security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,192 Commits 1 Branch 0 Tags
baee89de9b05aca705fa4f99de421ab62744680b
Commit Graph

325 Commits

Author SHA1 Message Date
eric-forte-elastic baee89de9b Revert "Prep for next release 8.16 (#3914)" 
This reverts commit 4245a815d2.
 2024-07-23 14:06:04 -04:00
shashank-elastic 4245a815d2 Prep for next release 8.16 (#3914) 
* Prep for Release 8.16

* Add subscription

* Remove double subscription

* Formatting

* Formatting

* Revert Beaconing rules minstack and lock version
 2024-07-23 13:04:03 -04:00
Mika Ayenson 03c99d22d3 Revert "Prep for Release 8.16 (#3913)" 
This reverts commit 01135085f6.
 2024-07-23 09:50:04 -05:00
shashank-elastic 01135085f6 Prep for Release 8.16 (#3913) 2024-07-23 09:42:26 -05:00
Ruben Groenewoud a71bbe0cf8 [Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905) 
* [Rule Tuning] Misc. DR Rule Tuning - Part 2

* ++

* Update privilege_escalation_suspicious_uid_guid_elevation.toml

* Update rules/linux/persistence_systemd_service_creation.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-19 15:21:35 +02:00
Ruben Groenewoud 76fdd549a3 [Rule Tuning] Misc. DR Rule Tuning (#3904) 
* [Rule Tuning] Misc. DR Rule Tuning

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml

* I love KQL validation
 2024-07-19 15:13:42 +02:00
Ruben Groenewoud 39350847d6 [New Rules] Git Hook execution/netcon (#3896) 
* [New Rules] Git Hook execution/netcon

* TImestamp formatting change

* Update rules/linux/persistence_git_hook_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-17 15:28:37 +02:00
Ruben Groenewoud 83d6eeb844 [New Rule] RPM Package Installed by Unusual Parent Process (#3882) 
* [New Rule] RPM Package Installed by Unusual Parent Process

* Update persistence_rpm_package_installation_from_unusual_parent.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
 2024-07-17 15:12:17 +02:00
Ruben Groenewoud 8c5910b1a6 [New Rule] Unsafe Docker Container Creation (#3884) 
* [New Rule] Unsafe Docker Container Creation

* Update execution_potentially_overly_permissive_container_creation.toml

* Update execution_potentially_overly_permissive_container_creation.toml

* Update execution_potentially_overly_permissive_container_creation.toml
 2024-07-17 15:03:07 +02:00
Ruben Groenewoud e5d08a2c38 [Rule Tuning] Updated setup guide (#3885) 
* [Rule Tuning] Updated setup guide

* Update persistence_user_or_group_creation_or_modification.toml

* Update rules/linux/persistence_user_or_group_creation_or_modification.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update rules/linux/persistence_user_or_group_creation_or_modification.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-07-17 14:39:38 +02:00
Ruben Groenewoud 56e8e059b6 [New Rules] Docker Entrypoint Netcon / Nsenter Escape (#3883) 
* [New Rules] Docker entrypoint netcon / nsenter escape

* ++

* Update privilege_escalation_docker_escape_via_nsenter.toml

* Update privilege_escalation_docker_escape_via_nsenter.toml

* Better description formatting

* Update execution_egress_connection_from_entrypoint_in_container.toml

* Update privilege_escalation_docker_escape_via_nsenter.toml
 2024-07-15 13:07:36 +02:00
Ruben Groenewoud 82a0cc80a7 [New Rules] DPKG Execution/Installation (#3879) 
* [New Rules] DPKG Execution/Installation

* Update rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml

* Update persistence_dpkg_package_installation_from_unusual_parent.toml

* Update persistence_dpkg_unusual_execution.toml

* Update persistence_dpkg_unusual_execution.toml
 2024-07-15 12:59:03 +02:00
Ruben Groenewoud 21485b16fa [Tuning & Changes] Misc rule/hunt tuning (#3875) 
* [Tuning & Changes] Misc rule/hunt tuning

* Bump update_date

* ++

* Updated docs
 2024-07-11 14:55:33 +02:00
Joe Desimone 6a2f5e7138 [Bug] Persistence ssh key generation index pattern (#3873) 
* fix persistence_ssh_key_generation.toml

* Update persistence_ssh_key_generation.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-08 10:27:52 -03:00
Ruben Groenewoud 64f0e258cb [New Rule] Linux Shadow File Modification (#3737) 
* [New Rule] Linux User Account Password Change

