security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,803 Commits 1 Branch 0 Tags
ee5fa810aa3d5a4c4f1cfc0288ede2da0d938866
Commit Graph

1307 Commits

Author SHA1 Message Date
Ruben Groenewoud ee5fa810aa [Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254) 
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 84824c67fd)
 2023-12-18 08:41:02 +00:00
Samirbous 9f513da1c0 [Tuning] Suspicious Script Object Execution (#3339) 
* Update defense_evasion_suspicious_scrobj_load.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 4b183be124)
 2023-12-14 23:54:28 +00:00
Samirbous 5b8e686583 [Tuning] Remote Scheduled Task Creation (#3337) 
* Update non-ecs-schema.json
* add timestamp override

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 07b952b7bc)
 2023-12-14 23:44:37 +00:00
Justin Ibarra 5d5bb7ed16 [Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331) 
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit aff7f37b92)
 2023-12-14 22:08:52 +00:00
Justin Ibarra 35589e47a7 [Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329) 
* [Rule Tuning] Optimize query for Direct Outbound SMB Connection

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit a7b9a61942)
 2023-12-14 18:26:27 +00:00
Samirbous c4b6e810d1 [Tuning] Suspicious Managed Code Hosting Process (#3338) 
* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update defense_evasion_suspicious_managedcode_host_process.toml

(cherry picked from commit 8b2aed4fc0)
 2023-12-14 17:56:43 +00:00
Samirbous 077041fef5 [Tuning] Multiple Logon Failure Followed by Logon Success (#3340) 
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

(cherry picked from commit 727c23e3d2)
 2023-12-14 17:45:47 +00:00
Samirbous 6dad9359c4 [Rule Tuning] Account Password Reset Remotely (#3335) 
* [Rule Tuning] Account Password Reset Remotely

- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)

* Update persistence_remote_password_reset.toml

(cherry picked from commit 7a4f1224dc)
 2023-12-14 17:27:05 +00:00
Apoorva Joshi c5606e7f3f Update Advanced Analytics config guides (#3302) 
* Updating config guides for Advanced Analytics rules

* More updates

* Update setup instructions for LMD

* Adding more guides

* update TestRuleTiming unit test to ignore advanced analytic rules

* fixed flake error

* Moving config guides under setup instead of note

* Removing leading and trailing whitespace

* Updates as requested by PM

* Updating related integrations, minor updates to setup guides

* fixing unit tests to ignore analytic packages with multiple integration tags

* Update tests/test_all_rules.py

* fixing linting errors

---------

Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

(selectively cherry picked from commit 9a9f5437f2)
 2023-12-13 15:58:18 +00:00
Terrance DeJesus c7469afefe updating min-stack for Okta rule (#3318) 
(cherry picked from commit 631f8841ad)
 2023-12-12 17:32:05 +00:00
Terrance DeJesus b70bbe0841 [New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265) 
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'

* updated non-ecs; linted rule; updated description

* adjusted interval and maxspan

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 93d71acb91)
 2023-12-12 15:36:56 +00:00
Jonhnathan c55eb80d2a [Rule Tuning] Windows DR Tuning - 6 (#3246) 
* [Rule Tuning] Windows DR Tuning - 6

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 6f4c323929)
 2023-12-12 14:42:50 +00:00
Ruben Groenewoud 0ed1db8aab [Security Content] Add Investigation Guides to Linux Persistence Rules - 1 (#3288) 
* [Security Content] Add IGs to Persistence Rules

* Cleaned query

* IG description fix

* Added related rules

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 6c614eb102)
 2023-12-11 12:58:05 +00:00
Jonhnathan 87f8498b68 [Security Content] Introduce Investigate Plugin in Investigation Guides (#3080) 
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit aeb1f91320)
 2023-12-08 18:59:26 +00:00
Jonhnathan be07759888 [Security Content] Add Windows Investigation Guides (#3095) 
* [Security Content] Add Windows Investigation Guides

* Update defense_evasion_rundll32_no_arguments.toml

* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml

* Update privilege_escalation_posh_token_impersonation.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml

* Update rules/windows/defense_evasion_rundll32_no_arguments.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_registry_modification.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_registry_modification.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/execution_ms_office_written_file.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update privilege_escalation_posh_token_impersonation.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

(cherry picked from commit eb7c5f6717)
 2023-12-08 14:35:53 +00:00
Ruben Groenewoud 7c5664d34d [New Rule] Suspicious File Creation via Kworker (#3237) 
* [New Rule] Suspicious File Creation via Kworker

