Commit Graph

2811 Commits

Author SHA1 Message Date
Terrance DeJesus bfca0ea414 [New Hunt] Commvault Supply Chain Threat (#4748)
* hunts for CommVault threat

* added lookback time to ESQL query

* updated query logic
2025-05-28 14:11:46 -04:00
Terrance DeJesus 17d98cc8dd [Rule Tuning] Tuning Azure Entra Sign-in Brute Force against Microsoft 365 Accounts (#4737)
* rule tuning 'Potential Microsoft 365 Brute Force via Entra ID Sign-Ins'

* updated lookback windows, date truncation times

* updated investigation guide
2025-05-28 13:45:15 -04:00
Terrance DeJesus 4bd8469c38 [New Rule] Microsoft Entra ID Elevated Access to User Access Administrator (#4742)
* new rule Microsoft Entra ID Elevated Access to User Access Administrator

* updating uuid
2025-05-28 13:33:22 -04:00
Terrance DeJesus 22d780f9af [New Rule] Microsoft Entra ID User Reported Suspicious Activity (#4740)
* new rule Microsoft Entra ID User Reported Suspicious Activity

* Update rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-05-28 11:55:51 -04:00
Terrance DeJesus 0d4db2ecfe tuning 'Microsoft Entra ID High Risk Sign-in' (#4739) 2025-05-28 11:40:04 -04:00
Sergey Polzunov 2cc81fc0cb fix: Making github lib a main dependency (#4744)
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2025-05-28 10:35:31 +02:00
Samirbous bb63887741 [New] BadSuccessor dMSA Abuse Detections (#4745)
* [New] BadSuccessor dMSA Abuse Detections

https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

Using the new terms rule type with events 5136/5137 by `winlog.event_data.SubjectUserName` to detect unusual accounts performing dMSA changes (creation of a new dMSA account or modification of the `msDS-ManagedAccountPrecededByLink` attribute to take over a target account).

* Update privilege_escalation_dmsa_creation_by_unusual_user.toml
2025-05-25 09:38:15 +01:00
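The detection logic the commit message above describes (a new terms style rule keyed on `winlog.event_data.SubjectUserName` over Security events 5136/5137), emulated in Python over constructed sample events. This is an added illustration, not the rule's own query from the repository; the field layout (`event.code`, `winlog.event_data.*`) follows the winlog/ECS names the commit mentions, the history window length and the event records are assumptions, and the `ObjectDN`/`AttributeValue` values are made up.

```python
# Added example (not the Elastic rule's own query): emulate a "new terms"-style
# detection keyed on winlog.event_data.SubjectUserName over Security events
# 5136/5137, as the commit message describes. Field names follow the winlog/ECS
# layout that message names; the event records below are constructed samples.
from datetime import datetime, timedelta

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"    # objectClass of a dMSA
TAKEOVER_ATTR = "msDS-ManagedAccountPrecededByLink"   # link abused by BadSuccessor


def is_dmsa_change(ev):
    """5137 = directory object created, 5136 = directory object modified.
    Match creation of a dMSA, or any write to the 'preceded by' link that
    makes the dMSA inherit the linked account's privileges."""
    data = ev.get("winlog.event_data", {})
    if ev.get("event.code") == "5137":
        return data.get("ObjectClass") == DMSA_CLASS
    if ev.get("event.code") == "5136":
        return data.get("AttributeLDAPDisplayName") == TAKEOVER_ATTR
    return False


def dmsa_changes_by_new_subject(events, history_days=14):
    """Fire once per SubjectUserName that performs a dMSA change without having
    done so inside the preceding history window. Cold start: the very first
    actor in the stream also fires, which is why a real new terms rule needs
    a seeded history window before it goes live."""
    window = timedelta(days=history_days)   # assumed window length
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not is_dmsa_change(ev):
            continue
        subject = ev["winlog.event_data"]["SubjectUserName"]
        ts = datetime.fromisoformat(ev["@timestamp"])
        prev = last_seen.get(subject)
        if prev is None or ts - prev > window:
            alerts.append({
                "subject": subject,
                "code": ev["event.code"],
                "object": ev["winlog.event_data"].get("ObjectDN"),
                "timestamp": ev["@timestamp"],
            })
        last_seen[subject] = ts
    return alerts


def _ev(ts, code, subject, **data):
    """Build a minimal constructed event record (not real log data)."""
    return {"@timestamp": ts, "event.code": code,
            "winlog.event_data": {"SubjectUserName": subject, **data}}


SAMPLE_EVENTS = [
    # routine provisioning by the identity team's admin account
    _ev("2025-05-01T09:00:00", "5137", "ad-admin", ObjectClass=DMSA_CLASS,
        ObjectDN="CN=svc-web01$,OU=dMSA,DC=corp,DC=local"),
    _ev("2025-05-05T09:00:00", "5137", "ad-admin", ObjectClass=DMSA_CLASS,
        ObjectDN="CN=svc-web02$,OU=dMSA,DC=corp,DC=local"),
    # unrelated attribute write: a 5136 that is not the takeover link
    _ev("2025-05-06T08:00:00", "5136", "ad-admin",
        AttributeLDAPDisplayName="description",
        ObjectDN="CN=svc-web01$,OU=dMSA,DC=corp,DC=local"),
    # an account that has never touched dMSAs creates one and links it to an admin
    _ev("2025-05-06T10:00:00", "5137", "jdoe", ObjectClass=DMSA_CLASS,
        ObjectDN="CN=helpdesk$,OU=Workstations,DC=corp,DC=local"),
    _ev("2025-05-06T10:05:00", "5136", "jdoe",
        AttributeLDAPDisplayName=TAKEOVER_ATTR,
        ObjectDN="CN=helpdesk$,OU=Workstations,DC=corp,DC=local",
        AttributeValue="CN=Administrator,CN=Users,DC=corp,DC=local"),
    # a plain user object creation is not a dMSA change
    _ev("2025-05-07T11:00:00", "5137", "jdoe", ObjectClass="user",
        ObjectDN="CN=tempuser,OU=Users,DC=corp,DC=local"),
    # same actor again after the history window has lapsed: fires again
    _ev("2025-05-30T16:00:00", "5136", "jdoe",
        AttributeLDAPDisplayName=TAKEOVER_ATTR,
        ObjectDN="CN=helpdesk$,OU=Workstations,DC=corp,DC=local"),
]

if __name__ == "__main__":
    for alert in dmsa_changes_by_new_subject(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints three alerts: the admin's first (cold start) creation, `jdoe`'s first dMSA creation, and `jdoe`'s link write 24 days later; the follow-up link write five minutes after the creation is suppressed because the term was just seen, which is the usual reason to pair a new terms rule with a plain query on the `msDS-ManagedAccountPrecededByLink` write itself.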
Terrance DeJesus fab0933df4 [Rule Tuning] Tuning Microsoft 365 Global Administrator Role Assigned (#4738)
* tuning 'Microsoft 365 Global Administrator Role Assigned'

* Update rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-05-21 12:47:58 -04:00
Samirbous 2c2b3e7d12 [Tuning] Lateral Movement Rules (#4736)
* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update execution_suspicious_cmd_wmi.toml

* Update lateral_movement_incoming_wmi.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update lateral_movement_incoming_wmi.toml

* Update execution_suspicious_cmd_wmi.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-05-21 15:59:45 +01:00
Samirbous 22cf1f0ced [Tuning] Account Discovery Command via SYSTEM Account (#4734)
* Update discovery_command_system_account.toml

* Update discovery_command_system_account.toml

* Update discovery_command_system_account.toml

* Update discovery_command_system_account.toml

* Update discovery_command_system_account.toml
2025-05-21 06:25:16 +01:00
github-actions[bot] 72ec8199ae Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4732) 2025-05-20 08:26:21 +05:30
github-actions[bot] 5832aec32b Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4731) 2025-05-20 07:44:22 +05:30
Terrance DeJesus 82bee3e9c2 [Rule Tuning] Microsoft Graph First Occurrence of Client Request (#4728)
* tuning 'Microsoft Graph First Occurrence of Client Request'

* updated update date
2025-05-19 14:56:21 -04:00
Terrance DeJesus fcd70b284b [New Rule] Multiple Microsoft 365 User Account Lockouts in Short Time Window (#4717)
* new rule 'Multiple Microsoft 365 User Account Lockouts in Short Time Window'

* adjusted logic

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-19 14:44:46 -04:00
Terrance DeJesus 3e0a9ec47b [Rule Tuning] Potential Microsoft 365 User Account Brute Force (#4716)
* tuning M365 brute force rule

* updated logic

* updated references

* adds minstack for values

* removed ignoring MSFT ASN

* Update rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-19 14:08:38 -04:00
Terrance DeJesus 0d366d6a15 [New Rule] Microsoft Entra ID Protection - Risk Detections (#4725)
* new rule 'Microsoft Entra ID Protection - Risk Detections'

* added timing bypass

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-05-19 13:51:26 -04:00
shashank-elastic 43cdc7ff51 Refresh MITRE version (#4729) 2025-05-19 22:49:33 +05:30
Jonhnathan e6fb73970d [Rule Tuning] Startup or Run Key Registry Modification (#4710) 2025-05-19 22:12:37 +05:30
Jonhnathan 9af2bf4a66 [Rule Tuning] Unusual Scheduled Task Update (#4714) 2025-05-19 21:51:14 +05:30
Emmanuel Ferdman 2ad2d68c4a Resolve datetime.utcfromtimestamp deprecation (#4719) 2025-05-19 21:35:07 +05:30
Samirbous f2f9cdac66 Update initial_access_azure_o365_with_network_alert.toml (#4723)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-05-19 20:54:19 +05:30
Jonhnathan 47059e22f2 [Rule Tuning] Backup Deletion with Wbadmin (#4715) 2025-05-19 20:34:25 +05:30
Terrance DeJesus 909ff9c07e new hunt 'Microsoft Entra Infrequent Suspicious OData Client Requests' (#4708)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-09 22:14:42 -04:00
Terrance DeJesus 8f27c24528 [New Rule] Suspicious Email Access by First-Party Application via Microsoft Graph (#4704)
* new rule 'Suspicious Email Access by First-Party Application via Microsoft Graph'

* updated patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-09 20:49:08 -04:00
Terrance DeJesus d83e1c711a [New Rule] Microsoft Entra Session Reuse with Suspicious Graph Access (#4711)
* new rule 'Microsoft Entra Session Reuse with Suspicious Graph Access'

* fixed tags; linted

* fixed mitre mappings

* updated name and investigation guide
2025-05-09 20:32:22 -04:00
Jonhnathan d30e65e5a2 [Rule Tuning] Unusual File Creation - Alternate Data Stream (#4712) 2025-05-09 13:56:54 -03:00
Terrance DeJesus 762857f15f [Rule Tuning] Tuning Suspicious Mailbox Permission Delegation in Exchange Online (#4705)
* rule tuning 'Suspicious Mailbox Permission Delegation in Exchange Online'

* Update rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml

* updated date
2025-05-08 11:01:00 -04:00
shashank-elastic 0f3bfcd98a Fix new term doc broken link (#4706) 2025-05-07 17:03:58 +05:30
github-actions[bot] acab8b4c6e Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4703) 2025-05-07 07:34:20 +05:30
github-actions[bot] 69498a97ac Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4702) 2025-05-06 23:12:56 +05:30
Eric Forte 639d748ec2 [FR] Add check-version-lock dev command (#4650)
* Add check-version-lock dev command

* Bump the version

* Add Check Double Bumps to lock-versions workflow

* Replace return with ctx aware exit

* Bump Version

* Update Double Bump Modulo calculation

* Update if formatting

* Undo formatting typo

* Add logic to process the local file

* Update for descriptiveness

* Allow double bump branch for testing

* Pass github token

* Re-restrict to main

* Patch version bump

* Add comment if no double bumps found

* Bump Version
2025-05-06 13:26:23 -04:00
James Valente 36d595ae2f [Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce (#4405)
* Add exceptions for non-interactive signin failures.

Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:

- 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
- 70044 : Session expired or no longer valid due to conditional access frequency checks
- 50057 : User account is disabled

* Update rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml

* Update metadata for `updated_date`

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-05-06 22:43:15 +05:30
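The exception the commit above adds (ignore failures with error codes 70043, 70044 and 50057, but only when they come from `NonInteractiveUserSignInLogs`), applied in a small Python brute force counter over constructed sign-in records. This is an added illustration, not the rule's query from the repository; the field names mirror the Elastic Azure integration layout as I understand it and are an assumption, the token-refresh condition the commit also mentions is not modelled, and the threshold, window and sample records are made up.

```python
# Added example (not the Elastic rule's own query): count failed Entra ID
# sign-ins per user with the commit's exceptions applied, i.e. drop failures
# whose error code is 70043/70044/50057 only when they come from
# NonInteractiveUserSignInLogs. Field names are assumed to follow the Elastic
# Azure integration; all records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# conditional-access session expiry (70043/70044) and disabled account (50057)
NONINTERACTIVE_NOISE_CODES = {70043, 70044, 50057}
NONINTERACTIVE = "NonInteractiveUserSignInLogs"


def is_countable_failure(ev):
    """A failure counts toward brute force unless it is non-interactive noise."""
    code = ev["azure.signinlogs.properties.status.error_code"]
    if code == 0:                                   # success
        return False
    if ev["azure.signinlogs.category"] == NONINTERACTIVE and code in NONINTERACTIVE_NOISE_CODES:
        return False                                # silent token refresh noise, not guessing
    return True


def brute_force_candidates(events, threshold=5, window_minutes=30):
    """Return {user: max countable failures inside any sliding window} for users
    reaching the threshold. Threshold and window are assumed values."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for ev in events:
        if is_countable_failure(ev):
            user = ev["azure.signinlogs.properties.user_principal_name"]
            per_user[user].append(datetime.fromisoformat(ev["@timestamp"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def _burst(user, category, code, n, start="2025-05-06T12:00:00", step_minutes=1):
    """Construct n sign-in records for one user, step_minutes apart."""
    t0 = datetime.fromisoformat(start)
    return [{"@timestamp": (t0 + timedelta(minutes=i * step_minutes)).isoformat(),
             "azure.signinlogs.category": category,
             "azure.signinlogs.properties.user_principal_name": user,
             "azure.signinlogs.properties.status.error_code": code}
            for i in range(n)]


SAMPLE_EVENTS = (
    _burst("alice@corp.example", "SignInLogs", 50126, 6)       # wrong password x6
    + _burst("bob@corp.example", NONINTERACTIVE, 70044, 12)    # expired sessions: excluded
    + _burst("carol@corp.example", NONINTERACTIVE, 50126, 5)   # bad creds, still counted
    + _burst("dave@corp.example", "SignInLogs", 50126, 3)      # below threshold
    + _burst("dave@corp.example", "SignInLogs", 0, 1, start="2025-05-06T12:03:00")
    + _burst("erin@corp.example", "SignInLogs", 50126, 8, step_minutes=10)  # slow: 4 per window
)

if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE_EVENTS))
```

`bob` generates twelve failures but none count, because 70044 from the non-interactive log is a session that expired under a conditional access sign-in frequency policy rather than a guessed credential; `carol`'s non-interactive failures still count because 50126 is not in the exception set, which is the point of scoping the exclusion to specific codes rather than to the whole non-interactive category.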
Ruben Groenewoud 3a601a10fb [New Rule] Unusual Exim4 Child Process (#4684) 2025-05-06 22:24:34 +05:30
Ruben Groenewoud c145e33f16 [New Rule] Unusual Execution from Kernel Thread (kthreadd) Parent (#4683) 2025-05-06 22:08:43 +05:30
Ruben Groenewoud 608e02e27e [New Rule] Linux Telegram API Request (#4677) 2025-05-06 21:53:19 +05:30
Jonhnathan d3aa4b2f38 [Rule Tuning] Reduce Severity from Critical to High (#4637) 2025-05-06 21:37:47 +05:30
Ruben Groenewoud 944428d81e [New Rule] Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments (#4685) 2025-05-06 21:21:58 +05:30
Jonhnathan e028bf7954 [New Rule] Potential Dynamic IEX Reconstruction via Environment Variables (#4633) 2025-05-06 21:06:06 +05:30
Terrance DeJesus a34a26ddec [Rule Tuning] Excluding Microsoft Entra ID Service Principal Addition Invoked by MSFT Identity (#4700)
* tuning rule to exclude service principals added by MSFT

* added additional exclusions

* updated rule name and file name

* updated investigation guide and mitre
2025-05-06 11:19:50 -04:00
Jonhnathan 0cd7de6862 [New Rule] Potential PowerShell Obfuscation via Special Character Overuse (#4632) 2025-05-06 20:29:19 +05:30
Jonhnathan b7016253ae [New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion (#4631) 2025-05-06 20:13:34 +05:30
Jonhnathan 5d8f0c2ffe [New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (#4630) 2025-05-06 19:58:01 +05:30
Jonhnathan b6a755c84f [New Rule][BBR] Potential PowerShell Obfuscation via High Special Character Proportion (#4629) 2025-05-06 19:41:33 +05:30
Jonhnathan dc6cb3e811 [New Rule] Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (#4615) 2025-05-06 19:26:15 +05:30
Jonhnathan 5ab73943a1 [New Rule] Potential PowerShell Obfuscation via Invalid Escape Sequences (#4614) 2025-05-06 19:10:10 +05:30
Jonhnathan b5ac9707ba [New Rule] PowerShell Obfuscation via Negative Index String Reversal (#4610) 2025-05-06 18:54:22 +05:30
Jonhnathan c291638521 [New Rule] Potential PowerShell Obfuscation via Reverse Keywords (#4609) 2025-05-06 18:36:13 +05:30
Jonhnathan 7b9cd77bc2 [New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction (#4608) 2025-05-06 18:18:29 +05:30
Jonhnathan ebe77f2d86 [New Rule] Potential PowerShell Obfuscation via String Concatenation (#4607) 2025-05-06 18:02:35 +05:30
Ruben Groenewoud fdc6b09d54 [New Rule] System Binary Symlink to Suspicious Location (#4682) 2025-05-06 17:46:47 +05:30