Commit Graph

141 Commits

Author SHA1 Message Date
Mika Ayenson dfef597794 [Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service (#2192) 2022-08-23 10:10:40 -04:00
Mika Ayenson 2204459e73 [Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172) 2022-08-23 09:59:43 -04:00
Mika Ayenson 2326b30a87 [Rule Tuning] Suspicious Browser Child Process (#2138) 2022-08-23 09:56:23 -04:00
Jonhnathan 6e2d20362a [Rule Tuning] Standardizing Risk Score according to Severity (#2242) 2022-08-21 22:29:39 -03:00
Mika Ayenson d1bc53e295 [Rule Tuning] Persistence via Folder Action Script (#2174)
* Exclude FPs for iterm
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:36:05 -04:00
Mika Ayenson 4f55e9b05f [Rule Tuning] Potential Persistence via Login Hook (#2177)
* Exclude FPs for iMazing Profile Editor and backupd
2022-08-05 14:25:31 -04:00
Mika Ayenson 058f11f650 [Rule Tuning] Sublime Plugin or Application Script Modification (#2180)
* expand filter to sublime text contents

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-08-05 14:15:28 -04:00
Mika Ayenson ecd10b672a [Rule Tuning] Execution with Explicit Credentials via Scripting (#2190)
* add case sensitive Python process name and T1548
2022-08-02 14:21:00 -04:00
Mika Ayenson d8e0c0fee3 [Rule Tuning] Suspicious Calendar File Modification (#2187)
* exclude fps for Mail.app
2022-08-02 14:06:57 -04:00
Colson Wilhoit 998afcf9c4 [Rule Tuning] MacOS Installer Package Net Event (#2193)
* [Rule Tuning] MacOS Installer Package Net Event

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update execution_installer_package_spawned_network_event.toml

just deleting a typo

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-07-28 15:16:10 -05:00
Mika Ayenson 3a557503d1 [Rule Tuning] Unexpected Child Process of macOS Screensaver Engine (#2184)
* add screensaver subtechnique
2022-07-27 14:49:22 -04:00
Mika Ayenson df670fac56 [Rule Tuning] Potential Microsoft Office Sandbox Evasion (#2123)
* filter run by macOS os type
2022-07-27 11:58:30 -04:00
Mika Ayenson fcc9cc9d8e fix typo in description (#2168) 2022-07-27 08:51:52 -04:00
Mika Ayenson cdafe17ffb [Rule Tuning] Authorization Plugin Modification (#2156)
* exclude files altered by shove processes
2022-07-27 08:34:23 -04:00
Mika Ayenson e6bab063dc [Rule Tuning] LaunchDaemon Creation or Modification and Immediate Loading (#2154)
* update query
2022-07-27 08:24:57 -04:00
Mika Ayenson b44714c83f filter Bitdefender FPs (#2109) 2022-07-25 10:12:30 -04:00
Mika Ayenson 286941cb8e [Rule Tuning] Attempt to Unload Elastic Endpoint Security Kernel Extension (#2134)
* add subtechnique T1547/006/
2022-07-23 11:22:27 -04:00
Mika Ayenson 1dc0fcec47 add CVE to tag (#2127)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-07-22 20:44:14 -04:00
Mika Ayenson f07c72254d update description (#2149) 2022-07-22 17:12:41 -04:00
Mika Ayenson b3334941f9 [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#2147)
* exclude jamf fp and add ssh subtechnique
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-07-22 17:10:09 -04:00
Mika Ayenson 84104773a6 exclude google drive FP (#2145) 2022-07-22 17:00:00 -04:00
Mika Ayenson 44ae72d054 [Rule Tuning] Suspicious Automator Workflows Execution (#2142)
* add subtechnique

