sigma-rules

Author	SHA1	Message	Date
Samirbous	ec27bf8545	Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#3691 )	2024-05-17 21:30:16 -07:00
Eric Forte	707ca32ab1	[FR] Add --force flag to update-lock-versions (#3693 ) * Add --force flag to update-lock-versions * Add type hinting	2024-05-17 20:25:08 -04:00
Mika Ayenson	43b3a4b080	[Bug] Support spaces with capital letters (#3689 )	2024-05-17 09:04:43 -05:00
Mika Ayenson	79f575b33c	[FR] Normalize yml ext to yaml (#3675 )	2024-05-15 15:18:39 -05:00
Samirbous	f0b226c2b0	[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3677 ) * Update initial_access_microsoft_365_abnormal_clientappid.toml * Update initial_access_microsoft_365_abnormal_clientappid.toml * Update initial_access_microsoft_365_abnormal_clientappid.toml * Update initial_access_microsoft_365_abnormal_clientappid.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-15 18:11:49 +01:00
Jonhnathan	0eef7f62ff	[Rule Tuning] Windows Service Installed via an Unusual Client (#3671 ) * [Rule Tuning] Windows Service Installed via an Unusual Client * Update privilege_escalation_windows_service_via_unusual_client.toml * Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-05-15 10:31:44 -03:00
github-actions[bot]	f3585da503	Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 (#3676 )	2024-05-15 17:04:22 +05:30
shashank-elastic	50a8b52cd5	Prepare For Next Elastic Stack 8.15 (#3670 )	2024-05-15 00:31:02 +05:30
Mika Ayenson	f07a9e6fbc	[FR] Add max_signal note, unit test, and rule tuning (#3669 )	2024-05-14 11:15:12 -05:00
Terrance DeJesus	608b801088	[New Rule] Building Block Rule - AWS IAM Login Profile Added to User (#3633 ) * new rule 'AWS IAM Login Profile Added to User' * Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-14 11:10:43 -04:00
Terrance DeJesus	2375297879	[New Rule] Route53 Resolver Query Log Configuration Deleted (#3592 ) * new rule 'Route53 Resolver Query Log Configuration Deleted' * added investigation guide * adjusted investigation notes * Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-14 10:24:20 -04:00
Samirbous	a1ef8c9fc0	[New] Unusual Execution via Microsoft Common Console File (#3663 ) * [New] Unusual Execution via Microsoft Common Console File https://www.genians.co.kr/blog/threat_intelligence/facebook * Update rules/windows/execution_initial_access_via_msc_file.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/windows/execution_initial_access_via_msc_file.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/execution_initial_access_via_msc_file.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update execution_initial_access_via_msc_file.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2024-05-14 15:07:26 +01:00
Samirbous	83462a3087	[New] Potential File Download via a Headless Browser (#3660 ) * [New] Potential File Download via a Headless Browser * Update command_and_control_headless_browser.toml * Update command_and_control_headless_browser.toml * Update command_and_control_common_webservices.toml * Update command_and_control_headless_browser.toml * Update command_and_control_headless_browser.toml	2024-05-14 13:55:14 +01:00
Terrance DeJesus	d505b95f3c	[New Rule] AWS EC2 AMI Shared with Another Account (#3600 ) * new rule 'AWS EC2 AMI Shared with Another Account' * linted; updated UUID * added investigation guide * updated description * fixed spelling errors * Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * fixed spacing issue --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-14 01:56:26 -04:00
Terrance DeJesus	38e0f13e23	[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role (#3586 ) * new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance' * updated description and name * added investigation guide; adjusted description * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * updated query logic * fixed spacing issue * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-05-13 23:07:39 -04:00
Mika Ayenson	78837549e8	[FR] Bundle KQL & Kibana libs into base dependencies (#3662 )	2024-05-13 14:29:03 -05:00
Eric Forte	094ef22604	[Bug] Update Rule Formatter (#3668 ) * Update Rule Formatter * Only apply fix to Note	2024-05-13 15:00:01 -04:00
Jonhnathan	6150f222b2	[New Rule] Alternate Data Stream Creation at Volume Root Directory (#3517 ) * [New Rule] Alternate Data Stream Creation at Volume Root Directory * Update defense_evasion_root_dir_ads_creation.toml --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-13 08:35:12 -03:00
