security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,467 Commits 1 Branch 0 Tags
c443aadbe1244046a4c59ea9cd2ae6354b4e5c1b
Commit Graph

1083 Commits

Author SHA1 Message Date
Jonhnathan 6655932190 [Rule Tuning] Startup or Run Key Registry Modification (#2766) 
* [Rule Tuning] Startup or Run Key Registry Modification

* Update persistence_run_key_and_startup_broad.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-05-04 09:42:12 -03:00
Terrance DeJesus 71d93e875e [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms (#2760) 
* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms

* updated new terms
 2023-05-03 09:28:59 -04:00
Ruben Groenewoud 6524acf98a [rule tuning] modified std auth module or config (#2737) 2023-05-03 09:32:33 +02:00
Terrance DeJesus d5350ae6e0 [New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) (#2685) 
* adding initial rule

* changed new terms to host.id

* removed windows integration tag

* removed windows integration tag

* changed rule to be process started related

* rule linted

* updating description

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

* added process.name.caseless to non-ecs.json

* removed host type related to #2761

* added host.os.type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-05-02 23:09:17 -04:00
shashank-elastic 855ba16299 Linux Rule Tuning (#2753) 2023-05-02 19:12:13 +05:30
Karl Godard 7435ac39d2 [Rule Tuning] added rule name override for cloud_defend integration rule (#2767) 2023-05-02 00:05:24 -04:00
shashank-elastic cd5bc2c44b Update file path regex for /run (#2749) 2023-04-26 14:02:16 +05:30
shashank-elastic 0107e0fcaa Detect Threat indicators for VMware ESXi servers (#2708) 2023-04-25 20:17:16 +05:30
Apoorva Joshi c60e1a61a9 Updating some rule names (#2744) 
* Changing some rule names

* Updating the date
 2023-04-25 09:01:06 -03:00
Samirbous 2eda02c10e [Rule Tuning] Multiple Logon Failure from the same Source Address (#2588) 
* Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-04-24 09:16:17 -03:00
shashank-elastic 2996c79ff4 Detect Mount Execution With Hidepid Parameter (#2706) 2023-04-22 08:00:30 +05:30
Jonhnathan 84acf004da [Rule Tuning] Component Object Model Hijacking (#2730) 2023-04-21 18:43:02 -03:00
Jonhnathan 12d6b49a24 [Rule Tuning] Potential Credential Access via Windows Utilities (#2727) 
* [Rule Tuning] Potential Credential Access via Windows Utilities

* Add system integration index

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-04-21 18:27:44 -03:00
Jonhnathan 255c53cff0 [Rule Tuning] Connection to Commonly Abused Web Services (#2728) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-04-20 18:26:00 -03:00
Jonhnathan b1e3215cd5 [Rule Tuning] Tune PowerShell rule FPs related to MS ATP (#2729) 2023-04-20 12:37:06 -03:00
shashank-elastic 2705df81e2 Tune Shell evasion Rule to incorporate GTFOArgs shell evasion (#2687) 2023-04-20 18:35:18 +05:30
shashank-elastic f7aa477536 Correct Event Action to include endgame event schema (#2610) 2023-04-20 17:28:01 +05:30
shashank-elastic 94baa89ea8 New Rule to identify defense evasion via PRoot (#2625) 2023-04-20 17:14:01 +05:30
Jonhnathan fb09208132 [Rule Tuning] Connection to Commonly Abused Web Services (#2717) 
* [Rule Tuning] Connection to Commonly Abused Web Services

* Update command_and_control_common_webservices.toml
 2023-04-18 09:15:47 -03:00
Terrance DeJesus f21a9e4793 updating min stack comments (#2712) 2023-04-12 14:30:34 -04:00
Terrance DeJesus d6f277e379 [New Rule] Google Workspace New OAuth Login from Third-Party Application (#2677) 
* adding new rule 'Google Workspace New OAuth Login from Custom Application'

* changed name and 'custom' to 'third-party'

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

* updated non-ecs
 2023-04-12 09:40:31 -04:00
Terrance DeJesus 4511ab0666 [Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace (#2674) 
* tuning rule to add token sequence

* updated date

* updated non-ecs, integration schemas and manifests

* added investigation guide

* Updating note

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updating note

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updated false positive description

* updating manifest and schemas with main to resolve conflicts

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-04-12 09:15:58 -04:00
Jonhnathan 16749e45ae [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process (#2704) 
* [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process

* Update impact_backup_file_deletion.toml
 2023-04-11 13:47:52 -03:00
Eric d1aadde671 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#2671) (#2672) 
* --amend

* --amend

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-04-06 15:15:57 -03:00
Karl Godard d0ea8c6f98 [New Rule] new CWP rule to surface alerts from the cloud_defend integration (#2679) 
* new CWP rule to surface alerts from the cloud_defend integration

* created new rule uuid

* updated version info. removed risk level overrides and endpoint exception list

* added event.module

* removed rule name override

* updated_date and min_stack_comments updated

* updated external alerts updated_date. added kubernetes to cwp rule tags

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-04-05 21:31:03 -03:00
Jonhnathan 1a9b0e732c [Rule Tuning] Potential PowerShell HackTool Script by Function Names (#2692) 2023-04-05 16:48:33 -03:00
Jonhnathan eafe54c2cc [Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot (#2691) 2023-04-05 13:28:57 -03:00
Jonhnathan 5aaac84f3a [Rule Tuning] Suspicious service was installed in the system (#2693) 
* [Rule Tuning] Suspicious service was installed in the system

