security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,731 Commits 1 Branch 0 Tags
f02ccfef64b4ffaeded44eb2bfcd3216ed144468
Commit Graph

808 Commits

Author SHA1 Message Date
shashank-elastic 34231160ee Fix versions for changes in required_fileds (#4640) 2025-04-24 06:28:18 +05:30
Jonhnathan b9ed05562d [Rule Tuning] User Added to Privileged Group in Active Directory (#4646) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-04-24 06:12:33 +05:30
Jonhnathan e8e76972f5 [Rule Tuning] Replace legacy winlog.api usage (#4647) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-04-24 05:52:38 +05:30
Samirbous f8e91be329 [New] RemoteMonologue Attack rules (#4604) 
* [New] RemoteMonologue Attack rules

https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1
    https://github.com/xforcered/RemoteMonologue

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_ntlm_downgrade.toml

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

* Update rules/windows/defense_evasion_ntlm_downgrade.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-04-22 15:26:57 -03:00
Jonhnathan 1bab74179e [New Rule] Potential Malicious PowerShell Based on Alert Correlation (#4635) 
* [New Rule] Potential Malicious PowerShell Based on Alert Correlation

* Update execution_posh_malicious_script_agg.toml
 2025-04-22 13:36:04 -03:00
Jonhnathan 8361cfd205 [New Rule] Potential PowerShell Obfuscation via String Reordering (#4595) 
* [New Rule] Potential PowerShell Obfuscation via String Reordering

* Update defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml

* Update defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml

* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
 2025-04-22 12:26:55 -03:00
Jonhnathan a495b4b9b2 [Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs (#4627) 2025-04-22 11:59:06 -03:00
Jonhnathan a9f99137f3 [New Rule] Dynamic IEX Reconstruction via Method String Access (#4634) 2025-04-22 11:47:03 -03:00
Jonhnathan e11fe78846 [Rule Tuning] Suspicious WMI Event Subscription Created (#4618) 
* [Rule Tuning] Suspicious Execution via Scheduled Task

* [Rule Tuning] Suspicious WMI Event Subscription Created
 2025-04-16 10:05:20 -03:00
Jonhnathan a5d9d6400a [Rule Tuning] Suspicious Execution via Scheduled Task (#4599) 2025-04-07 22:59:08 +05:30
Samirbous 6d8cfda10f Update defense_evasion_microsoft_defender_tampering.toml (#4573) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-04-01 18:04:29 +01:00
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
 2025-03-26 11:04:14 -04:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Samirbous 28a06fd25f Update defense_evasion_posh_assembly_load.toml (#4543) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-20 05:13:28 -03:00
Samirbous 290f0be959 Update defense_evasion_execution_suspicious_explorer_winword.toml (#4533) 2025-03-14 10:46:56 -03:00
Samirbous b1470a480b [New] WDAC Policy File by an Unusual Process (#4504) 
* [New] WDAC Policy File by an Unusual Process

https://github.com/logangoins/Krueger/tree/main

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update defense_evasion_wdac_policy_by_unusual_process.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-03-04 15:21:58 +00:00
Samirbous 46c4a80015 [Tuning] Remote File Copy to a Hidden Share (#4494) 
* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 11:50:02 -03:00
Samirbous 7b15acf9dd Update defense_evasion_amsi_bypass_powershell.toml (#4477) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 11:36:15 -03:00
Jonhnathan 0340335cf4 [Rule Tuning] Sysmon rules that uses event.action (#4496) 
* [Rule Tuning] Sysmon rules that uses `event.action`

* Adjust queries

* Fix unit test :thinking-hard:
 2025-02-27 11:24:42 -03:00
Jonhnathan 73aaad98f0 [Rule Tuning] MsBuild Making Network Connections (#4479) 
* [Rule Tuning] MsBuild Making Network Connections

* Remove Minstack

* Revert MMinstack removal

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-02-25 10:04:04 -03:00
Jonhnathan bc3e12da38 [Rule Tuning] Adapt Rules to work with Sysmon (#4480) 
* [Rule Tuning] Remove Sysmon from rules that would never trigger based on its events

* bump updated_date

* Update rules/windows/lateral_movement_incoming_wmi.toml

* Update Logic to support sysmon data

* Update command_and_control_tool_transfer_via_curl.toml
 2025-02-25 09:54:18 -03:00
Samirbous 8e3ad57672 Update defense_evasion_via_filter_manager.toml (#4493) 2025-02-25 09:29:36 +00:00
Jonhnathan c0f12ddecf [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464) 
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags

* Format & order

* Update pyproject.toml

* Update credential_access_cookies_chromium_browsers_debugging.toml
 2025-02-19 12:54:31 -03:00
Jonhnathan b951e86a55 [Rule Tuning] Account Configured with Never-Expiring Password (#4459) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-02-17 07:19:33 -03:00
Jonhnathan 15177246cc [Rule Tuning] Windows - Improve Index Pattern Consistency (#4462) 2025-02-17 07:04:34 -03:00
Jonhnathan 5155f47b86 [Rule Tuning] Event Aggregation - Fix event.action & event.type conditions (#4445) 
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions

* .

