security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,731 Commits 1 Branch 0 Tags
f02ccfef64b4ffaeded44eb2bfcd3216ed144468
Commit Graph

2731 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Terrance DeJesus f02ccfef64 [New Rule] Adding Coverage for AWS IAM or STS API Calls via Temporary Session Tokens (#4628) 
* adding new rule 'AWS IAM or STS API Calls via Temporary Session Tokens'

* updated name and query logic

* updated query logic

* changed rule to new terms

* fixed logic

* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml

* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml

* updated investigation guide; scoped to IAM only; updated naming

* updating file name

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-04-24 15:39:51 -04:00
Sergey Polzunov 191396e5e8 Version bump (#4655) 2025-04-24 13:19:36 -04:00
Sergey Polzunov b7a324b2e8 Revert "fix: Cleaning up the hashable content for the rule (#4621)" (#4654) 
This reverts commit 80c4f7eacc.
 2025-04-24 19:05:17 +02:00
Colson Wilhoit 84966f02a1 [Tuning] Update DPRK ByBit Hunting Queries (#4645) 
* fix

* markdown generate

* adding missing streamlit hunting query

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-04-24 07:58:06 -05:00
Sergey Polzunov 80c4f7eacc fix: Cleaning up the hashable content for the rule (#4621) 2025-04-24 14:33:26 +05:30
Isai b429be2bda [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4648) 2025-04-24 10:19:06 +05:30
github-actions[bot] 70062c3991 Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4649) 2025-04-24 07:12:12 +05:30
shashank-elastic 34231160ee Fix versions for changes in required_fileds (#4640) 2025-04-24 06:28:18 +05:30
Jonhnathan b9ed05562d [Rule Tuning] User Added to Privileged Group in Active Directory (#4646) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-04-24 06:12:33 +05:30
Jonhnathan e8e76972f5 [Rule Tuning] Replace legacy winlog.api usage (#4647) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-04-24 05:52:38 +05:30
shashank-elastic 54fadc8e2e Add 8.18 and 9.0 beats schemas (#4641) 2025-04-24 05:36:45 +05:30
Terrance DeJesus bbfc026c95 [New Hunt] New Hunting Queries for DPRK ByBit (#4644) 
* new hunting queries for macOS DPRK

* added docker hunting queries
 2025-04-23 16:41:23 -04:00
Samirbous ea31143b83 [New] Suspicious Azure Sign-in via Visual Studio Code (#4639) 
* Create initial_access_entra_login_visual_code_phish.toml

* Update non-ecs-schema.json

* Update initial_access_entra_susp_visual_code_signin.toml

* Update pyproject.toml

* Update initial_access_entra_susp_visual_code_signin.toml

* Update non-ecs-schema.json
 2025-04-23 14:06:05 +01:00
Samirbous f8e91be329 [New] RemoteMonologue Attack rules (#4604) 
* [New] RemoteMonologue Attack rules

https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1
    https://github.com/xforcered/RemoteMonologue

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_ntlm_downgrade.toml

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-04-22 15:26:57 -03:00
Jonhnathan 1bab74179e [New Rule] Potential Malicious PowerShell Based on Alert Correlation (#4635) 
* [New Rule] Potential Malicious PowerShell Based on Alert Correlation

* Update execution_posh_malicious_script_agg.toml
 2025-04-22 13:36:04 -03:00
Colson Wilhoit c80319d462 [Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547) 2025-04-22 21:23:01 +05:30
Jonhnathan 8361cfd205 [New Rule] Potential PowerShell Obfuscation via String Reordering (#4595) 
* [New Rule] Potential PowerShell Obfuscation via String Reordering

* Update defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml

* Update defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
 2025-04-22 12:26:55 -03:00
Jonhnathan 364d9dd3bc [New Rule] Threat Intel Email Indicator Match (#4598) 
* [New Rule] Threat Intel Email Indicator Match

* Update threat_intel_indicator_match_email.toml

* Update pyproject.toml

* Adds IG

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2025-04-22 12:15:36 -03:00
Jonhnathan a495b4b9b2 [Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs (#4627) 2025-04-22 11:59:06 -03:00
Jonhnathan a9f99137f3 [New Rule] Dynamic IEX Reconstruction via Method String Access (#4634) 2025-04-22 11:47:03 -03:00
Colson Wilhoit 4ef72457d3 [Tuning] MacOS DR Tuning PR (#4546) 
* [Tuning] MacOS DR Tuning PR

* tunings

* tuning

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_script_via_automator_workflows.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* fix

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-04-21 17:32:05 -05:00
Terrance DeJesus c58d59eeb7 [New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625) 
* adding new rule 'AWS CLI with Kali Linux Fingerprint Identified'

* updating rule logic

* updating mitre mapping

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-04-21 12:06:57 -04:00
Terrance DeJesus 94237798a5 [New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626) 
* adding new rule 'AWS IAM Virtual MFA Device Registration Attempt with Session Token'

* updating rule

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-04-21 11:02:14 -04:00
Terrance DeJesus 96c2d0ca85 [New Rule] Adding Coverage for AWS Temporary User Session Token Used from Multiple Addresses (#4624) 
* adding new rule 'AWS STS Temporary IAM Session Token Used from Multiple Addresses'

* updating rule assets

* updating mitre mapping

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-04-17 16:06:40 -04:00
Eric Forte 62feac3348 [Bug] Update Schema Prompt to include new_terms_fields (#4567) 
* Update Schema Prompt to include new_terms_fields

