sigma-rules

Author	SHA1	Message	Date
Ruben Groenewoud	c9c8e3501e	[New Rule] Unusual SSHD Child Process (#4303 ) * [New Rule] Unusual SSHD Child Process * Update persistence_unusual_sshd_child_process.toml	2025-01-03 14:50:43 +01:00
Ruben Groenewoud	c7fe940206	[New Rule] Pluggable Authentication Module Creation in Unusual Directory (#4302 ) * [New Rule] Pluggable Authentication Module Creation in Unusual Directory * Update persistence_pluggable_authentication_module_creation_in_unusual_dir.toml * Update rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml	2025-01-03 14:35:08 +01:00
Ruben Groenewoud	5384191934	[New Rule] PAM Version Discovery (#4300 ) * [New Rule] PAM Version Discovery * Update discovery_pam_version_discovery.toml * Update discovery_pam_version_discovery.toml * Update discovery_pam_version_discovery.toml * Update rules/linux/discovery_pam_version_discovery.toml	2025-01-03 14:25:38 +01:00
Jonhnathan	aca416a779	[Rule Tuning] Windows misc Rule Tuning (#4298 )	2025-01-02 07:44:01 -03:00
rad9800	c99cf9279d	[Tuning] Uncommon Registry Persistence Change (#4286 ) * Update persistence_registry_uncommon.toml Add registry rules for additional SMSS persistence vectors * Update persistence_registry_uncommon.toml * Update persistence_registry_uncommon.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2024-12-25 19:06:58 -03:00
Terrance DeJesus	9fb2dea7aa	[New Rule] Endpoint Security Promotion Rules for Specific Events (#3533 ) * new endpoint security rules for specific alerts * updated risk scores * fixed rule names and UUIDs * changed logic to use message field for detection vs prevention * reverting changes * reverting changes * reverting to old commit * reverting to old commit * reverting to old commit * reverting to old commit * changed naming to Elastic Defend * updated rule dates and min-stacks * linted; adjusted queries * updated ransomware, memory sig or shellcode risk * Update rules/integrations/endpoint/elastic_endpoint_security.toml * updated promotion rule * fixed typos in naming * updated setup guides * added intervals * added MITRE * added investigation guide for Memory Threat * ++ * ++ * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * ++ * ++ * ++ * ++ * Update rules/integrations/endpoint/elastic_endpoint_security.toml * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml * Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml * Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml * ++ * ++ * ++ * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update defense_evasion_elastic_memory_threat_prevented.toml * toml-lint * Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * ++ --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co> Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-12-19 13:24:23 -05:00
Terrance DeJesus	dad008ea34	[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324 ) * rule tuning Okta and AWS lookback times * adjusted Query Registry using Built-in Tools * adjusted My First Rule * Update rules/cross-platform/guided_onboarding_sample_rule.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2024-12-19 13:03:50 -05:00
shashank-elastic	2ff2965cb9	Enhance Readability of validation check failures (#4299 )	2024-12-13 19:03:47 +05:30
Terrance DeJesus	28ffebbf5c	[New Hunt] Adding Hunting Query for `AWS IAM Unusual AWS Access Key Usage for User` (#4280 ) * new hunt 'AWS IAM Unusual AWS Access Key Usage for User' * updated version * updating markdown * bumping version --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-12-12 14:56:20 -05:00
Terrance DeJesus	0a740074c9	new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297 )	2024-12-12 11:00:02 -05:00
shashank-elastic	3fa3349216	Update versioning support for 8.17 (#4296 )	2024-12-10 23:43:04 +05:30
github-actions[bot]	691126cd3d	Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4295 )	2024-12-10 21:43:29 +05:30
shashank-elastic	f0291b440a	Minstack endpoint rules with process.group.id fields (#4294 )	2024-12-10 21:03:32 +05:30
Terrance DeJesus	e6012b1db6	Removing ESQL query format error (#4292 )	2024-12-10 09:27:37 -05:00
github-actions[bot]	febdafa1f4	Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291 )	2024-12-09 21:38:33 +05:30
Terrance DeJesus	052672b09f	[Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290 )	2024-12-09 20:58:33 +05:30
Terrance DeJesus	e7b88ae3fc	[New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277 ) * new rule 'AWS IAM Login Profile Added for Root' * added min-stack * linted; fixed rule schema errors --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-12-09 08:55:20 -05:00
shashank-elastic	2c848c5111	Prep for Release 8.18 (#4288 )	2024-12-09 18:25:13 +05:30
Isai	511c108ba1	[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283 ) * [Tuning] Possible Consent Grant Attack via Azure-Registered Application SDH related rule tuning for o365.audit dataset * removing renamed field from query	2024-12-06 17:27:38 -05:00
shashank-elastic	d3c05a08cc	Add all historical versions for v8.17.0 and above packages (#4279 )	2024-12-03 23:36:32 +05:30
shashank-elastic	801efb3d93	Protections for AWS Bedrock (#4270 )	2024-12-03 21:56:39 +05:30
shashank-elastic	53cfeb76e3	Add event dataset for missing rule in Github integration (#4278 )	2024-12-03 20:32:55 +05:30
github-actions[bot]	86cc61c233	Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4274 ) * Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 * Update detection_rules/etc/version.lock.json * Update Patch version for version lock changes --------- Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com> Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>	2024-11-27 09:34:54 -05:00
