security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,720 Commits 1 Branch 0 Tags
bbfc026c95fbd9491cdbd06e779e1598ad63a31f
Commit Graph

2720 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Terrance DeJesus bbfc026c95 [New Hunt] New Hunting Queries for DPRK ByBit (#4644) 
* new hunting queries for macOS DPRK

* added docker hunting queries
 2025-04-23 16:41:23 -04:00
Samirbous ea31143b83 [New] Suspicious Azure Sign-in via Visual Studio Code (#4639) 
* Create initial_access_entra_login_visual_code_phish.toml

* Update non-ecs-schema.json

* Update initial_access_entra_susp_visual_code_signin.toml

* Update pyproject.toml

* Update initial_access_entra_susp_visual_code_signin.toml

* Update non-ecs-schema.json
 2025-04-23 14:06:05 +01:00
Samirbous f8e91be329 [New] RemoteMonologue Attack rules (#4604) 
* [New] RemoteMonologue Attack rules

https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1
    https://github.com/xforcered/RemoteMonologue

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_ntlm_downgrade.toml

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-04-22 15:26:57 -03:00
Jonhnathan 1bab74179e [New Rule] Potential Malicious PowerShell Based on Alert Correlation (#4635) 
* [New Rule] Potential Malicious PowerShell Based on Alert Correlation

* Update execution_posh_malicious_script_agg.toml
 2025-04-22 13:36:04 -03:00
Colson Wilhoit c80319d462 [Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547) 2025-04-22 21:23:01 +05:30
Jonhnathan 8361cfd205 [New Rule] Potential PowerShell Obfuscation via String Reordering (#4595) 
* [New Rule] Potential PowerShell Obfuscation via String Reordering

* Update defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml

* Update defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
 2025-04-22 12:26:55 -03:00
Jonhnathan 364d9dd3bc [New Rule] Threat Intel Email Indicator Match (#4598) 
* [New Rule] Threat Intel Email Indicator Match

* Update threat_intel_indicator_match_email.toml

* Update pyproject.toml

* Adds IG

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2025-04-22 12:15:36 -03:00
Jonhnathan a495b4b9b2 [Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs (#4627) 2025-04-22 11:59:06 -03:00
Jonhnathan a9f99137f3 [New Rule] Dynamic IEX Reconstruction via Method String Access (#4634) 2025-04-22 11:47:03 -03:00
Colson Wilhoit 4ef72457d3 [Tuning] MacOS DR Tuning PR (#4546) 
* [Tuning] MacOS DR Tuning PR

* tunings

* tuning

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_script_via_automator_workflows.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* fix

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-04-21 17:32:05 -05:00
Terrance DeJesus c58d59eeb7 [New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625) 
* adding new rule 'AWS CLI with Kali Linux Fingerprint Identified'

* updating rule logic

* updating mitre mapping

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-04-21 12:06:57 -04:00
Terrance DeJesus 94237798a5 [New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626) 
* adding new rule 'AWS IAM Virtual MFA Device Registration Attempt with Session Token'

* updating rule

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-04-21 11:02:14 -04:00
Terrance DeJesus 96c2d0ca85 [New Rule] Adding Coverage for AWS Temporary User Session Token Used from Multiple Addresses (#4624) 
* adding new rule 'AWS STS Temporary IAM Session Token Used from Multiple Addresses'

* updating rule assets

* updating mitre mapping

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-04-17 16:06:40 -04:00
Eric Forte 62feac3348 [Bug] Update Schema Prompt to include new_terms_fields (#4567) 
* Update Schema Prompt to include new_terms_fields

* Version Bump

* Ensure list of strings

* Update utils to support comma deliminated strings

* Also remove excess quotes

* Bump patch version

* Remove Union

* bump version
 2025-04-17 10:45:51 -04:00
Frederik Berg 6cb238bedb [Enhancement] Add flag to export rules via KQL search on name (#4594) 
* Add flag to export rules via KQL search on name

* Add KQL to help text

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* version patch bump

* flake8 trimming

* pyproject bump

* Bump version

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2025-04-16 18:40:46 -04:00
Frederik Berg 9b682b752c Feature exclude tactic name (#4593) 
* Added new cli flag to exclude tactic name in rule file name

