security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,969 Commits 1 Branch 0 Tags
e125a4e4cf6f6d67daa8076a4c259ed02bc9dd3f
Commit Graph

1969 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jonhnathan e125a4e4cf [Rule Tuning] WRITEDAC Access on Active Directory Object (#3583) 2024-04-08 08:43:25 -03:00
Jonhnathan aa0cc42ff6 [Rule Tuning] Svchost spawning Cmd (#3578) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-08 07:50:20 -03:00
Terrance DeJesus 0cb42983c1 updated to v14.0 mitre ATT&CK (#3289) 
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2024-04-05 14:30:23 -04:00
Eric Forte e6f48ade01 Bump KQL lib Version (#3575) 2024-04-05 13:38:54 -04:00
Eric Forte fbb6df506e Update default (#3574) 2024-04-04 20:27:14 -04:00
Eric Forte 1566c29bae [Bug] KQL fails validation on uppercase keywords (#3568) 
* add todo

* Add a normalize_kql_keywords function to utils

* update rule loader to normalize and warn

* optimized loading

* fix linting

* Moved conversion to kql module.

* Updated unit test

* Refactor KQL parser to normalize keywords via flag

* Fix logic typo

* Update detection_rules/utils.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update lib/kql/kql/__init__.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated to fix unit tests and remove warnings

* linting typo

* Added comments

* remove unused imports

* Update kql.parse default

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-04-04 18:03:30 -04:00
Eric Forte fa75876322 [Bug] New Terms Rule Import Failing (#3569) 
* initial patch

* Update definitions to allow for brackets in name

* Update to prompt for required fields.

* Update detection_rules/cli_utils.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-04-04 17:37:13 -04:00
Mika Ayenson c35652c8c8 [Bug] Add explicit format preserver (#3566) 2024-04-04 15:50:48 -05:00
Eric Forte a9cc323d09 [Bug] Threshold Rule Importing Failures (#3560) 
* remove threshold specific req

* fix test event override

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-04-03 14:15:09 -04:00
Mirko Bez 153657029b Add filebeat-* index pattern to rules based on system.auth dataset (#3561) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-03 11:27:31 +02:00
shashank-elastic 3fbffa24ed Deprecate Releasing to a patch kibana version workflow (#3552) 2024-04-03 08:34:45 +05:30
github-actions[bot] 8d5bd3b0f6 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3567) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-04-02 23:59:42 +05:30
shashank-elastic 0e2eb5a84c Fix minstack version for O365 prod rules (#3565) 2024-04-02 21:33:18 +05:30
Jonhnathan 4ab7c9b178 [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution (#3545) 
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-04-02 11:06:08 -03:00
Samirbous 69173872da [Tuning] Connection to Commonly Abused Web Services (#3425) 
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-02 14:41:10 +01:00
Samirbous f025616cbd [New Rule] Suspicious Access to LDAP Attributes (#2504) 
* Create discovery_high_number_ad_properties.toml

* Update discovery_high_number_ad_properties.toml

* Update rules/windows/discovery_high_number_ad_properties.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_high_number_ad_properties.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* fixed tags; moved note to setup, updated date

* Update discovery_high_number_ad_properties.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2024-04-02 13:57:38 +01:00
Jonhnathan c781376188 [Rule Tuning] Potential Application Shimming via Sdbinst (#3553) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-02 06:35:14 -03:00
Samirbous f2490007e8 [New] Potential Execution via XZBackdoor (#3555) 
* [New] Potential Execution via XZBackdoor

* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-02 05:15:04 +01:00
Jonhnathan b47b91b9ec [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) 
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules

* Delete test.pkl

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-01 20:45:12 -03:00
Jonhnathan 67ca13c1ce [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505) 
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions

* update min_stack

* build out schema in more detail for Filters

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Remove enum for definition

* remove unused import

* remove $state store

* transform state

* add call to super

* add return type hint

* use dataclass metadata

* use Literal type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-04-01 17:44:50 -03:00
Susan 400a84628e Update setup guide for ML integration packages (#3475) 
* Add more detail to ingest pipeline install

* Add more info to anomaly detection setup

* Update draft

* Fix typo

* Bulk add doc updates

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>

* Address Kseniia feedback

* Update updated_date per review feedback

---------

Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-04-01 15:02:32 -04:00
Mika Ayenson bb907a4d76 [FR] Add support for investigation_fields (#3550) 2024-04-01 11:52:46 -05:00
shashank-elastic 8b215eac41 Fix create PR in release workflow (#3528) 2024-04-01 21:17:10 +05:30
Terrance DeJesus d4bf04256d [Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477) 
* deprecating

* adjusted matury tag; updated dates
 2024-04-01 11:01:20 -04:00
Mika Ayenson b6a7e7ebda [FR] Add required-fields option to import-rules (#3546) 2024-03-28 18:29:47 -05:00
Jonhnathan 218c3bead6 [New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543) 
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script

