security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,962 Commits 1 Branch 0 Tags
fbfc696a86d3ec826fbd13fb8957d294f155dc17
Commit Graph

17 Commits

Author SHA1 Message Date
Colson Wilhoit 4ef72457d3 [Tuning] MacOS DR Tuning PR (#4546) 
* [Tuning] MacOS DR Tuning PR

* tunings

* tuning

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_script_via_automator_workflows.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* fix

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-04-21 17:32:05 -05:00
Jonhnathan ab89dfb98d [Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447) 2025-02-05 15:09:27 -03:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Colson Wilhoit 1fb58e1b61 [Tuning] MacOS Comprehensive Detection Rule Tuning (#3435) 
* Update to use new data source

* Exclude FPs

* Update logic

* Exclude FPs

* Update to match ER logic

* Exclude FP

* Update to match endpoint rule and reduce FPs

* Update logic to reduce FPs

* Update logic to reduce FPs

* Exclude FPs

* Update logic to remove FPs

* Update logic to reduce FPs

* Update logic and min stack version to reduce FPs

* Exclude FP

* Remove FPs

* Update logic and min stack to reduce FPs

* Exclude FPs

* Update logic and min stack to exclude FPs

* Update logic and min stack to exclude FPs

* Update logic to be more efficient

* Update logic

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/credential_access_credentials_keychains.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Fix

* Fix

* Fix

* Update min stack comments

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/discovery_users_domain_built_in_commands.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Remove field

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-05-11 12:52:18 -05:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
 2024-03-11 09:09:40 -03:00
shashank-elastic 7854081cc0 Setup Guide information for MacOS rules (#3274) 2023-11-22 20:18:22 +05:30
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-09-05 14:22:01 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-03-05 11:41:19 -07:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2022-08-24 10:38:49 -06:00
Ross Wolf 31f63e728e Switch from process.ppid to process.parent.pid (#1255) 
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date
 2021-06-22 09:10:28 -06:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Samirbous b8243f3739 [New Rule] Shell Execution via Apple Scripting (#687) 
* [New Rule] Shell Execution via Apple Scripting

* fixed description and relinted

* added extra ref url

* references url

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:45:39 +01:00