security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
118 Commits 1 Branch 0 Tags
d988fcb0de2b60a5f51f1bfe3af1aec78bfa17cb
Commit Graph

22 Commits

Author SHA1 Message Date
Mika Ayenson cbfa323c34 [Rule Tuning] Attempt to Unload Elastic Endpoint Security Kernel Extension (#2134) 
* add subtechnique T1547/006/

(cherry picked from commit 286941cb8e)
 2022-07-23 15:23:38 +00:00
Mika Ayenson f8a53b50b7 add CVE to tag (#2127) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 1dc0fcec47)
 2022-07-23 00:45:21 +00:00
Mika Ayenson cf1cdb1791 update description (#2149) 
(cherry picked from commit f07c72254d)
 2022-07-22 21:13:40 +00:00
Mika Ayenson 2a160e0106 [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#2147) 
* exclude jamf fp and add ssh subtechnique
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit b3334941f9)
 2022-07-22 21:11:14 +00:00
Mika Ayenson 53e035a91f exclude google drive FP (#2145) 
(cherry picked from commit 84104773a6)
 2022-07-22 21:01:10 +00:00
Mika Ayenson 5e21144896 [Rule Tuning] Suspicious Automator Workflows Execution (#2142) 
* add subtechnique

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 44ae72d054)
 2022-07-22 20:51:44 +00:00
Mika Ayenson f6ed0dcf7e update tags to include C2 tactic (#2140) 
(cherry picked from commit f176b5ef57)
 2022-07-22 20:40:24 +00:00
Colson Wilhoit 3be3902038 [Rule Tuning] Remove File Quarantine Attribute (#2129) 
(cherry picked from commit d6527afd51)
 2022-07-22 20:26:08 +00:00
Mika Ayenson db6ff5588c [Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#2136) 
* fix parens and exclude parent process FPs and update description

(cherry picked from commit 1e28385ea4)
 2022-07-22 20:17:30 +00:00
Mika Ayenson ca898d0680 [Rule Tuning] Potential Privacy Control Bypass via TCCDB Modification (#2121) 
* add exception for Bitdefender

(cherry picked from commit d2be29b226)
 2022-07-22 20:08:50 +00:00
Mika Ayenson f1af12e81b [Rule Tuning] Modification of Environment Variable via Launchctl (#2119) 
* add exception for vmoptions

(cherry picked from commit cefb84ae15)
 2022-07-22 20:04:54 +00:00
Terrance DeJesus 141b00ec41 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073) 
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Removed changes from:
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

(selectively cherry picked from commit e8c39d19a7)
 2022-07-22 18:31:42 +00:00
Mika Ayenson c12b3dcf50 [Rule Tuning] Attempt to Remove File Quarantine Attribute (#2117) 
* Add exceptions for browser FPs

(cherry picked from commit cd11001fe8)
 2022-07-22 18:27:50 +00:00
Mika Ayenson 5c5f49a96c [Rule Tuning] Kerberos Cached Credentials Dumping (#2103) 
* Updated description to include threat actor utilization

(cherry picked from commit c1c83a536c)
 2022-07-22 18:20:06 +00:00
Mika Ayenson 6e98740a90 [Rule Tuning] Access to Keychain Credentials Directories (#2101) 
* rule tune to remove noisy FPs

(cherry picked from commit a9de227cfa)
 2022-07-22 18:15:16 +00:00
Mika Ayenson 75560f96ec [Rule Tuning] Access of Stored Browser Credentials (#2098) 
* audit update : added technique T1539 and excluded additional cookies path

(cherry picked from commit aaf9a708ae)
 2022-07-22 17:58:53 +00:00
Mika Ayenson 62298d92f4 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit a52751494e)
 2022-07-18 21:25:32 +00:00
Mika Ayenson 128053a93e [Rule tuning] check for anything found in the emondClient directory (#1977) 
* check for anything found in the emondClient directory and add reference

(cherry picked from commit 92640f517a)
 2022-05-18 16:35:25 +00:00
shashank-elastic 1d74816afc Detection of suspicious crontab creation or modification (#1938) 
* Detection of suspicious crontab creation or modification

* Update rules/macos/persistence_crontab_creation.toml

* Update rules/macos/persistence_crontab_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_crontab_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_crontab_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 88f71233c9)
 2022-04-27 06:40:40 +00:00
Jonhnathan e3c8981b63 Review & Fix Invalid References (#1936) 
(cherry picked from commit 20d2e92cfe)
 2022-04-26 20:59:20 +00:00
Justin Ibarra eeb8ab7744 Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit 6bdfddac8e)
 2022-04-01 23:28:54 +00:00
Colson Wilhoit 150ff0502e Linux Shell Evasion Rule Tuning (#1878) 
* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-29 21:03:35 -04:00