Ruben Groenewoud
f37a3bfd48
[Tuning] Linux DR Tuning - Part 6 ( #3457 )
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_ping_sweep_detected.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 10:09:14 +01:00
Ruben Groenewoud
ae3f4737ab
[Tuning] Linux DR Tuning - Part 5 ( #3456 )
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_dynamic_linker_via_od.toml
* Update discovery_esxi_software_via_find.toml
* Update discovery_esxi_software_via_grep.toml
* Update discovery_linux_hping_activity.toml
* Update discovery_linux_nping_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 09:53:46 +01:00
Ruben Groenewoud
83abf8d42c
[Tuning] Auditbeat event.action Compatibility ( #3471 )
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-06 15:28:28 +01:00
Ruben Groenewoud
5a80423003
[BBR Promotion] Linux BBR --> DR Promotion ( #3472 )
* [BBR Promotion] Linux BBR --> DR Promotion
* [BBR Promotion] Linux BBR --> DR Promotion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-06 10:49:42 -03:00
Ruben Groenewoud
089e6671aa
[Tuning] Linux DR Tuning - Part 4 ( #3455 )
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
2024-02-20 15:38:54 +01:00
Ruben Groenewoud
3484cac7eb
[Tuning] Event.dataset removal & Tag Addition ( #3451 )
* [Tuning] Removed event.dataset and added tag
* [Tuning] Removed event.dataset and added tag
* fixed typo
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-02-20 15:18:27 +01:00
Ruben Groenewoud
5e6e4a359b
[Tuning] Linux DR Tuning - Part 3 ( #3454 )
2024-02-20 14:50:58 +01:00
Ruben Groenewoud
1dc7fd6a42
[Tuning] Linux DR Tuning - Part 1 ( #3452 )
* [Tuning] Linux DR Tuning - Part 1
* Update command_and_control_linux_tunneling_and_port_forwarding.toml
* Update command_and_control_cat_network_activity.toml
2024-02-20 14:38:19 +01:00
Ruben Groenewoud
0e48747aa6
[Tuning] Linux DR Tuning - Part 2 ( #3453 )
* [Tuning] Linux DR Tuning - Part 2
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
2024-02-20 14:17:17 +01:00
Ruben Groenewoud
d41855a2ac
[New Rules] DDExec Analysis ( #3408 )
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od"
This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-02-06 14:47:37 +01:00
Ruben Groenewoud
90d64f0714
[New Rule] Executable Masquerading as Kernel Process ( #3421 )
* [New Rule] Executable Masquerading as Kernel Proc
* Bumped dates
* Added endgame support
* Added auditd_manager support
* Removed auditd_manager support for now
2024-02-06 10:49:36 +01:00
Ruben Groenewoud
208b2e999c
[New Rules] APT Package Manager Persistence ( #3418 )
* [New Rule] apt Package Manager Persistence
* [New Rules] APT Package Manager Persistence
* [New Rules] APT Package Manager Persistence
2024-02-06 10:29:27 +01:00
Ruben Groenewoud
4f303ab77e
[New Rule] Suspicious Network Connection via systemd ( #3420 )
* [New Rule] Network Connection via systemd
* Removed space from description
* Added updated query
2024-02-06 10:19:42 +01:00
Ruben Groenewoud
381ccf43ed
[New Rule] Suspicious Passwd File Event Action ( #3396 )
* [New Rule] Suspicious Passwd File Event Action
* Description fix
* Pot. UT fix
* Pot. UT fix.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-01-26 09:36:56 +01:00
Ruben Groenewoud
48d8b650e5
[New Rule] Potential Buffer Overflow Attack Detected ( #3312 )
* [New Rule] Potential Buffer Overflow Attack
* Added timestamp_override
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-01-22 16:28:22 +01:00
Ruben Groenewoud
ec5f4d596c
[New Rule] Chroot Container Escape via Mount ( #3387 )
* [New Rule] Chroot Container Escape via Mount
* description fix
2024-01-22 09:17:53 +01:00
Ruben Groenewoud
26747aa8a4
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 ( #3350 )
* [Security Content] Add IGs to Persistence - 2
* [Security Content] Add IGs to Persistence - 2
* fixes
* fix
* added ig note
2024-01-20 19:36:32 +01:00
shashank-elastic
1a2ef4b867
Linux Process Capabilities Enrichment Detection Rules ( #3366 )
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-01-18 22:49:43 +05:30
Terrance DeJesus
1c10c37468