Colson Wilhoit	1fb58e1b61	[Tuning] MacOS Comprehensive Detection Rule Tuning (#3435 ) * Update to use new data source * Exclude FPs * Update logic * Exclude FPs * Update to match ER logic * Exclude FP * Update to match endpoint rule and reduce FPs * Update logic to reduce FPs * Update logic to reduce FPs * Exclude FPs * Update logic to remove FPs * Update logic to reduce FPs * Update logic and min stack version to reduce FPs * Exclude FP * Remove FPs * Update logic and min stack to reduce FPs * Exclude FPs * Update logic and min stack to exclude FPs * Update logic and min stack to exclude FPs * Update logic to be more efficient * Update logic * Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml * Update rules/macos/defense_evasion_modify_environment_launchctl.toml * Update rules/macos/persistence_docker_shortcuts_plist_modification.toml * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml * Update persistence_folder_action_scripts_runtime.toml * Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update rules/macos/execution_installer_package_spawned_network_event.toml * Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml * Update rules/macos/credential_access_credentials_keychains.toml * Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml * Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml * Update rules/macos/persistence_loginwindow_plist_modification.toml * Update rules/macos/persistence_folder_action_scripts_runtime.toml * Fix * Fix * Fix * Update min stack comments * Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml * Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml * Update rules/macos/credential_access_systemkey_dumping.toml * Update rules/macos/discovery_users_domain_built_in_commands.toml * Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml * Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml * Update rules/macos/persistence_folder_action_scripts_runtime.toml * Remove field --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-11 12:52:18 -05:00
Jonhnathan	11dca27974	[New Rule] Potential Widespread Malware Infection (#3656 ) * [New Rule] Potential Widespread Malware Infection * Update potential_widespread_malware_infection.toml * . * Update execution_potential_widespread_malware_infection.toml * Update rules/cross-platform/execution_potential_widespread_malware_infection.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/cross-platform/execution_potential_widespread_malware_infection.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2024-05-10 13:51:04 -03:00
Jonhnathan	6cc39a538f	[New Rule] Potential PowerShell HackTool Script by Author (#2472 ) * [New Rule] Potential PowerShell HackTool Script by Author * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-09 18:41:56 -07:00
terrancedejesus	69595a5f69	updated query logic	2024-05-09 18:31:50 -07:00
Jonhnathan	f85d7482fd	[New Rule] Potential PowerShell HackTool Script by Author (#2472 ) * [New Rule] Potential PowerShell HackTool Script by Author * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-09 13:00:41 -03:00
Samirbous	7a61070e08	[Tuning] Component Object Model Hijacking (#3655 ) * [Tuning] Component Object Model Hijacking * Update rules/windows/persistence_suspicious_com_hijack_registry.toml * Update persistence_suspicious_com_hijack_registry.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-08 17:44:35 +01:00
Eric Forte	65441b8e67	[FR] Update readme with wsl instructions for py312 (#3649 ) * Update README * Removed DaC Specifics * Add troubleshooting guide. * Update Troubleshooting.md Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2024-05-07 13:50:40 -04:00
Samirbous	4a2e2764cd	[New] Ransomware over SMB (#3638 ) * [New] Ransomware over SMB * Update impact_ransomware_note_file_over_smb.toml * Update impact_ransomware_file_rename_smb.toml * ++ * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_ransomware_file_rename_smb.toml * Update impact_ransomware_note_file_over_smb.toml * Update impact_high_freq_file_renames_by_kernel.toml	2024-05-07 06:38:14 +01:00
github-actions[bot]	84437bac03	Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3650 ) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 * Bumping status checks * undo bump --------- Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com> Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>	2024-05-06 12:44:32 -04:00
Mika Ayenson	4396a91b40	[New Rule] Unusual High Confidence Misconduct Blocks Detected (#3647 )	2024-05-06 07:32:02 -05:00
Eric Forte	a4a0bc6a7e	[Bug] Query validation failing to capture InSet edge case with ip field types (#3572 ) * Move test case to separate file --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-05-06 07:58:42 -04:00
Mika Ayenson	51268581a8	[Rule Tuning] AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User (#3646 )	2024-05-04 08:20:20 -05:00