shashank-elastic	5ab7565923	Minstack versions for Okta and Github Integration (#4273 )	2024-11-27 18:39:41 +05:30
Ruben Groenewoud	4e28895e66	[Rule Tuning] Kernel Module Removal (#4269 ) Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2024-11-25 21:13:44 +01:00
Terrance DeJesus	2d79494068	new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271 )	2024-11-25 10:28:43 -05:00
shashank-elastic	04e1fc1436	Account for CCS '::' index pattern (#4258 )	2024-11-13 11:17:08 +05:30
github-actions[bot]	ebb3675ea0	Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4267 )	2024-11-11 22:29:22 +05:30
terrancedejesus	4a7f83e432	Version Lock File Reconcile Ref: #4266	2024-11-11 10:48:43 -05:00
Samirbous	f36845318e	[New] First Time Seen User Auth via DeviceCode Protocol (#4153 ) * Create credential_access_first_time_seen_device_code_auth.toml * Update credential_access_first_time_seen_device_code_auth.toml * Update credential_access_first_time_seen_device_code_auth.toml * Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update credential_access_first_time_seen_device_code_auth.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-11-11 13:04:18 +00:00
Samirbous	b66d0e0a0d	[New] Remote Desktop File Opened from Suspicious Path (#4251 )	2024-11-11 18:08:48 +05:30
Terrance DeJesus	ef453d8f4d	[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261 ) * adding investigation fields to specific aws rules * updated patch * removing min-stack requirements * removed user.name redundancy * adjusted order of investigation fields * adding source address	2024-11-08 23:11:18 -05:00
Terrance DeJesus	33d832d4e4	[Rule Tuning] Tuning `Process Termination followed by Deletion` (#4173 ) * adding rule tuning * adjusted operators; fixed missing quotes * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml * Update defense_evasion_process_termination_followed_by_deletion.toml * Update defense_evasion_process_termination_followed_by_deletion.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2024-11-08 16:38:17 -03:00
Ruben Groenewoud	56e61a6321	[New Rule] Potential Hex Payload Execution (#4241 ) * [New Rule] Potential Hex Payload Execution * Update rules/linux/defense_evasion_hex_payload_execution.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 19:15:17 +01:00
Ruben Groenewoud	54bb319f7b	[New Rule] Memory Swap Modification (#4239 ) * [New Rule] Memory Swap Modification * Update rules/linux/impact_memory_swap_modification.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 19:06:55 +01:00
Ruben Groenewoud	3207ca37e4	[New Rule] Unusual Interactive Shell Launched from System User (#4238 ) * [New Rule] Unusual Interactive Shell Launched from System User * Update defense_evasion_interactive_shell_from_system_user.toml * Update defense_evasion_interactive_shell_from_system_user.toml * Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 18:24:30 +01:00
Ruben Groenewoud	267a6b6fa6	[New Rule] Web Server Spawned via Python (#4236 ) * [New Rule] Web Server Spawned via Python * Update execution_python_webserver_spawned.toml * Update rules/linux/execution_python_webserver_spawned.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update execution_python_webserver_spawned.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 18:16:19 +01:00
Ruben Groenewoud	83f31e1640	[New Rule] Directory Creation in /bin directory (#4227 ) * [New Rule] Directory Creation in /bin directory * Description fix * Update rules/linux/defense_evasion_directory_creation_in_bin.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 18:07:06 +01:00
Ruben Groenewoud	6040b6aee4	[New Rule] Hidden Directory Creation via Unusual Parent (#4226 ) * [New Rule] Hidden Directory Creation via Unusual Parent * Update rules/linux/defense_evasion_hidden_directory_creation.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 17:58:13 +01:00
Ruben Groenewoud	43148a72f4	[New Rule] Security File Access via Common Utilities (#4243 ) * [New Rule] Security File Access via Common Utilities * [New Rule] Security File Access via Common Utilities * Update discovery_security_file_access_via_common_utility.toml	2024-11-08 17:41:33 +01:00
Ruben Groenewoud	f89e245e29	[New Rule] Potential Data Splitting Detected (#4235 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 17:32:59 +01:00
Ruben Groenewoud	3e268282d1	[New Rule] Private Key Searching Activity (#4242 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 17:13:55 +01:00
Ruben Groenewoud	40118186fb	[New Rule] IPv4/IPv6 Forwarding Activity (#4240 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 17:06:07 +01:00
Ruben Groenewoud	993c60decb	[New Rule] Curl SOCKS Proxy Activity from Unusual Parent (#4237 ) * [New Rule] Curl SOCKS Proxy Activity from Unusual Parent * OS Type update * Update rules/linux/command_and_control_curl_socks_proxy_detected.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-11-08 16:51:18 +01:00
github-actions[bot]	ee10be70b9	Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4265 )	2024-11-08 20:27:04 +05:30
shashank-elastic	c2e0a9315c	Fix extra new line in ATT&CK-coverage.md (#4263 )	2024-11-08 20:13:21 +05:30
shashank-elastic	d2502c7394	Prep for Release 8.17 (#4256 )	2024-11-07 23:53:04 +05:30
Mika Ayenson	2ca746c4b4	[FR] Reset package version and push tag via ci (#4260 )	2024-11-07 12:11:00 -06:00
Mika Ayenson	48a051e3f1	[FR] Fetch history for versioning workflow (#4259 )	2024-11-07 11:57:33 -06:00
Mika Ayenson	c615df680f	[FR] Update the release versioning process and workflow (#4257 )	2024-11-07 11:31:54 -06:00

1 2 3 4 5 ...

2483 Commits