security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
940 Commits 1 Branch 0 Tags
dec4243db00ce024073a87efdb0244d05c88cba6
Commit Graph

940 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jonhnathan dec4243db0 [Rule Tuning] Update rules based on docs review (#1778) 
* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-16 07:42:06 -09:00
Jonhnathan 3227d65cd8 [Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773) 
* Remove Windows Integration & Winlogbeat Support

* Update lateral_movement_service_control_spawned_script_int.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-15 23:04:55 -03:00
Jonhnathan 03f60cc11c [Rule Tuning] Potential Command and Control via Internet Explorer (#1771) 
* Use user.name on the sequence instead of user.id

* Update command_and_control_iexplore_via_com.toml

* Remove min_stack and comment "with runs"

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-15 22:58:01 -03:00
Jonhnathan 42436d3364 [New Rule] Potential Credential Access via DCSync (#1763) 
* "Potential Credential Access via DCSync" Initial Rule

* replace unintentional bracket removal

* json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-15 21:40:26 -03:00
Jonhnathan fd678dc5cb Modified to use Integrity fields instead of user.id (#1772) 2022-02-15 15:22:49 -09:00
Jonhnathan 9bbe26fec0 [Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775) 
* Initial Review of Sysmon Registry Rules

* Update defense_evasion_sip_provider_mod.toml
 2022-02-15 09:56:37 -03:00
Jonhnathan c646a18efb Update discovery_net_command_system_account.toml (#1769) 2022-02-14 12:11:12 -03:00
Samirbous 326aa64ff6 [New Rule] Windows Service Installed via an Unusual Client (#1759) 
* [New Rule] Windows Service Installed via an Unusual Client

https://www.x86matthew.com/view_post?id=create_svc_rpc

* Update non-ecs-schema.json

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add ```s

* Update privilege_escalation_windows_service_via_unusual_client.toml

* add missing comma to schema

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-11 21:56:59 +01:00
Jonhnathan 9c56b00429 Modification of AmsiEnable Registry Key - Sysmon support (#1760) 2022-02-11 17:49:38 -03:00
Jonhnathan aa9fedd18d Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (#1757) 2022-02-11 08:15:49 -09:00
github-actions[bot] 8f36346139 Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1768) 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1

* Trigger Build

* Remove change to trigger build

Co-authored-by: DefSecSentinel <DefSecSentinel@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-02-10 15:06:49 -06:00
Khristinin Nikita b1121da237 [Rule Tuning] Fix IM query (#1767) 
* Fix IM quer

* Add update date
 2022-02-10 09:30:13 -09:00
Jonhnathan 5a16a222ad [Documentation] Fix O365 Integration name on Rules and Unit Test (#1684) 
* Adjust Integration Name

* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml

* Update integration name

* .

* Case

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-09 19:03:30 -03:00
Colson Wilhoit e0dda91f26 Prep for creation of 8.2 branch (#1762) 2022-02-08 18:43:55 -09:00
Justin Ibarra 97835bc5c5 Move misplaced rule to proper folder (#1756) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-02-04 11:35:29 -09:00
Jonhnathan 85b72256c2 [New Rule] Potential Shadow Credentials added to AD Object (#1729) 
* Potential Shadow Credentials added to AD Object Initial Rule

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_shadow_credentials.toml

* Add AD tag

* Update credential_access_shadow_credentials.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-04 15:49:04 -03:00
Jonhnathan 7dac52f1cf [New Rule] PowerShell Script Block Logging Disabled (#1749) 
* PowerShell Script Block Logging Disabled

* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_disable_posh_scriptblocklogging.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-04 15:44:27 -03:00
Jonhnathan 40095d95bf Update credential_access_mod_wdigest_security_provider.toml (#1751) 2022-02-04 15:38:12 -03:00
Jonhnathan 9ce5d0b92a [New Rule] AdminSDHolder Backdoor (#1745) 
* AdminSDHolder Backdoor

* Update rules/windows/persistence_ad_adminsdholder.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-01 10:14:39 -03:00
Jonhnathan d949fefe0c [New Rule] KRBTGT Delegation Backdoor (#1743) 
* KRBTGT Delegation Backdoor

* Update persistence_msds_alloweddelegateto_krbtgt.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* refresh rule_id with new uuid

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-01 10:08:54 -03:00
Justin Ibarra 2828633919 [Bug] Fix AttributeError in RuleCollection dupe check (#1747) 2022-01-31 15:57:46 -09:00
Jonhnathan 26d5bad914 [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741) 
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml

* fix year
 2022-01-31 21:02:02 -03:00
Jonhnathan 6e3f4b2824 [New Rule] Kerberos Preauthentication Disabled for User (#1717) 
* Initial "Kerberos Preauthentication Disabled for User" Rule

* Update credential_access_disable_kerberos_preauth.toml

* Update credential_access_disable_kerberos_preauth.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Add config directives

* Update rules/windows/credential_access_disable_kerberos_preauth.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-31 12:31:20 -03:00
Jonhnathan 25ec71579d [New Rule] SeEnableDelegationPrivilege assigned to User (#1737) 
* SeEnableDelegationPrivilege assigned to User