* Update rules/linux/persistence_user_password_change.toml

* Update persistence_user_password_change.toml

* Update persistence_user_password_change.toml

* Update persistence_user_password_change.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 10:03:24 +02:00
Ruben Groenewoud b311d49c2a [New Rules] Git Hook Execution/File Creation (#3832) 
* [New Rules] Git Hook Execution/File Creation

* Update rules/linux/persistence_git_hook_file_creation.toml

* Update persistence_git_hook_process_execution.toml
 2024-06-28 11:34:32 +02:00
Ruben Groenewoud f33c25b118 [New Rule] DNF Package Manager Plugin File Creation (#3822) 
* [New Rule] DNF Package Manager Plugin File Creation

* Update persistence_dnf_package_manager_plugin_file_creation.toml
 2024-06-28 11:14:48 +02:00
Ruben Groenewoud edc501accf [New Rules] rc.local Execution Rules (#3813) 
* [New Rules] rc.local Execution Rules

* ++

* Update rules/linux/persistence_rc_local_error_via_syslog.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-06-28 09:59:26 +02:00
Ruben Groenewoud cd4fe07c2c [New Rule & Tuning] Systemd Generator Created (#3801) 2024-06-27 22:00:48 +02:00
Ruben Groenewoud e941645b2f [Rule Tuning] rc.local/rc.common File Creation (#3805) 2024-06-27 21:50:49 +02:00
Ruben Groenewoud 68bf4e453e [Rule Tuning] System V Init Script Created (#3811) 2024-06-27 21:38:34 +02:00
Ruben Groenewoud 460b314f49 [Rule Tuning] Executable Bit Set for Potential Persistence Script (#3812) 
* [Rule Tuning] Executable Bit Set for Potential Persistence Script

* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml

* Update persistence_potential_persistence_script_executable_bit_set.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-06-27 21:29:30 +02:00
Ruben Groenewoud c3ba7b1262 [New Rule] Privilege Escalation via SUID/SGID (#3793) 
* [New Rule] Privilege Escalation via SUID/SGID

* unit test error fix?

* Update rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
 2024-06-27 16:50:09 +02:00
Ruben Groenewoud 0ca16a1516 [New Rule] User or Group Creation/Modification (#3804) 2024-06-27 16:35:25 +02:00
Ruben Groenewoud 6746a421c4 [New Rules] Yum Plugin Creation / Discovery (#3820) 
* [New Rules] Yum Plugin Creation / Discovery

* Update discovery_yum_plugin_detection.toml

* Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml
 2024-06-25 16:14:28 +02:00
Ruben Groenewoud c87c4c9f5d [New Rules] PAM Module Creation & Unusual PAM Grantor (#3743) 
* [New Rules] PAM Module Creation & Unusual PAM Grantor

* Update persistence_unusual_pam_grantor.toml

* Update persistence_pluggable_authentication_module_creation.toml

* Update rules/linux/persistence_pluggable_authentication_module_creation.toml

* Update persistence_pluggable_authentication_module_creation.toml

* Update persistence_unusual_pam_grantor.toml

* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
 2024-06-11 11:51:33 +02:00
Ruben Groenewoud 4cf0c2b9af [Rule Tuning] Systemd-udevd Rule File Creation (#3738) 
* [Rule Tuning] Systemd-udevd Rule File Creation

* Incompatible endgame field

* Update rules/linux/persistence_udev_rule_creation.toml

* Update rules/linux/persistence_udev_rule_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_udev_rule_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update persistence_udev_rule_creation.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-11 11:40:54 +02:00
Ruben Groenewoud 4003219aa1 [New Rule] APT Package Manager Configuration File Creation (#3739) 
* [New Rule] APT Package Manager Configuration File Creation

* Update rules/linux/persistence_apt_package_manager_file_creation.toml

* Update persistence_apt_package_manager_file_creation.toml
 2024-06-11 09:43:35 +02:00
Ruben Groenewoud 74f049cc7c [New Rule] Network Connection Initiated by SSH Parent Process (#3759) 
* [New Rule] Network Connection Initiated by SSH Parent Process

* Update persistence_ssh_netcon.toml

* Update rules/linux/persistence_ssh_netcon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_ssh_netcon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update persistence_ssh_netcon.toml

* Update persistence_ssh_netcon.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-10 10:30:45 +02:00
Ruben Groenewoud 29bb52d2fb [New Rule] Netcon through XDG Autostart Entry (#3741) 
* [New Rule] Netcon through XDG Autostart Entry

