f6b6bee5c287d2d6806000ed3ce2b7c605a2bb35
4 Commits
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 056db6003e | [Security Content] Added Compatibility note to all IGs (#2943) | |
| | 8de2684498 | [Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868) | |
| | b4c84e8a40 | [Security Content] Tags Reform (#2725) | |
| | 7c5f17e30c | [New Rules] User / Group Creation & Privileged Group Addition (#2546) | |

056db6003e

[Security Content] Added Compatibility note to all IGs (#2943)

* added investigation guide note
* added ig notes
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* implemented note feedback
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

8de2684498

[Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868)

* [Investigation Guide] 10 new Linux IG's 8.9
* Added 4 more IG tags
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_rc_script_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_rc_script_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_account_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_execution.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_execution.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_rc_script_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_rc_script_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_rc_script_creation.toml
  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_rc_script_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* implemented feedback

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

b4c84e8a40

[Security Content] Tags Reform (#2725)

* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

7c5f17e30c

[New Rules] User / Group Creation & Privileged Group Addition (#2546)

* [New Rules] user/group creation
* Update rules/linux/persistence_linux_group_creation.toml
  Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_account_creation.toml
  Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
  Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added backdoor user account
* added host.os.type == linux for unit testing fix
* unit testing fixes
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Added OSQuery to Investigation Guides
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed investigation guides to add in future PR
* Fixed some issues with the rules
* fixed typo
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_account_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_group_creation.toml
  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>