security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,439 Commits 1 Branch 0 Tags
ee10be70b998fcf7610f6cf40ea4d545313951de
Commit Graph

36 Commits

Author SHA1 Message Date
Ruben Groenewoud 76fdd549a3 [Rule Tuning] Misc. DR Rule Tuning (#3904) 
* [Rule Tuning] Misc. DR Rule Tuning

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml

* I love KQL validation
 2024-07-19 15:13:42 +02:00
Terrance DeJesus d4bf04256d [Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477) 
* deprecating

* adjusted matury tag; updated dates
 2024-04-01 11:01:20 -04:00
Ruben Groenewoud 3fd0358b73 [Tuning] Linux BBR Tuning - Part 1 (#3469) 
* [Tuning] Linux BBR Tuning - Part 1

* [Tuning] Linux BBR Tuning - Part 1

* Update defense_evasion_processes_with_trailing_spaces.toml

* Update defense_evasion_processes_with_trailing_spaces.toml

* One more tuning

* Update collection_linux_suspicious_clipboard_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 17:19:12 +01:00
Terrance DeJesus 7e85854e7b deprecating 'Malicious Remote File Creation' (#3342) 2023-12-20 08:49:45 -05:00
Samirbous 341499a2bc [Deprecate] Potential Process Herpaderping Attempt (#3336) 
* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* ++

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-19 15:59:48 -05:00
Ruben Groenewoud 84824c67fd [Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254) 
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2023-12-18 09:36:21 +01:00
Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-23 16:28:58 +02:00
Ruben Groenewoud a7ff449fbc [Rule Tuning] Some Tunings of several 8.9 rules (#2985) 
* [Rule Tuning] Doing some quick tunings

* updated_date bump

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_sysctl_enumeration.toml

* Update rules/linux/persistence_init_d_file_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_shared_object_creation.toml

* deprecate rule

* deprecate rule

* Update execution_abnormal_process_id_file_created.toml

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update execution_remote_code_execution_via_postgresql.toml

* Update discovery_potential_syn_port_scan_detected.toml

* Added 2 tunings, sorry I missed those..

* One more tune

* Update discovery_suspicious_proc_enumeration.toml
 2023-08-03 15:25:33 +02:00
Jonhnathan f1ba092864 [Deprecation] Threat Intel Indicator Match - General Rules (#2901) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-18 20:12:53 -03:00
shashank-elastic 3ed8c56942 DR Linux Rule Tuning 8.9 (#2859) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-10 20:02:42 +05:30
Ruben Groenewoud 646c316b66 [New Rules] Linux Reverse Shells (#2905) 
* [New Rules] Linux Reverse Shells

* [New Rules] Linux Reverse Shells

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Delete UDP rule to add in separate PR

* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Deleted one rule and tuned the others

* Improved the rules' performance

* Added the reverse_tcp rule back after tuning

* Update execution_shell_via_lolbin_interpreter_linux.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-07-06 15:27:57 +02:00
Ruben Groenewoud 09719dd0c5 [Rule Tuning] Potential Shell via Web Server (#2585) 
* tuned web shell logic, and converted to EQL

* Removed old, created new rule to bypass "type" bug

* Revert "Removed old, created new rule to bypass "type" bug"

This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133.

* Revert "tuned web shell logic, and converted to EQL"

This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca.

* Deprecated old rule, added new

* formatting fix

* removed endgame index

* Fixed changes captured as edited, not created

* Update rules/linux/persistence_shell_activity_through_web_server.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* fix conflict

* added host.os.type==linux for unit testing

* removed wildcards in process.args

* Update rules/linux/persistence_shell_activity_via_web_server.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* fixed conflict by changing file name and changes

* Trying to resolve the GH conflict

* attempt to fix GH conflict #2

* Update persistence_shell_activity_by_web_server.toml

* Added endgame support

* Added OSQuery to investigation guide

* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* removed investigation guide to add in future PR

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-05-05 09:47:49 +02:00
Terrance DeJesus bb4f7acf27 deprecate 'Google Workspace User Group Access Modified to Allow External Access' (#2576) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-03-02 11:29:14 -05:00
Terrance DeJesus b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) 
This reverts commit d1481e1a88.
 2023-01-09 10:44:54 -05:00
Jonhnathan d1481e1a88 [Security Content] Investigation Guides Line breaks refactor (#2412) 
* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key
 2023-01-09 11:56:39 -03:00
Isai 7adb199afa [Deprecation] GCP Kubernetes Rolebindings Created or Patched (#2340) 
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

Deprecating this rule due to high false positive rate. This behavior is too generic for an effective malicious behavior detection.

