security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,703 Commits 1 Branch 0 Tags
ba16e27edb87b8613dd7ddccabe3a7dc77a2bbdf
Commit Graph

1909 Commits

Author SHA1 Message Date
Terrance DeJesus ba16e27edb [Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570) 
* tuning 'Azure Service Principal Credentials Added'

* updated patch version

* added investigation guide

* updating patch version

* updating patch version
 2025-04-16 13:58:17 -04:00
Terrance DeJesus 1a6669e5a6 [Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562) 
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'

* updated MITRE ATT&CK mappings

* updated index target

* updated patch version

* updating patch version

* bumping patch version

* updating patch version
 2025-04-16 12:21:41 -04:00
Jonhnathan e11fe78846 [Rule Tuning] Suspicious WMI Event Subscription Created (#4618) 
* [Rule Tuning] Suspicious Execution via Scheduled Task

* [Rule Tuning] Suspicious WMI Event Subscription Created
 2025-04-16 10:05:20 -03:00
Jonhnathan 3eed0f5b6a [Rule Tuning] SSH Authorized Keys File Deletion (#4591) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-15 12:16:03 -03:00
Ruben Groenewoud 3b1f780435 [D4C Conversion] Converting Compatible D4C Rules to DR (#4532) 
* [D4C Conversion] Converting Compatible D4C Rules to DR

* added host.os.type

* Rename

* Update rules/linux/execution_container_management_binary_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-10 14:26:40 +02:00
Ruben Groenewoud 05c9f6bbdb [FN Tuning] Shared Object Created or Changed by Previously Unknown Pr… (#4529) 
* [FN Tuning] Shared Object Created or Changed by Previously Unknown Process

* Update process exclusions in TOML file

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-04-08 18:19:18 +02:00
Jonhnathan a5d9d6400a [Rule Tuning] Suspicious Execution via Scheduled Task (#4599) 2025-04-07 22:59:08 +05:30
shashank-elastic 3966981dae Add investigation guides (#4600) 2025-04-07 20:55:39 +05:30
Jonhnathan 9577d53284 [Rule Tuning] Add Host Metadata to ES|QL Aggregation Rules (#4592) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-07 12:00:14 -03:00
Colson Wilhoit 753e8d8200 [New] Unusual Network Connection to Suspicious Top Level Domain (#4563) 2025-04-03 14:22:41 -05:00
Colson Wilhoit d4b2a35237 [New] Unusual Network Connection to Suspicious Web Service (#4569) 
* [New] Unusual Network Connection to Suspicious Web Service

* Update rule threat order

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-03 14:02:03 -05:00
Jonhnathan e7806fc74f [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589) 2025-04-02 09:52:34 -03:00
Samirbous 6d8cfda10f Update defense_evasion_microsoft_defender_tampering.toml (#4573) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-04-01 18:04:29 +01:00
Terrance DeJesus c6e37d6910 [Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557) 
* tuning Azure rule for illicit grant activity; creating new rule for M365

* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml

* adjusted tags

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
 2025-03-27 15:55:04 -04:00
Terrance DeJesus 280140650a tuning 'Azure Conditional Access Policy Modified' (#4558) 2025-03-27 15:43:46 -04:00
Terrance DeJesus 2f3f4fbdef deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559) 2025-03-27 10:09:34 -04:00
shashank-elastic 2b3095a13c Update Max signals value to supported limits (#4556) 2025-03-27 09:02:25 +05:30
M. Visser 63c1f47689 [Rule Tuning] Added OWA (outlook for web) new AppID (#4568) 
* Added OWA (outlook for web) new AppID

**Title:** Add new Outlook for Web AppID to abnormal Microsoft 365 ClientAppID rule

**Description:**

This pull request updates the `initial_access_microsoft_365_abnormal_clientappid` rule to include the newly introduced Outlook for Web AppID:
- **New AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`

### Context

Outlook for Web (OWA) is migrating to a new authentication platform using MSAL and a Single Page Application (SPA) auth model. As part of this backend change, Microsoft is replacing the existing OWA AppID with a new one. This change is being rolled out during the first half of calendar year 2024, with full deployment expected by Q4 2024.
- **Old OWA AppID**: `00000002-0000-0ff1-ce00-000000000000`
- **New OWA AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`
    

Although no action is required for tenant administrators, this new AppID may show up in logs and should be accounted for in detections relying on known legitimate ClientAppIDs.

### Why this change?

The rule `initial_access_microsoft_365_abnormal_clientappid` flags potentially suspicious or unauthorized client applications accessing Microsoft 365 services. To prevent false positives caused by this official change from Microsoft, this PR adds the new OWA AppID to the allowlist.