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field ( #3368 )
* updated timestamp override unit test; fixed rules missing this field
* fixed flake error
* simplified and consolidated logic
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added comments
* updated logic; added comments; removed unused variables
* removed custom python script
* updated dates
* removed deprecated rule change
* updated dates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-01-17 14:14:38 -05:00
Ruben Groenewoud
4301dacfb8
[New Rule] Network Connection via Sudo Binary ( #3389 )
* [New Rule] Network Connection via Sudo Binary
* description grammar fix
2024-01-17 09:47:58 +01:00
Ruben Groenewoud
a9285445cf
[New Rule] Kernel Driver Load by non-root User ( #3378 )
* [New Rule] Kernel Driver Load by non-root User
* setup note change
* removed unnecessary index
2024-01-17 09:34:25 +01:00
shashank-elastic
24d5528ab0
Linux Rule Tuning ( #3379 )
2024-01-11 18:07:03 +05:30
Ruben Groenewoud
df86882036
[Rule Tuning] Dynamic Linker Copy ( #3349 )
2024-01-08 10:56:31 +01:00
Ruben Groenewoud
6c91c1597d
[Rule Tuning] Linux DR Tuning - Part 3 ( #3322 )
* [Rule Tuning] Linux DR Tuning - Part 3
* small fix
* typo
* coffee
* Update persistence_cron_job_creation.toml
* Update persistence_shared_object_creation.toml
2024-01-08 10:16:44 +01:00
Ruben Groenewoud
36226e5428
[Rule Tuning] Linux DR Tuning - Part 2 ( #3321 )
* [Rule Tuning] Linux DR Tuning - Part 2
* [Rule Tuning] Linux DR Tuning - Part 2
* fix
* Update execution_shell_suspicious_parent_child_revshell_linux.toml
2024-01-08 10:07:38 +01:00
Ruben Groenewoud
b533642272
[Rule Tuning] Linux DR Tuning - Part 1 ( #3316 )
* [Rule Tuning] Linux DR Tuning - Part 1
* fix
* Update command_and_control_linux_kworker_netcon.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_file_mod_writable_dir.toml
2024-01-08 09:50:15 +01:00
Ruben Groenewoud
91a757a018
[Security Content] Add Investigation Guides to Linux C2 Rules ( #3247 )
* [Security Content] Add Investigation Guides to Linux C2 Rules
* Applied feedback
2023-12-18 17:02:40 +01:00
Ruben Groenewoud
84824c67fd
[Tuning & New Rule] Linux Reverse Shell & DR Tuning ( #3254 )
* [Rule Tuning & New Rule] Linux Reverse Shell
* [Tuning & New Rule] Linux Reverse Shells
* Name change
* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update execution_shell_via_child_tcp_utility_linux.toml
* Update execution_shell_via_background_process.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2023-12-18 09:36:21 +01:00
Ruben Groenewoud
6c614eb102
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 ( #3288 )
* [Security Content] Add IGs to Persistence Rules
* Cleaned query
* IG description fix
* Added related rules
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-12-11 13:53:06 +01:00
Ruben Groenewoud
840958d117
[New Rule] Suspicious File Creation via Kworker ( #3237 )
* [New Rule] Suspicious File Creation via Kworker
* Update rules/linux/persistence_kworker_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-12-07 23:02:00 +01:00
Ruben Groenewoud
9c61231dc6
[New Rule] UID Elevation from Unknown Executable ( #3239 )
* [New Rule] UID Elevation from Unknown Executable
* type change
* bump min stack
* Added additional exclusions
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-12-07 22:25:01 +01:00
Ruben Groenewoud
1071b12f00
[New Rule] Suspicious Kworker UID Elevation ( #3238 )
* [New Rule] Suspicious Kworker UID Elevation
* Update privilege_escalation_kworker_uid_elevation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-12-07 20:59:07 +01:00
Ruben Groenewoud
38862b89e9
[Tuning] Small Linux DR Tuning ( #3287 )
2023-12-07 12:45:24 +01:00
shashank-elastic
d52546eee5
Enhance Setup Guide information ( #3256 )
2023-11-03 19:05:29 +05:30
shashank-elastic
5c5d1b214b
Setup information for Linux Rules - Set8 ( #3200 )
2023-10-30 20:58:40 +05:30
Ruben Groenewoud
618a1dbe06
[New Rule] Attempt to Clear Kernel Ring Buffer ( #3217 )
* [New Rule] Attempt to Clear Kernel Ring Buffer
* Update defense_evasion_clear_kernel_ring_buffer.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-10-30 09:37:11 +01:00