* Update persistence_service_windows_service_winlog.toml
 2023-04-05 13:23:47 -03:00
Samirbous 0c8d0bfd3d [New Rule] Suspicious Execution via Microsoft Office Add-Ins (#2651) 
* Create

* Update initial_access_execution_via_office_addins.toml

* Update initial_access_execution_via_office_addins.toml

* Update initial_access_execution_via_office_addins.toml

* Update rules/windows/initial_access_execution_via_office_addins.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-04-05 17:02:04 +01:00
Terrance DeJesus 71d12bdda4 [Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests (#2682) 
* add promotion to rulemeta schema class and updated promotion rules

* add promotion to rulemeta schema class and updated promotion rules

* adjusted test_integration_tag and okta rule missing dataset

* fixed flake errors

* updated manifests and schemas to include cloud defend
 2023-04-03 09:42:40 -04:00
Samirbous 51d50b7d8a [New Rule] Lsass Process Access - Generic (#2613) 
* Create credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update non-ecs-schema.json

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_lsass_openprocess_api.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-04-03 14:34:30 +01:00
Samirbous 892757f4a4 [New Rule] Potential Pass The Hash (#2670) 
* Create lateral_movement_alternate_creds_pth.toml

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_alternate_creds_pth.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-29 19:37:27 +01:00
Jonhnathan 5ed2120e3f [Rule Tuning] Potential Credential Access via Windows Utilities (#2659) 
* [Rule Tuning] Potential Credential Access via Windows Utilities

* Update credential_access_cmdline_dump_tool.toml
 2023-03-29 09:32:36 -03:00
Justin Ibarra 411ec36ff0 Validate markdown plugin fields (#2602) 2023-03-28 09:17:50 -04:00
Jonhnathan 192047f46d [Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell (#2663) 2023-03-27 11:50:53 -03:00
Ruben Groenewoud 3bfe3060a2 [Rule Tuning] Uncommon Registry Persistence Change (#2538) 
* [Rule Tuning] Uncommon Registry Persistence Change

* updated updated_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-26 00:35:23 +01:00
Terrance DeJesus 76500f0d46 [New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User (#2654) 
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'

* updated MITRE ATT&CK mappings
 2023-03-24 12:21:56 -04:00
Jonhnathan 32ca0001ff [Rule Tuning] Untrusted Driver Loaded (#2656) 2023-03-23 08:26:52 -03:00
Ruben Groenewoud 0d1fca454a New Rule: Suspicious Mining Process Creation Event (#2531) 
* New Rule: Suspicious Mining Process Creation Event

* added host.os.type==linux

* trying to fix unit testing

* Revert "trying to fix unit testing"

This reverts commit ab3f371300fa400baa287b54e5f38b4855fc6512.

* unit testing fix attempt

* Revert "unit testing fix attempt"

This reverts commit 8b59343a5923a004423cf665b167611ef0129a9d.

* added endgame support

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-03-21 16:35:25 +01:00
Terrance DeJesus 7be5788945 [New Rule] Google Workspace Resource Copied from External Drive (#2627) 
* added new rule 'Google Workspace Resource Copied from External Drive'

* adjusted mitre att&ck subtechnique ID
 2023-03-20 14:37:58 -04:00
Terrance DeJesus 2c5470349c [New Rule] External User Added to Private Organization Group (#2577) 
* new rule 'External User Added to Google Workspace Group'

* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added Investigation Guide tag

---------

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-03-20 14:32:42 -04:00
Ruben Groenewoud eab30d7456 [Rule Tuning] Namespace Manipulation Using Unshare (#2599) 
* [Rule Tuning] Namespace Manipulation Using Unshare

* reverted updated_date change

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-20 07:36:47 -03:00
Ruben Groenewoud 672211500c [Rule Fix] Privileged SSH Brute Force Detected (#2595) 2023-03-14 15:42:58 -04:00
Ruben Groenewoud f52a744259 [New Rule] RC Script Creation (#2607) 
* [New Rule] RC Script Creation

* fixed unit testing error

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.os.type==linux

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-03-14 15:03:41 -04:00
Ruben Groenewoud 295fc323a1 [Rule Tunings] System Time & Service Discovery (#2589) 
* [Rule Tuning] System Time Discovery

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-14 14:43:21 -04:00
Ruben Groenewoud 1a5bc7e924 [Rule Tuning] Abnormal PID or Lock File Created (#2600) 2023-03-14 14:37:00 -04:00
Terrance DeJesus 181b56c636 [Rule Tuning] Process Created with an Elevated Token (TiWorker.exe) (#2622) 2023-03-07 19:57:34 -05:00
Jonhnathan 38b8311482 [Security Content] Expand Abbreviated Tags (#2414) 
* [Security Content] Expand Abbreviated Tags

* .

* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Revert changes to deprecated rules

* Bump updated_date

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-03-06 17:37:52 -03:00
Jonhnathan 0273d118a6 [Rule Tuning] Add endgame support for Windows Rules (#2428) 
* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* 1/2

* bump updated_date

* 2/3

* Finale

* Update persistence_evasion_registry_ifeo_injection.toml

* .

* Multiple fixes

* Missing index

* Missing AND
 2023-03-06 12:47:11 -03:00
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-05 11:41:19 -07:00