* Update rules/linux/persistence_kworker_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 840958d117)
 2023-12-07 22:06:24 +00:00
Ruben Groenewoud 4d1fb91520 [New Rule] UID Elevation from Unknown Executable (#3239) 
* [New Rule] UID Elevation from Unknown Executable

* type change

* bump min stack

* Added additional exclusions

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 9c61231dc6)
 2023-12-07 21:29:34 +00:00
Ruben Groenewoud 5aec8b4afe [New Rule] Suspicious Kworker UID Elevation (#3238) 
* [New Rule] Suspicious Kworker UID Elevation

* Update privilege_escalation_kworker_uid_elevation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 1071b12f00)
 2023-12-07 20:03:34 +00:00
Samirbous 17139b0278 [New] Rare SMB Connection to the Internet (#3300) 
* Create exfiltration_smb_rare_destination.toml

* Update exfiltration_smb_rare_destination.toml

* Update exfiltration_smb_rare_destination.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 7070eb3b34)
 2023-12-07 16:15:06 +00:00
Ruben Groenewoud d528af6bdb [Rule Tuning] UEBA new_terms process_executable (#3268) 
* [Rule Tuning] UEBA new_terms process_executable

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 1647a16fab)
 2023-12-07 15:42:41 +00:00
Ruben Groenewoud 7ab6b29c66 [Tuning] Small Linux DR Tuning (#3287) 
(cherry picked from commit 38862b89e9)
 2023-12-07 11:49:43 +00:00
Samirbous 97db361c09 [New] Process Created with a Duplicated Token (#3152) 
* [New] Process Created with a Duplicated Token

using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :

* Update privilege_escalation_create_process_with_token_unpriv.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 7488c60090)
 2023-12-07 11:25:07 +00:00
Eric 268990dfec Fix syntax error in query (#3285) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit a4ad0b6a24)
 2023-12-07 10:53:32 +00:00
Terrance DeJesus 6e6c2726fc [Rule Tuning] Multiple Users with the Same Okta Device Token Hash (#3304) 
* tuning rule; adding investigation guide

* updated MITRE ATT&CK

* updated file name

* Updating description

* updated investigation guide

* fixed ATT&CK mappings; updated tags

(cherry picked from commit 5e1546c57c)
 2023-12-06 15:40:47 +00:00
Jonhnathan 4c5511254f [Rule Tuning] Windows DR Tuning - 5 (#3229) 
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit e5d676797e)
 2023-12-05 22:25:21 +00:00
Samirbous d9860ca855 [New] Interactive Logon by an Unusual Process (#3299) 
* Create privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

(cherry picked from commit e6df245ff3)
 2023-12-05 17:39:08 +00:00
Austin Songer 12d78bf05b [New Rule] Okta FastPass Phishing (#2782) 
* Create initial_access_fastpass_phishing.toml

* Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 1f47e3c1a9)
 2023-11-28 14:31:01 +00:00
Terrance DeJesus cc3fb35b06 [New Rule] Okta MFA Bombing Attempt (#3278) 
* new rule 'Potential Okta MFA Bombing via Push Notifications'

* updated naming

* TOML lint

* adjusted duplicate rule ID

* added event category override; added until sequence statement

* added verify authentication success

* moved setup to separate field

* enhanced query optimization

(cherry picked from commit e6fef85899)
 2023-11-28 14:20:45 +00:00
Terrance DeJesus 00bf0b2d6f [New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash (#3267) 
* added new rule 'Multiple Okta Users with the Same Device Token Hash'

* moved rule to okta integration folder

* adjusted query to be optimized

* added false positive comment

* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml

(cherry picked from commit 69cb2f6fc6)
 2023-11-28 00:28:17 +00:00
Terrance DeJesus f3d55185c2 [New Rule] Threshold Detections for Okta User Sessions and Client Addresses (#3263) 
* new Okta threshold rules for client addresses and sessions

* adjusting references

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 0578bd4caa)
 2023-11-28 00:07:30 +00:00
Terrance DeJesus bff1ce7e5d [New Rule] Detection for Okta Sign-In Events via Third-Party IdP (#3259) 
* adding new rule 'Okta Sign-In Events via Third-Party IdP'

* fix creation date

* fixed query efficiency

* added investigation guide

* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 8eeb95f545)
 2023-11-27 23:35:54 +00:00
Terrance DeJesus 3e2cbe2163 adding new rule 'New Okta Identity Provider (IdP) Added by Admin' (#3258) 
(cherry picked from commit 73288af642)
 2023-11-27 23:11:28 +00:00
Terrance DeJesus 900e7a9ec0 [New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy (#3261) 
* new rule 'First Occurrence of Okta User Session Started via Proxy'

