security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,952 Commits 1 Branch 0 Tags
f2490007e80ef8e877d95fb02c6b5dcd3f09a907
Commit Graph

277 Commits

Author SHA1 Message Date
Samirbous f2490007e8 [New] Potential Execution via XZBackdoor (#3555) 
* [New] Potential Execution via XZBackdoor

* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-04-02 05:15:04 +01:00
Ruben Groenewoud a6028b43b3 [Rule Tuning] Potential Reverse Shell via UDP (#3508) 2024-03-21 13:48:41 +01:00
Ruben Groenewoud 4179180fcb [New Rules] mprotect() RWX Binary Execution (#3507) 
* [New Rules] mprotect() RWX Binary Execution

* Added rule names

* Update execution_netcon_from_rwx_mem_region_binary.toml

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update execution_netcon_from_rwx_mem_region_binary.toml

* Update execution_netcon_from_rwx_mem_region_binary.toml
 2024-03-13 22:11:44 +01:00
Ruben Groenewoud 9f8638a004 [Tuning] event.action and event.type change (#3495) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-03-13 10:11:21 +01:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
 2024-03-11 09:09:40 -03:00
Ruben Groenewoud 9c4ba4559d [Tuning] Linux DR Tuning - Part 12 (#3464) 
* [Tuning] Linux DR Tuning - Part 12

* Update persistence_shared_object_creation.toml

* Update privilege_escalation_dac_permissions.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Min stack rule-bending test

* formatting fix

* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"

This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Revert "Min stack rule-bending test"

This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 18:09:38 +01:00
Ruben Groenewoud ed4a7fc15b [Tuning] Linux DR Tuning - Part 14 (#3467) 
* [Tuning] Linux DR Tuning - Part 14

* Update privilege_escalation_sudo_cve_2019_14287.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 16:45:47 +01:00
Ruben Groenewoud 60fda8d756 [Tuning] Linux DR Tuning - Part 13 (#3465) 
* [Tuning] Linux DR Tuning - Part 13

* updated date bump

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

* Update privilege_escalation_netcon_via_sudo_binary.toml

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

* Update rules/linux/privilege_escalation_shadow_file_read.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-03-07 16:28:06 +01:00
Ruben Groenewoud ef66c57030 [Tuning] Linux DR Tuning - Part 11 (#3463) 
* [Tuning] Linux DR Tuning - Part 11

* Update persistence_message_of_the_day_creation.toml

* Update persistence_message_of_the_day_execution.toml

* Update rules/linux/persistence_message_of_the_day_execution.toml

* Update persistence_linux_user_added_to_privileged_group.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 12:20:31 +01:00
Ruben Groenewoud a76a3755d9 [Tuning] Linux DR Tuning - Part 10 (#3462) 
* [Tuning] Linux DR Tuning - Part 10

* updated_date bump

* Update persistence_kworker_file_creation.toml

* Update persistence_linux_backdoor_user_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 11:45:17 +01:00
Ruben Groenewoud fd84573212 [Tuning] Linux DR Tuning - Part 9 (#3461) 
* [Tuning] Linux DR Tuning - Part 9

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update lateral_movement_ssh_it_worm_download.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 11:33:28 +01:00
Ruben Groenewoud 08f946b394 [Tuning] Linux DR Tuning - Part 8 (#3460) 
* [Tuning] Linux DR Tuning - Part 8

* Update impact_esxi_process_kill.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 11:01:08 +01:00
Ruben Groenewoud c537fb9c22 [Tuning] Linux DR Tuning - Part 7 (#3458) 
* [Tuning] Linux DR Tuning - Part 7

* Update execution_potential_hack_tool_executed.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 10:46:48 +01:00
Ruben Groenewoud f37a3bfd48 [Tuning] Linux DR Tuning - Part 6 (#3457) 
* [Tuning] Linux DR Tuning - Part 6

* Update discovery_ping_sweep_detected.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 10:09:14 +01:00
Ruben Groenewoud ae3f4737ab [Tuning] Linux DR Tuning - Part 5 (#3456) 
* [Tuning] Linux DR Tuning - Part 6

