security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,169 Commits 1 Branch 0 Tags
cb2ca45d5658a7b899d1ceb9d7df35dcc28f162b
Commit Graph

1169 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
github-actions[bot] cb2ca45d56 Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 (#2236) 
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-08-10 09:18:59 -04:00
Mika Ayenson e7a1afbba0 only run on pull request (#2237) 2022-08-09 21:21:30 -04:00
Terrance DeJesus 2a3b584433 Prep for 8.5 branch (#2220) 
* adding first commit

* renamed branch

* adjusted packages, stack schema and updated schemas

* updated integrations manifest

* adjusted comments to be a little more organized

* adjusted stack-schema-map

* refreshed ecs and beats schema, adjusted stack schema map accordingly
 2022-08-09 17:14:42 -04:00
Jonhnathan fc7a384d19 [Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144) 
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2

* update date

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-08-08 21:34:05 -03:00
Mika Ayenson 89cdae87c5 only add related_integration if on the correct stack (#2234) 2022-08-08 18:41:56 -04:00
Mika Ayenson 7d973a3b07 add new field related_integrations to the post build (#2060) 
* add new field `related_integrations` to the post build

* add exception for endpoint `integration`

* Skip rules without related integrations

* lint

* refactor related_integrations to TOMLRuleContents class

* update to reflect required_fields updates

* add todo

* add new line for linting

* related_integrations updates, get_packaged_integrations returns list of dictionaries, started work on integrations py

* build_integrations_manifest command completed

* initial test completed for post-building related_integrations

* removed get_integration_manifest method from rule, removed global integrations path

* moved integration related methods to integrations.py and fixed flake issues

* adjustments for PipedQuery from eql sequence rules and packages with no integration

* adjusted github client import for integrations.py

* Update detection_rules/devtools.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/devtools.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added integration manifest schema, made adjustments

* Update detection_rules/integrations.py

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* removed get_integrations_package to consolidate code

* removed type list return

* adjusted import flake errors

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adjusted indentation error

* adjusted rule.get_packaged_integrations to account for kql.ast.OrExpr if event.dataset is not set

* Update detection_rules/devtools.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/devtools.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adjusted find_least_compatible_version in integrations.py

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* fixed flake issues

* adjusted get_packaged_integrations

* iterate the ast for literal event.dataset values

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update detection_rules/integrations.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* made small adjustments to address errors during build manifests command

* addressing integrations.find_least_compatible method to return None instead of raise error only

* Update detection_rules/integrations.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-08-08 13:44:36 -04:00
Mika Ayenson d1bc53e295 [Rule Tuning] Persistence via Folder Action Script (#2174) 
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-08-05 14:36:05 -04:00
Mika Ayenson 4f55e9b05f [Rule Tuning] Potential Persistence via Login Hook (#2177) 
* Exclude FPs for iMazing Profile Editor and backupd
 2022-08-05 14:25:31 -04:00
Mika Ayenson 058f11f650 [Rule Tuning] Sublime Plugin or Application Script Modification (#2180) 
* expand filter to sublime text contents

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-08-05 14:15:28 -04:00
TotalKnob b043695833 Remove ambiguity from impact_modification_of_boot_config.toml (#2199) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-08-05 10:38:41 -03:00
Mika Ayenson 73584407d7 [Bug] Opening Issues in this Repo Causes "Run failed: Community - main" (#2214) 
* use ghv6 and catch errors
 2022-08-03 14:36:08 -04:00
Terrance DeJesus a76c51ae17 [Deprecation rule] DNS Activity to the Internet (#2221) 2022-08-02 20:59:35 -05:00
Mika Ayenson ecd10b672a [Rule Tuning] Execution with Explicit Credentials via Scripting (#2190) 
* add case sensitive Python process name and T1548
 2022-08-02 14:21:00 -04:00
Mika Ayenson d8e0c0fee3 [Rule Tuning] Suspicious Calendar File Modification (#2187) 
* exclude fps for Mail.app
 2022-08-02 14:06:57 -04:00
Samirbous 50bb821708 [Rules Tuning] Add support for Sysmon ImageLoad Events (#2215) 
* [Rules Tuning] Add support for Sysmon ImageLoad Events

added correct event.category and event.action to rules using library events to support sysmon eventid 7.

`event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")`

`dll.name` --> `file.name`

* added Suspicious RDP ActiveX Client Loaded

* Delete workspace.xml
 2022-08-02 18:40:26 +02:00
Samirbous b15f0de9a4 [Rules Tuning] Diverse Windows Rules - FPs reduction (#2213) 
* [Rules Tuning] 7 diverse Windows rules

Excluding FP patterns while avoiding breaking compat with winlogbeat and 4688 events lack of codesign metadata.