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

(cherry picked from commit 8321cfe018)
 2023-11-27 22:54:46 +00:00
Terrance DeJesus ab8ab6d596 [New Rule] Adding Detection for New Okta Authentication Behavior (#3260) 
* new rule 'New Okta Authentication Behavior Detected'

* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit f19506f3a2)
 2023-11-27 22:43:48 +00:00
Samirbous 315b4df8ca [New] First Time Seen NewCredentials Lgon Process (#3276) 
* Create privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 88f752bf8b)
 2023-11-27 18:42:12 +00:00
shashank-elastic a3388dbf36 Setup Guide information for MacOS rules (#3274) 
(cherry picked from commit 7854081cc0)
 2023-11-22 14:53:02 +00:00
Terrance DeJesus 633f364632 [New Rule] Adding Detection Logic for Okta User Sessions Started from Different Geolocations (#3279) 
* new rule 'Okta User Sessions Started from Different Geolocations'

* Update rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml

(cherry picked from commit 832ee02aed)
 2023-11-21 22:36:50 +00:00
Jonhnathan 699c835043 [Rule Tuning] Fix Menasec Expired Links (#3271) 
(cherry picked from commit f53f46efd5)
 2023-11-14 13:23:48 +00:00
shashank-elastic 9c271c6591 Enhance Setup Guide information (#3256) 
(cherry picked from commit d52546eee5)
 2023-11-03 13:41:40 +00:00
shashank-elastic 90c06f5fce Setup information for Linux Rules - Set8 (#3200) 
(cherry picked from commit 5c5d1b214b)
 2023-10-30 15:34:50 +00:00
shashank-elastic a31d788dcb Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 
(cherry picked from commit a568c56bc1)
 2023-10-30 11:28:47 +00:00
Ruben Groenewoud 473039ceb8 [New Rule] Attempt to Clear Kernel Ring Buffer (#3217) 
* [New Rule] Attempt to Clear Kernel Ring Buffer

* Update defense_evasion_clear_kernel_ring_buffer.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 618a1dbe06)
 2023-10-30 08:42:54 +00:00
Colson Wilhoit 700b6c5168 [Tuning] Access to Stored Browser Credentials (#3066) 
* Exclude FPs

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 6400bb3237)
 2023-10-27 20:15:40 +00:00
Terrance DeJesus 936db2cd9b [Rule Tuning] Review and Tune Potential Malicious File Downloaded from Google Drive (#3197) 
* added tuning to remove signed binaries and benign processes

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit e7db39a492)
 2023-10-27 18:18:25 +00:00
Jonhnathan 924056878d [Rule Tuning] Windows DR Tuning - 4 (#3214) 
* [Rule Tuning] Windows DR Tuning - 4

* Update credential_access_remote_sam_secretsdump.toml

(cherry picked from commit 1133b3a8a9)
 2023-10-27 00:04:57 +00:00
Jonhnathan 44cf454ce2 [Rule Tuning] Windows DR Tuning - 3 (#3212) 
* [Rule Tuning] Windows DR Tuning - 3

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_moving_registry_hive_via_smb.toml

(cherry picked from commit 3d73427e29)
 2023-10-26 22:04:49 +00:00
Jonhnathan 4d98afbc1d [Rule Tuning] Windows DR Tuning - 2 (#3209) 
* [Rule Tuning] Windows DR Tuning - 2

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

* Update credential_access_kerberoasting_unusual_process.toml

* Update command_and_control_teamviewer_remote_file_copy.toml

(cherry picked from commit efa7c428ea)
 2023-10-26 21:17:05 +00:00
Jonhnathan aa62790ae6 [Rule Tuning] Windows DR Tuning - 1 (#3198) 
* [Rule Tuning] Windows DR Tuning - 1

* Update collection_winrar_encryption.toml

(cherry picked from commit a5240e4063)
 2023-10-26 20:26:43 +00:00
Ruben Groenewoud 85458c65cd [New Rule] Network Activity Detected via kworker (#3202) 
* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* [New Rule] Network Activity Detected via kworker

* White space

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_linux_kworker_netcon.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 1ac3775743)
 2023-10-25 13:30:50 +00:00
Terrance DeJesus 1b9aaa3730 [Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221) 
* adding adjusted Okta rules

* adding adjusted AWS rules

* adding adjusted AWS rules

(cherry picked from commit 3d57209705)
 2023-10-24 16:58:20 +00:00