* Update discovery_dynamic_linker_via_od.toml

* Update discovery_esxi_software_via_find.toml

* Update discovery_esxi_software_via_grep.toml

* Update discovery_linux_hping_activity.toml

* Update discovery_linux_nping_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 09:53:46 +01:00
Ruben Groenewoud 83abf8d42c [Tuning] Auditbeat event.action Compatibility (#3471) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-06 15:28:28 +01:00
Ruben Groenewoud 5a80423003 [BBR Promotion] Linux BBR --> DR Promotion (#3472) 
* [BBR Promotion] Linux BBR --> DR Promotion

* [BBR Promotion] Linux BBR --> DR Promotion

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-06 10:49:42 -03:00
Ruben Groenewoud 089e6671aa [Tuning] Linux DR Tuning - Part 4 (#3455) 
* [Tuning] Linux DR Tuning - Part 4

* Update defense_evasion_file_mod_writable_dir.toml

* Update defense_evasion_hidden_file_dir_tmp.toml
 2024-02-20 15:38:54 +01:00
Ruben Groenewoud 3484cac7eb [Tuning] Event.dataset removal & Tag Addition (#3451) 
* [Tuning] Removed event.dataset and added tag

* [Tuning] Removed event.dataset and added tag

* fixed typo

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-02-20 15:18:27 +01:00
Ruben Groenewoud 5e6e4a359b [Tuning] Linux DR Tuning - Part 3 (#3454) 2024-02-20 14:50:58 +01:00
Ruben Groenewoud 1dc7fd6a42 [Tuning] Linux DR Tuning - Part 1 (#3452) 
* [Tuning] Linux DR Tuning - Part 1

* Update command_and_control_linux_tunneling_and_port_forwarding.toml

* Update command_and_control_cat_network_activity.toml
 2024-02-20 14:38:19 +01:00
Ruben Groenewoud 0e48747aa6 [Tuning] Linux DR Tuning - Part 2 (#3453) 
* [Tuning] Linux DR Tuning - Part 2

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
 2024-02-20 14:17:17 +01:00
Ruben Groenewoud d41855a2ac [New Rules] DDExec Analysis (#3408) 
* [New Rules] DDExec Analysis

* Increased rule scope

* [New Rule] Dynamic Linker Discovery via od

* Revert "[New Rule] Dynamic Linker Discovery via od"

This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.

* [New Rule] Dynamic Linker Discovery via od

* [New Rule] Potential Memory Seeking Activity

* [New BBR] Suspicious Memory grep Activity

* Added endgame + auditd_manager support

* Removed auditd_manager support for now

* Removed auditd_manager support for now

* Update discovery_suspicious_memory_grep_activity.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-02-06 14:47:37 +01:00
Ruben Groenewoud 90d64f0714 [New Rule] Executable Masquerading as Kernel Process (#3421) 
* [New Rule] Executable Masquerading as Kernel Proc

* Bumped dates

* Added endgame support

* Added auditd_manager support

* Removed auditd_manager support for now
 2024-02-06 10:49:36 +01:00
Ruben Groenewoud 208b2e999c [New Rules] APT Package Manager Persistence (#3418) 
* [New Rule] apt Package Manager Persistence

* [New Rules] APT Package Manager Persistence

* [New Rules] APT Package Manager Persistence
 2024-02-06 10:29:27 +01:00
Ruben Groenewoud 4f303ab77e [New Rule] Suspicious Network Connection via systemd (#3420) 
* [New Rule] Network Connection via systemd

* Removed space from description

* Added updated query
 2024-02-06 10:19:42 +01:00
Ruben Groenewoud 381ccf43ed [New Rule] Suspicious Passwd File Event Action (#3396) 
* [New Rule] Suspicious Passwd File Event Action

* Description fix

* Pot. UT fix

* Pot. UT fix.

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-26 09:36:56 +01:00
Ruben Groenewoud 48d8b650e5 [New Rule] Potential Buffer Overflow Attack Detected (#3312) 
* [New Rule] Potential Buffer Overflow Attack

* Added timestamp_override

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-01-22 16:28:22 +01:00
Ruben Groenewoud ec5f4d596c [New Rule] Chroot Container Escape via Mount (#3387) 
* [New Rule] Chroot Container Escape via Mount

* description fix
 2024-01-22 09:17:53 +01:00
Ruben Groenewoud 26747aa8a4 [Security Content] Add Investigation Guides to Linux Persistence Rules - 2 (#3350) 
* [Security Content] Add IGs to Persistence - 2

