security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,180 Commits 1 Branch 0 Tags
dfef597794d4daf07eb4e8ebccd78bb64db930d4
Commit Graph

7 Commits

Author SHA1 Message Date
Samirbous 049fbf7979 [Rule Tuning] Potential Remote Credential Access via Registry (#2203) 
* [Rule Tuning] Potential Remote Credential Access via Registry

Excluding some noisy FPs by file.path (user and machine hives std paths) and event.action (scoped to logged-in)

* Update credential_access_remote_sam_secretsdump.toml
 2022-08-01 17:49:39 +02:00
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2022-07-18 15:41:32 -04:00
Jonhnathan 817b97f428 [Security Content] Refactor Existing Investigation Guides (#1959) 
* Initial commit

* Update Investigation guides - security-docs review

* Update command_and_control_dns_tunneling_nslookup.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply security-docs review

* Remove dot

* Update rules/windows/command_and_control_rdp_tunnel_plink.toml

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply changes from review

* Apply the suggestion

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2022-05-18 12:59:39 -03:00
Terrance DeJesus e9f5585a9f [Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945) 
* updated content to reflect changes from Security Docs team

* Update rules/linux/execution_flock_binary.toml

* Update rules/linux/execution_expect_binary.toml

* TOML linting

* added escape for crdential_access_spn_attribute_modified.toml
 2022-05-06 13:21:12 -04:00
Jonhnathan 3a5fceac3b [Security Content] Add Investigation Guides - 3 (#1836) 
* [Security Content] Add Investigation Guides - 3
* Adjust Investigation Guides and Config
* Adjust Config

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
 2022-04-12 15:58:50 -08:00
Justin Ibarra 6bdfddac8e Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
 2022-04-01 15:27:08 -08:00
Samirbous a6582351b5 [New Rule] Potential Remote Credential Access via Registry (#1804) 
* [New Rule] Potential Remote Credential Access via Registry

4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624).

Example of data :

* Delete workspace.xml

* Update credential_access_remote_sam_secretsdump.toml

* Update credential_access_remote_sam_secretsdump.toml

* add non ecs field

* Update non-ecs-schema.json

* Update credential_access_remote_sam_secretsdump.toml

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-03 16:28:03 +01:00