Justin Ibarra	613457b97f	[New Rules] AWS Bedrock Guardrails Violations (#3641 ) * [New Rules] AWS Bedrock Guardrails Violations --------- Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2024-05-03 20:55:27 -06:00
Mika Ayenson	2ffb0e7fe2	[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes (#3644 )	2024-05-03 18:01:53 -05:00
Mika Ayenson	c8c8c96956	[FR] Add ability to generate hunt index (#3643 )	2024-05-03 13:43:22 -05:00
Mika Ayenson	00b8a77f50	[FR] Add Hunt Structure and Initial LLM Queries 🚀 (#3637 )	2024-05-03 09:33:06 -05:00
Justin Ibarra	2668f5f762	[Bug] Fix missing indexes on navigator build (#3636 ) Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2024-05-01 15:50:54 -06:00
Justin Ibarra	54ff270c62	[New Rule] AWS S3 Bucket Enumeration or Brute Force (#3635 ) * [New Rule] AWS S3 Bucket Enumeration or Brute Force Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-01 15:00:33 -06:00
github-actions[bot]	ca78f550fd	Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3630 )	2024-04-30 18:06:01 +05:30
Ruben Groenewoud	e29994c338	[New Rule] Shell Configuration Modification (#3629 ) * [New Rule] Shell Configuration Modification * description update * uuid update * query update * query update * Update rules/linux/persistence_shell_configuration_modification.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2024-04-30 13:41:13 +02:00
Ruben Groenewoud	115c3a6dfd	[Rule Tuning] Linux DRs (#3628 )	2024-04-30 13:26:09 +02:00
Samirbous	8f6de1c235	[New] Potential privilege escalation via CVE-2022-38028 (#3616 ) * [New] Potential privilege escalation via CVE-2022-38028 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ * Update privilege_escalation_exploit_cve_202238028.toml * Update privilege_escalation_exploit_cve_202238028.toml * Update privilege_escalation_exploit_cve_202238028.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-04-29 15:10:27 +01:00
Justin Ibarra	c567d3731a	Refresh Kibana module with API updates (#3466 ) * Refresh Kibana module with API updates * add import/export commands * rename repo commands * add RawRuleCollection and DictRule objects * save exported rules to files; rule.from_rule_resource * strip unknown fields in schema * add remote cli test * update docs * bump kibana lib version --------- Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2024-04-26 11:12:50 -06:00
github-actions[bot]	374f21fbc4	Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615 )	2024-04-23 17:59:01 +05:30
shashank-elastic	7673ba484d	Fix minstack version for 0365 in azure integration rules (#3612 )	2024-04-22 19:17:49 +05:30
Terrance DeJesus	69d42ecc71	updating performance note (#3608 )	2024-04-18 16:36:07 -04:00
Terrance DeJesus	25dafb68f1	[Rule Tuning] Reverting To Previous Version (#3607 )	2024-04-18 15:19:27 -04:00
Terrance DeJesus	91e69ac322	[Rule Tuning] Tuning `Account Password Reset Remotely` (#3478 ) * tuning 'Account Password Reset Remotely' * adjusted note * fixing description * Update rules/windows/persistence_remote_password_reset.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * updated note about performance; toml lint * bumping min-stack to resolve version lock * reverting query to main --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-04-18 12:49:32 -04:00
Jonhnathan	6ae0902a38	[New Rule] Potential Windows Session Hijacking via CcmExec (#3602 ) * [New Rule] Potential Windows Session Hijacking via CcmExec * Update rules/windows/defense_evasion_sccm_scnotification_dll.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-04-18 12:57:35 -03:00
Jonhnathan	5004ff115c	[Rule Tuning] Further Tight up Elastic Defend Index Patterns (#3584 ) Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-04-16 13:26:42 -03:00
Terrance DeJesus	74312797bf	adjust aws rule index patterns and tags (#3595 )	2024-04-16 10:08:57 -04:00
Jonhnathan	c2d1586270	[Rule Tuning] Windows BBR Promotion (#3577 ) * [Rule Tuning] Windows BBR Promotion * Update non-ecs-schema.json * Update persistence_netsh_helper_dll.toml * Update persistence_werfault_reflectdebugger.toml * Update privilege_escalation_unquoted_service_path.toml * Update defense_evasion_msdt_suspicious_diagcab.toml * Update defense_evasion_suspicious_msiexec_execution.toml * Update discovery_security_software_wmic.toml * Revert "Update defense_evasion_msdt_suspicious_diagcab.toml" This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0. * Revert "Update defense_evasion_suspicious_msiexec_execution.toml" This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f. * Revert "Update discovery_security_software_wmic.toml" This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a. --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-04-16 09:28:17 -03:00

1 2 3 4 5 ...

2026 Commits