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-07 18:42:28 -03:00
Samirbous 27e8b85840 Update execution_windows_script_from_internet.toml (#4452) 2025-02-07 14:52:56 +00:00
Jonhnathan be54140485 [Rule Tuning] SMB Connections via LOLBin or Untrusted Process (#4444) 2025-02-05 17:32:57 -03:00
Jonhnathan 3e0ba33749 [Rule Tuning] Remote Execution via File Shares (#4448) 2025-02-05 14:51:47 -03:00
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Samirbous 8f73b88884 [Tuning / New] Execution of a downloaded windows script (#4434) 
* [New] Execution of a downloaded windows script

using 8.15 file events with MOTW info we can focus on js/vbs/wsh/vbe/jse/hta downloaded from internet followed by execution

* Update defense_evasion_posh_assembly_load.toml

* Update execution_powershell_susp_args_via_winscript.toml

* Update guides

* Update defense_evasion_network_connection_from_windows_binary.toml

* Update execution_windows_script_from_internet.toml

* Update execution_windows_script_from_internet.toml

* Update rules/windows/execution_windows_script_from_internet.toml

* Update rules/windows/execution_powershell_susp_args_via_winscript.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/execution_windows_script_from_internet.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update execution_windows_script_from_internet.toml

* Create command_and_control_tool_transfer_via_curl.toml

* Update command_and_control_tool_transfer_via_curl.toml

* Update command_and_control_tool_transfer_via_curl.toml

* Update execution_windows_script_from_internet.toml

* Create defense_evasion_indirect_exec_forfiles.toml

* Update execution_windows_script_from_internet.toml

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-02-03 14:33:59 +00:00
Jonhnathan fccfafea6b [Rule Tuning] Improve Detection Compatibility with Non-English Logs (#4410) 
* [Rule Tuning] Improve Detection Compatibility with Non-English Logs

* Update rules/windows/persistence_dontexpirepasswd_account.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update credential_access_disable_kerberos_preauth.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2025-01-23 16:12:42 -03:00
Mika Ayenson 7c6c77932c [FR] Add Remaining Guides (#4412) 2025-01-22 14:43:30 -06:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Jonhnathan d55d5d9695 [New Rule] File with Right-to-Left Override Character Created/Executed (#4396) 
* [New Rule] File with Right-to-Left Override Character Created/Executed

* Update defense_evasion_right_to_left_override.toml

* Update defense_evasion_right_to_left_override.toml
 2025-01-21 16:41:49 -03:00
Samirbous 1dfc84c37d [Tuning] Powershell Rules (#4395) 
* [Tuning] Powershell Rules

few complementary tuning to add some extra patterns.

* Update defense_evasion_amsi_bypass_powershell.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-20 12:12:37 +00:00
Jonhnathan 447fce3b08 [Rule Tuning] Suspicious Communication App Child Process (#4369) 2025-01-15 12:13:10 -03:00
Samirbous bcca0a2016 [New] Sensitive Audit Policy Sub-Category Disabled (#4373) 
* [New] Sensitive Audit Policy Sub-Category Disabled

https://elasticstack.slack.com/archives/C016E72DWDS/p1736784727633579

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-14 12:13:45 -03:00
Samirbous 419e5c1ad3 [Tuning] Suspicious WMI Event Subscription Created (#4327) 
* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

* Update detection_rules/etc/non-ecs-schema.json

* Update pyproject.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-06 09:40:26 -03:00
Jonhnathan aca416a779 [Rule Tuning] Windows misc Rule Tuning (#4298) 2025-01-02 07:44:01 -03:00
rad9800 c99cf9279d [Tuning] Uncommon Registry Persistence Change (#4286) 
* Update persistence_registry_uncommon.toml

Add registry rules for additional SMSS persistence vectors

* Update persistence_registry_uncommon.toml

* Update persistence_registry_uncommon.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-12-25 19:06:58 -03:00
Samirbous b66d0e0a0d [New] Remote Desktop File Opened from Suspicious Path (#4251) 2024-11-11 18:08:48 +05:30
Terrance DeJesus 33d832d4e4 [Rule Tuning] Tuning Process Termination followed by Deletion (#4173) 
* adding rule tuning

* adjusted operators; fixed missing quotes

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-11-08 16:38:17 -03:00
Jonhnathan d1b102730c [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8 (#4233) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8

* Update defense_evasion_powershell_windows_firewall_disabled.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-07 12:38:27 -03:00
Jonhnathan ef0f96c874 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 (#4232) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-07 12:27:47 -03:00
Samirbous d2dfd46b3e Update credential_access_suspicious_lsass_access_generic.toml (#4188) 2024-11-07 13:56:53 +00:00
Jonhnathan 6c2dad966a [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9 (#4234) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 9

* .

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-05 15:39:32 -03:00
Jonhnathan a743b9c8c4 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6 (#4231) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6

* Update credential_access_cmdline_dump_tool.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Revert "Update defense_evasion_powershell_windows_firewall_disabled.toml"

This reverts commit d2df2a848290425ebfe0bb5157332ad0611f726f.

* Update lateral_movement_via_wsus_update.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-05 15:00:43 -03:00
Jonhnathan d5b5ba387d [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5 (#4230) 
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5

* Update collection_winrar_encryption.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-11-05 14:46:10 -03:00
Jonhnathan 63956a6f51 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 4 (#4225) 2024-11-05 14:22:14 -03:00