Commit Graph

2469 Commits

Author SHA1 Message Date
github-actions[bot] febdafa1f4 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291) 2024-12-09 21:38:33 +05:30
Terrance DeJesus 052672b09f [Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290) 2024-12-09 20:58:33 +05:30
Terrance DeJesus e7b88ae3fc [New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277)
* new rule 'AWS IAM Login Profile Added for Root'

* added min-stack

* linted; fixed rule schema errors

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-12-09 08:55:20 -05:00
shashank-elastic 2c848c5111 Prep for Release 8.18 (#4288) 2024-12-09 18:25:13 +05:30
Isai 511c108ba1 [Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application

SDH related rule tuning for o365.audit dataset

* removing renamed field from query
2024-12-06 17:27:38 -05:00
shashank-elastic d3c05a08cc Add all historical versions for v8.17.0 and above packages (#4279) 2024-12-03 23:36:32 +05:30
shashank-elastic 801efb3d93 Protections for AWS Bedrock (#4270) 2024-12-03 21:56:39 +05:30
shashank-elastic 53cfeb76e3 Add event dataset for missing rule in Github integration (#4278) 2024-12-03 20:32:55 +05:30
github-actions[bot] 86cc61c233 Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4274)
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16

* Update detection_rules/etc/version.lock.json

* Update Patch version for version lock changes

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2024-11-27 09:34:54 -05:00
shashank-elastic 5ab7565923 Minstack versions for Okta and Github Integration (#4273) 2024-11-27 18:39:41 +05:30
Ruben Groenewoud 4e28895e66 [Rule Tuning] Kernel Module Removal (#4269)
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-11-25 21:13:44 +01:00
Terrance DeJesus 2d79494068 new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271) 2024-11-25 10:28:43 -05:00
shashank-elastic 04e1fc1436 Account for CCS '::' index pattern (#4258) 2024-11-13 11:17:08 +05:30
github-actions[bot] ebb3675ea0 Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4267) 2024-11-11 22:29:22 +05:30
terrancedejesus 4a7f83e432 Version Lock File Reconcile Ref: #4266 2024-11-11 10:48:43 -05:00
Samirbous f36845318e [New] First Time Seen User Auth via DeviceCode Protocol (#4153)
* Create credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_first_time_seen_device_code_auth.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-11-11 13:04:18 +00:00
Samirbous b66d0e0a0d [New] Remote Desktop File Opened from Suspicious Path (#4251) 2024-11-11 18:08:48 +05:30
Terrance DeJesus ef453d8f4d [Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)
* adding investigation fields to specific aws rules

* updated patch

* removing min-stack requirements

* removed user.name redundancy

* adjusted order of investigation fields

* adding source address
2024-11-08 23:11:18 -05:00
Terrance DeJesus 33d832d4e4 [Rule Tuning] Tuning Process Termination followed by Deletion (#4173)
* adding rule tuning

* adjusted operators; fixed missing quotes

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-11-08 16:38:17 -03:00
Ruben Groenewoud 56e61a6321 [New Rule] Potential Hex Payload Execution (#4241)
* [New Rule] Potential Hex Payload Execution

* Update rules/linux/defense_evasion_hex_payload_execution.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 19:15:17 +01:00
Ruben Groenewoud 54bb319f7b [New Rule] Memory Swap Modification (#4239)
* [New Rule] Memory Swap Modification

* Update rules/linux/impact_memory_swap_modification.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 19:06:55 +01:00
Ruben Groenewoud 3207ca37e4 [New Rule] Unusual Interactive Shell Launched from System User (#4238)
* [New Rule] Unusual Interactive Shell Launched from System User

* Update defense_evasion_interactive_shell_from_system_user.toml

* Update defense_evasion_interactive_shell_from_system_user.toml

* Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 18:24:30 +01:00
Ruben Groenewoud 267a6b6fa6 [New Rule] Web Server Spawned via Python (#4236)
* [New Rule] Web Server Spawned via Python

* Update execution_python_webserver_spawned.toml

* Update rules/linux/execution_python_webserver_spawned.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_python_webserver_spawned.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 18:16:19 +01:00
Ruben Groenewoud 83f31e1640 [New Rule] Directory Creation in /bin directory (#4227)
* [New Rule] Directory Creation in /bin directory

* Description fix

* Update rules/linux/defense_evasion_directory_creation_in_bin.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 18:07:06 +01:00
Ruben Groenewoud 6040b6aee4 [New Rule] Hidden Directory Creation via Unusual Parent (#4226)
* [New Rule] Hidden Directory Creation via Unusual Parent

* Update rules/linux/defense_evasion_hidden_directory_creation.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 17:58:13 +01:00
Ruben Groenewoud 43148a72f4 [New Rule] Security File Access via Common Utilities (#4243)
* [New Rule] Security File Access via Common Utilities

