security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
595 Commits 1 Branch 0 Tags
dd4bc3e57eb9a77dbcb574d3fb98b1978b588a1b
Commit Graph

595 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Samirbous dd4bc3e57e [Rule Tuning] Connection to Commonly Abused Web Services (#1079) 
* [Rule Tuning] Connection to Commonly Abused Web Services

* adjusted 1 exclusion

* update date

* added 3 dns.names as suggested by Daniel

* added requestbin.net used for DNS tunneling by APT34
 2021-04-14 00:53:27 +02:00
Samirbous 0fe09aaed5 [New Rule] NullSessionPipe Registry Modification (#1058) 
* [New Rule] NullSessionPipe Registry Modification

* Update lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml

* Update rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-14 00:50:31 +02:00
Samirbous 0ba469dbe4 [Rule Tuning] Modification of Standard Authentication Module or Confi… (#1056) 
* [Rule Tuning] Modification of Standard Authentication Module or Configuration

* update date
 2021-04-14 00:36:38 +02:00
Samirbous 0669e9be00 [New Rule] Suspicious Startup Shell Folder Modification (#1042) 
* [New Rule] Suspicious Startup Shell Folder Modification

* Update rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 00:33:54 +02:00
Samirbous f2bc0c685d [Rule Tuning] Suspicious Explorer Child Process (#1035) 
* [Rule Tuning] Suspicious Explorer Child Process

* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-14 00:10:29 +02:00
Samirbous 0cc0e3d31f [New Rule] Persistence via BITS Job Notify Cmdline (#1096) 
* [New Rule] Persistence via BITS Job Notify Cmdline

* changed severity and added 1 exclusion

* Update rules/windows/persistence_via_bits_job_notify_command.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-13 23:25:30 +02:00
Brent Murphy af067797c2 Update defense_evasion_unusual_network_connection_via_rundll32.toml (#1109) 2021-04-13 16:58:30 -04:00
Bobby Filar 3876ef3a37 Adjust loopback for Cloudtrail (#1103) 
* #1092 adjusting loopback for cloudtrail

* refactored time interval, adjusted updated_date

* reverting bucket interval back to 15m
 2021-04-13 13:58:13 -04:00
David French a7bb15eaf7 [Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#1046) 
* Update discovery_users_domain_built_in_commands.toml

* tweak whitespace in query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-13 11:31:47 -06:00
Brent Murphy aa61283dfa [Rule Tuning] Local Service Commands (#1044) 
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-04-13 12:31:45 -04:00
Samirbous 31daa7b36a [Rule Tuning] Keychain Password Retrieval via Command Line (#992) 
* [Rule Tuning] Keychain Password Retrieval via Command Line

* removed duplicate tactic

* Update credential_access_keychain_pwd_retrieval_security_cmd.toml

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-13 18:16:43 +02:00
Brent Murphy 414d320276 [Rule Tuning] Local Scheduled Task Commands (#1043) 
* Update persistence_local_scheduled_task_commands.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2021-04-08 14:28:21 -04:00
Apoorva Joshi 0095a80014 Network rules for the 7.13 release (#1087) 
* Adding network rules for the 7.13 release

* Adding rule guids

* Update rules/ml/ml_high_count_network_denies.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/ml/ml_rare_destination_country.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/ml/ml_rare_destination_country.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/ml/ml_rare_destination_country.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/ml/ml_high_count_network_events.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/ml/ml_spike_in_traffic_to_a_country.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Minor changes

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-04-08 09:34:47 -07:00
Samirbous cb5f9e6a2b [New Rule] Persistence via WMI Standard Registry Provider (#1040) 
* [New Rule] Persistence via WMI Standard Registry Provider

* Update persistence_via_wmi_stdregprov_run_services.toml

* Update persistence_via_wmi_stdregprov_run_services.toml

* fixing Mitre technique stuff

* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added few regpaths

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-06 17:50:02 +02:00
Samirbous 0c70d56dcd [Rule Tuning] Potential Command and Control via Internet Explorer (#1070) 
* [Rule Tuning] Potential Command and Control via Internet Explorer

