Commit Graph

1610 Commits

Author SHA1 Message Date
Jonhnathan 4c44f98cd6 [Rule Tuning] LSASS Process Access via Windows API (#3975)
* [Rule Tuning] LSASS Process Access via Windows API

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml
2024-08-14 11:42:18 -03:00
Terrance DeJesus 3500c3db15 [Rule Tuning] Tuning Direct Outbound SMB Connection (#3485)
* tuning 'Direct Outbound SMB Connection'

* removed lolbas references

* reverted EQL function due to escaped characters in substring match

* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* reverted internal address exclusion; adjusted rule name and description

* removing min-stack

* Update rules/windows/lateral_movement_direct_outbound_smb_connection.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-08-13 13:53:07 -04:00
Terrance DeJesus 74d8186aeb [Rule Tuning] Tuning MsBuild Making Network Connections (#3482)
* tuning 'MsBuild Making Network Connections'

* added performance note; added comments in query

* adjusted array search

* linting

* updated query logic; updated date

* updated query logic

* fixed query error

* changed query logic

* removing min-stack

* reverting change

* updated network sequence event
2024-08-13 12:55:08 -04:00
Ruben Groenewoud c58ae92dd1 [New Rule] Dynamic Linker Creation or Modification (#3969)
* [New Rule] Dynamic Linker Creation or Modification

* Removed new line from description

* Update rules/linux/defense_evasion_dynamic_linker_file_creation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update defense_evasion_dynamic_linker_file_creation.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-08-10 10:25:55 +02:00
Ruben Groenewoud 55e81c1169 [Rule Tuning] Attempt to Disable IPTables or Firewall (#3972)
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-08-10 10:18:11 +02:00
Ruben Groenewoud b6ffb10ab2 [Rule Tuning] System Log File Deletion (#3970) 2024-08-10 10:04:56 +02:00
Ruben Groenewoud 6e3e5f6373 [Rule Tuning] Potential Disabling of AppArmor (#3971)
* [Rule Tuning] Potential Disabling of AppArmor

* Update query

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-08-10 09:51:45 +02:00
Jonhnathan 8950d33539 [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#3964)
* [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation

* .

* ++
2024-08-09 13:23:16 -03:00
Jonhnathan 20f4242566 [Rule Tuning] Simple KQL to EQL Conversion (#3948)
* [Rule Tuning] Simple KQL to EQL Conversion

* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update privilege_escalation_group_policy_iniscript.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-08-09 13:11:27 -03:00
Jonhnathan fcc8aaaf63 [Rule Tuning] Fix missing Winlogbeat index (#3976)
* [Rule Tuning] Fix missing Winlogbeat index

* bump
2024-08-09 12:46:33 -03:00
Jonhnathan 207dc55ede [Rule Tuning] Windows File-based Rules Tuning (#3963)
* [Rule Tuning] Windows File-based Rules Tuning

* Update credential_access_lsass_memdump_file_created.toml

* .
2024-08-09 12:26:58 -03:00
Jonhnathan f5069763b6 [Rule Tuning] Add System tag to DRs (#3968)
* [Rule Tuning] Add System tag to DRs

* bump
2024-08-09 11:14:33 -03:00
Terrance DeJesus 698e830f9f [Rule Tuning] Removing Minimum Stack Compatibility (#3974)
* removing min-stack

* removing min-stack

* updating date
2024-08-08 11:47:48 -04:00
Terrance DeJesus fe9ba15a2a [Rule Tuning] Tuning Suspicious HTML File Creation for Performance (#3480)
* tuning 'Suspicious HTML File Creation'

* TOML lint; reverted EQL function checks

* updated date
2024-08-08 11:12:55 -04:00
Jonhnathan 25ad765acb [Rule Tuning] Include winlogbeat index in sysmon-related rules (#3966) 2024-08-08 12:02:23 -03:00
Terrance DeJesus ff3d51721a [Rule Tuning] Tuning Persistent Scripts in the Startup Directory (#3479)
* tuning 'Persistent Scripts in the Startup Directory'

* adjusted query logic; added note about performance

* adjusted query logic

* adjusted query logic; added note about performance

* removed newline

* adjusted query logic to be more inclusive

* adjusted query

* adjusted query to leave wildcard and substring searches towards the end

* TOML lint

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* adjusted note; removed setup

* adjusted note; removed setup

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-08-06 18:42:53 -04:00
shashank-elastic 2ee5ae1f19 Fix Version Bump for Related Integrations (#3960) 2024-08-06 18:48:24 +05:30
Jonhnathan a6f1aa6fd7 [Rule Tuning] Windows Registry Rules Tuning - 2 (#3958) 2024-08-06 17:15:08 +05:30
Jonhnathan 9b85079da1 [Rule Tuning] Windows Registry Rules Tuning - 1 (#3957) 2024-08-06 17:05:17 +05:30
Jonhnathan 11636b159d [New Rule] Outlook Home Page Registry Modification (#3946) 2024-08-05 11:27:58 -03:00
Jonhnathan fbaac66f9f [Rule Tuning] Accepted Default Telnet Port Connection (#3954)
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-08-03 20:15:06 -03:00
Jonhnathan 392e813e7a [Rule Tuning] Microsoft IIS Service Account Password Dumped (#3935) 2024-08-02 16:37:45 -03:00
Ruben Groenewoud 93d928625d [Tuning] Executable Bit Set for Potential Persistence Script (#3929) 2024-08-02 21:13:19 +02:00
Jonhnathan ff3f66cacf [Rule Tuning] AWS S3 Object Versioning Suspended (#3953) 2024-08-02 13:36:11 -03:00
Jonhnathan dfdc214be8 [New Rule] Potential Relay Attack against a Domain Controller (#3928)
* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder
2024-08-02 13:03:20 -03:00
Jonhnathan 8d3ec2b8a3 [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947)
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-08-01 14:06:08 -03:00
Ruben Groenewoud 485312d5f2 [Rule Tuning] System Binary Moved or Copied (#3933) 2024-08-01 18:47:58 +02:00
Isai 62982f9d8c [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#3910)
* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User