* [New Rule] Security File Access via Common Utilities

* Update discovery_security_file_access_via_common_utility.toml
2024-11-08 17:41:33 +01:00
Ruben Groenewoud f89e245e29 [New Rule] Potential Data Splitting Detected (#4235)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 17:32:59 +01:00
Ruben Groenewoud 3e268282d1 [New Rule] Private Key Searching Activity (#4242)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 17:13:55 +01:00
Ruben Groenewoud 40118186fb [New Rule] IPv4/IPv6 Forwarding Activity (#4240)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 17:06:07 +01:00
Ruben Groenewoud 993c60decb [New Rule] Curl SOCKS Proxy Activity from Unusual Parent (#4237)
* [New Rule] Curl SOCKS Proxy Activity from Unusual Parent

* OS Type update

* Update rules/linux/command_and_control_curl_socks_proxy_detected.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-08 16:51:18 +01:00
github-actions[bot] ee10be70b9 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4265) 2024-11-08 20:27:04 +05:30
shashank-elastic c2e0a9315c Fix extra new line in ATT&CK-coverage.md (#4263) 2024-11-08 20:13:21 +05:30
shashank-elastic d2502c7394 Prep for Release 8.17 (#4256) 2024-11-07 23:53:04 +05:30
Mika Ayenson 2ca746c4b4 [FR] Reset package version and push tag via ci (#4260) 2024-11-07 12:11:00 -06:00
Mika Ayenson 48a051e3f1 [FR] Fetch history for versioning workflow (#4259) 2024-11-07 11:57:33 -06:00
Mika Ayenson c615df680f [FR] Update the release versioning process and workflow (#4257) 2024-11-07 11:31:54 -06:00
Jonhnathan d1b102730c [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8 (#4233)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 8

* Update defense_evasion_powershell_windows_firewall_disabled.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-07 12:38:27 -03:00
Jonhnathan ef0f96c874 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 (#4232)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-07 12:27:47 -03:00
Samirbous d2dfd46b3e Update credential_access_suspicious_lsass_access_generic.toml (#4188) 2024-11-07 13:56:53 +00:00
Mika Ayenson d9154c698a [Testing] Update release-drafter.yml (#4255) 2024-11-06 16:21:05 -06:00
Mika Ayenson b2b92b0edc [Testing] Update release-drafter.yml (#4254) 2024-11-06 16:00:18 -06:00
Mika Ayenson c1ac8f0fae [FR] DRAFT Release Workflow on PR Merge (#4253) 2024-11-06 15:36:09 -06:00
Terrance DeJesus a92fdc18a1 [New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User (#4245)
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'

* adding investigation guide tag

* adds new hunting query

* updated notes

* changed name

* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
shashank-elastic 6a39009402 Add investigation guide for Amazon Bedrock Rules (#4247)
* Add investigation guide for Amazon Bedrock Rules

* updated date

* review comments

* review comments

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-11-06 12:58:02 -05:00
Terrance DeJesus 1cc160fe2e [Rule Tuning] Add Investigation Guides to AWS Rules (#4249)
* adding investigation guides for existing AWS rules

* removing 'AWS EC2 Instance Interaction with IAM Service' rule tuning

* adding back newline

* adjusted mitre att&ck mapping

* adjusted query and rule name

* updating date
2024-11-06 12:29:14 -05:00
Terrance DeJesus c602042954 [New Rule] Adding Coverage for AWS Discovery API Calls via CLI from a Single Resource (#4246)
* adding new rule 'AWS Multiple Discovery API Calls via CLI from a Single Resource'

* adjusted name

* adjusted ESQL functions

* changed query comment

* Update rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml

* adjusted query

* added min-stack

* adjusted query
2024-11-06 12:14:38 -05:00
Terrance DeJesus ef6344f5e6 [Rule Tuning] Tuning AWS STS Temporary Credentials via AssumeRole (#4228)
* tuning 'AWS STS Temporary Credentials via AssumeRole'

* linted; adjusted OR in query

* added investigation guide

* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* added new rule 'AWS STS Role Assumption by User'

* adjusted UUID

* Update rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-11-06 12:01:07 -05:00
Terrance DeJesus f486571dc6 [New Rule] Adding Coverage for AWS SSM Command Document Created by Rare User (#4229)
* new rule 'AWS SSM Command Document Created by Rare User'

* added another reference

* added investigation guide

* removed min-stack

* Update rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
2024-11-06 11:53:51 -05:00
Terrance DeJesus 1c9177ef6f [New Rule] Adding Coverage for AWS IAM Create User via Assumed Role on EC2 Instance (#4244)
* adding new rule 'AWS IAM Create User via Assumed Role on EC2 Instance'

* adding false-positive note

* changed file name

* added event.provider

* tuned 'AWS EC2 Instance Interaction with IAM Service' to be BBR

* updated query

* added BBR tag

* moved rule to BBR

* fixed BBR query

* moved rule to BBR
2024-11-06 11:28:41 -05:00
Terrance DeJesus d5f36b3619 [New Rule] Adding Coverage for AWS SNS Email Subscription by Rare User (#4224)
* adding new rule 'AWS SNS Email Subscription by Rare User'

* updated mitre; adjusted non-ecs schema; fixed query

* removed protocol inclusion in query

* fixed risk score

* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-11-06 11:19:30 -05:00