* added FP note

* update date

* added *.office.com to exclusions
 2021-04-06 11:17:19 +02:00
Ross Wolf b12437c88c Remove dead code in the rule loader 2021-04-05 14:30:26 -06:00
Ross Wolf 6ed1a39efe Add a RuleCollection object instead of a "loader" module (#1063) 
* Add a RuleCollection object instead of a "loader" module
* Remove legacy loader code
* Remove more legacy loader
* Freeze the default collection
* Change RULE_LOADER default
* Rename to _toml_load_cache
* Use rglob magic
* Typo should've been a string
* Remove no longer needed glob import
* Fix pycharm import bad ordering
* Restore the detection_rules/schemas imports
* Put more imports back for a smaller diff
* Check cache in _deserialize_toml
* Add multi collection and single collection decorators
* Reorder RuleCollection methods
* Move filter method up
 2021-04-05 14:23:37 -06:00
Ross Wolf 07be6b701d Change the asset .type field (#1075) 2021-04-05 10:50:58 -06:00
Ross Wolf 1e6e49a2cb Change the JSON schema for the security_rule Kibana asset (#1066) 
* Change the JSON schema for the security_rule Kibana asset
* Use the asset type for the folder name
 2021-03-30 13:31:02 -06:00
Ross Wolf 8ee1b2ffd4 Fix the version lock update code (#1064) 
* Fix the version lock update code
* Add Rule.lock_info() method
 2021-03-25 14:48:31 -06:00
Ross Wolf c0af222e7e Move Rule into a dataclass (#1029) 
* WIP: Convert Rule to a dataclass
* Fix make release
* Lint fixes
* Remove dead code
* Fix lint and tests
* Use Python 3.8 in GitHub actions
* Update README to 3.8+
* Add Python 3.8 assertion
* Fix is_dirty property
* Remove incorrect pop from contents
* Add mixin with from_dict() and to_dict() methods
* Bypass validation for deprecated rules
* Fix rule_prompt
* Fix dict_hash usage
* Fix rule_event_search
* Switch to definitions.Date
* Fix toml-lint command, ignoring 'unneeded defaults'
* Moved severity Literal to definitions.Severity
* Remove BaseMarshmallowDataclass
* Fix lint and tests
* Add maturity to metadata for rule prompt loop
* Fix typo in devtools
* Use rule loader to load single rule in toml-lint
* Add Schema hint to __schema method
* Add MITREAttackURL definition
* Fix is_dirty to compare sha<-->sha
* Normalize the autoformatted rule output for API and toml-lint
* Make the package hash match
* Make the rule object mutable but not rule contents
* Restore the rules
 2021-03-24 10:24:32 -06:00
Justin Ibarra cc6711c240 add reference to DGA and solarwinds blogs in ml_dga.md 2021-03-19 10:58:51 -08:00
Ross Wolf 6963c5a445 Change asset type to security_rule (#1054) 
* Change asset type to security_rule
* Add notice.txt
 2021-03-19 08:55:02 -06:00
Samirbous 687c9feba3 [Rule Tuning] Persistence via Login or Logout Hook (#1020) 
* [Rule Tuning] Persistence via Login or Logout Hook

* update date

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-03-19 10:32:51 +01:00
Samirbous 3e1169317f [Rule Tuning] Timestomping using Touch Command (#1006) 
* [Rule Tuning] Timestomping using Touch Command

* removed process_started from event.type

* update date

* Update defense_evasion_timestomp_touch.toml

* lint and resolve conflict

Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-03-19 10:26:40 +01:00
Samirbous 9cff72bbcb [Rule Tuning] Connection to Commonly Abused Web Services (#1016) 2021-03-19 10:23:12 +01:00
Samirbous dd1214627a [Rule Tuning] Modification of Environment Variable via Launchctl (#1010) 
* [Rule Tuning] Modification of Environment Variable via Launchctl

* update date
 2021-03-19 10:20:04 +01:00
Samirbous 04f3cd967d [Rule Tuning] Execution from Unusual Directory - Command Line (#1012) 
* [Rule Tuning] Execution from Unusual Directory - Command Line

* format change as per JLB sugg
 2021-03-19 10:16:47 +01:00
Samirbous 511a74ef27 [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities (#1028) 
* [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* restored Execution via Regsvcs/Regasm