* move toml file to _deprecated

move toml file to _deprecated

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-11-09 12:51:52 -05:00
Jonhnathan 4844b69ced [Rule Deprecation] Web Application Suspicious Activity: No User Agent (#2295) 
* [Rule Deprecation] Web Application Suspicious Activity: No User Agent

* Update apm_null_user_agent.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-09-19 10:56:03 -07:00
Samirbous d3420e3386 [Deprecate Rule] Suspicious Process from Conhost (#2222) 
only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args).

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-08-16 16:32:24 +02:00
Jonhnathan fc7a384d19 [Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144) 
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2

* update date

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-08-08 21:34:05 -03:00
Terrance DeJesus a76c51ae17 [Deprecation rule] DNS Activity to the Internet (#2221) 2022-08-02 20:59:35 -05:00
Samirbous a046dc0d29 [Deprecate rule] Whitespace Padding in Process Command Line (#2218) 
very noisy and will require frequent tuning with very low TP rate.
 2022-08-02 18:30:57 +02:00
Samirbous e5ee8e024f [Deprecate Rule] File and Directory Discovery (#2217) 
* [Deprecate Rule] File and Directory Discovery

very noisy and most if not all are FPs, few rooms for tuning without rendering the rule easy to bypass.

* Delete workspace.xml
 2022-08-02 17:57:28 +02:00
Samirbous 8d34416049 [Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209) 
* [Deprecated Rule] Potential Privilege Escalation via Local Kerberos Relay over LDAP

FPs in certain cases with no room for tuning.

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-08-01 18:28:26 +02:00
shashank-elastic 8afded11e7 Rule tuning as part of Linux Detection Rules Review (#2170) 2022-07-29 21:55:49 +05:30
shashank-elastic e9267e544c Rule(s) deprecation as part of Linux Detection Rule Review (#2163) 2022-07-26 18:48:25 +05:30
shashank-elastic 51b2d9da4b [Rule tuning] Linux binary(s) shell evasion threat (#1957) 
* Linux binary(s) shell evasion threat

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-05-25 08:32:53 +05:30
Jonhnathan 22dd7f0ada Deprecate PrintNightmare Rules (#1852) 2022-03-17 19:39:36 -03:00
Justin Ibarra 9c43151da4 [Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match (#1703) 2022-01-25 16:46:49 -09:00
Justin Ibarra ab17dfcc28 [Bug] Tighten definitions validation patterns (#1396) 
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-10-26 10:26:20 -05:00
Justin Ibarra 5a69ceb0c5 Add test for improper rule demotion (released production -> development) (#1555) 2021-10-19 21:47:36 -08:00
Justin Ibarra b736d6e748 [Rule Tuning] Rule description tweaks (#1388) 2021-07-29 10:56:13 -08:00
Brent Murphy ff45539369 [Deprecation] Deprecate inherently noisy rules based on testing (#1122) 
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-04-21 15:10:06 -04:00
Samirbous 0400dc207a [Deprecation] Process Discovery via Tasklist (#1116) 
* [Deprecation] Process Discovery via Tasklist

* deprecation_date

* update date

* Update rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-15 22:18:56 +02:00
Samirbous e323084433 [Deprecation] Trusted Developer Application Usage (#1118) 
* [Deprecation] Trusted Developer Application Usage

* update date
 2021-04-15 22:15:38 +02:00
Samirbous 511a74ef27 [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities (#1028) 
* [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* restored Execution via Regsvcs/Regasm

* restored changes

* deprecated 1rule, deleted 1 and tuned 1

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-03-19 10:05:09 +01:00
Justin Ibarra d4cc4432ce Add tests to ensure rules are properly deprecated (#1050) 
* Add tests to ensure rules are properly deprecated
* add deprecate-rule command
 2021-03-16 21:31:33 -08:00