security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
662 Commits 1 Branch 0 Tags
e897a6760429ea46da15ebbca1609b62fd37fee9
Commit Graph

46 Commits

Author SHA1 Message Date
Ross Wolf e897a67604 Fix fleet package generation (#1296) 
* Fix fleet package generation
* Add .lstrip()
* Lint fix
* Add newline
 2021-06-17 06:16:09 -06:00
Ross Wolf f6839e98d1 Simplify version locking code and fix 7.13.0 lock (#1295) 
* Update version lock overwrite command
* Fix tooling and restore old version lock
* Lint fix
* Fix tests
* Remove dead code
* Filter to prod+deprecated rules
* Cast set -> list
* Store deprecation info
* Add correct version.lock.json (finally)
* Fix "stack_version" typo
* Remove stack_version
* Back out main.py changes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-06-16 18:02:47 -06:00
Ross Wolf 61e5b44c44 [Fleet] Update template and packaging code for fleet packages (#1280) 
* Update template and packaging code for fleet packages
* Fix linting
 2021-06-15 07:54:50 -06:00
Ross Wolf 90c6f24e8f Lock the versions from 7.13.0 (#1256) 2021-06-04 16:15:33 -06:00
Ross Wolf eb40c52c7c Port historical schemas to jsonschema (#1084) 
* Port historical schemas to jsonschema
* Add marshmallow-json dependency
* Mark etc/api_schemas as binary
* Remove gitattributes attempt
* Lint fix
* Apply PR feedback
* Additional PR feedback
* Extract stack version from packages.yml
* Fix the backport schemas
* Cache the schema reads
* Add migration for #1167
* Make a separate 'migration not found' error
 2021-05-13 14:27:32 -06:00
Justin Ibarra 7040538a9a bump packages version to 7.14 2021-04-30 11:32:18 -08:00
Justin Ibarra a0a3143a52 Refresh beats and ecs schemas (#1140) 
* download new beats and ecs schemas
* add beats download func by version and download v7.11.2
 2021-04-22 09:49:06 -08:00
Ross Wolf 791c911b9e Merge branch '7.12' into main 2021-04-15 16:17:59 -06:00
Justin Ibarra 462fab3ff8 Update threshold rule schema to disallow empty field string (#1098) 
* Update threshold rule schema to disallow empty field string
* lock versions for rule changes
 2021-04-14 04:56:38 -08:00
Justin Ibarra b5bd9d2fe1 Bump version for endpoint promotion rules for 7.12.1 (#1082) 
* Bump version for endpoint promotion rules
* remove timestamp_override 
* lock versions
 2021-04-12 05:55:51 -08:00
Justin Ibarra 92313b479a Lock 7.12 rule versions (#1083) 
* lock versions for 7.12 rules
* Update promotion rules to match kibana with timestamp_override field
 2021-04-06 10:48:17 -08:00
Ross Wolf 07be6b701d Change the asset .type field (#1075) 2021-04-05 10:50:58 -06:00
Justin Ibarra d4cc4432ce Add tests to ensure rules are properly deprecated (#1050) 
* Add tests to ensure rules are properly deprecated
* add deprecate-rule command
 2021-03-16 21:31:33 -08:00
Justin Ibarra fc9dfde2c4 Generate an integrations package from a release (#983) 
* Generate an integrations package files during a release build
 2021-03-09 13:30:12 -09:00
brokensound77 4b5d2542cf Merge remote-tracking branch 'upstream/main' into merge-7.12-to-main 2021-03-08 14:41:21 -09:00
brokensound77 a77bd6178f Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12 
# Conflicts:
#	rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
 2021-02-17 14:11:50 -09:00
Justin Ibarra 90a9320f93 [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951) 
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
 2021-02-17 13:48:57 -09:00
brokensound77 6ce418877f Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12 
# Conflicts:
#	etc/version.lock.json
#	rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
#	rules/cross-platform/impact_hosts_file_modified.toml
#	rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
#	rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
#	rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
#	rules/linux/defense_evasion_timestomp_touch.toml
#	rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
#	rules/macos/credential_access_credentials_keychains.toml
#	rules/macos/credential_access_promt_for_pwd_via_osascript.toml
#	rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
#	rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
#	rules/promotions/external_alerts.toml
#	rules/windows/collection_email_powershell_exchange_mailbox.toml
#	rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
#	rules/windows/collection_winrar_encryption.toml
#	rules/windows/command_and_control_common_webservices.toml
#	rules/windows/command_and_control_encrypted_channel_freesslcert.toml
#	rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
#	rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
#	rules/windows/command_and_control_teamviewer_remote_file_copy.toml
#	rules/windows/credential_access_cmdline_dump_tool.toml
#	rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
#	rules/windows/credential_access_credential_dumping_msbuild.toml
#	rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
#	rules/windows/credential_access_dump_registry_hives.toml
#	rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
#	rules/windows/credential_access_iis_connectionstrings_dumping.toml
#	rules/windows/credential_access_kerberoasting_unusual_process.toml
#	rules/windows/credential_access_lsass_memdump_file_created.toml
