sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Justin Ibarra	3fc34b86f2	Update License to Elastic v2 (#944 )	2021-03-03 22:12:11 -09:00
Justin Ibarra	645a0cd67b	[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) * [Rule Tuning] Add timestamp_override field to rules * add tests for lookback and timestamp_override * fix dates and add test to ensure updated > creation	2021-02-17 19:49:58 -09:00
Samirbous	732770e855	[New Rule] Potential OpenSSH Backdoor Logging Activity (#749 ) * [New Rule] Known SSH Backdoor Logging File * updated query to common patterns * updated rule name * relinted * added extra path * renamed * adjusted some filepaths * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added kobalos OpenSSH credential stealer added kobalos SSH credential stealer default logs file as reported by ESET this week https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf * relinted * adjusted MITRE technique * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-05 21:27:15 +01:00

Author

SHA1

Message

Date

Justin Ibarra

3fc34b86f2

Update License to Elastic v2 (#944 )

2021-03-03 22:12:11 -09:00

Justin Ibarra

645a0cd67b

[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 )

* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation

2021-02-17 19:49:58 -09:00

Samirbous

732770e855

[New Rule] Potential OpenSSH Backdoor Logging Activity (#749 )

* [New Rule] Known SSH Backdoor Logging File

* updated query to common patterns

* updated rule name

* relinted

* added extra path

* renamed

* adjusted some filepaths

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added kobalos OpenSSH credential stealer

added kobalos SSH credential stealer default logs file as reported by ESET this week https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf

* relinted

* adjusted MITRE technique

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

2021-02-05 21:27:15 +01:00

3 Commits