Ruben Groenewoud
f37a3bfd48
[Tuning] Linux DR Tuning - Part 6 (#3457)
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_ping_sweep_detected.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 10:09:14 +01:00
Ruben Groenewoud
ae3f4737ab
[Tuning] Linux DR Tuning - Part 5 (#3456)
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_dynamic_linker_via_od.toml
* Update discovery_esxi_software_via_find.toml
* Update discovery_esxi_software_via_grep.toml
* Update discovery_linux_hping_activity.toml
* Update discovery_linux_nping_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 09:53:46 +01:00
github-actions[bot]
bf3932f384
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3491)
2024-03-06 23:10:02 +05:30
shashank-elastic
a4094df732
Prepare For Next Elastic Stack Minor Release (#3490)
2024-03-06 21:26:54 +05:30
Ruben Groenewoud
83abf8d42c
[Tuning] Auditbeat event.action Compatibility (#3471)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-06 15:28:28 +01:00
Ruben Groenewoud
5a80423003
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
* [BBR Promotion] Linux BBR --> DR Promotion
* [BBR Promotion] Linux BBR --> DR Promotion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-06 10:49:42 -03:00
terrancedejesus
b0ad5c97ca
reverting changes suggested in PR#3478
2024-03-01 06:50:03 -05:00
terrancedejesus
b4a3702fcb
updated description
2024-03-01 06:46:12 -05:00
Terrance DeJesus
8e0ca421ca
[Bug] Fix URL links in autogenerated security docs (#3474)
* added content() class method for guide and setup
* removed non-existent variable
* removed unnecessary newlines
* adjusted levels for titles
* reverting changes
* added method to convert markdown links to asciidoc
* adjusted regex to include trailing periods
* fixing linting errors
* adjusted regex pattern
* added content() class method for guide and setup
* stripped # out of investigation guide, setup or note
* adjusted formatting outcome
* changed function call
* fixed linting errors
* fixing auto-formatting for rule asciidoc
* fixing URL link removal
* fixing URL link removal
* removed strip() from string for setup
* fixed linting errors
* fixed linting errors
* adjusting code formatting for convert_markdown_to_asciidoc
2024-02-23 16:50:33 -05:00
Mika Ayenson
542053719b
[FR] Skip eql optimizations on parsing query for unique fields (#3443)
2024-02-20 20:25:51 -06:00
github-actions[bot]
7815d23110
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3459)
2024-02-20 22:56:59 +05:30
sbousseaden
853e18950f
[Tuning] Tuning Windows - 3 Rules (#3388)
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-02-20 15:56:28 +00:00
Ruben Groenewoud
089e6671aa
[Tuning] Linux DR Tuning - Part 4 (#3455)
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
2024-02-20 15:38:54 +01:00
Ruben Groenewoud
3484cac7eb
[Tuning] Event.dataset removal & Tag Addition (#3451)
* [Tuning] Removed event.dataset and added tag
* [Tuning] Removed event.dataset and added tag
* fixed typo
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-02-20 15:18:27 +01:00
Ruben Groenewoud
5e6e4a359b
[Tuning] Linux DR Tuning - Part 3 (#3454)
2024-02-20 14:50:58 +01:00
Ruben Groenewoud
1dc7fd6a42
[Tuning] Linux DR Tuning - Part 1 (#3452)
* [Tuning] Linux DR Tuning - Part 1
* Update command_and_control_linux_tunneling_and_port_forwarding.toml
* Update command_and_control_cat_network_activity.toml
2024-02-20 14:38:19 +01:00
Ruben Groenewoud
0e48747aa6
[Tuning] Linux DR Tuning - Part 2 (#3453)
* [Tuning] Linux DR Tuning - Part 2
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
2024-02-20 14:17:17 +01:00
Ruben Groenewoud
a637bcec38
[FR] NON_DATASET_PACKAGE list & Data Source tag for Auditd_manager (#3430)
* [FR] Add Auditd_Manager to NON_DATASET_PACKAGE
* Changed alphabetical order
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-02-19 09:37:02 +01:00
Samirbous
4809de6584
[New] Suspicious Execution from INET Cache (#3445)
* Create initial_access_execution_from_inetcache.toml
* Update initial_access_execution_from_inetcache.toml
2024-02-15 19:14:25 +00:00
Jonhnathan
5334601b6f
[Rule Tuning] Windows BBR Tuning - 3 (#3382)
* [Rule Tuning] Windows BBR Tuning - 3