Ruben Groenewoud
1ac3775743
[New Rule] Network Activity Detected via kworker ( #3202 )
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* [New Rule] Network Activity Detected via kworker
* White space
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_linux_kworker_netcon.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-25 15:24:55 +02:00
Ruben Groenewoud
3855dd06d8
[New Rule] Potential Linux Hack Tool Launched ( #3125 )
* [New Rule] Potential Linux Hack Tool Launched
* changed description slightly
* Updated description
* Update rules/linux/execution_potential_hack_tool_executed.toml
* Update rules/linux/execution_potential_hack_tool_executed.toml
2023-10-23 21:35:43 +02:00
Ruben Groenewoud
ff268cc6a0
[New Rule] Netcat Listener Established via rlwrap ( #3124 )
* [New Rule] Netcat Listener Established via rlwrap
* Update rules/linux/execution_nc_listener_via_rlwrap.toml
2023-10-23 17:31:26 +02:00
Ruben Groenewoud
020fff3aea
[Rule Tuning] Linux Rules ( #3092 )
* [Rule Tuning] [WIP] Linux DR
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Fixed tag
* Added additional tuning
* unit test fix
* Additional tuning
* tuning
* added max signals
* Added max_signals=1 to brute force rules
* Cross-Platform Tuning
* Small fix
* new_terms conversion
* typo
* new_terms conversion
* Ransomware rule tuning
* performance tuning
* new_terms conversion for auditd_manager
* tune
* Need coffee
* kql/eql stuff
* formatting improvement
* new_terms sudo hijacking conversion
* exclusion
* Deprecations that were added last tuning
* Deprecations that were added last tuning
* Increased max timespan for brute force rules
* version bump
* added domain tag
* Two tunings
* More tuning
* Additional tuning
* updated_date bump
* query optimization
* Tuning
* Readded the exclusions for this one
* Changed int comparison
* Some tunings
* Update persistence_systemd_scheduled_timer_created.toml
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml
* Update rules/linux/command_and_control_cat_network_activity.toml
* Update persistence_message_of_the_day_execution.toml
* Changed max_signals
* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"
This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.
* Revertable merge
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* File name change
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-23 16:28:58 +02:00
shashank-elastic
7254c582c5
Move Setup information into setup field ( #3206 )
2023-10-23 19:28:18 +05:30
Ruben Groenewoud
9f41c9f35c
[New Rule] Upgrade of Non-interactive Shell ( #3113 )
* [New Rule] Upgrade of Non-interactive Shell
* Changed numbers to int
* Changed severity
* [New Rule] Pot. Rev Shell via Background Process
* Revert "[New Rule] Pot. Rev Shell via Background Process"
This reverts commit bbb36eae26561dbef4bf57f6c1388cebe7a8b88d.
* Update rules/linux/execution_interpreter_tty_upgrade.toml
2023-10-18 16:47:07 +02:00
Ruben Groenewoud
6ea11cd9ad
[New Rules] cap_setuid/cap_setgid privesc ( #3075 )
* [New Rules] cap_setuid/cap_setgid privesc
* Update persistence_setuid_setgid_capability_set.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-18 16:24:01 +02:00
Ruben Groenewoud
4190c3a6a7
[New Rule] Potential SSH-IT SSH Worm Downloaded ( #3121 )
* [New Rule]
* Fixed grammar mistake
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
2023-10-18 16:08:25 +02:00
Ruben Groenewoud
7d674db11e
[New Rule] Pot. Network Scan Executed from Host ( #3070 )
2023-10-18 15:46:31 +02:00
shashank-elastic
276c0f9cd3
Setup information for Linux Rules - Set7 ( #3190 )
2023-10-17 19:45:01 +05:30
shashank-elastic
5a98208b53
Setup information for Linux Rules - Set6 ( #3189 )
2023-10-17 19:33:07 +05:30
shashank-elastic
2a48db0598
Setup information for Linux Rules - Set5 ( #3188 )
2023-10-17 19:11:20 +05:30
shashank-elastic
25b527c149
Setup information for Linux Rules - Set4 ( #3179 )
2023-10-17 18:59:31 +05:30
shashank-elastic
d2c2987d72
Setup information for Linux Rules - Set3 ( #3178 )
2023-10-17 18:37:20 +05:30