* Update rules/linux/persistence_xdg_autostart_netcon.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update persistence_xdg_autostart_netcon.toml

* Update persistence_xdg_autostart_netcon.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-06-10 10:17:09 +02:00
Ruben Groenewoud 70496f813f [New Rule] Executable Bit Set for rc.local/rc.common (#3736) 
* [New Rule] Executable Bit Set for rc.local/rc.common

* Endgame compatibility

* Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
 2024-06-10 09:57:14 +02:00
Ruben Groenewoud d3e2f70ce2 [New Rule] Process Capability Set via setcap Utility (#3744) 
* [New Rule] Process Capability Set via setcap Utility

* ++

* Update rules/linux/persistence_process_capability_set_via_setcap.toml
 2024-06-06 12:44:31 +02:00
Ruben Groenewoud 8e6114f76c [Rule Tuning] System Binary Moved or Copied (#3742) 
* [Rule Tuning] System Binary Moved or Copied

* Added reference

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_binary_copied_to_suspicious_directory.toml
 2024-06-06 12:24:48 +02:00
Ruben Groenewoud 61ab035f41 [Rule Tuning] Potential Sudo Hijacking (#3745) 
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml
 2024-06-06 11:59:26 +02:00
Ruben Groenewoud 342fde097f [New Rule] SSH Key Generated via ssh-keygen (#3731) 
* [New Rule] SSH Key Generated via ssh-keygen

* ++

* Update rules/linux/persistence_ssh_key_generation.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-06-06 11:50:38 +02:00
Ruben Groenewoud 5f36f3a03e [Rule Tuning] Shell Configuration Creation or Modification (#3732) 
* [Rule Tuning] Shell Configuration Creation or Modification

* Incompatible endgame field

* Update rules/linux/persistence_shell_configuration_modification.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-05 10:28:13 +02:00
Ruben Groenewoud e41a57f2ad [Rule Tuning] Message-of-the-Day (MOTD) (#3730) 
* [Rule Tuning] Message-of-the-Day (MOTD)

* Update persistence_message_of_the_day_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-05 10:18:30 +02:00
Ruben Groenewoud bebf671881 [Rule Tuning] Systemd Service & Timer (#3728) 
* [Rule Tuning] Systemd Service & Timer

* Update

* Update persistence_systemd_scheduled_timer_created.toml

* Update persistence_systemd_service_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_systemd_service_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-05 10:01:15 +02:00
Ruben Groenewoud 81ee6380ec [New Rule & Tuning] (Ana)Cron & At Job Creation (#3726) 
* [New Rule & Tuning] (Ana)Cron & At Job Creation

* Update persistence_at_job_creation.toml

* Update persistence_cron_job_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_at_job_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_cron_job_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-06-05 09:53:42 +02:00
shashank-elastic e357a2c050 Refresh MITRE Attack v15.1.0 (#3725) 2024-06-04 20:14:58 +05:30
Ruben Groenewoud 390629da4e [New Rule & Tunings] Linux Springtail Backdoor (#3692) 
* [New Rules and Tuning] Springtail backdoor

* consistency formatting

* update

* unit testing formatting change

* Update persistence_systemd_service_started.toml

* Update persistence_systemd_service_started.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
 2024-05-24 10:10:11 +02:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Justin Ibarra ce21acef9c [Bug] Fix test_os_and_platform_in_query test and rules (#3695) 
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2024-05-20 08:43:30 -07:00
Ruben Groenewoud e29994c338 [New Rule] Shell Configuration Modification (#3629) 
* [New Rule] Shell Configuration Modification

* description update

* uuid update

* query update

* query update

* Update rules/linux/persistence_shell_configuration_modification.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-04-30 13:41:13 +02:00
Ruben Groenewoud 115c3a6dfd [Rule Tuning] Linux DRs (#3628) 2024-04-30 13:26:09 +02:00
Mirko Bez 153657029b Add filebeat-* index pattern to rules based on system.auth dataset (#3561) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-03 11:27:31 +02:00
Samirbous f2490007e8 [New] Potential Execution via XZBackdoor (#3555) 
* [New] Potential Execution via XZBackdoor

* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-02 05:15:04 +01:00
Ruben Groenewoud a6028b43b3 [Rule Tuning] Potential Reverse Shell via UDP (#3508) 2024-03-21 13:48:41 +01:00