security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,233 Commits 1 Branch 0 Tags
fcc8aaaf63ee8f736c4f6478de372c149889337a
Commit Graph

2233 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jonhnathan fcc8aaaf63 [Rule Tuning] Fix missing Winlogbeat index (#3976) 
* [Rule Tuning] Fix missing Winlogbeat index

* bump
 2024-08-09 12:46:33 -03:00
Jonhnathan 207dc55ede [Rule Tuning] Windows File-based Rules Tuning (#3963) 
* [Rule Tuning] Windows File-based Rules Tuning

* Update credential_access_lsass_memdump_file_created.toml

* .
 2024-08-09 12:26:58 -03:00
Jonhnathan f5069763b6 [Rule Tuning] Add System tag to DRs (#3968) 
* [Rule Tuning] Add System tag to DRs

* bump
 2024-08-09 11:14:33 -03:00
Terrance DeJesus 698e830f9f [Rule Tuning] Removing Minimum Stack Compatibility (#3974) 
* removing min-stack

* removing min-stack

* updating date
 2024-08-08 11:47:48 -04:00
Terrance DeJesus fe9ba15a2a [Rule Tuning] Tuning Suspicious HTML File Creation for Performance (#3480) 
* tuning 'Suspicious HTML File Creation'

* TOML lint; reverted EQL function checks

* updated date
 2024-08-08 11:12:55 -04:00
Jonhnathan 25ad765acb [Rule Tuning] Include winlogbeat index in sysmon-related rules (#3966) 2024-08-08 12:02:23 -03:00
protections machine d7c7d9b1c3 Interactive Shell Spawned via Hidden Process Sync RTA (#3937) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 19:42:01 +05:30
protections machine f47053b904 Suspicious Execution via a Hidden Process Sync RTA (#3938) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 19:33:49 +05:30
protections machine ec1f617fdc APT Package Manager Command Execution Sync RTA (#3940) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 19:19:44 +05:30
protections machine e277ecd230 Suspicious Execution via setsid and nohup Sync RTA (#3941) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 19:11:51 +05:30
protections machine 292d7b9215 Egress Network Connection from DPKG Directory Sync RTA (#3942) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 18:57:33 +05:30
protections machine ed9b145ebd System V Init (init.d) Egress Network Connection Sync RTA (#3943) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 18:48:05 +05:30
protections machine 3cefbbe057 System V Init (init.d) Executed Binary from Unusual Location Sync RTA (#3944) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 18:38:55 +05:30
protections machine fff326a7d4 Egress Network Connection by MOTD Child Sync RTA (#3945) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 18:30:03 +05:30
Eric Forte aea7d578ed Systemd Executing Binary in Unusual Location Sync RTA (#3766) 
Co-authored-by: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 18:15:31 +05:30
protections machine cdc4e21aac Scheduled Job Executing Binary in Unusual Location Sync RTA (#3952) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-08 18:01:56 +05:30
protections machine 0532f9f210 Egress Network Connection from RPM Package Sync RTA (#3951) 2024-08-08 17:53:22 +05:30
Terrance DeJesus ff3d51721a [Rule Tuning] Tuning Persistent Scripts in the Startup Directory (#3479) 
* tuning 'Persistent Scripts in the Startup Directory'

* adjusted query logic; added note about performance

* adjusted query logic

* adjusted query logic; added note about performance

* removed newline

* adjusted query logic to be more inclusive

* adjusted query

* adjusted query to leave wildcard and substring searches towards the end

* TOML lint

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* adjusted note; removed setup

* adjusted note; removed setup

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-06 18:42:53 -04:00
Eric Forte 47d7a3acaa [DaC] Beta Release (#3889) 
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2024-08-06 18:07:12 -04:00
github-actions[bot] f9717e71bb Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3961) 2024-08-06 19:37:36 +05:30
shashank-elastic 2ee5ae1f19 Fix Version Bump for Related Integrations (#3960) 2024-08-06 18:48:24 +05:30
Jonhnathan a6f1aa6fd7 [Rule Tuning] Windows Registry Rules Tuning - 2 (#3958) 2024-08-06 17:15:08 +05:30
Jonhnathan 9b85079da1 [Rule Tuning] Windows Registry Rules Tuning - 1 (#3957) 2024-08-06 17:05:17 +05:30
Jonhnathan 11636b159d [New Rule] Outlook Home Page Registry Modification (#3946) 2024-08-05 11:27:58 -03:00
Jonhnathan fbaac66f9f [Rule Tuning] Accepted Default Telnet Port Connection (#3954) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-08-03 20:15:06 -03:00
Jonhnathan 392e813e7a [Rule Tuning] Microsoft IIS Service Account Password Dumped (#3935) 2024-08-02 16:37:45 -03:00
Ruben Groenewoud 93d928625d [Tuning] Executable Bit Set for Potential Persistence Script (#3929) 2024-08-02 21:13:19 +02:00
Jonhnathan ff3f66cacf [Rule Tuning] AWS S3 Object Versioning Suspended (#3953) 2024-08-02 13:36:11 -03:00
Jonhnathan dfdc214be8 [New Rule] Potential Relay Attack against a Domain Controller (#3928) 
* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder
 2024-08-02 13:03:20 -03:00
Jonhnathan 8d3ec2b8a3 [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-08-01 14:06:08 -03:00
Ruben Groenewoud 485312d5f2 [Rule Tuning] System Binary Moved or Copied (#3933) 2024-08-01 18:47:58 +02:00
Isai 62982f9d8c [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#3910) 
* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User