* Update defense_evasion_service_disabled_registry.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-02-14 15:00:43 -03:00
Jonhnathan
1a8271db2f
[Rule Tuning] Windows BBR Tuning - 4 (#3384)
* [Rule Tuning] Windows BBR Tuning - 4
* Update discovery_system_time_discovery.toml
2024-02-14 14:21:07 -03:00
Jonhnathan
f233909e7d
[Rule Tuning] Windows BBR Tuning - 6 (#3386)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-02-14 12:49:25 -03:00
Jonhnathan
97e49795ab
[Rule Tuning] Windows BBR Tuning - 5 (#3385)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-02-14 10:23:06 -03:00
Jonhnathan
ae00f30574
[Rule Tuning] Windows BBR Tuning - 2 (#3381)
* [Rule Tuning] Windows BBR Tuning - 2
* Update defense_evasion_masquerading_windows_system32_exe.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-02-14 09:58:31 -03:00
Mika Ayenson
df6dd09db4
[FR] Add New Kibana Schema Issue Template (#3441)
2024-02-13 16:36:01 -06:00
Mika Ayenson
c3ca01ebcc
[FR] Add support for Threshold Alert Suppression (#3433)
2024-02-12 09:55:46 -06:00
Terrance DeJesus
06b97ec79b
[Bug] Adjust build-release CLI and fix links when generating security docs (#3434)
* removed historical argument; added setup string; fixed links
* fixing flake errors
* added types for command arguments
* adjusted get_release_diff to append strings for release tags
* set fetch-depth to 0 for integrations checkout in workflow
* changed the name of the workflow
* removed TODOs
* adjusted release docs workflow to remove prefix for release tags
* adjusted URL replacement only if pointed to docs site
* added elastic website to regex pattern
* add docstrings; adjusted regex; add note for stopgap
* added a note about the regex pattern for elastic URLs
2024-02-12 10:08:06 -05:00
Justin Ibarra
298d1bce0d
Add the Zen of Security Rules to philosophy (#3437)
2024-02-09 12:46:38 -07:00
Jonhnathan
21b559c97f
[Rule Tuning] Suspicious Antimalware Scan Interface DLL (#3432)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-02-08 06:27:16 -03:00
github-actions[bot]
827dfa7327
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3431)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
* updated downloadable updates file to reconcile changes
* Removed spacing from downloadable updates file
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-02-06 14:48:33 -05:00
Terrance DeJesus
7df7ab5101
[Bug] Update Prebuilt Detection Rules Release Process (#3403)
* release fleet workflow updates; build package integration reference changes
* updated commit hash extraction to output to env
* adjusted bump-pkg-versions to only include release if necessary
* fixed flake errors
* add historical argument for build-release set to yes by default
* Update detection_rules/devtools.py
* fixed fleet workflow; updated registry data references
* updated job names
* removed extract commit hash job and consolidated into fleet pr job
* added echo statement for current branch before checkout
* removed id from extract commit hash
2024-02-06 08:59:06 -05:00
Ruben Groenewoud
d41855a2ac
[New Rules] DDExec Analysis (#3408)
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od"
This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-02-06 14:47:37 +01:00
Ruben Groenewoud
90d64f0714
[New Rule] Executable Masquerading as Kernel Process (#3421)
* [New Rule] Executable Masquerading as Kernel Proc
* Bumped dates
* Added endgame support
* Added auditd_manager support
* Removed auditd_manager support for now
2024-02-06 10:49:36 +01:00
Ruben Groenewoud
208b2e999c
[New Rules] APT Package Manager Persistence (#3418)
* [New Rule] apt Package Manager Persistence
* [New Rules] APT Package Manager Persistence
* [New Rules] APT Package Manager Persistence
2024-02-06 10:29:27 +01:00
Ruben Groenewoud
4f303ab77e
[New Rule] Suspicious Network Connection via systemd (#3420)
* [New Rule] Network Connection via systemd
* Removed space from description
* Added updated query
2024-02-06 10:19:42 +01:00
Samirbous
6906a27c3a
Update lateral_movement_remote_task_creation_winlog.toml (#3419)
2024-02-05 18:36:24 +00:00
Jonhnathan
8274f9a816
[Rule Tuning] Windows BBR Tuning - 1 (#3380)
* [Rule Tuning] Windows BBR Tuning - 1
* .
