security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,703 Commits 1 Branch 0 Tags
ba16e27edb87b8613dd7ddccabe3a7dc77a2bbdf
Commit Graph

13 Commits

Author SHA1 Message Date
Ruben Groenewoud b13d6bf314 [New Hunt] Persistence via NetworkManager Dispatcher Script (#4408) 2025-02-06 09:33:42 +01:00
Ruben Groenewoud 802419178c [New Hunt] Persistence via Desktop Bus (D-Bus) (#4407) 2025-02-05 16:45:17 +01:00
Ruben Groenewoud 1aea556998 [New Hunt] Persistence via PolicyKit (#4406) 
* [New Hunt] Persistence via PolicyKit

* ++
 2025-02-05 16:29:47 +01:00
Ruben Groenewoud 6fa8a862a2 [New Hunt] General Kernel Manipulation (#4403) 
* [New Hunt] General Kernel Manipulation

* Update index.yml
 2025-02-05 16:18:51 +01:00
Ruben Groenewoud b1a8341371 [Hunt Tuning] Logon Activity by Source IP (#4428) 2025-01-31 15:44:38 +01:00
Ruben Groenewoud bbcf0c7c34 [New Hunt] Persistence via Initramfs (#4402) 
* [New Hunt] Persistence via Initramfs

* Update index.yml
 2025-01-27 10:19:44 +01:00
Ruben Groenewoud 80fe96109b [New & Tuning] Persistence via GRUB Bootloader (#4401) 
* [New & Tuning] Persistence via GRUB Bootloader

* testing github version code workflow update

* testing github version code workflow re-order

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2025-01-27 09:58:43 +01:00
Ruben Groenewoud e822af47a4 [Hunt Tuning] Persistence via SSH Configurations and/or Keys (#4351) 
* [Hunt Tuning] Persistence via SSH Configurations and/or Keys

* ++

* Revert "Merge branch 'main' into hunt-update-ssh-authorized-keys"

This reverts commit 2b31a3bb49e51a4c9f4752ad6880c3f398032b4e, reversing
changes made to 263ffd5eb98f53282850b4f777df4091f3f03926.

* ++

* Update pyproject.toml
 2025-01-13 16:53:09 +01:00
Ruben Groenewoud a2b280a6fd [New Hunts] Adding Several Hunting PRs into this Main PR (#4342) 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-01-07 14:29:17 +01:00
Ruben Groenewoud 21485b16fa [Tuning & Changes] Misc rule/hunt tuning (#3875) 
* [Tuning & Changes] Misc rule/hunt tuning

* Bump update_date

* ++

* Updated docs
 2024-07-11 14:55:33 +02:00
Terrance DeJesus 70411664cf [Bug] Normalize Hunting Index Link Generation (#3872) 
* normalizing hunting link generation

* replacing header

* adjusting quotes in f-strings

* added source file to metadata

* removed os dependency

* address bug in source file links

* reverting TOML loading

* change all List type hinting to list

* change all List type hinting to list

* fixed accented characters in queries

* reverted accent character removal; moved macos query and MD to macos folder
 2024-07-10 11:01:59 -04:00
Ruben Groenewoud b230f8372a [New Hunt] Persistence through System V Init (#3871) 
* [New Hunt] Persistence through System V Init

* regenerating docs

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-08 16:35:54 +02:00
Terrance DeJesus f0b2cb7c87 [New Hunt] Add Initial Linux Hunting Files (#3847) 
* added 'Uncommon Process Execution from Suspicious Directory' hunt

* adds all linux hunting files

* moves linux hunting files to queries folder

* adds generated docs

* fixing windows hunts

* fixing windows hunts

* updated README

* Removed 2, updated a few, changed some names/descriptions and added list of str

* updated windows for language schema changes, regenerated docs; updated README and index

* changed UUIDs to hex only with standard hyphen format

* removing unecessary docs

* Fixed queries based on Samir feedback

* ++

* regenerating linux docs

* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Updates

* Update

* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Updates

* regenerating linux docs

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-07-05 20:01:12 +02:00