense_evasion_script_via_html_app.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-15 19:51:21 +01:00
Samirbous b6162abefa [New] WPS Office Exploitation via DLL Hijack (#4043) 
* Create execution_initial_access_wps_dll_exploit.toml

* Update execution_initial_access_wps_dll_exploit.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-15 11:23:35 +01:00
Samirbous 9255dafe53 [New] Detonate LNK TOP Rules (#4058) 
* [New] Detonate LNK TOP Rules

the following two rules are the top ones matching on TPs from detonate for LNK files, converting them to SIEM rules compatible with Sysmon/Winlogbeat, SentinelOne and M365 Defender :

https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution.toml#L8

https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml#L8

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update rules/windows/execution_windows_cmd_shell_susp_args.toml

* Update rules/windows/execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-15 10:49:17 +01:00
Samirbous cad3865fcf [New] Potential Escalation via Vulnerable MSI Repair - CVE-2024-38014 (#4076) 
* [New] Potential Escalation via Vulnerable MSI Repair

https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/

* Update privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-13 17:57:44 +01:00
Jonhnathan 127a56aede [Rule Tuning] Remote Execution via File Shares (#4067) 
* [Rule Tuning] Remote Execution via File Shares

* Update lateral_movement_execution_via_file_shares_sequence.toml
 2024-09-11 10:49:41 -03:00
Samirbous dc9c58527f [Tuning] Unusual Network Activity from a Windows System Binary (#4065) 
* Update defense_evasion_network_connection_from_windows_binary.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-10 13:30:56 -03:00
Jonhnathan e60c21b37b [Rule Tuning] Enumeration of Privileged Local Groups Membership (#4016) 2024-08-27 09:54:19 -03:00
Jonhnathan 70c3a6f7b1 [Rule Tuning] Potential privilege escalation via CVE-2022-38028 (#4004) 2024-08-22 15:32:28 -03:00
Jonhnathan 4c44f98cd6 [Rule Tuning] LSASS Process Access via Windows API (#3975) 
* [Rule Tuning] LSASS Process Access via Windows API

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml
 2024-08-14 11:42:18 -03:00
Terrance DeJesus 3500c3db15 [Rule Tuning] Tuning Direct Outbound SMB Connection (#3485) 
* tuning 'Direct Outbound SMB Connection'

* removed lolbas references

* reverted EQL function due to escaped characters in substring match

* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* reverted internal address exclusion; adjusted rule name and description

* removing min-stack

* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-08-13 13:53:07 -04:00
Terrance DeJesus 74d8186aeb [Rule Tuning] Tuning MsBuild Making Network Connections (#3482) 
* tuning 'MsBuild Making Network Connections'

* added performance note; added comments in query

* adjusted array search

* linting

* updated query logic;updated date

* updated query logic

* fixed query error

* changed query logic

* removing min-stack

* reverting change

* updated network sequence event
 2024-08-13 12:55:08 -04:00
Jonhnathan 8950d33539 [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#3964) 
* [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation

* .

* ++
 2024-08-09 13:23:16 -03:00
Jonhnathan 20f4242566 [Rule Tuning] Simple KQL to EQL Conversion (#3948) 
* [Rule Tuning] Simple KQL to EQL Conversion

* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update privilege_escalation_group_policy_iniscript.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-08-09 13:11:27 -03:00
Jonhnathan fcc8aaaf63 [Rule Tuning] Fix missing Winlogbeat index (#3976) 
* [Rule Tuning] Fix missing Winlogbeat index

* bump
 2024-08-09 12:46:33 -03:00
Jonhnathan 207dc55ede [Rule Tuning] Windows File-based Rules Tuning (#3963) 
* [Rule Tuning] Windows File-based Rules Tuning

* Update credential_access_lsass_memdump_file_created.toml

* .
 2024-08-09 12:26:58 -03:00
Jonhnathan f5069763b6 [Rule Tuning] Add System tag to DRs (#3968) 
* [Rule Tuning] Add System tag to DRs

* bump
 2024-08-09 11:14:33 -03:00
Terrance DeJesus 698e830f9f [Rule Tuning] Removing Minimum Stack Compatibility (#3974) 
* removing min-stack

* removing min-stack

* updating date
 2024-08-08 11:47:48 -04:00
Terrance DeJesus fe9ba15a2a [Rule Tuning] Tuning Suspicious HTML File Creation for Performance (#3480) 
* tuning 'Suspicious HTML File Creation'

* TOML lint; reverted EQL function checks

* updated date
 2024-08-08 11:12:55 -04:00
Jonhnathan 25ad765acb [Rule Tuning] Include winlogbeat index in sysmon-related rules (#3966) 2024-08-08 12:02:23 -03:00
Terrance DeJesus ff3d51721a [Rule Tuning] Tuning Persistent Scripts in the Startup Directory (#3479) 
* tuning 'Persistent Scripts in the Startup Directory'

* adjusted query logic; added note about performance

* adjusted query logic

* adjusted query logic; added note about performance

* removed newline

* adjusted query logic to be more inclusive

* adjusted query

* adjusted query to leave wildcard and substring searches towards the end

* TOML lint

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* adjusted note; removed setup