* Version Bump

* Ensure list of strings

* Update utils to support comma deliminated strings

* Also remove excess quotes

* Bump patch version

* Remove Union

* bump version
 2025-04-17 10:45:51 -04:00
Frederik Berg 6cb238bedb [Enhancement] Add flag to export rules via KQL search on name (#4594) 
* Add flag to export rules via KQL search on name

* Add KQL to help text

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* version patch bump

* flake8 trimming

* pyproject bump

* Bump version

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2025-04-16 18:40:46 -04:00
Frederik Berg 9b682b752c Feature exclude tactic name (#4593) 
* Added new cli flag to exclude tactic name in rule file name

* added a shortcut for the flag and adjusted CLI readme

* Add no tactic flag also to import to prevent warnings

* Added info about unit test

* version bump

* Added no_tactic_filename as config option + fixed linting

* pyproject version bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-04-16 16:02:14 -04:00
Eric Forte 033c82858c [FR] Add Support for Local Dates Flag (#4582) 
* Add support for local dates flag

* Use two variables

* Add support for import-rules-to-repo

* Revert arg formatting

* Update comment

* Pass Rule Path as Path Object

* Update to rule loader function

* Streamline metadata function

* Also support dictionaries

* Bump patch version

* Reduce complexity

* Add if path exists check

* Fix version bump
 2025-04-16 15:41:09 -04:00
Terrance DeJesus ba16e27edb [Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570) 
* tuning 'Azure Service Principal Credentials Added'

* updated patch version

* added investigation guide

* updating patch version

* updating patch version
 2025-04-16 13:58:17 -04:00
Terrance DeJesus 1a6669e5a6 [Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562) 
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'

* updated MITRE ATT&CK mappings

* updated index target

* updated patch version

* updating patch version

* bumping patch version

* updating patch version
 2025-04-16 12:21:41 -04:00
Jonhnathan e11fe78846 [Rule Tuning] Suspicious WMI Event Subscription Created (#4618) 
* [Rule Tuning] Suspicious Execution via Scheduled Task

* [Rule Tuning] Suspicious WMI Event Subscription Created
 2025-04-16 10:05:20 -03:00
Jonhnathan 3eed0f5b6a [Rule Tuning] SSH Authorized Keys File Deletion (#4591) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-15 12:16:03 -03:00
Eric Forte ea7de8230c [FR] Add Kibana Action Connector Error to Exception List Workaround (#4583) 
* Add error catch for workaround

* Switch to set for efficiency

* Patch version bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-15 09:18:50 -04:00
Eric Forte 108b64f0c2 [FR] Update Detection Rules MITRE Workflow to SHA Pin (#4581) 
* Update to pinned hash

* version bump
 2025-04-15 09:03:34 -04:00
shashank-elastic 595d204fe6 Remove Task List reference (#4605) 2025-04-15 09:22:56 +05:30
Ruben Groenewoud 3b1f780435 [D4C Conversion] Converting Compatible D4C Rules to DR (#4532) 
* [D4C Conversion] Converting Compatible D4C Rules to DR

* added host.os.type

* Rename

* Update rules/linux/execution_container_management_binary_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-10 14:26:40 +02:00
Ruben Groenewoud 05c9f6bbdb [FN Tuning] Shared Object Created or Changed by Previously Unknown Pr… (#4529) 
* [FN Tuning] Shared Object Created or Changed by Previously Unknown Process

* Update process exclusions in TOML file

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-04-08 18:19:18 +02:00
github-actions[bot] fbddc2e659 Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4601) 2025-04-08 18:25:47 +05:30
Jonhnathan a5d9d6400a [Rule Tuning] Suspicious Execution via Scheduled Task (#4599) 2025-04-07 22:59:08 +05:30
shashank-elastic 3966981dae Add investigation guides (#4600) 2025-04-07 20:55:39 +05:30
Jonhnathan 9577d53284 [Rule Tuning] Add Host Metadata to ES|QL Aggregation Rules (#4592) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-07 12:00:14 -03:00
Colson Wilhoit 753e8d8200 [New] Unusual Network Connection to Suspicious Top Level Domain (#4563) 2025-04-03 14:22:41 -05:00
Colson Wilhoit d4b2a35237 [New] Unusual Network Connection to Suspicious Web Service (#4569) 
* [New] Unusual Network Connection to Suspicious Web Service

* Update rule threat order

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-03 14:02:03 -05:00
Mika Ayenson, PhD 8bb5e2493b Update docset.yml (#4590) 
Remove diagnostic hint
 2025-04-03 13:46:01 -05:00
Jonhnathan e7806fc74f [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589) 2025-04-02 09:52:34 -03:00
Samirbous 6d8cfda10f Update defense_evasion_microsoft_defender_tampering.toml (#4573) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-04-01 18:04:29 +01:00
Terrance DeJesus c6e37d6910 [Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557) 
* tuning Azure rule for illicit grant activity; creating new rule for M365

* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml

* adjusted tags

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
 2025-03-27 15:55:04 -04:00
Terrance DeJesus 280140650a tuning 'Azure Conditional Access Policy Modified' (#4558) 2025-03-27 15:43:46 -04:00
Terrance DeJesus 2f3f4fbdef deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559) 2025-03-27 10:09:34 -04:00
github-actions[bot] 51826ed32f Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4571) 2025-03-27 09:42:15 +05:30