* Update initial_access_suspicious_ms_exchange_process.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update execution_psexec_lateral_movement_command.toml

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml
 2022-08-02 18:37:07 +02:00
Samirbous a046dc0d29 [Deprecate rule] Whitespace Padding in Process Command Line (#2218) 
very noisy and will require frequent tuning with very low TP rate.
 2022-08-02 18:30:57 +02:00
Samirbous e5ee8e024f [Deprecate Rule] File and Directory Discovery (#2217) 
* [Deprecate Rule] File and Directory Discovery

very noisy and most if not all are FPs, few rooms for tuning without rendering the rule easy to bypass.

* Delete workspace.xml
 2022-08-02 17:57:28 +02:00
shashank-elastic 19d9a7eb87 Rule tuning as part of Linux Detection Rules Review (#2210) 2022-08-02 17:46:57 +05:30
Samirbous 04dcf09c03 [Rule Tuning] Suspicious Process Creation CallTrace (#2207) 
Excluding some FPs by process.parent.executable and process.parent.args.
 2022-08-01 19:00:13 +02:00
Samirbous 1f21c5c57f [Rule Tuning] Unusual Service Host Child Process - Childless Service (#2208) 
Excluding some noisy unique processes.
 2022-08-01 18:40:45 +02:00
Samirbous 8d34416049 [Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209) 
* [Deprecated Rule] Potential Privilege Escalation via Local Kerberos Relay over LDAP

FPs in certain cases with no room for tuning.

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-08-01 18:28:26 +02:00
Samirbous a22fef8723 [Rule Tuning] Suspicious Process Access via Direct System Call (#2204) 
Excluding some FPs by calltrace.
 2022-08-01 18:16:08 +02:00
Samirbous 6f69695820 [Rule Tuning] Remotely Started Services via RPC (#2211) 
* [Rule Tuning] Remotely Started Services via RPC

excluding noisy FPs by process.executable to be compatible with winlog and endpoint

* Update lateral_movement_remote_services.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-08-01 18:11:11 +02:00
Samirbous 91896db453 [Rule Tuning] Process Termination followed by Deletion (#2206) 
Excluded some FPs by process.executable and file.path.
 2022-08-01 18:01:31 +02:00
Samirbous 049fbf7979 [Rule Tuning] Potential Remote Credential Access via Registry (#2203) 
* [Rule Tuning] Potential Remote Credential Access via Registry

Excluding some noisy FPs by file.path (user and machine hives std paths) and event.action (scoped to logged-in)

* Update credential_access_remote_sam_secretsdump.toml
 2022-08-01 17:49:39 +02:00
Samirbous 527507835f [Rule Tuning] Kerberos Traffic from Unusual Process (#2202) 
Excluding couple of FPs by process.executables to reduce FPs rate.
 2022-07-29 22:27:59 +02:00
Isai 386a8202c0 [Rule Tuning] Persistence via Update Orchestrator Service Hijack (#2195) 
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack

I changed the query to exclude FPs for safe executables found in telemetry: MoUsoCoreWorker.exe and OfficeC2RClient.exe. Changed the query type to KQL to account for the wildcard needed to capture 2 of the executable paths found in telemetry. I'm open to changing back to eql with suggestions.

* Update persistence_via_update_orchestrator_service_hijack.toml

revert back to eql

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-07-29 16:11:16 -04:00
Samirbous 6d61a68c29 [Rule Tuning] Modification of WDigest Security Provider (#2201) 
excluding svchost.exe running as system (main src of FPs for this use case).
 2022-07-29 19:45:33 +02:00
shashank-elastic b2b5c170dd Rule(s) to identify potential mining activities (#2185) 2022-07-29 23:00:18 +05:30
shashank-elastic 8afded11e7 Rule tuning as part of Linux Detection Rules Review (#2170) 2022-07-29 21:55:49 +05:30
Colson Wilhoit 998afcf9c4 [Rule Tuning] MacOS Installer Package Net Event (#2193) 
* [Rule Tuning] MacOS Installer Package Net Event

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update execution_installer_package_spawned_network_event.toml

just deleting a typo

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2022-07-28 15:16:10 -05:00
Isai 026a822840 [New Rule] Kubernetes Suspicious Self-Subject Review (#2067) 
* Create discovery_suspicious_self_subject_review.toml

