security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
864 Commits 1 Branch 0 Tags
d4e06beee609c9895ad81cbffa034db9be6fd5e7
Commit Graph

6 Commits

Author SHA1 Message Date
Austin Songer ef7548f04c [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) 
* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_webshell_detection.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_system_shells_via_services.toml

* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_system_shells_via_services.toml

* Update persistence_webshell_detection.toml

* Update rules/windows/persistence_local_scheduled_task_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 12:16:31 -03:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 645a0cd67b [Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945) 
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
 2021-02-17 19:49:58 -09:00
Justin Ibarra a0e86e20d6 [Rule Tuning] Add windows integration index to rules (#923) 2021-01-28 20:53:57 -09:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Samirbous 97fa6c62cd [New Rule] Remote File Download via Powershell (#660) 
* [New Rule] Remote File Download via Powershell

* new line

* eql syntax

* ecs_version

* added google related FPs

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>

* relint

* ecs_version removed

* replaced path with name to avoid FPs for users temp folder

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>
 2020-12-08 21:28:28 +01:00