* added a shortcut for the flag and adjusted CLI readme

* Add no tactic flag also to import to prevent warnings

* Added info about unit test

* version bump

* Added no_tactic_filename as config option + fixed linting

* pyproject version bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-04-16 16:02:14 -04:00
Eric Forte 033c82858c [FR] Add Support for Local Dates Flag (#4582) 
* Add support for local dates flag

* Use two variables

* Add support for import-rules-to-repo

* Revert arg formatting

* Update comment

* Pass Rule Path as Path Object

* Update to rule loader function

* Streamline metadata function

* Also support dictionaries

* Bump patch version

* Reduce complexity

* Add if path exists check

* Fix version bump
 2025-04-16 15:41:09 -04:00
Terrance DeJesus ba16e27edb [Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570) 
* tuning 'Azure Service Principal Credentials Added'

* updated patch version

* added investigation guide

* updating patch version

* updating patch version
 2025-04-16 13:58:17 -04:00
Terrance DeJesus 1a6669e5a6 [Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562) 
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'

* updated MITRE ATT&CK mappings

* updated index target

* updated patch version

* updating patch version

* bumping patch version

* updating patch version
 2025-04-16 12:21:41 -04:00
Jonhnathan e11fe78846 [Rule Tuning] Suspicious WMI Event Subscription Created (#4618) 
* [Rule Tuning] Suspicious Execution via Scheduled Task

* [Rule Tuning] Suspicious WMI Event Subscription Created
 2025-04-16 10:05:20 -03:00
Jonhnathan 3eed0f5b6a [Rule Tuning] SSH Authorized Keys File Deletion (#4591) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-15 12:16:03 -03:00
Eric Forte ea7de8230c [FR] Add Kibana Action Connector Error to Exception List Workaround (#4583) 
* Add error catch for workaround

* Switch to set for efficiency

* Patch version bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-15 09:18:50 -04:00
Eric Forte 108b64f0c2 [FR] Update Detection Rules MITRE Workflow to SHA Pin (#4581) 
* Update to pinned hash

* version bump
 2025-04-15 09:03:34 -04:00
shashank-elastic 595d204fe6 Remove Task List reference (#4605) 2025-04-15 09:22:56 +05:30
Ruben Groenewoud 3b1f780435 [D4C Conversion] Converting Compatible D4C Rules to DR (#4532) 
* [D4C Conversion] Converting Compatible D4C Rules to DR

* added host.os.type

* Rename

* Update rules/linux/execution_container_management_binary_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-10 14:26:40 +02:00
Ruben Groenewoud 05c9f6bbdb [FN Tuning] Shared Object Created or Changed by Previously Unknown Pr… (#4529) 
* [FN Tuning] Shared Object Created or Changed by Previously Unknown Process

* Update process exclusions in TOML file

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-04-08 18:19:18 +02:00
github-actions[bot] fbddc2e659 Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4601) 2025-04-08 18:25:47 +05:30
Jonhnathan a5d9d6400a [Rule Tuning] Suspicious Execution via Scheduled Task (#4599) 2025-04-07 22:59:08 +05:30
shashank-elastic 3966981dae Add investigation guides (#4600) 2025-04-07 20:55:39 +05:30
Jonhnathan 9577d53284 [Rule Tuning] Add Host Metadata to ES|QL Aggregation Rules (#4592) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-07 12:00:14 -03:00
Colson Wilhoit 753e8d8200 [New] Unusual Network Connection to Suspicious Top Level Domain (#4563) 2025-04-03 14:22:41 -05:00
Colson Wilhoit d4b2a35237 [New] Unusual Network Connection to Suspicious Web Service (#4569) 
* [New] Unusual Network Connection to Suspicious Web Service

* Update rule threat order

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-03 14:02:03 -05:00
Mika Ayenson, PhD 8bb5e2493b Update docset.yml (#4590) 
Remove diagnostic hint
 2025-04-03 13:46:01 -05:00
Jonhnathan e7806fc74f [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589) 2025-04-02 09:52:34 -03:00
Samirbous 6d8cfda10f Update defense_evasion_microsoft_defender_tampering.toml (#4573) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-04-01 18:04:29 +01:00
Terrance DeJesus c6e37d6910 [Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557) 
* tuning Azure rule for illicit grant activity; creating new rule for M365

* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml

* adjusted tags

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
 2025-03-27 15:55:04 -04:00
Terrance DeJesus 280140650a tuning 'Azure Conditional Access Policy Modified' (#4558) 2025-03-27 15:43:46 -04:00
Terrance DeJesus 2f3f4fbdef deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559) 2025-03-27 10:09:34 -04:00
github-actions[bot] 51826ed32f Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4571) 2025-03-27 09:42:15 +05:30
shashank-elastic 2b3095a13c Update Max signals value to supported limits (#4556) 2025-03-27 09:02:25 +05:30
M. Visser 63c1f47689 [Rule Tuning] Added OWA (outlook for web) new AppID (#4568) 
* Added OWA (outlook for web) new AppID

**Title:** Add new Outlook for Web AppID to abnormal Microsoft 365 ClientAppID rule

**Description:**

This pull request updates the `initial_access_microsoft_365_abnormal_clientappid` rule to include the newly introduced Outlook for Web AppID:
- **New AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`

### Context

Outlook for Web (OWA) is migrating to a new authentication platform using MSAL and a Single Page Application (SPA) auth model. As part of this backend change, Microsoft is replacing the existing OWA AppID with a new one. This change is being rolled out during the first half of calendar year 2024, with full deployment expected by Q4 2024.
- **Old OWA AppID**: `00000002-0000-0ff1-ce00-000000000000`
- **New OWA AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`
    

Although no action is required for tenant administrators, this new AppID may show up in logs and should be accounted for in detections relying on known legitimate ClientAppIDs.

### Why this change?

The rule `initial_access_microsoft_365_abnormal_clientappid` flags potentially suspicious or unauthorized client applications accessing Microsoft 365 services. To prevent false positives caused by this official change from Microsoft, this PR adds the new OWA AppID to the allowlist.

### References
- Microsoft 365 Message Center notice (ref: MC715025)
- [MSAL documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)

* Update initial_access_microsoft_365_abnormal_clientappid.toml

Updated updated_date
 2025-03-26 15:15:28 -03:00
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
 2025-03-26 11:04:14 -04:00
Eric Forte 2d2c5b4d88 [Bug] Update Custom Rules Markdown Location (#4565) 
* Update to custom-rules markdown location

* bump version

* Update link reference
 2025-03-26 10:00:52 -04:00
Terrance DeJesus 5e12f05a36 fixing double header in investigation notes (#4490) 2025-03-25 09:08:13 -04:00
Martijn Laarman 3bbe24d154 Create new detection rule set documentation to be included in the new docs. (#4508) 
* move docs folder to docs-dev

* Add new docs folder

* update docset.yml to reflect latest usage

* Add rules_building_block folder

* revert changes to docs-dev/experimental-machine-learning/url-spoof.md

* bump patch versions

* revert bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-03-24 17:23:06 +01:00
Sergey Polzunov 65170c394b fix: removing outdated code in Kibana client auth (#4495) 
* Simplify kibana session management

* Drop removed options from `kibana_args` set

* Style fix

* Patch version bump

* Bumping kibana lib version

* Relax CLI requirement, making `api_key` optional, to allow `help` to run
 2025-03-24 12:28:36 +01:00
Terrance DeJesus db78756062 [New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535) 
* new rules for AWS DynamoDB data exfiltration

* bumping patch version

* adjusting investigation guide

* updating patch version

* updating patch version

* updating patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-21 10:05:24 -04:00
Eric Forte 75b2b5cb6a [FR] Bump changed-files Version to Patched Version (#4542) 
* Bump changed-files Version to Patched Version

* patch bump

* reenable workflow

* Use full length commit hash

* Bump 44 to 46

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-03-20 12:58:21 -04:00
Martijn Laarman cd9ec7838c [ci] Add new docs-builder automation. (#4507) 
* Add new docs automation

* Add path-pattern filters for documentation folders

* Update .github/workflows/docs-build.yml

Co-authored-by: Jan Calanog <nejcalanog@gmail.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jan Calanog <nejcalanog@gmail.com>
Co-authored-by: Sergey Polzunov <traut@users.noreply.github.com>
 2025-03-20 17:20:27 +01:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30