security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,586 Commits 1 Branch 0 Tags
ea26ea77d7e99dae852c6fc1787afdc5b3ec0f2c
Commit Graph

11 Commits

Author SHA1 Message Date
Jonhnathan d1db3a0048 [New Rule] Building Block Rules - Part 4 (#2926) 
* [New Rule] Building Block Rules - Part 4

* Update discovery_win_network_connections.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update rules_building_block/discovery_win_network_connections.toml

* Update rules_building_block/privilege_escalation_unquoted_service_path.toml

* Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml

* Update discovery_net_share_discovery_winlog.toml
 2023-07-31 11:03:57 -03:00
Jonhnathan 6966a6df09 [New Rule] Building Block Rules - Part 3 (#2924) 
* [New Rule] Building Block Rules - Part 3

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Apply suggestions from code review

* Update rules_building_block/discovery_generic_account_groups.toml

* Apply suggestions from code review

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-31 10:28:25 -03:00
Mika Ayenson 3813a08f59 [FR] Add support for BBR rules to the rule loader (#2968) 
---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2023-07-27 11:27:04 -05:00
Ruben Groenewoud 9cc4b0e348 [New BBR] Potential Suspicious File Edit (#2960) 
* [New BBR] Potential Suspicious File Edit

* Added a few more interesting files

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2023-07-26 15:22:56 +02:00
shashank-elastic 93845626b7 Potential Cross Site Scripting ( XSS ) (#2922) 2023-07-20 19:12:00 +05:30
shashank-elastic 8b808b9b83 New Cross Platform BBR Rules (#2920) 2023-07-19 21:27:23 +05:30
shashank-elastic f920bc6151 New Linux BBR Rules (#2917) 2023-07-19 20:12:59 +05:30
Jonhnathan 7949b8a03e [New Rule] Building Block Rules - Part 1 (#2912) 
* [New Rule] Building Block Rules - Part 1

* Update defense_evasion_powershell_clear_logs_script.toml

* Update discovery_posh_generic.toml

* .

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-18 20:01:43 -03:00
Jonhnathan ff2c951136 [New Rule] Potential Masquerading as Communication Apps (#2780) 
* [New Rule] Potential Masquerading as Communication Apps

* ocd

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Apply suggestions from code review

* Merge branch 'main' into comms_masquerade

* Move to BBR folder

* Revert "Merge branch 'main' into comms_masquerade"

This reverts commit 726c63c0cab782a83d9f505e54e55d4edd1f5589.
 2023-06-30 11:46:54 -03:00
Jonhnathan 5da2771c12 [New Rule] [BBR] Expired or Revoked Driver Loaded (#2880) 
* [New Rule] Expired or Revoked Driver Loaded

* Update privilege_escalation_expired_driver_loaded.toml

* Update rules_building_block/privilege_escalation_expired_driver_loaded.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
 2023-06-27 09:18:35 -03:00
eric-forte-elastic 6449cecd08 [FR] Add support for building block rules (BBR) (#2822) 
* added test bbr

* initial implementation

* Added Unit test and exempted bbr from integrations

* fixed linting

* Add schema validation to building block rules

* add separate error messages

* fixed linting

* Add testing bbr validation

* fixed linting

* Add default values

* fixed linting

* added defaults

* fixed linting

* cleaned up test rule

* removed .gitkeep

* read .gitkeep

* Switch to using validates_schema

* addressing some linting

* fixed linting

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* add env variable check

* fix skip function

* updated name

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Add bbr validation unit test

* Clean up comments

* fix linting

* Move convert time to utils

* Moved to rules_building_block

* Add check for only bbr in bbr dir

* fix linting

* additional linting fix

* Changed to bbr rule loader

* fixed bbr default

* Updated error messages and README

* fixed more linting

* Updating root level README

* Fixed convert_time_span calls

* fixed typo in unit test logic and updated txt

* fixed error message

* updated comment for clarity

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated validation methods for clarity

* fix doctring location

* Fixed typo

* updated error messages.

* removed excess whitespace

* Add per rule bypass

* Add single rule bypass

* Split unit tests

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-20 09:00:30 -04:00