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix logging policy name

* Update rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* lint

* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-31 12:22:54 -03:00
Justin Ibarra 72c64de3f5 [Rule tuning] Update rules based on docs review (#1663) 
* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-01-28 10:41:22 -09:00
Khristinin Nikita 87c7210aab [Rule Tuning] Change default time query for rounding days (#1713) 
* Change default time query for rounding days

* Udpate date

* Revert rule updated_data

* Restore threat_query
 2022-01-28 10:34:14 -09:00
Jonhnathan edd0df5e1a [New Rule] PowerShell Kerberos Ticket Request (#1715) 
* PowerShell Kerberos Ticket Request Initial Rule

* bump date
 2022-01-27 16:36:02 -03:00
Jonhnathan 189c2b152c [New Rule] Email Reported by User as Malware or Phish (#1699) 
* Email Reported by User as Malware or Phish Initial Rule

* Update initial_access_o365_user_reported_phish_malware.toml

* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 16:30:46 -03:00
Jonhnathan b6cbdbd416 [New Rule] MS Office Macro Security Registry Modifications (#1696) 
* "MS Office Macro Security Registry Modifications" Initial Rule

* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 16:24:41 -03:00
Jonhnathan f7bc13b437 [New Rule] OneDrive Malware File Upload (#1693) 
* "OneDrive Malware File Upload" Initial Rule

* bump severity
 2022-01-27 16:19:16 -03:00
Jonhnathan 1676844640 [New Rule] SharePoint Malware File Upload (#1691) 
* "SharePoint Malware File Upload" Initial Rule

* s/onedrive/sharepoint

* bump severity
 2022-01-27 16:12:17 -03:00
Samirbous 26fb8e83a5 [New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660) 
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac

EQL

```
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```

* Create privilege_escalation_samaccountname_spoofing_attack.toml

* Update non-ecs-schema.json

* extra ref

* toml linted

* ref for MS kb5008102

* more ref

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 15:46:27 +01:00
Jonhnathan 14252d45ee [New Rule] Global Administrator Role Assigned (#1686) 
* Initial Global Administrator Role Assigned Rules

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 09:53:02 -03:00
Jonhnathan 7e4325dd7a Create credential_access_mfa_push_brute_force.toml (#1682) 2022-01-27 09:37:49 -03:00
Jonhnathan 38ae64f729 [Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718) 
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-27 09:31:51 -03:00
Jonhnathan 1699f50beb Update credential_access_suspicious_lsass_access_memdump.toml (#1714) 2022-01-27 09:28:16 -03:00
Jonhnathan 4ac824192f Update source.ip condition (#1712) 2022-01-27 09:24:55 -03:00
Jonhnathan 0a23d820c9 [Rule Tuning] Fix event.outcome condition on O365 failed logon related rules (#1687) 
* Tune rule query

* Update credential_access_microsoft_365_potential_password_spraying_attack.toml

* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml

* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"

This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
 2022-01-27 09:22:42 -03:00
Jonhnathan 50c7d5f262 [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1683) 
* Inbox Rule Tuning

* Add RedirectTo

* Update non-ecs-schema.json
 2022-01-27 09:20:49 -03:00
Jonhnathan fdeb8cb1de [Rule Tuning] Azure Virtual Network Device Modified or Deleted (#1679) 
* Update impact_virtual_network_device_modified.toml

* Change case
 2022-01-27 09:15:22 -03:00
Samirbous b9edc5464e [New Rule] Potential Privilege Escalation via PKEXEC (#1727) 
* [New Rule] Potential Privilege Escalation via PKEXEC

Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user :

* Update privilege_escalation_pkexec_envar_hijack.toml

* removed = sign
 2022-01-27 10:41:40 +01:00
Justin Ibarra 1f216d12aa Autogenerate docs for integration package releases (#1567) 
* Autogenerate docs for integration package releases
* add parameter to bypass query validation in git loader
* strip space and - from normalized name
 2022-01-26 21:19:03 -09:00
Justin Ibarra e26374cb40 Update base branch in integrations-pr command (#1733) 2022-01-26 20:52:24 -09:00
Justin Ibarra 30f5d62bf5 Update tests to account for non-backported deprecations (#1735) 
* Update tests to account for non-backported deprecations
* remove comment spacing
 2022-01-26 20:40:15 -09:00
Rick Boyd 179ebb5bdb Add pyproject.toml and setup.cfg (#1672) 
* add pyproject.toml
* add setup.cfg
 2022-01-26 14:13:49 -09:00
github-actions[bot] e42fee2d84 Lock versions for releases: 7.13,7.14,7.15,7.16,8.0 (#1732) 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2022-01-26 13:54:18 -09:00
Justin Ibarra 84d55c829d Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649)" (#1731) 
This reverts commit 625d1df2bf.
 2022-01-26 11:41:12 -09:00
Justin Ibarra f7d93e20d4 fix bug in yaml parsing for github workflows (#1725) 
* fix bug in yaml parsing for github workflows

* fix kibana version
 2022-01-25 18:56:29 -09:00
Justin Ibarra 2e78da5c9a Prepare for creation of 8.1 branch (#1700) 2022-01-25 18:11:59 -09:00
Jonhnathan b6d1c1476b [Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration (#1706) 
* Adjust queries and min_stack_version
* Update reference to the filebeat module
* adjust min_stack_version
 2022-01-25 16:51:20 -09:00