Adding new rule

* non-ecs-schema fields added and query change to specify fields

added non ecs-schema fields for all coming k8s rules and added specific fields to the query instead of using regex

* Update discovery_suspicious_self_subject_review.toml

* Update rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-07-28 15:30:47 -04:00
Isai 3d88dc2cf5 [New Rule] Kubernetes Privileged Pod Created (#2070) 
* new rule privileged pod created

created toml for new rule and added to the non-ecs-schema with all fields

* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-07-28 15:19:15 -04:00
Isai 80734b3f21 [New Rule] Kubernetes Pod Created With HostPID (#2071) 
* [New Rule] Kubernetes Pod Created With HostPID

new rule toml for pod created with hostPID and updated non-ecs-schema with all k8s fields

* Update privilege_escalation_pod_created_with_hostpid.toml

* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-07-28 14:51:17 -04:00
Isai ecba0fc489 [New Rule] Kubernetes Pod Created With HostNetwork (#2072) 
* [New Rule] Kubernetes Pod Created With HostNetwork

new rule toml for pod created with hostNetwork and added all k8s fields to non-ecs-schema json

* Update privilege_escalation_pod_created_with_hostnetwork.toml

* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-07-28 13:57:43 -04:00
Isai f516241f1f [New Rule] Kubernetes Pod Created With HostIPC (#2074) 
* [New Rule] Kubernetes Pod Created With HostIPC

new rule toml file for pod created with hostIPC and k8s fields added to non-ecs-schema json

* Rename privilege_escalation_pod_created_with_hostIPC.toml to privilege_escalation_pod_created_with_hostipc.toml

* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-07-28 13:43:58 -04:00
Isai 97f3a8cad2 [New Rule] Kubernetes Exposed Service Created With Type NodePort (#2075) 
* [New Rule] Kubernetes Exposed Service Created With Type NodePort

new rule toml for exposed service created with type nodeport and added all k8s fields to non-ecs-schema

* Update rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-07-28 13:18:56 -04:00
Isai c1486407aa [New Rule] Kubernetes Pod Created with Sensitive hostPath Volume (#2094) 
* [New Rule] Kubernetes Pod Created with Sensitive hostPath Volume

created new rule toml and updated non-ecs-schema with k8s fields

* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-07-28 13:09:26 -04:00
Isai 4f1b7fa448 Update execution_user_exec_to_pod.toml (#2092) 
I'm removing the event.dataset query portion of the rule because this field has been removed from the current mapping so this rule is not triggering with the most updated K8s Integrations.
 2022-07-28 12:49:45 -04:00
Mika Ayenson 3a557503d1 [Rule Tuning] Unexpected Child Process of macOS Screensaver Engine (#2184) 
* add screensaver subtechnique
 2022-07-27 14:49:22 -04:00
Jonhnathan 91c00fd442 [Security Content] Add Investigation Guides - Cloud - 3 (#2132) 
* [Security Content] Add Investigation Guides - Cloud - 3

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml

* update dates

* Apply suggestions from review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
 2022-07-27 15:40:09 -03:00
Mika Ayenson df670fac56 [Rule Tuning] Potential Microsoft Office Sandbox Evasion (#2123) 
* filter run by macOS os type
 2022-07-27 11:58:30 -04:00
Mika Ayenson fcc9cc9d8e fix typo in description (#2168) 2022-07-27 08:51:52 -04:00
Mika Ayenson cdafe17ffb [Rule Tuning] Authorization Plugin Modification (#2156) 
* exclude files altered by shove processes
 2022-07-27 08:34:23 -04:00
Mika Ayenson e6bab063dc [Rule Tuning] LaunchDaemon Creation or Modification and Immediate Loading (#2154) 
* update query
 2022-07-27 08:24:57 -04:00
Mika Ayenson e74ad241ca use atexist to logout of kibana cleanly (#2095) 2022-07-26 10:20:36 -04:00
shashank-elastic e9267e544c Rule(s) deprecation as part of Linux Detection Rule Review (#2163) 2022-07-26 18:48:25 +05:30
Colson Wilhoit c222d4528d [New Rule] File made Immutable by Chattr (#2161) 
* [New Rule] File made Immutable by Chattr

* Update rules/linux/defense_evasion_chattr_immutable_file.toml
 2022-07-25 13:11:45 -05:00
Colson Wilhoit 146f59f4bd [New Rule] Chkconfig Service Add (#2159) 
* [New Rule] Chkconfig Service Add

* Update rules/linux/persistence_chkconfig_service_add.toml
 2022-07-25 11:43:03 -05:00