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-07-22 16:50:45 -04:00
Mika Ayenson f176b5ef57 update tags to include C2 tactic (#2140) 2022-07-22 16:39:25 -04:00
Colson Wilhoit d6527afd51 [Rule Tuning] Remove File Quarantine Attribute (#2129) 2022-07-22 15:25:12 -05:00
Mika Ayenson 1e28385ea4 [Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#2136)
* fix parens and exclude parent process FPs and update description
2022-07-22 16:16:27 -04:00
Mika Ayenson d2be29b226 [Rule Tuning] Potential Privacy Control Bypass via TCCDB Modification (#2121)
* add exception for Bitdefender
2022-07-22 16:07:41 -04:00
Mika Ayenson cefb84ae15 [Rule Tuning] Modification of Environment Variable via Launchctl (#2119)
* add exception for vmoptions
2022-07-22 16:03:46 -04:00
Terrance DeJesus e8c39d19a7 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules that were missing them. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-07-22 14:30:34 -04:00
Mika Ayenson cd11001fe8 [Rule Tuning] Attempt to Remove File Quarantine Attribute (#2117)
* Add exceptions for browser FPs
2022-07-22 14:26:48 -04:00
Mika Ayenson c1c83a536c [Rule Tuning] Kerberos Cached Credentials Dumping (#2103)
* Updated description to include threat actor utilization
2022-07-22 14:19:04 -04:00
Mika Ayenson a9de227cfa [Rule Tuning] Access to Keychain Credentials Directories (#2101)
* rule tune to remove noisy FPs
2022-07-22 14:14:12 -04:00
Mika Ayenson aaf9a708ae [Rule Tuning] Access of Stored Browser Credentials (#2098)
* audit update: added technique T1539 and excluded additional cookies path
2022-07-22 13:57:59 -04:00
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061)
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-07-18 15:41:32 -04:00
Mika Ayenson 92640f517a [Rule tuning] check for anything found in the emondClient directory (#1977)
* check for anything found in the emondClient directory and add reference
2022-05-18 12:33:23 -04:00
shashank-elastic 88f71233c9 Detection of suspicious crontab creation or modification (#1938)
* Detection of suspicious crontab creation or modification

* Update rules/macos/persistence_crontab_creation.toml

* Update rules/macos/persistence_crontab_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_crontab_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_crontab_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-04-27 12:08:32 +05:30
Jonhnathan 20d2e92cfe Review & Fix Invalid References (#1936) 2022-04-26 17:57:15 -03:00
Justin Ibarra 6bdfddac8e Expand timestamp override tests (#1907)
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
Damià Poquet Femenia 9ad3d39a32 Add Jamf Connect exception for macOS users enumeration rule (#1891)
* Update discovery_users_domain_built_in_commands.toml

Jamf Connect uses ldapsearch to synchronize user passwords.

* change rule update date
2022-03-28 13:13:28 -03:00
Stijn Holzhauer 3d4eaf4caf Adding path as stated in #1812 (#1889)
* Adding path as stated in #1812

* Bumping updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-27 08:07:38 -03:00
Jonhnathan 1c50f35aed [Security Content] Update rules based on docs review (#1803)
* Adds suggestions from security-docs

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-03-01 21:39:30 -03:00
Justin Ibarra 72c64de3f5 [Rule tuning] Update rules based on docs review (#1663)
* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-28 10:41:22 -09:00
Colson Wilhoit b564fa13fb MacOS FolderActionScripts Process List Update (#1723)
* update and expand process list

* fix query

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-01-25 14:27:27 -06:00
Colson Wilhoit cfd4d431dd MacOS Launch Daemon Creation Rule - Query Fix (#1722)
* launch daemon creation syntax fix

* change updated date
2022-01-25 12:47:51 -06:00
David French cdbd5a6515 [New Rule] Rules to detect screensaver persistence on macOS (#1531)
* add macos screensaver persistence rules

* change uuid

* update name

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* add T1546

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-07 08:22:58 -06:00
Jonhnathan f6421d8c53 Additional Att&ck Mappings for credential access Rules (#1495)
Updates MITRE Technique IDs for Credential Access DRs
2021-09-21 11:04:16 -05:00
Justin Ibarra 655f7d91d0 [Rule tuning] Fix spacing in reference URLs (#1455) 2021-08-31 15:59:06 -08:00
Justin Ibarra d31ea6253e Refresh ATT&CK mappings to v9.0 (#1401)
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
2021-08-04 14:16:10 -08:00
Ross Wolf 31f63e728e Switch from process.ppid to process.parent.pid (#1255)
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date
2021-06-22 09:10:28 -06:00
Brent Murphy 12577f7380 [Rule Tuning] Update network rule address blocks (#1227)
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-06-15 09:22:59 -04:00
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194)
* standardize usage of note field
2021-05-10 13:40:56 -08:00