security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,180 Commits 1 Branch 0 Tags
dfef597794d4daf07eb4e8ebccd78bb64db930d4
Commit Graph

14 Commits

Author SHA1 Message Date
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2022-07-18 15:41:32 -04:00
Jonhnathan 1f8813d02f [Promote Rule] Potential Invoke-Mimikatz PowerShell Script (#1993) 
* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-05-25 17:02:21 -03:00
Jonhnathan 817b97f428 [Security Content] Refactor Existing Investigation Guides (#1959) 
* Initial commit

* Update Investigation guides - security-docs review

* Update command_and_control_dns_tunneling_nslookup.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply security-docs review

* Remove dot

* Update rules/windows/command_and_control_rdp_tunnel_plink.toml

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply changes from review

* Apply the suggestion

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2022-05-18 12:59:39 -03:00
Jonhnathan ebeb270075 [Security Content] Current Investigation Guides Review (#1896) 
* Modify investigation guides

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Rewrite and apply previous reviews

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update rules/windows/credential_access_spn_attribute_modified.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-04-12 22:05:13 -03:00
Justin Ibarra 6bdfddac8e Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
 2022-04-01 15:27:08 -08:00
Justin Ibarra 72c64de3f5 [Rule tuning] Update rules based on docs review (#1663) 
* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-01-28 10:41:22 -09:00
Jonhnathan f6421d8c53 Additional Att&ck Mappings for credential access Rules (#1495) 
Updates MITRE Technique IDs for Credential Access DRs
 2021-09-21 11:04:16 -05:00
dstepanic17 9ff3873ee7 [rule-tuning] Adding more context with triage/investigation (#1481) 
* [rule-tuning] Adding more context with triage/investigation

* Adding mimikatz rule

* Fixed updated date on mimikatz rule

* Adding Defender update

* Adding scheduled task

* Adding AdFind

* Adding rare process

* Adding cloudtrail country

* Adding cloudtrail spike

* Adding threat intel

* Fixed minor spelling/syntax

* Fixed minor spelling/syntax p2

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/ml/ml_rare_process_by_host_windows.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Removed MITRE link, added Microsoft

* Update ml_cloudtrail_error_message_spike.toml

* Update ml_cloudtrail_rare_method_by_country.toml

* Update ml_rare_process_by_host_windows.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update discovery_adfind_command_activity.toml

* Update lateral_movement_dns_server_overflow.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-15 20:07:21 -05:00
Austin Songer 95e6458c6e [Rule Tuning] Mimikatz powershell module activity detected (#1297) 
* update query
* add indexes
 2021-07-20 23:08:04 -08:00
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194) 
* standardize usage of note field
 2021-05-10 13:40:56 -08:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 90a9320f93 [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951) 
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
 2021-02-17 13:48:57 -09:00
Justin Ibarra 61deed3fd2 [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948) 
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
 2021-02-16 10:52:48 -09:00
Andrew Pease 66506139d9 [New Rule] Detects Mimikatz via Invoke-Mimikatz (#700) 
* initial commit

* lint

* note updates

* convert to eql and moved to dev

* convert to eql and moved to dev
 2020-12-09 14:51:45 -06:00