security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
86 Commits 1 Branch 0 Tags
d8ee4473a25302a4b4667a3d2a0733f1c0aee26d
Commit Graph

15 Commits

Author SHA1 Message Date
Colson Wilhoit 3e73a3c60a [New Rule] Insmod kernel module load (#2093) 
* insmod kernel module load

* Update rules/linux/persistence_insmod_kernel_module_load.toml

* Update rules/linux/persistence_insmod_kernel_module_load.toml

(cherry picked from commit d7d0466344)
 2022-07-13 14:23:29 +00:00
shashank-elastic 69237c4ed2 [Rule tuning] existing strace activity rule. (#2028) 
* Update description and MITTRE Attack details

(cherry picked from commit 2ee23bd80f)
 2022-06-16 11:49:16 +00:00
shashank-elastic b12d1cb978 [Rule Tuning] Add MITRE Details to exisisting hpining activity rule. (#2012) 
* Add MITRE Details to existing hping activity rule.

(cherry picked from commit f02325fe2f)
 2022-06-02 05:08:23 +00:00
shashank-elastic 821e04aaf8 Linux binary(s) ftp shell evasion threat (#2007) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 98a85ddcee)
 2022-06-01 16:40:06 +00:00
shashank-elastic 75f8928d1f [Rule tuning] Linux binary(s) shell evasion threat 
* Linux binary(s) git shell evasion threat

(cherry picked from commit fd7a6d63b0)
 2022-05-25 13:53:22 +00:00
shashank-elastic 44046642e7 [Rule tuning] Linux binary(s) shell evasion threat (#1957) 
* Linux binary(s) shell evasion threat

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 51b2d9da4b)
 2022-05-25 03:04:53 +00:00
Justin Ibarra 0796082300 [Rule tuning] Unusual Process Execution - Temp (#1968) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 1840a638c8)
 2022-05-23 15:06:55 +00:00
Mika Ayenson a2dbfff31b [Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974) 
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag

(cherry picked from commit 77966473d1)
 2022-05-20 15:12:56 +00:00
Colson Wilhoit 4817bf26c8 [Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root (#1983) 
* [Rule Tuning] Update Rule Name

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

(cherry picked from commit d12f45c6ba)
 2022-05-17 22:43:06 +00:00
Terrance DeJesus a440d87f67 [New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975) 
* adding initial rule

* adjusted UUID

* removed event.ingested as query is a sequence

* changed file name to match mitre ATT&CK tactic

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* TOML linted

* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml

Just edited a couple grammar things. Looks good

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* added additional tactic for privilege escalation and linted

* formatted query to be more readable

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit c89f423961)
 2022-05-16 21:24:34 +00:00
Terrance DeJesus c7d1ea428c [New Rule] Abnormal Process ID File Creation (#1964) 
* adding rule detection

* changed Rule ID

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Adding reboot extension as well.

Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Adding reboot to description.

Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Added additional reference to similar threat.

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added rule for a process starting where the executable's name represented a PID file

* Adjusted user.id value from integer to string

* Added simple investigation notes and osquery coverage

* TOML linting

* Updated date to reflect recent changes

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 1704924f7b)
 2022-05-12 14:40:34 +00:00
Terrance DeJesus b5f473a444 [New Rule] Executable Launched from Shared Memory Directory (#1961) 
* new rule to check for executables launched from shared memory directory

* added references and false positive instances

* Update rules/linux/execution_shared_memory_executable.toml

* Update rules/linux/execution_shared_memory_executable.toml

* Update rules/linux/execution_shared_memory_executable.toml

* adjusted process to account for var run and lock directories

* TOML lint and query formatting

* TOML lint and query formatting

* Update rules/linux/execution_process_started_in_shared_memory_directory.toml

* Update rules/linux/execution_process_started_in_shared_memory_directory.toml

* Update rules/linux/execution_process_started_in_shared_memory_directory.toml

* Update rules/linux/execution_process_started_in_shared_memory_directory.toml

* added BPFDoor tag to be threat specific

* TOML linting and adjusted risk because of root requirement

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 5f447a63a2)
 2022-05-11 16:22:41 +00:00
Terrance DeJesus 5769a21867 [Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945) 
* updated content to reflect changes from Security Docs team

* Update rules/linux/execution_flock_binary.toml

* Update rules/linux/execution_expect_binary.toml

* TOML linting

* added escape for crdential_access_spn_attribute_modified.toml

(cherry picked from commit e9f5585a9f)
 2022-05-06 17:23:22 +00:00
Justin Ibarra eeb8ab7744 Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit 6bdfddac8e)
 2022-04-01 23:28:54 +00:00
Colson Wilhoit 150ff0502e Linux Shell Evasion Rule Tuning (#1878) 
* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-29 21:03:35 -04:00