#	rules/windows/credential_access_mimikatz_memssp_default_logs.toml
#	rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
#	rules/windows/defense_evasion_clearing_windows_event_logs.toml
#	rules/windows/defense_evasion_code_injection_conhost.toml
#	rules/windows/defense_evasion_cve_2020_0601.toml
#	rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
#	rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
#	rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
#	rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
#	rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
#	rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
#	rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
#	rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
#	rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
#	rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
#	rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
#	rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
#	rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
#	rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
#	rules/windows/defense_evasion_hide_encoded_executable_registry.toml
#	rules/windows/defense_evasion_iis_httplogging_disabled.toml
#	rules/windows/defense_evasion_injection_msbuild.toml
#	rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
#	rules/windows/defense_evasion_masquerading_renamed_autoit.toml
#	rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
#	rules/windows/defense_evasion_masquerading_trusted_directory.toml
#	rules/windows/defense_evasion_modification_of_boot_config.toml
#	rules/windows/defense_evasion_port_forwarding_added_registry.toml
#	rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
#	rules/windows/defense_evasion_sdelete_like_filename_rename.toml
#	rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
#	rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
#	rules/windows/defense_evasion_suspicious_zoom_child_process.toml
#	rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
#	rules/windows/defense_evasion_unusual_dir_ads.toml
#	rules/windows/defense_evasion_unusual_system_vp_child_program.toml
#	rules/windows/defense_evasion_via_filter_manager.toml
#	rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
#	rules/windows/discovery_adfind_command_activity.toml
#	rules/windows/discovery_admin_recon.toml
#	rules/windows/discovery_file_dir_discovery.toml
#	rules/windows/discovery_net_command_system_account.toml
#	rules/windows/discovery_net_view.toml
#	rules/windows/discovery_peripheral_device.toml
#	rules/windows/discovery_process_discovery_via_tasklist_command.toml
#	rules/windows/discovery_query_registry_via_reg.toml
#	rules/windows/discovery_remote_system_discovery_commands_windows.toml
#	rules/windows/discovery_security_software_wmic.toml
#	rules/windows/discovery_whoami_command_activity.toml
#	rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
#	rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
#	rules/windows/execution_command_shell_started_by_powershell.toml
#	rules/windows/execution_command_shell_started_by_svchost.toml
#	rules/windows/execution_command_shell_started_by_unusual_process.toml
#	rules/windows/execution_command_shell_via_rundll32.toml
#	rules/windows/execution_from_unusual_directory.toml
#	rules/windows/execution_from_unusual_path_cmdline.toml
#	rules/windows/execution_shared_modules_local_sxs_dll.toml
#	rules/windows/execution_suspicious_cmd_wmi.toml
#	rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
#	rules/windows/execution_suspicious_pdf_reader.toml
#	rules/windows/execution_suspicious_powershell_imgload.toml
#	rules/windows/execution_suspicious_psexesvc.toml
#	rules/windows/execution_suspicious_short_program_name.toml
#	rules/windows/execution_via_compiled_html_file.toml
#	rules/windows/execution_via_hidden_shell_conhost.toml
#	rules/windows/execution_via_net_com_assemblies.toml
#	rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
#	rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
#	rules/windows/initial_access_script_executing_powershell.toml
#	rules/windows/initial_access_suspicious_ms_office_child_process.toml
#	rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
#	rules/windows/initial_access_unusual_dns_service_children.toml
#	rules/windows/initial_access_unusual_dns_service_file_writes.toml
#	rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
#	rules/windows/lateral_movement_execution_from_tsclient_mup.toml
#	rules/windows/lateral_movement_local_service_commands.toml
#	rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
#	rules/windows/lateral_movement_rdp_enabled_registry.toml
#	rules/windows/lateral_movement_rdp_tunnel_plink.toml
#	rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
#	rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
#	rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
#	rules/windows/persistence_adobe_hijack_persistence.toml
#	rules/windows/persistence_appcertdlls_registry.toml
#	rules/windows/persistence_appinitdlls_registry.toml
#	rules/windows/persistence_evasion_registry_ifeo_injection.toml
#	rules/windows/persistence_gpo_schtask_service_creation.toml
#	rules/windows/persistence_local_scheduled_task_commands.toml
#	