### References
- Microsoft 365 Message Center notice (ref: MC715025)
- [MSAL documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)

* Update initial_access_microsoft_365_abnormal_clientappid.toml

Updated updated_date
 2025-03-26 15:15:28 -03:00
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
 2025-03-26 11:04:14 -04:00
Terrance DeJesus 5e12f05a36 fixing double header in investigation notes (#4490) 2025-03-25 09:08:13 -04:00
Terrance DeJesus db78756062 [New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535) 
* new rules for AWS DynamoDB data exfiltration

* bumping patch version

* adjusting investigation guide

* updating patch version

* updating patch version

* updating patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-21 10:05:24 -04:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Kirti Sodhi 955e973c00 Change description and name of problemchild ML detection-rules (#4545) 
Changed description and name of problemchild ML detection-rules
 2025-03-20 08:58:10 -04:00
Samirbous 28a06fd25f Update defense_evasion_posh_assembly_load.toml (#4543) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-20 05:13:28 -03:00
Eric Forte 5ccb7ed4af Min stack rules from 4516 (#4549) 2025-03-19 20:27:30 -04:00
Eric Forte 5b3dc4a4a7 Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548) 
This reverts commit 2ff8d1bb56.
 2025-03-19 20:08:08 -04:00
Kirti Sodhi 2ff8d1bb56 Add new ML detection rules for Privileged Access Detection (#4516) 
Add detection-rules for privileged access detection integration
 2025-03-19 11:02:28 -04:00
shashank-elastic 0993ced309 Deprecate Cloud Defend Rules (#4537) 2025-03-14 21:27:37 +05:30
Samirbous 290f0be959 Update defense_evasion_execution_suspicious_explorer_winword.toml (#4533) 2025-03-14 10:46:56 -03:00
Ruben Groenewoud d7d8c414ec [New Rule] File Creation in /var/log via Suspicious Process (#4528) 
* [New Rule] File Creation in /var/log via Suspicious Process

* ++

* ++
 2025-03-12 12:50:48 +01:00
Terrance DeJesus 3ed820afa8 [New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523) 
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'

* updating name

* added investigation guide

* updated investigation guide

* updated investigation guide

* removed unnecessary comment

* adjusted logic to count distinct on principal id; principal name will be in aggregations now

* updated Entra ID name
 2025-03-11 11:25:10 -04:00
Terrance DeJesus aacb376acf [New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524) 
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'

* updating tactic tag

* adjusted query logic for user type

* updated Entra ID name
 2025-03-11 11:05:56 -04:00
Terrance DeJesus fd1369a164 [New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525) 
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'

* linted; updated UUID

* adjusted rule name and logic to focus on any rare authentication requirements

* adjusted file name
 2025-03-11 10:51:01 -04:00
shashank-elastic e28512a32f Deprecation Notice to Cloud Defend Rules (#4520) 
* Deprecation Notice to Cloud Defend Rules

* Udpate names in investigation guide

* Adding deprecation note under Setup field

* reverting back to setup field name

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2025-03-07 00:20:00 -05:00
Ruben Groenewoud 561ab703de [New Rule] Uncommon Destination Port Connection by Web Server (#4515) 2025-03-06 22:01:33 +05:30
Ruben Groenewoud fe0a9f4935 [New/Tuning] Docker Socket Enumeration (#4510) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 17:07:10 +01:00
Ruben Groenewoud 8dfa5da3bf [New Rules] Potential Port/Subnet Scanning Activity from Compromised Host (#4509) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 16:57:33 +01:00
Ruben Groenewoud fe06843636 [New Rule] Unusual Process Spawned from Web Server Parent (#4513) 2025-03-06 16:46:12 +01:00
Ruben Groenewoud 7ce6aaf566 [New Rule] Unusual Command Execution from Web Server Parent (#4512) 
* [New Rule] Unusual Command Execution from Web Server Parent

* ++
 2025-03-06 16:25:38 +01:00
Kirti Sodhi a1d6ff4a50 Added ML detection-rules for new Security Host package (#4519) 
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
 2025-03-06 19:53:29 +05:30
Mika Ayenson, PhD 49c361dd98 [New Rules] Azure OpenAI (#3701) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-03-04 22:59:38 +05:30
Samirbous b1470a480b [New] WDAC Policy File by an Unusual Process (#4504) 
* [New] WDAC Policy File by an Unusual Process

https://github.com/logangoins/Krueger/tree/main

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update defense_evasion_wdac_policy_by_unusual_process.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-03-04 15:21:58 +00:00
shashank-elastic 467034ee5b Deprecate an APM BBR rule (#4511) 2025-03-04 17:39:45 +05:30
Ruben Groenewoud b9e8115c2f [New Rule] Python Site or User Customize File Creation (#4500) 
* [New Rule] Python Site or User Customize File Creation

* Update persistence_site_and_user_customize_file_creation.toml

* Update persistence_site_and_user_customize_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:30:33 +01:00
Ruben Groenewoud d948279af6 [New Rule] Python Path File (pth) Creation (#4499) 
* [New Rule] Python Path File (pth) Creation

* ++

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:20:00 +01:00
Ruben Groenewoud f70eafb8e7 [New Rule] Successful SSH Authentication from Unusual User (#4481) 
* [New Rule] Succesful SSH Authentication from Unusual User

* Rename initial_access_first_time_public_key_authentication.toml to initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-03 11:55:27 +01:00
Jonhnathan 5653190d08 [Rule Tuning] Remove hardcoded logic from description (#4503) 2025-02-28 14:38:18 -03:00
Ruben Groenewoud 06002cd9ac [New Rule] Kill Command Execution (#4485) 
* [New Rule] Kill Command Execution

* Update defense_evasion_kill_command_executed.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:26:50 +01:00
Ruben Groenewoud 9bb3b9f204 [New Rule] Unusual File Transfer Utility Launched (#4487) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:15:21 +01:00
Ruben Groenewoud 029fd45bb1 [New Rule] Base64 Decoded Payload Piped to Interpreter (#4488) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:01:52 +01:00