Samirbous
ba0cc7a055
[New Rule] UAC Bypass via Elevated COM Interface - IEditionUpgradeManager (#422)
* [New Rule] UAC Bypass via Elevated COM Interface - ClipUp
* linted
* Update privilege_escalation_uac_bypass_com_clipup.toml
* added tags
* changed rule name
* adjusted rule for more performance
* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-30 20:26:07 +01:00
Justin Ibarra
d0ba03230a
[Rule Tuning] Unusual File Modification by dns.exe (#472)
2020-11-30 08:22:27 -09:00
Brent Murphy
310f480027
[New Rule] O365 Exchange Safe Attachment Rule Disabled (#593)
* [New Rule] O365 Exchange Safe Attachment Rule Disabled
* update description
2020-11-30 12:06:42 -05:00
Brent Murphy
ba52c3d426
[New Rule] O365 Exchange Transport Rule Modification (#592)
* [New Rule] O365 Exchange Transport Rule Modification
* Update exfiltration_o365_exchange_transport_rule_mod.toml
* update description
2020-11-30 11:57:48 -05:00
Brent Murphy
3751095897
[New Rule] O365 Exchange Malware Filter Rule Modification (#590)
* [New Rule] O365 Exchange Malware Filter Rule Modification
* update description
2020-11-30 11:46:58 -05:00
Brent Murphy
a5960851c0
[New Rule] O365 Exchange Malware Filter Policy Deletion (#589)
* [New Rule] O365 Exchange Malware Filter Policy Deletion
* update description
2020-11-30 11:39:25 -05:00
Brent Murphy
bd6be63d88
[New Rule] O365 Exchange Anti-Phish Rule Modification (#586)
* [New Rule] O365 Exchange Anti-Phish Rule Modification
* bump severity
2020-11-30 11:25:20 -05:00
Brent Murphy
76ec49f764
[New Rule] O365 Exchange Anti-Phish Policy Deletion (#585)
* [New Rule] O365 Exchange Anti-Phish Policy Deletion
* bump severity
2020-11-30 11:19:17 -05:00
Brent Murphy
6b280fe7ed
[New Rule] O365 Exchange Transport Rule Creation (#579)
* [New Rule] O365 Exchange Transport Rule Creation
* bump severity
* Update exfiltration_o365_exchange_transport_rule_creation.toml
2020-11-30 11:09:30 -05:00
Brent Murphy
b21d32acf4
[New Rule] O365 Exchange Safe Link Policy Disabled (#577)
* Create initial_access_o365_exchange_safelinks_disabled.toml
* Update initial_access_o365_exchange_safelinks_disabled.toml
* linting
* update description
* update tags
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-30 10:52:33 -05:00
David French
33e731416d
Add badges to README.md (#596)
2020-11-30 06:14:08 -08:00
Ross Wolf
8f8e310377
Bump EQL dependency to 0.9.6 (#625)
2020-11-24 12:37:31 -07:00
dstepanic17
625b0ec771
[New-Rule] Suspicious WMI Image Load from MS Office (#551)
* image-load-wmi-ms-office
* Update rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Resolved linting after suggestion
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-20 08:34:02 -06:00
dstepanic17
517ee0dc03
image-load-sched-task-ms-office (#566)
2020-11-20 07:28:16 -06:00
Samirbous
1ebdcc8248
[New Rule] Suspicious RDP ActiveX Client Loaded (#588)
* [New Rule] Suspicious RDP ActiveX Client Loaded
* added exec from mounted device and UNC
* removed unnecessary exclusion
* Update rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
2020-11-20 10:43:12 +01:00
Samirbous
9d2a74ea1b
[New Rule] Connection to Commonly Abused Web Services (#476)
* [New Rule] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
* Update rules/windows/command_and_control_common_webservices.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* added notabug.org as suggested by Daniel
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-11-18 23:38:09 +01:00
Samirbous
161ea402fe
[New Rule] Kerberos Traffic from Unusual Process (#448)
* [New Rule] Kerberos Traffic from Unusual Process
* removed timeline_id
* adjusted args for better perf
* added potential rare FPs
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-18 22:07:49 +01:00
Samirbous
3e7be55a24
[New Rule] UAC Bypass via Windows Firewall Snap-in Hijack (#376)
* [New Rule] Bypass UAC via Windows Firewall Snap-in Hijack
* Delete workspace.xml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-18 20:36:59 +01:00
Samirbous
75ed0f8f92
[New Rule] UAC Bypass via ICMLuaUtil Elevated COM interface (#383)
* [New Rule] Bypass UAC via ICMLuaUtil Elevated COM interface
* added tags
* Update privilege_escalation_uac_bypass_com_interface_icmluautil.toml
* adjusted args to avoid leading wildcard
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* replaced wildcard with In
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-11-18 20:34:10 +01:00
Samirbous
14270a5614
[New Rule] Persistence via MS Office Addins (#381)
* [New Rule] Persistence via MS Office Addins
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* fixed extension and relaxed file.path
* updated references
* changed leading wildcard for perf
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-18 20:27:01 +01:00
David French
8f6eba8986
Tune metadata in Okta rules to align with the style of other rules (#491)
* rune-okta-rule-metadata
* update note field to include fleet integration info
* separate okta policy rule modification and deletion into two rules
* rename file to align with style of others
* fix syntax typo
* separate zone and policy deactivation, deletion, and modification actions into separate rules
* fix typo
* fix tpyo 🙃
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
2020-11-18 09:59:11 -07:00
David French
a05f160159
[New Rule] Application Added to Google Workspace Domain (#564)
