Jonhnathan | d3aa90f6a8 | 2022-04-14 12:27:47 +00:00
[Rule Tuning] Remove logs-windows.* index (#1928)
* Remove `logs-windows.*` index
* Update discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 0943ffba5f)

Jonhnathan | 2889bf7d4e | 2022-04-14 00:55:20 +00:00
Minor changes from Investigation Guides Review (#1927)
(cherry picked from commit 258418785f)

Mika Ayenson | 10bc32b9aa | 2022-04-13 16:13:27 -04:00
remove min_stack_version so old versions get config note (#1926)

Jonhnathan | c3ab31632f | 2022-04-13 01:07:09 +00:00
[Security Content] Current Investigation Guides Review (#1896)
* Modify investigation guides
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Rewrite and apply previous reviews
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
* Update rules/windows/credential_access_spn_attribute_modified.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit ebeb270075)

Jonhnathan | 03677ca4e8 | 2022-04-13 00:15:04 +00:00
[Security Content] Add Investigation Guides - 5 (#1895)
* [Security Content] Add Investigation Guides - 5
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 46f5af436e)

Jonhnathan | 7fdf870d31 | 2022-04-13 00:00:52 +00:00
[Security Content] Add Investigation Guides - 3 (#1836)
* [Security Content] Add Investigation Guides - 3
* Adjust Investigation Guides and Config
* Adjust Config
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
(cherry picked from commit 3a5fceac3b)

Jonhnathan | deed08b896 | 2022-04-11 18:05:59 +00:00
Update discovery_net_command_system_account.toml (#1912)
(cherry picked from commit 3b6c594a22)

Jonhnathan | 3c503f7c95 | 2022-04-10 18:38:57 +00:00
[Security Content] Add Investigation Guides - 4 (#1871)
* [Security Content] Add Investigation Guides - 4
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/windows/initial_access_script_executing_powershell.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* lint
* Update persistence_user_account_creation.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* .
* Fixes and lint
* .
* .
* revert modifications
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update impact_stop_process_service_threshold.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 290763d9bb)

Jonhnathan | c425d98de1 | 2022-04-05 19:35:15 +00:00
[Rule Tuning] Add EQL optional field syntax (#1910)
* Add optional EQL syntax
* Add min_stack_version
(cherry picked from commit 49074ddeaa)

Justin Ibarra | eeb8ab7744 | 2022-04-01 23:28:54 +00:00
Expand timestamp override tests (#1907)
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit 6bdfddac8e)

Jonhnathan | 8d322f40c0 | 2022-03-31 22:30:43 +00:00
Svchost spawning Cmd - False Positives Tuning (#1894)
(cherry picked from commit e1b4a0d87c)

Jonhnathan | 4ed2fbe932 | 2022-03-31 14:31:43 +00:00
[Security Content] Adjust Investigation Guides to be less generic (#1805)
* PowerShell Suspicious Script with Audio Capture Capabilities
* PowerShell Keylogging Script
* PowerShell MiniDump Script
* Potential Process Injection via PowerShell
* PowerShell Suspicious Discovery Related Windows API Functions
* Suspicious Portable Executable Encoded in Powershell Script
* PowerShell PSReflect Script
* Startup/Logon Script added to Group Policy Object
* Group Policy Abuse for Privilege Addition
* Scheduled Task Execution at Scale via GPO
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Adjust Posh desc
* .
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* .
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update privilege_escalation_group_policy_scheduled_task.toml
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 8a59b49fea)

Jonhnathan | 5a263b253d | 2022-03-30 17:46:02 +00:00
[Security Content] Add Investigation Guides - 2 (#1822)
* Add Investigation Guides for Windows Rules - First half
* + 1/2
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update credential_access_mod_wdigest_security_provider.toml
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update defense_evasion_amsienable_key_mod.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Update command_and_control_certutil_network_connection.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Update collection_winrar_encryption.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
(cherry picked from commit a3d7427d29)

Colson Wilhoit | 150ff0502e | 2022-03-29 21:03:35 -04:00
Linux Shell Evasion Rule Tuning (#1878)
* Linux Shell Evasion Rule Tuning
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_apt_binary.toml
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
* Update execution_perl_tty_shell.toml
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