* restored changes

* deprecated 1rule, deleted 1 and tuned 1

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-03-19 10:05:09 +01:00
Samirbous be3c7eaf45 [Rule Tuning] WebProxy Settings Modification (#1008) 
* [Rule Tuning] WebProxy Settings Modification

* kql optimz test

* update date
 2021-03-19 10:00:50 +01:00
Samirbous 83dfe911bc [Rule Tuning] Program Files Directory Masquerading (#1018) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-03-19 09:55:08 +01:00
Samirbous bcc8b6922c [Rule Tuning] Suspicious macOS MS Office Child Process (#1022) 
* [Rule Tuning] Suspicious macOS MS Office Child Process

* comment for exclusions

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-03-19 09:48:27 +01:00
Samirbous 8e139012f7 [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream (#1014) 
* [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream

* Revert "[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream"

This reverts commit 2bf2c33002f08fec1d9cc64da9795bb189625e4d.

* [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream

* Update rules/windows/defense_evasion_unusual_dir_ads.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-03-19 09:45:57 +01:00
Samirbous f800199cc5 [Rule Tuning] Access to Keychain Credentials Directories (#999) 
* [Rule Tuning] Access to Keychain Credentials Directories

* Update rules/macos/credential_access_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-03-19 09:42:32 +01:00
Samirbous 04ea1a72c7 [Rule Tuning] Security Software Discovery via Grep (#994) 
* [Rule Tuning] Security Software Discovery via Grep

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-03-18 15:46:26 +01:00
Samirbous 21290cc055 [Rule Tuning] Command Shell Activity Started via RunDLL32 (#996) 
* [Rule Tuning] Command Shell Activity Started via RunDLL32

* relinted and added FP note

* update_date

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-03-18 15:14:22 +01:00
Samirbous 32714b8527 [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#988) 
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-03-18 15:11:42 +01:00
Samirbous bc74838c0b [Rule Tuning] Suspicious WerFault Child Process (#990) 
* [Rule Tuning] Suspicious WerFault Child Process

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-03-18 15:08:44 +01:00
brokensound77 0ca39df508 remove labeler action files 2021-03-17 19:19:32 -08:00
Justin Ibarra 8e12fe7136 Create labeler.yml 
add labeler config
 2021-03-17 11:40:23 -08:00
Justin Ibarra d4cc4432ce Add tests to ensure rules are properly deprecated (#1050) 
* Add tests to ensure rules are properly deprecated
* add deprecate-rule command
 2021-03-16 21:31:33 -08:00
Ross Wolf 93f8f2dd94 Change asset type for integration to security-rule (#1048) 2021-03-16 16:05:30 -06:00
Ross Wolf 5c2da0b5c4 Move Rule.build to cli_utils.rule_prompt (#1024) 
* Move Rule.build to cli_utils.rule_prompt
* Fix build_threat_map_entry lint
* Fix license and add docstring
 2021-03-09 16:37:53 -07:00
Justin Ibarra fc9dfde2c4 Generate an integrations package from a release (#983) 
* Generate an integrations package files during a release build
 2021-03-09 13:30:12 -09:00
Justin Ibarra 2fe48e3225 Merge pull request #1004 from brokensound77/merge-7.12-to-main 2021-03-08 20:31:41 -09:00
brokensound77 4b5d2542cf Merge remote-tracking branch 'upstream/main' into merge-7.12-to-main 2021-03-08 14:41:21 -09:00
Justin Ibarra 0b65678d8c [Rule tuning] Correct tags with associated threat mappings (#1003) 2021-03-08 14:12:29 -09:00
Brent Murphy 309edf7f4a Create initial_access_suspicious_ms_exchange_worker_child_process.toml (#1001) 2021-03-08 16:45:27 -05:00
Justin Ibarra 0e0b2ea1a4 Update schema for threshold rule type for 7.12 (#976) 
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
 2021-03-05 14:35:50 -09:00
Justin Ibarra 0ef7d87b34 [Rule Tuning] Fix inconsistent rule indexes (#974) 
* [Rule Tuning] Fix inconsistent rule indexes
* cleaned up tests that load rules to leverage setUpClass
 2021-03-05 11:16:02 -09:00