security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,180 Commits 1 Branch 0 Tags
dfef597794d4daf07eb4e8ebccd78bb64db930d4
Commit Graph

19 Commits

Author SHA1 Message Date
Samirbous d3420e3386 [Deprecate Rule] Suspicious Process from Conhost (#2222) 
only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args).

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-08-16 16:32:24 +02:00
Jonhnathan fc7a384d19 [Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144) 
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2

* update date

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-08-08 21:34:05 -03:00
Terrance DeJesus a76c51ae17 [Deprecation rule] DNS Activity to the Internet (#2221) 2022-08-02 20:59:35 -05:00
Samirbous a046dc0d29 [Deprecate rule] Whitespace Padding in Process Command Line (#2218) 
very noisy and will require frequent tuning with very low TP rate.
 2022-08-02 18:30:57 +02:00
Samirbous e5ee8e024f [Deprecate Rule] File and Directory Discovery (#2217) 
* [Deprecate Rule] File and Directory Discovery

very noisy and most if not all are FPs, few rooms for tuning without rendering the rule easy to bypass.

* Delete workspace.xml
 2022-08-02 17:57:28 +02:00
Samirbous 8d34416049 [Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209) 
* [Deprecated Rule] Potential Privilege Escalation via Local Kerberos Relay over LDAP

FPs in certain cases with no room for tuning.

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-08-01 18:28:26 +02:00
shashank-elastic 8afded11e7 Rule tuning as part of Linux Detection Rules Review (#2170) 2022-07-29 21:55:49 +05:30
shashank-elastic e9267e544c Rule(s) deprecation as part of Linux Detection Rule Review (#2163) 2022-07-26 18:48:25 +05:30
shashank-elastic 51b2d9da4b [Rule tuning] Linux binary(s) shell evasion threat (#1957) 
* Linux binary(s) shell evasion threat

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-05-25 08:32:53 +05:30
Jonhnathan 22dd7f0ada Deprecate PrintNightmare Rules (#1852) 2022-03-17 19:39:36 -03:00
Justin Ibarra 9c43151da4 [Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match (#1703) 2022-01-25 16:46:49 -09:00
Justin Ibarra ab17dfcc28 [Bug] Tighten definitions validation patterns (#1396) 
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-10-26 10:26:20 -05:00
Justin Ibarra 5a69ceb0c5 Add test for improper rule demotion (released production -> development) (#1555) 2021-10-19 21:47:36 -08:00
Justin Ibarra b736d6e748 [Rule Tuning] Rule description tweaks (#1388) 2021-07-29 10:56:13 -08:00
Brent Murphy ff45539369 [Deprecation] Deprecate inherently noisy rules based on testing (#1122) 
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-04-21 15:10:06 -04:00
Samirbous 0400dc207a [Deprecation] Process Discovery via Tasklist (#1116) 
* [Deprecation] Process Discovery via Tasklist

* deprecation_date

* update date

* Update rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-15 22:18:56 +02:00
Samirbous e323084433 [Deprecation] Trusted Developer Application Usage (#1118) 
* [Deprecation] Trusted Developer Application Usage

* update date
 2021-04-15 22:15:38 +02:00
Samirbous 511a74ef27 [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities (#1028) 
* [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* restored Execution via Regsvcs/Regasm

* restored changes

* deprecated 1rule, deleted 1 and tuned 1

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-03-19 10:05:09 +01:00
Justin Ibarra d4cc4432ce Add tests to ensure rules are properly deprecated (#1050) 
* Add tests to ensure rules are properly deprecated
* add deprecate-rule command
 2021-03-16 21:31:33 -08:00