* [Security Content] Add IGs to Persistence - 2

* fixes

* fix

* added ig note
 2024-01-20 19:36:32 +01:00
shashank-elastic 1a2ef4b867 Linux Process Capabilities Enrichment Detection Rules (#3366) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com
 2024-01-18 22:49:43 +05:30
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Ruben Groenewoud 4301dacfb8 [New Rule] Network Connection via Sudo Binary (#3389) 
* [New Rule] Network Connection via Sudo Binary

* description grammar fix
 2024-01-17 09:47:58 +01:00
Ruben Groenewoud a9285445cf [New Rule] Kernel Driver Load by non-root User (#3378) 
* [New Rule] Kernel Driver Load by non-root User

* setup note change

* removed unnecessary index
 2024-01-17 09:34:25 +01:00
shashank-elastic 24d5528ab0 Linux Rule Tuning (#3379) 2024-01-11 18:07:03 +05:30
Ruben Groenewoud df86882036 [Rule Tuning] Dynamic Linker Copy (#3349) 2024-01-08 10:56:31 +01:00
Ruben Groenewoud 6c91c1597d [Rule Tuning] Linux DR Tuning - Part 3 (#3322) 
* [Rule Tuning] Linux DR Tuning - Part 3

* small fix

* typo

* coffee

* Update persistence_cron_job_creation.toml

* Update persistence_shared_object_creation.toml
 2024-01-08 10:16:44 +01:00
Ruben Groenewoud 36226e5428 [Rule Tuning] Linux DR Tuning - Part 2 (#3321) 
* [Rule Tuning] Linux DR Tuning - Part 2

* [Rule Tuning] Linux DR Tuning - Part 2

* fix

* Update execution_shell_suspicious_parent_child_revshell_linux.toml
 2024-01-08 10:07:38 +01:00
Ruben Groenewoud b533642272 [Rule Tuning] Linux DR Tuning - Part 1 (#3316) 
* [Rule Tuning] Linux DR Tuning - Part 1

* fix

* Update command_and_control_linux_kworker_netcon.toml

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_file_mod_writable_dir.toml
 2024-01-08 09:50:15 +01:00
Ruben Groenewoud 91a757a018 [Security Content] Add Investigation Guides to Linux C2 Rules (#3247) 
* [Security Content] Add Investigation Guides to Linux C2 Rules

* Applied feedback
 2023-12-18 17:02:40 +01:00
Ruben Groenewoud 84824c67fd [Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254) 
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2023-12-18 09:36:21 +01:00
Ruben Groenewoud 6c614eb102 [Security Content] Add Investigation Guides to Linux Persistence Rules - 1 (#3288) 
* [Security Content] Add IGs to Persistence Rules

* Cleaned query

* IG description fix

* Added related rules

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-11 13:53:06 +01:00
Ruben Groenewoud 840958d117 [New Rule] Suspicious File Creation via Kworker (#3237) 
* [New Rule] Suspicious File Creation via Kworker

* Update rules/linux/persistence_kworker_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 23:02:00 +01:00
Ruben Groenewoud 9c61231dc6 [New Rule] UID Elevation from Unknown Executable (#3239) 
* [New Rule] UID Elevation from Unknown Executable

* type change

* bump min stack

* Added additional exclusions

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-07 22:25:01 +01:00
Ruben Groenewoud 1071b12f00 [New Rule] Suspicious Kworker UID Elevation (#3238) 
* [New Rule] Suspicious Kworker UID Elevation

* Update privilege_escalation_kworker_uid_elevation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-12-07 20:59:07 +01:00
Ruben Groenewoud 38862b89e9 [Tuning] Small Linux DR Tuning (#3287) 2023-12-07 12:45:24 +01:00
shashank-elastic d52546eee5 Enhance Setup Guide information (#3256) 2023-11-03 19:05:29 +05:30
shashank-elastic 5c5d1b214b Setup information for Linux Rules - Set8 (#3200) 2023-10-30 20:58:40 +05:30
Ruben Groenewoud 618a1dbe06 [New Rule] Attempt to Clear Kernel Ring Buffer (#3217) 
* [New Rule] Attempt to Clear Kernel Ring Buffer

* Update defense_evasion_clear_kernel_ring_buffer.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-10-30 09:37:11 +01:00
Ruben Groenewoud 1ac3775743 [New Rule] Network Activity Detected via kworker (#3202) 
* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* [New Rule] Network Activity Detected via kworker

* White space

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_linux_kworker_netcon.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-25 15:24:55 +02:00