* adjusted note; removed setup

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-06 18:42:53 -04:00
shashank-elastic 2ee5ae1f19 Fix Version Bump for Related Integrations (#3960) 2024-08-06 18:48:24 +05:30
Jonhnathan a6f1aa6fd7 [Rule Tuning] Windows Registry Rules Tuning - 2 (#3958) 2024-08-06 17:15:08 +05:30
Jonhnathan 9b85079da1 [Rule Tuning] Windows Registry Rules Tuning - 1 (#3957) 2024-08-06 17:05:17 +05:30
Jonhnathan 11636b159d [New Rule] Outlook Home Page Registry Modification (#3946) 2024-08-05 11:27:58 -03:00
Jonhnathan 392e813e7a [Rule Tuning] Microsoft IIS Service Account Password Dumped (#3935) 2024-08-02 16:37:45 -03:00
Jonhnathan dfdc214be8 [New Rule] Potential Relay Attack against a Domain Controller (#3928) 
* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder
 2024-08-02 13:03:20 -03:00
Jonhnathan 8d3ec2b8a3 [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-08-01 14:06:08 -03:00
Jonhnathan 65cacb4960 [New Rule] Potential Active Directory Replication User Backdoor (#3014) 
* [New Rule] Potential Active Directory Replication User Backdoor

* Update credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-31 12:02:34 -03:00
shashank-elastic dce5bbd904 Update Rule minstack (#3925) 2024-07-25 17:45:55 +05:30
Jonhnathan 5536a78d89 [New Rule] Potential WSUS Abuse for Lateral Movement (#3908) 
* [New Rule] Potential WSUS Abuse for Lateral Movement

* Update lateral_movement_via_wsus_update.toml

* Update lateral_movement_via_wsus_update.toml
 2024-07-22 17:04:08 -03:00
Jonhnathan 6bc1913473 [Rule Tuning] PowerShell Rules (#3903) 2024-07-22 08:39:40 -03:00
Samirbous 6ac278df0c [tuning] Connection to Commonly Abused Web Services (#3901) 
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-18 09:59:53 -03:00
Jonhnathan 1384742f07 [New Rule] Service DACL Modification via sc.exe (#3900) 
* [New Rule] Service DACL Modification via sc.exe

* Update defense_evasion_sc_sdset.toml

* Update defense_evasion_sc_sdset.toml
 2024-07-17 19:39:50 -03:00
Jonhnathan ffb68174f9 [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#3887) 2024-07-15 06:41:45 -03:00
Jonhnathan 6e7ece4384 [Rule Tuning] Fix event.action conditions - AD Rules (#3874) 2024-07-10 10:33:14 -03:00
ar3diu b303b8296b [Rule Tuning] LSASS Memory Dump Creation (#3810) 
* Update rule exclusion with process executable path for Windows Fault Reporting binary, WerFaultSecure.exe.

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
 2024-07-10 06:12:38 -05:00
shashank-elastic b66d6e06aa Fix Double Bump For Rule Microsoft Management Console File from Unusual Path (#3878) 2024-07-09 17:59:51 +05:30
Samirbous 801aab82cc [New] Sensitive Registry Hive Access via RegBack (#3855) 
* Create credential_access_regback_sam_security_hives.toml

* Update credential_access_regback_sam_security_hives.toml

* Update rules/windows/credential_access_regback_sam_security_hives.toml

* Apply suggestions from code review

* Update rules/windows/credential_access_regback_sam_security_hives.toml

* Update credential_access_regback_sam_security_hives.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-05 07:50:23 +01:00
Samirbous 15e9c9aa5e [Tuning] Ransomware over SMB (#3808) 
* [Tuning] Ransomware over SMB

* Update impact_ransomware_file_rename_smb.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 07:26:57 +01:00
Joe Desimone 8dc0963ae6 [Rule Tuning] LSASS Process Access via Windows API (#3824) 
* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* fix merge

* newline

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-04 21:45:46 +01:00
Jonhnathan 208e330b44 [New Rule] Potential PowerShell Obfuscated Script (#3864) 
* [New Rule[ Potential PowerShell Obfuscated Script

* Update defense_evasion_posh_obfuscation.toml

* Update rules/windows/defense_evasion_posh_obfuscation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-04 09:26:32 -03:00
ar3diu 5048bc26bd [Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806) 
* Add "by host.id" argument to the sequence command in the rule query.

* Update collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-03 10:39:15 -04:00
Jonhnathan d5c34b5750 [Rule Tuning] Unusual File Creation - Alternate Data Stream (#3848) 2024-07-01 13:45:19 -03:00
Samirbous b97069c3e9 Update defense_evasion_microsoft_defender_tampering.toml (#3840) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-06-28 08:16:11 +01:00
Jonhnathan 7693d785aa [Rule Tuning] LSASS Process Access via Windows API (#3839) 2024-06-27 12:22:13 -03:00
Samirbous 17a07020f3 [New] Microsoft Management Console File from Unusual Path (#3834) 
* [New] Windows Script Execution via MMC Console File

* Update execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

* Update rules/windows/execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

* Update execution_via_mmc_console_file_unusual_path.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-06-27 11:32:45 +01:00
Jonhnathan deb08fd28d [New Rule] AD Group Modification by SYSTEM (#3833) 
* [New Rule] AD Group Modification by SYSTEM

* .

* Update rules/windows/persistence_group_modification_by_system.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Tighten up indexes

* Update persistence_group_modification_by_system.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-26 18:56:01 -03:00
Jonhnathan 54d5b442cf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825) 
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests
 2024-06-26 11:06:27 -03:00