security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,170 Commits 1 Branch 0 Tags
bd345d4c19137ffad5bedfc62a22cec8f2629709
Commit Graph

90 Commits

Author SHA1 Message Date
Isai 44658ea5f6 [Rule Tunings] Change from to prevent double alerts (#3868) 2024-07-11 13:02:10 -04:00
Isai f0ab897f99 [Rule Tunings] AWS Administrator Access Policy Attached Rules (#3867) 
* [Tuning] AWS Administrator Access Policy Attached Rules

* change lookback to prevent overlap

* changed from to now-6m
 2024-07-11 12:49:03 -04:00
Isai 215d5a0861 [New Rule] AWS S3 Object Encryption Using External KMS Key (#3861) 
* [New Rule] AWS S3 Object Encryption Using External KMS Key

Identifies encryption events for S3 bucket objects using an AWS KMS key from an external account. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.

* Update impact_s3_object_encryption_with_external_key.toml

* Update impact_s3_object_encryption_with_external_key.toml

* missing coma after tag

* missing backslash on technique reference
 2024-07-05 12:25:55 -04:00
Isai 83be212632 [New Rule] AWS RDS DB Instance Made Public (#3836) 
* [New Rule] AWS RDS DB Instance Made Public

...

* Apply suggestions from code review

* added coverage for instances created with public access

* rule review edits

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-03 01:01:52 -04:00
Isai 3a5c5c20a8 [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled (#3851) 
* [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Removed

...

* insert rule_id

* rule name change
 2024-07-02 17:22:03 -04:00
Isai 9f4956f542 [New Rule] AWS RDS DB Instance or Cluster Password Modified (#3844) 
* [New Rule] AWS RDS DB Instance or Cluster Password Modified

..

* Update rules/integrations/aws/persistence_rds_db_instance_password_modified.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-02 16:14:51 -04:00
Isai 43fbf94d8a [New Rule] AWS RDS Snapshot Shared with Another Account (#3831) 
* [New Rule] AWS RDS DB Snapshot Shared with Another Account

...

* Update exfiltration_rds_snapshot_shared_with_another_account.toml

* edit threat matrix format

* Apply suggestions from code review

* Update rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-02 15:36:44 -04:00
Isai aaf014390b [New Rule] AWS RDS Snapshot Deleted (#3852) 
* [New Rule] AWS RDS Snapshot Deleted

* added coverage for backupRetentionPeriod set to 0
 2024-07-02 14:01:15 -04:00
Terrance DeJesus d59d462956 [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#3854) 
* tuning 'Potential AWS S3 Bucket Ransomware Note Uploaded'

* adding filter to ignore common AWS object path strings
 2024-07-02 13:02:52 -04:00
Isai f62644887e [Rule Tuning] AWS RDS Snapshot Restored (#3809) 
* [Tuning] AWS RDS Instance Restored

-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added

* Update defense_evasion_rds_instance_restored.toml

* Update defense_evasion_rds_instance_restored.toml

* removed investigation guide place holder

* deprecated old rule because of name change

* change rule_id

* Revert "change rule_id"

This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.

* Revert "deprecated old rule because of name change"

This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.
 2024-06-28 20:42:36 -04:00
Isai 2708a89f20 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) 
* [New Rule] AWS IAM User Created Access Keys for Another User

...

* updated min_stack and removed index field

* reversed tactic order

* added AWS documentation as reference

* Apply suggestions from code review

updated_date, query format change, removed keep from query
 2024-06-25 00:11:48 -04:00
Kirti Sodhi 51b9717ac0 Adding setup templates to the ML rules (#3798) 
* Added setup instructions for ml rules
 2024-06-19 10:04:41 -04:00
Anthony c1dcd21531 Closes #2216 (#2855) 
* Update privilege_escalation_sts_assumerole_usage.toml

* Update privilege_escalation_sts_assumerole_usage.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2024-06-13 16:52:54 -04:00
Terrance DeJesus 62eea772d0 [New Rule] AWS S3 Bucket Ransom Note Uploaded (#3604) 
* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement'

* fixed technique mapping

* added investigation guide; added more ransom note extensions

* adjusted lookback and maxspan

* added  API call to second sequence

* updating date

* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* changed rule to ESQL; updated investigation guide

* changed file name

* removed txt, ecc, and note

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-10 10:47:20 -04:00
Isai e1cbf9f684 [New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) (#3735) 
* [New Rule] AWS IAM AdministratorAccess Policy Attached to User

issue...

* add source.address and source.geo.location

* fix threat tactic ids

* AdministratorAccess Policy Attached to Group

* AdminstratoAccess Policy Attached to Role

* reduce severity to medium

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-07 18:31:06 -04:00
Terrance DeJesus 9f67585332 [New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded (#3634) 
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'

* changed tactic to privilege escalation

* added additional reference

* added investigation guide

* updated summary

* changed risk score to medium; adjusted tags

* fixed mitre mapping

* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-05 10:33:42 -04:00
Terrance DeJesus 05ac4e1bd3 [New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag (#3590) 
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'

* updated rule contents

* added investigation guide; changed new terms to uder.id

* adjusted time window

* adjusted rule name

* updated query, adjusted new terms value
 2024-06-05 10:22:38 -04:00
Terrance DeJesus c77eb1d915 [New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created (#3609) 
* new rule 'AWS IAM Roles Anywhere Role Creation'

* adjusted rule to focus on Roles Anywhere profile creation

* added rule for roles anywhere trusted anchor; updated rule file naming

* added investigation guide

* added investigation guide

* adjusted rule and file name

* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-05 10:10:53 -04:00
Terrance DeJesus 59b7e3bde4 [New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager (#3589) 
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'