* Create application_added_to_google_workspace_domain.toml
* Update rules/google-workspace/application_added_to_google_workspace_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/google-workspace/application_added_to_google_workspace_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-18 09:23:15 -07:00
David French
dd8c276e42
Create google_workspace_mfa_enforcement_disabled.toml (#563)
2020-11-18 09:20:31 -07:00
David French
4425bbf436
Create domain_added_to_google_workspace_trusted_domains.toml (#562)
2020-11-18 09:17:48 -07:00
David French
56bc91cc70
Create google_workspace_admin_role_deletion.toml (#561)
2020-11-18 09:15:53 -07:00
David French
10d4e5d8c9
[New Rule] Google Workspace Role Modified (#556)
* Create persistence_google_workspace_role_modified.toml
* fix tpyo 🙃
2020-11-18 09:13:44 -07:00
David French
acf8102607
Create persistence_google_workspace_custom_admin_role_created.toml (#555)
2020-11-18 09:10:50 -07:00
David French
72fee8d16f
Create persistence_google_workspace_admin_role_assigned_to_user.toml (#554)
2020-11-18 09:07:39 -07:00
David French
78b8d5c761
new-rule-mfa-disabled-for-google-workspace-organization (#553)
2020-11-18 09:05:07 -07:00
David French
6aca322cfd
[New Rule] Google Workspace Password Policy Modified (#552)
* new-rule-google-workspace-policy-modified
* lint rule
2020-11-18 09:02:59 -07:00
David French
f11e9f8302
[New Rule] Administrator Role Assigned to Okta User (#489)
* Create persistence_administrator_role_assigned_to_okta_user.toml
* set maturity to production
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Reorder references to put the most relevant at the top
* tweak rule name
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-18 08:59:23 -07:00
Samirbous
eb487f9433
[New Rule] Timestomping using Touch Command (#463)
* [New Rule] Timestomping using Touch Command
* Update defense_evasion_timestomp_touch.toml
* added macOS tag
* Update rules/linux/defense_evasion_timestomp_touch.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 23:29:47 +01:00
Justin Ibarra
ad4a2ef0eb
Add test commands to search and survey rule hits (#485)
2020-11-17 13:08:00 -09:00
Samirbous
abea5d0779
[New Rule] Prompt for Credentials with OSASCRIPT (#540)
2020-11-17 22:25:40 +01:00
Samirbous
4547ee3750
[New Rule] Suspicious Execution - Short Program Name (#536)
* [New Rule] Suspicious Execution - Short Program Name
* Update rules/windows/execution_suspicious_short_program_name.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:27:37 +01:00
Samirbous
4741f70fad
[New Rule] Potential Remote Desktop Tunneling Detected (#374)
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility
* Update lateral_movement_rdp_tunnel_plink.toml
* Update lateral_movement_rdp_tunnel_plink.toml
* changed tags
* expanded condition to more than plink
There are other SSH utilities that can be used like Plink, so the process original filename condition was removed and mandatory switches such as -L, -P and -R were added.
* Update lateral_movement_rdp_tunnel_plink.toml
* more args options
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:25:48 +01:00
Samirbous
14e36c2693
[New Rule] Security Software Discovery using WMIC (#387)
* [New Rule] Security Software Discovery using WMIC
* added tags
* adjusted args for performance
avoiding leading wildcard in process args
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:23:28 +01:00
Samirbous
ba4b8bc3e3
[New Rule] UAC Bypass via Elevated COM IEinstall (#450)
* [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer
* Linted
* Update privilege_escalation_uac_bypass_com_ieinstal.toml
* adjusted executable path for better performance
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:21:15 +01:00
Samirbous
3af915ff49
[New Rule] Suspicious Cmd Execution via WMI (#389)
* [New Rule] Suspicious Cmd Execution via WMI
* Update lateral_movement_suspicious_cmd_wmi.toml
* Update lateral_movement_suspicious_cmd_wmi.toml
* expanded process args for more coverage
* Update rules/windows/lateral_movement_suspicious_cmd_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-17 21:19:30 +01:00
David French
9d3395f9e3
Create okta_attempt_to_delete_okta_application.toml (#497)
2020-11-17 08:53:59 -07:00
David French
58e54f40e3
Create okta_attempt_to_deactivate_okta_application.toml (#496)
2020-11-17 08:51:51 -07:00
David French
768069a8bc
[New Rule] Attempt to Modify an Okta Application (#495)
* Create okta_attempt_to_modify_okta_application.toml
* add reference
2020-11-17 08:49:02 -07:00
David French
88b8bca929
Create persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml (#530)
2020-11-17 08:44:37 -07:00
Justin Ibarra
0573def41c
Merge pull request #528 from brokensound77/mergeback/7.10-to-main
Mergeback 7.10 changes to main
2020-11-12 20:49:04 +01:00
Justin Ibarra
00f8f83a25
Merge branch 'main' into mergeback/7.10-to-main
2020-11-12 20:28:42 +01:00
Ross Wolf
b91203233d
Link to the Elastic contributor program (#520)
2020-11-12 07:02:18 -07:00
brokensound77
75d37e9271
Merge remote-tracking branch 'upstream/main' into mergeback/7.10-to-main
2020-11-12 00:59:31 -09:00
brokensound77
123d523cf0
lock version changes for 7.10
2020-11-12 00:52:44 -09:00
Ross Wolf
8ca32f1423
Fix ClientError (NoneType) suffix
2020-11-09 11:08:36 -07:00
Justin Ibarra
f87f2a46f4
[Rule Tuning] Remove all rule timelines (#466)
2020-11-03 09:51:53 -09:00