* Update credential_access_posh_relay_tools.toml

* Update execution_posh_hacktool_functions.toml

* Update credential_access_posh_relay_tools.toml

* Update credential_access_posh_relay_tools.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-03-28 07:05:35 -03:00
Jonhnathan 954a93c3b4 [New Rule] Creation of a DNS-Named Record (#3539) 
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml
 2024-03-27 18:21:07 -03:00
Jonhnathan 67e9ebf8e1 [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation (#3535) 
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-03-27 10:07:23 -03:00
Samirbous d7aff43621 [New] Suspicious Execution via ScreenConnect (#3541) 
* [New] Suspicious Execution via ScreenConnect

- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)

* Update command_and_control_screenconnect_childproc.toml

* Update rules/windows/initial_access_webshell_screenconnect_server.toml

* Update rules/windows/command_and_control_screenconnect_childproc.toml

* Update rules/windows/command_and_control_screenconnect_childproc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_screenconnect_childproc.toml

* Update command_and_control_screenconnect_childproc.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-03-27 11:52:47 +00:00
ALEXANDER MA COTE 138447221f fix typo in lateral_movement_remote_services.toml (#3538) 2024-03-27 11:38:57 +01:00
Ruben Groenewoud 760b99bcc1 [Rule Tuning] Scheduled Task Activity via pwsh (#3534) 2024-03-26 14:45:04 +01:00
Samirbous fc76a8bcb5 [New] Suspicious JetBrains TeamCity Child Process (#3532) 
* [New] Suspicious JetBrains TeamCity  Child Process

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml
 2024-03-25 16:32:56 +00:00
Eric Forte 3503786154 Update sort parameter (#3531) 2024-03-25 11:46:30 -04:00
github-actions[bot] eaf4658620 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-03-21 20:30:46 +05:30
Mika Ayenson fc7cc2c06a [Bug] Update lock versions dependencies (#3525) 2024-03-21 19:05:24 +05:30
Jonhnathan 779fa7710d [New Rules] Veeam Credential Access DRs (#3516) 
* [New Rules] Veeam Credential Access DRs

* bump

* Update credential_access_veeam_commands.toml

* Update credential_access_veeam_backup_dll_imageload.toml

* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update credential_access_veeam_commands.toml

* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-03-21 10:00:48 -03:00
Ruben Groenewoud a6028b43b3 [Rule Tuning] Potential Reverse Shell via UDP (#3508) 2024-03-21 13:48:41 +01:00
Mika Ayenson e37bc6f781 Update README.md (#3524) 2024-03-20 13:32:26 -05:00
Mika Ayenson 07abc19932 [Rule Tuning] SMTP on Port 26/TCP (#3521) 2024-03-19 15:55:25 -05:00
Mika Ayenson 5c3523954e [FR] Update Python Dependency Versions (#3515) 2024-03-19 14:07:16 -05:00
Terrance DeJesus f6e79944f2 [Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' (#3494) 
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'

* reverting lookback window

* missing word in description
 2024-03-15 19:08:28 -04:00
Mika Ayenson d26981f712 [FR] Independently package kql / kibana and bump to py3.12 (#3514) 2024-03-14 20:18:32 -05:00
Mika Ayenson 3d2a36be32 Revert "[FR] Independently package kql / kibana and bump to py3.12 (#3492)" 
This reverts commit fc139fc3c2.
 2024-03-14 19:48:50 -05:00
Mika Ayenson fc139fc3c2 [FR] Independently package kql / kibana and bump to py3.12 (#3492) 2024-03-14 19:14:25 -05:00
Mika Ayenson 8724077a0e [FR] Add support for dataviews in the rule schema (#3510) 2024-03-14 17:43:27 -05:00
Susan a4ecfe3ccf Beaconing - Add whitelist to rules, with some more processes (#3497) 
* Add whitelist to rules, with some more processes

* Update rules exceptionlist

* Update exceptions

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-03-14 15:51:02 -04:00
Jonhnathan c610e19114 [Rule Tuning] Guided Onboarding Rule (#3502) 
* [Rule Tuning] Guided Onboarding Rule

* Update guided_onboarding_sample_rule.toml

* Revert "Update guided_onboarding_sample_rule.toml"

This reverts commit 18721277df7416534440a4708fa3b060f2775a27.

* Update guided_onboarding_sample_rule.toml

* Update guided_onboarding_sample_rule.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-03-14 10:59:31 -03:00
Ruben Groenewoud 4179180fcb [New Rules] mprotect() RWX Binary Execution (#3507) 
* [New Rules] mprotect() RWX Binary Execution

* Added rule names

* Update execution_netcon_from_rwx_mem_region_binary.toml

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update execution_netcon_from_rwx_mem_region_binary.toml

* Update execution_netcon_from_rwx_mem_region_binary.toml
 2024-03-13 22:11:44 +01:00
Jonhnathan f5254f3b5e [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) 
* Initial commit

* Date bump
 2024-03-13 10:27:44 -03:00
Ruben Groenewoud 9f8638a004 [Tuning] event.action and event.type change (#3495) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-03-13 10:11:21 +01:00