* increased severity score

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-08-01 00:30:02 -04:00
Isai f2eb78219c [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time (#3923)
* [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time

* Update discovery_new_terms_sts_getcalleridentity.toml

* Update execution_new_terms_ec2_instance_cloudformation_createstack.toml

* Update rules/integrations/aws/execution_new_terms_ec2_instance_cloudformation_createstack.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* rule name change, removed ec2

* Update rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-07-31 16:55:49 -04:00
Isai 1b58d0640b [New Rule] AWS EC2 Instance Console Login via Assumed Role (#3922)
* [New Rule] AWS EC2 Instance Console Login via Assumed Role

* added reference for custom url creation

* added STS tag

* added event.provider to query

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-07-31 15:52:59 -04:00
Isai a28af59d02 [New Rule] AWS EC2 Instance Interaction with IAM Service (#3920)
* [New Rule] AWS EC2 Instance Interaction with IAM Service

* Update rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-07-31 15:44:02 -04:00
Jonhnathan 65cacb4960 [New Rule] Potential Active Directory Replication User Backdoor (#3014)
* [New Rule] Potential Active Directory Replication User Backdoor

* Update credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-07-31 12:02:34 -03:00
Ruben Groenewoud 134b842361 [Rule Tuning] Removed Endgame from Incompatible Rules (#3931)
* [Rule Tuning] Removed Endgame from Incompatible Rules

* ++
2024-07-31 09:26:38 +02:00
shashank-elastic dce5bbd904 Update Rule minstack (#3925) 2024-07-25 17:45:55 +05:30
shashank-elastic f3b0dc1954 Prep for next release 8.16 (#3919) 2024-07-24 11:19:56 -04:00
Jonhnathan 896946ad1b [New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#3917)
* [New Rule] Active Directory Forced Authentication from Linux Host via SMB Pipes

* Update credential_access_forced_authentication_pipes.toml

* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-07-24 12:01:10 -03:00
eric-forte-elastic baee89de9b Revert "Prep for next release 8.16 (#3914)"
This reverts commit 4245a815d2.
2024-07-23 14:06:04 -04:00
shashank-elastic 4245a815d2 Prep for next release 8.16 (#3914)
* Prep for Release 8.16

* Add subscription

* Remove double subscription

* Formatting

* Formatting

* Revert Beaconing rules minstack and lock version
2024-07-23 13:04:03 -04:00
Mika Ayenson 03c99d22d3 Revert "Prep for Release 8.16 (#3913)"
This reverts commit 01135085f6.
2024-07-23 09:50:04 -05:00
shashank-elastic 01135085f6 Prep for Release 8.16 (#3913) 2024-07-23 09:42:26 -05:00
Jonhnathan 5536a78d89 [New Rule] Potential WSUS Abuse for Lateral Movement (#3908)
* [New Rule] Potential WSUS Abuse for Lateral Movement

* Update lateral_movement_via_wsus_update.toml

* Update lateral_movement_via_wsus_update.toml
2024-07-22 17:04:08 -03:00
Jonhnathan 6bc1913473 [Rule Tuning] PowerShell Rules (#3903) 2024-07-22 08:39:40 -03:00
Ruben Groenewoud a71bbe0cf8 [Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
* [Rule Tuning] Misc. DR Rule Tuning - Part 2

* ++

* Update privilege_escalation_suspicious_uid_guid_elevation.toml

* Update rules/linux/persistence_systemd_service_creation.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-07-19 15:21:35 +02:00
Ruben Groenewoud 76fdd549a3 [Rule Tuning] Misc. DR Rule Tuning (#3904)
* [Rule Tuning] Misc. DR Rule Tuning

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml

* I love KQL validation
2024-07-19 15:13:42 +02:00
Isai 322162f097 [New Rule] AWS S3 Bucket Replicated to Another Account (#3895) 2024-07-18 22:52:39 -04:00
Isai e9cb2228e6 [New Rule] AWS S3 Object Versioning Suspended (#3894)
* [New Rule] AWS S3 Object Versioning Suspended

* description spacing changes

* update description
2024-07-18 22:14:46 -04:00
Isai 80f85cff4d [New Rule] AWS S3 Bucket Server Access Logging Disabled (#3892)
* [New Rule] AWS S3 Bucket Server Access Logging Disabled

* changed severity from low to medium
2024-07-18 18:28:19 -04:00
Samirbous 6ac278df0c [tuning] Connection to Commonly Abused Web Services (#3901)
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-07-18 09:59:53 -03:00
Jonhnathan 1384742f07 [New Rule] Service DACL Modification via sc.exe (#3900)
* [New Rule] Service DACL Modification via sc.exe

* Update defense_evasion_sc_sdset.toml

* Update defense_evasion_sc_sdset.toml
2024-07-17 19:39:50 -03:00
Ruben Groenewoud 39350847d6 [New Rules] Git Hook execution/netcon (#3896)
* [New Rules] Git Hook execution/netcon

* Timestamp formatting change

* Update rules/linux/persistence_git_hook_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-07-17 15:28:37 +02:00