* updated user identity arn to user.id for cross-service password retrieval

* added investigation guides; bumped dates; adjusted threshold value

* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-04 09:20:04 -04:00
Terrance DeJesus 0885032b2c [New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation (#3632) 
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'

* updated rule UUID

* added investigation guide

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-03 11:42:38 -04:00
Terrance DeJesus 856c6c5a1f [New Rule] AWS EC2 EBS Snapshot Shared with Another Account (#3601) 
* new rule 'AWS EC2 EBS Snapshot Shared with Another Account'

* added investigation guide

* updated rule name

* converted to ES|QL

* reverting non-ecs update
 2024-06-02 10:30:08 -04:00
Terrance DeJesus 70469b4cdb [New Rule] AWS Lambda Layer Added to Existing Function (#3631) 
* new rule 'AWS Lambda Layer Added to Existing Function'

* updated query logic; added investigation note
 2024-06-02 08:41:04 -04:00
Terrance DeJesus 7c82e75cf4 [New Rule] AWS S3 Bucket Policy Added to Share with External Account (#3603) 
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'

* added investigation guide

* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
 2024-06-01 10:31:41 -04:00
Isai 23ce41d8af [New Rule] AWS GetCallerIdentity API Called for the First Time (#3711) 
* [New Rule] AWS GetCallerIdentity API Called for the First Time

issue

* Apply suggestions from code review

name change, false positive additions, remove Setup, change new_terms window from 15d to 10d

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml

fixed missing closing quotes

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-31 17:55:06 -04:00
Terrance DeJesus d5c57463e1 [New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance (#3598) 
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'

* added investigation guide

* changed file name to match tactic

* changed reference

* updated tags

* updated investigation notes

* changed new terms value; adjusted rule name
 2024-05-28 11:23:17 -04:00
Terrance DeJesus 527f785a60 [New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599) 
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'

* updated rule name

* changed file name; added false-positive note

* changed rule UUID

* adjusted file name

* updated tags

* added investigation guide; updated query logic

* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated query and name

* updated query optimization

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-05-28 10:49:20 -04:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Mika Ayenson 58ba0713fe [New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3700) 
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'

* added investigation guide

* updated query logic

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-21 16:33:17 -05:00
Mika Ayenson ed0038ee1d Revert "[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591)" 
This reverts commit 137b74c3aa.
 2024-05-21 15:53:02 -05:00
Terrance DeJesus 137b74c3aa [New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591) 
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'

* added investigation guide

* updated query logic
 2024-05-20 16:15:46 -04:00
Terrance DeJesus 2375297879 [New Rule] Route53 Resolver Query Log Configuration Deleted (#3592) 
* new rule 'Route53 Resolver Query Log Configuration Deleted'

* added investigation guide

* adjusted investigation notes

* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-14 10:24:20 -04:00
Terrance DeJesus d505b95f3c [New Rule] AWS EC2 AMI Shared with Another Account (#3600) 
* new rule 'AWS EC2 AMI Shared with Another Account'

* linted; updated UUID

* added investigation guide

* updated description

* fixed spelling errors

* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* fixed spacing issue

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-14 01:56:26 -04:00
Terrance DeJesus 38e0f13e23 [New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role (#3586) 
* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-13 23:07:39 -04:00
Jonhnathan 6cc39a538f [New Rule] Potential PowerShell HackTool Script by Author (#2472) 
* [New Rule] Potential PowerShell HackTool Script by Author

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-09 18:41:56 -07:00
terrancedejesus 69595a5f69 updated query logic 2024-05-09 18:31:50 -07:00
Mika Ayenson 51268581a8 [Rule Tuning] AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User (#3646) 2024-05-04 08:20:20 -05:00
Mika Ayenson 2ffb0e7fe2 [New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes (#3644) 2024-05-03 18:01:53 -05:00
Justin Ibarra 54ff270c62 [New Rule] AWS S3 Bucket Enumeration or Brute Force (#3635) 
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-05-01 15:00:33 -06:00
Terrance DeJesus 74312797bf adjust aws rule index patterns and tags (#3595) 2024-04-16 10:08:57 -04:00
Terrance DeJesus f6e79944f2 [Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' (#3494) 
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'

* reverting lookback window

* missing word in description
 2024-03-15 19:08:28 -04:00
Leandro Maciel 709cfddcbe fix: correct the provider for the create, delete and modify routes in EC2 VPCs (#3500) 2024-03-08 16:01:27 -03:00
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Terrance DeJesus 3d57209705 [Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221) 
* adding adjusted Okta rules

* adding adjusted AWS rules

* adding adjusted AWS rules
 2023-10-24 12:51:59 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Terrance DeJesus 71d93e875e [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms (#2760) 
* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms

* updated new terms
 2023-05-03 09:28:59 -04:00
Jonhnathan 38b8311482 [Security Content] Expand Abbreviated Tags (#2414) 
* [Security Content] Expand Abbreviated Tags

* .

* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Revert changes to deprecated rules

* Bump updated_date

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-03-06 17:37:52 -03:00
Jonhnathan 9981cca275 [Security Content] Investigation Guides Line breaks refactor (#2454) 
* [Security Content] Investigation Guides Line breaks refactor (#2412)

* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key

* Remove changes to deprecated rules

* Update command_and_control_certutil_network_connection.toml
 2023-01-09 13:28:10 -03:00
Terrance DeJesus b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) 
This reverts commit d1481e1a88.
 2023-01-09 10:44:54 -05:00