rules/windows/persistence_ms_office_addins_file.toml
#	rules/windows/persistence_ms_outlook_vba_template.toml
#	rules/windows/persistence_priv_escalation_via_accessibility_features.toml
#	rules/windows/persistence_registry_uncommon.toml
#	rules/windows/persistence_run_key_and_startup_broad.toml
#	rules/windows/persistence_services_registry.toml
#	rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
#	rules/windows/persistence_startup_folder_scripts.toml
#	rules/windows/persistence_suspicious_com_hijack_registry.toml
#	rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
#	rules/windows/persistence_suspicious_scheduled_task_runtime.toml
#	rules/windows/persistence_suspicious_service_created_registry.toml
#	rules/windows/persistence_system_shells_via_services.toml
#	rules/windows/persistence_user_account_creation.toml
#	rules/windows/persistence_via_application_shimming.toml
#	rules/windows/persistence_via_hidden_run_key_valuename.toml
#	rules/windows/persistence_via_lsa_security_support_provider_registry.toml
#	rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
#	rules/windows/persistence_via_update_orchestrator_service_hijack.toml
#	rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
#	rules/windows/privilege_escalation_named_pipe_impersonation.toml
#	rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
#	rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
#	rules/windows/privilege_escalation_rogue_windir_environment_var.toml
#	rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
#	rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
#	rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
#	rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
#	rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
#	rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
#	rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
#	rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
#	rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
#	rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
 2021-02-17 12:18:06 -09:00
Justin Ibarra 61deed3fd2 [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948) 
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
 2021-02-16 10:52:48 -09:00
Justin Ibarra 66be82808c lock versions for rule changes in v7.11.0 (#947) 2021-02-16 09:13:38 -09:00
Justin Ibarra 69f82a77eb bump package version to 7.13 2021-02-10 22:37:55 -09:00
brokensound77 bf32dec5a4 Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main 
# Conflicts:
#	rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
 2021-01-28 10:41:39 -09:00
brokensound77 288dbd7a84 lock versions file for 7.11 2021-01-28 10:36:46 -09:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Justin Ibarra 7926e50b8f bump package version to 7.12 2020-12-09 13:51:19 -09:00
Brent Murphy 598e807a5c [New Rule] Microsoft 365 Teams Custom Application Interaction Allowed (#657) 
* [New Rule] O365 Teams Custom Application Interaction Allowed

* rebrand to m365, still needed non ecs schema

* Update non-ecs-schema.json
 2020-12-08 17:36:47 -05:00
Justin Ibarra 0ed1e1df71 Add support to validate against dev ECS and beats schemas (#691) 2020-12-08 13:29:56 -09:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
brokensound77 75d37e9271 Merge remote-tracking branch 'upstream/main' into mergeback/7.10-to-main 2020-11-12 00:59:31 -09:00
brokensound77 123d523cf0 lock version changes for 7.10 2020-11-12 00:52:44 -09:00
Justin Ibarra fda1e7ef94 Bump zoom rule to production (#427) 2020-10-29 11:02:29 -08:00
Justin Ibarra 442b31bd2f Update packages.yml 2020-10-26 12:07:34 -08:00
Justin Ibarra 7c1e9c1ed5 Update package summary extras produced during package generation (#341) 
* update summary.txt
* add summary.xlsx
* add changelog entry autogeneration
 2020-09-30 14:43:45 -08:00
Justin Ibarra aecf355582 Refresh beats schema for validation to 7.9.2 (#347) 2020-09-30 09:35:13 -08:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330) 
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
 2020-09-23 22:03:29 -08:00
Justin Ibarra 6ad3344af3 Collect unique query fields per rule (#296) 2020-09-23 14:36:34 -08:00
Justin Ibarra b8e0c379c5 Update packages.yml 2020-09-02 14:10:46 -05:00
brokensound77 aec3ec31b9 Merge branch '7.9' into main 2020-08-27 15:54:44 -08:00
Justin Ibarra 4ffdc46ba7 Lock rule versions (#207) 2020-08-27 17:47:29 -05:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220) 
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
 2020-08-27 11:54:49 -05:00
Justin Ibarra 9b70383898 Refresh ecs master and add beats v7.8.1 schemas (#156) 2020-08-17 12:33:20 -05:00
Ross Wolf 69a5b7e409 Lock versions for 7.9 release 2020-08-04 13:35:14 -06:00
Ross Wolf db4f50d4b8 Improve the validation and testing time (#61) 
* Improve the validation and testing time
* Lint fix
* Cache schema validation
 2020-07-15 08:05:55 -06:00
Craig Chamberlain a2a0b2bf0c [New Rule] AWS EC2 Snapshot Activity 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-07-07 15:10:06 -06:00
Ross Wolf e2d97b0a74 Remove unreachable and legacy code 
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-30 10:12:23 -06:00
Ross Wolf 3b305d3003 Add rule loader and dependencies 
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-29 23:17:42 -06:00