* increased severity score

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-08-01 00:30:02 -04:00
Isai f2eb78219c [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time (#3923) 
* [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time

* Update discovery_new_terms_sts_getcalleridentity.toml

* Update execution_new_terms_ec2_instance_cloudformation_createstack.toml

* Update rules/integrations/aws/execution_new_terms_ec2_instance_cloudformation_createstack.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* rule name change, removed ec2

* Update rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-31 16:55:49 -04:00
Isai 1b58d0640b [New Rule] AWS EC2 Instance Console Login via Assumed Role (#3922) 
* [New Rule] AWS EC2 Instance Console Login via Assumed Role

* added reference for custom url creation

* added STS tag

* added event.provider to query

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-31 15:52:59 -04:00
Isai a28af59d02 [New Rule] AWS EC2 Instance Interaction with IAM Service (#3920) 
* [New Rule] AWS EC2 Instance Interaction with IAM Service

* Update rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-31 15:44:02 -04:00
Jonhnathan 65cacb4960 [New Rule] Potential Active Directory Replication User Backdoor (#3014) 
* [New Rule] Potential Active Directory Replication User Backdoor

* Update credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

* Update rules/windows/credential_access_dcsync_user_backdoor.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-07-31 12:02:34 -03:00
Ruben Groenewoud 134b842361 [Rule Tuning] Removed Endgame from Incompatible Rules (#3931) 
* [Rule Tuning] Removed Endgame from Incompatible Rules

* ++
 2024-07-31 09:26:38 +02:00
github-actions[bot] 823e8fd140 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3926) 2024-07-25 18:38:08 +05:30
shashank-elastic dce5bbd904 Update Rule minstack (#3925) 2024-07-25 17:45:55 +05:30
shashank-elastic f3b0dc1954 Prep for next release 8.16 (#3919) 2024-07-24 11:19:56 -04:00
Jonhnathan 896946ad1b [New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#3917) 
* [New Rule] Active Directory Forced Authentication from Linux Host via SMB Pipes

* Update credential_access_forced_authentication_pipes.toml

* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-24 12:01:10 -03:00
eric-forte-elastic baee89de9b Revert "Prep for next release 8.16 (#3914)" 
This reverts commit 4245a815d2.
 2024-07-23 14:06:04 -04:00
shashank-elastic 4245a815d2 Prep for next release 8.16 (#3914) 
* Prep for Release 8.16

* Add subscription

* Remove double subscription

* Formatting

* Formatting

* Revert Beaconing rules minstack and lock version
 2024-07-23 13:04:03 -04:00
Mika Ayenson 03c99d22d3 Revert "Prep for Release 8.16 (#3913)" 
This reverts commit 01135085f6.
 2024-07-23 09:50:04 -05:00
shashank-elastic 01135085f6 Prep for Release 8.16 (#3913) 2024-07-23 09:42:26 -05:00
Jonhnathan 5536a78d89 [New Rule] Potential WSUS Abuse for Lateral Movement (#3908) 
* [New Rule] Potential WSUS Abuse for Lateral Movement

* Update lateral_movement_via_wsus_update.toml

* Update lateral_movement_via_wsus_update.toml
 2024-07-22 17:04:08 -03:00
Jonhnathan 6bc1913473 [Rule Tuning] PowerShell Rules (#3903) 2024-07-22 08:39:40 -03:00
Ruben Groenewoud a71bbe0cf8 [Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905) 
* [Rule Tuning] Misc. DR Rule Tuning - Part 2

* ++

* Update privilege_escalation_suspicious_uid_guid_elevation.toml

* Update rules/linux/persistence_systemd_service_creation.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-07-19 15:21:35 +02:00
Ruben Groenewoud 76fdd549a3 [Rule Tuning] Misc. DR Rule Tuning (#3904) 
* [Rule Tuning] Misc. DR Rule Tuning

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml

* I love KQL validation
 2024-07-19 15:13:42 +02:00
Isai 322162f097 [New Rule] AWS S3 Bucket Replicated to Another Account (#3895) 2024-07-18 22:52:39 -04:00