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-02-05 12:47:24 -03:00
Jonhnathan
edd3556b63
[Rule Tuning] Startup or Run Key Registry Modification (#3367)
2024-02-05 12:28:06 -03:00
Samirbous
5a68ccfd0d
[New] Potential Enumeration via Active Directory Web Service (#3416)
* Create discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
2024-02-02 14:19:22 +00:00
Jonhnathan
50df6f3e9b
[Rule Tuning] Potential Modification of Accessibility Binaries (#3401)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-02-01 11:26:39 -03:00
Samirbous
4c74588c00
[Tuning] Suspicious File Downloaded from Google Drive (#3411)
* Update command_and_control_google_drive_malicious_file_download.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update command_and_control_google_drive_malicious_file_download.toml
2024-01-31 16:55:01 +00:00
Samirbous
d7f4d7972e
[Tuning] DCSync Rules - 4662 event.action (#3410)
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_replication_rights.toml
2024-01-30 11:43:28 +00:00
Ruben Groenewoud
381ccf43ed
[New Rule] Suspicious Passwd File Event Action (#3396)
* [New Rule] Suspicious Passwd File Event Action
* Description fix
* Pot. UT fix
* Pot. UT fix.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-01-26 09:36:56 +01:00
Ruben Groenewoud
a66394c550
[New BBR] Reverse Connection through Port Knocking (#3219)
* [New BBR] Reverse Connection through Port Knocking
* Attempt to fix unit testing error
* Mitre list fix?
* Revert "Mitre list fix?"
This reverts commit 83682b8a58c2954911495d218392a33ee0615db2.
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-01-24 16:30:31 +01:00
github-actions[bot]
d093336125
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3402)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-01-23 16:36:55 -05:00
Jonhnathan
92804343bc
[Rule Tuning] Windows DR Tuning - 15 (#3377)
* [Rule Tuning] Windows DR Tuning - 15
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update defense_evasion_msbuild_making_network_connections.toml
2024-01-23 16:48:31 -03:00
Jonhnathan
e33389b2ef
[Rule Tuning] Direct Outbound SMB Connection (#3400)
* [Rule Tuning] Direct Outbound SMB Connection
* Update lateral_movement_direct_outbound_smb_connection.toml
2024-01-23 15:33:49 -03:00
Jonhnathan
e0bdb59deb
[Rule Tuning] Host Files System Changes via Windows Subsystem for Linux (#3398)
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux
* Update defense_evasion_wsl_filesystem.toml
2024-01-22 18:47:53 -03:00
Terrance DeJesus
164b7d4028
removed query var; using is_sequence method; removed integration var (#3395)
2024-01-22 15:23:07 -05:00
Isai
442435830f
[New Rules] UEBA GitHub BBRs and Rules (#3174)
* [New Rules] UEBA GitHub BBRs and Rules
A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.
* Update rules/integrations/github/impact_github_member_removed_from_organization.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* edited BBR rules
-removed newly added member rule
* updated integration manifests and schemas
* Updated min_stack for some rules based on newest GitHub integration schema manifest
* testing min_stack bump to 8.8 for new fields
* removing offending rule to troubleshoot separately
* added UEBA tags and created UEBA threshold rule
* updated non-ecs-schema to add signal.rule.tags
* updated non-ecs-schema with kibana.alert.workflow_status
* updated rule.threat.tactic
* added user.name to non-ecs-schema
* added quotes to kibana.alert.workflow_status value
* removed trailing space from rule name
* update tags and optimize query for UEBA threshold rule
* removed integration field from Higher-Order rule
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* adjusted new_terms order and rule types based on review feedback
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* remove user.name from detection_rules/etc/non-ecs-schema.json
* fix json formatting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-01-22 12:48:31 -05:00