sigma-rules

Author	SHA1	Message	Date
Eric Forte	581ef73bc0	[FR] [DAC] Add id support (#4208 )	2024-11-01 07:47:34 -04:00
Isai	b6847c7a48	[New Rule] AWS STS Role Chaining (#4209 ) * [New Rule] AWS STS Role Chaining Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API. While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges. Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration. This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior. * adding metadata query fields * removing index field	2024-10-30 12:18:04 -04:00
protections machine	1278c27967	Sync RTA Attempt to Fix Sensor Regex Error (#4213 )	2024-10-28 22:50:12 +05:30
github-actions[bot]	5d2940fa7c	Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4217 )	2024-10-28 21:07:46 +05:30
shashank-elastic	123e090e7d	Fix Minstack version for windows integration - Pahse 2 (#4216 )	2024-10-28 20:25:02 +05:30
shashank-elastic	92fe46b8ff	Fix Minstack version for windows integration (#4214 )	2024-10-28 19:28:10 +05:30
Ruben Groenewoud	9e4fce6586	[Rule Tuning] Potential Linux Hack Tool Launched (#4191 )	2024-10-25 17:23:48 +02:00
Ruben Groenewoud	b0bba39007	[Rule Tuning] Linux User Added to Privileged Group (#4206 )	2024-10-25 14:21:20 +02:00
protections machine	5d9b295bb6	Sync RTA Potential Mining Pool Command Detection (#4204 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-24 21:47:17 +05:30
protections machine	ae2adc766d	Sync RTA Renice or Ulimit Execution from Unusual Parent (#4203 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-24 21:38:49 +05:30
protections machine	4d41496e1d	Sync RTA Linux Powershell Egress Network Connection (#4202 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-24 20:35:15 +05:30
protections machine	933020a5c1	Sync RTA Suspicious Execution from Foomatic-rip or Cupsd Parent (#4201 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-24 19:49:15 +05:30
protections machine	6ec5c5b04b	Sync RTA Foomatic-rip Shell Execution (#4200 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-24 19:13:38 +05:30
shashank-elastic	be656ae740	Tune Bedrock rule to accept multivalued column (#4205 )	2024-10-23 20:48:56 +05:30
protections machine	77f0ee85d9	react_sync_rta_updates_4215 Network Connection by Foomatic-rip Child (#4196 )	2024-10-23 19:18:36 +05:30
protections machine	a54f83981e	Sync RTA File Downloaded via Curl or Wget to Hidden Directory (#4197 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 19:01:17 +05:30
protections machine	0ef122632e	Sync RTA Shared Object Load via LoLBin (#4198 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 18:48:11 +05:30
protections machine	f8d08f92f3	Sync RTA Suspicious Kernel Feature Activity (#4199 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 18:40:21 +05:30
protections machine	faafc4f19d	Sync RTA Potential Proxy Execution via PHP (#4195 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 16:07:32 +05:30
protections machine	c336e30dee	Sync RTA Suspicious Download and Redirect by Web Server (#4194 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 15:55:10 +05:30
protections machine	6a740a6a61	Sync RTA File Downloaded and Piped to Interpreter by Web Server (#4193 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 15:45:45 +05:30
protections machine	c5b108400c	Sync RTA File Downloaded from Suspicious Source by Web Server (#4192 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 15:15:56 +05:30
protections machine	91fbc39084	Sync RTA MSR Write Access Enabled (#4189 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 14:13:47 +05:30
protections machine	21c45f97fe	Sync RTA Reverse or Bind Shell via Suspicious Utility (#4187 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 13:37:44 +05:30
protections machine	9cb2974e70	Sync RTA Potential Gsocket Activity (#4186 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 13:21:33 +05:30
protections machine	fe6459d784	Sync RTA Bind Shell via Socket (#4185 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 12:10:45 +05:30
protections machine	08fc5a5e35	Sync RTA Bind Shell via Node (#4184 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 11:43:10 +05:30
protections machine	fb963628f2	Sync RTA Potential Proxy Execution via Sed (#4183 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 11:31:10 +05:30
protections machine	6d430be209	Sync RTA Bind Shell via Netcat Traditional (#4182 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 11:23:12 +05:30
protections machine	2e1daeeaa0	Sync RTA Base64 Shebang Payload Decoded via Built-in Utility (#4181 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 11:12:43 +05:30
protections machine	31d3b6417b	Sync RTA Potential Proxy Execution via Tcpdump (#4180 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 11:00:09 +05:30
protections machine	3e1fe91a1c	Sync RTA Potential Proxy Execution via Sysctl (#4179 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 10:52:28 +05:30
protections machine	519a3688c8	Sync RTA Potential Proxy Execution via Split (#4178 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 10:37:38 +05:30
protections machine	fff957c0f5	Sync RTA Potential Proxy Execution via Pidstat (#4177 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 10:27:11 +05:30
protections machine	bc821f56e1	Sync RTA System Binary Proxy Execution via ld.so (#4176 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-23 10:12:44 +05:30
protections machine	fb4bc72607	Sync RTA Potential Proxy Execution via Crash (#4175 ) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-22 21:49:13 +05:30
protections machine	d1f44270e1	Sync RTA Potential Process Masquerading via Exec Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2024-10-22 21:41:27 +05:30
shashank-elastic	275c7288a3	Add testcase to check for related_integrations based on index (#4096 )	2024-10-22 00:17:30 +05:30
Terrance DeJesus	d0225c37df	[Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169 ) * tuning 'Unusual Instance Metadata Service (IMDS) API Request' * added missing bracket * linted * Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml * removed intelephense whitelisting --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-10-18 11:50:57 -04:00
Ruben Groenewoud	42f6c8f9a5	[Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165 )	2024-10-18 17:13:44 +02:00
Ruben Groenewoud	b309bcb7ae	[Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166 ) * [Rule Tuning] Q2 Linux DR Tuning - Part 5 * Update persistence_suspicious_ssh_execution_xzbackdoor.toml * Update persistence_rpm_package_installation_from_unusual_parent.toml	2024-10-18 17:02:26 +02:00
Ruben Groenewoud	601254488b	[BBR Promotion] Q2 Linux BBR Promotion (#4172 ) * [BBR Promotion] Q2 Linux BBR Promotion * Update collection_linux_clipboard_activity.toml * Update defense_evasion_creation_of_hidden_files_directories.toml	2024-10-18 16:55:09 +02:00
Ruben Groenewoud	592ad0fe9a	[Rule Tuning] Q2 Linux DR Tuning - BBR (#4171 ) * [Rule Tuning] Q2 Linux DR Tuning - BBR * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update discovery_linux_sysctl_enumeration.toml * Update discovery_potential_memory_seeking_activity.toml * Update discovery_potential_memory_seeking_activity.toml	2024-10-18 16:45:23 +02:00
Ruben Groenewoud	09bd4cef16	[Rule Tuning] Q2 Linux DR Tuning - CP (#4170 ) * [Rule Tuning] Q2 Linux DR Tuning - CP * Update command_and_control_non_standard_ssh_port.toml	2024-10-18 16:38:14 +02:00
Ruben Groenewoud	ac6a49eeea	[Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167 )	2024-10-18 16:25:54 +02:00
Ruben Groenewoud	39fc23cb3d	[Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164 ) * [Rule Tuning] Q2 Linux DR Tuning - Part 3 * Update execution_suspicious_executable_running_system_commands.toml	2024-10-18 16:18:14 +02:00
Ruben Groenewoud	3982228132	[Rule Tuning] Q2 Linux DR Tuning - Part 2 (#4163 )	2024-10-18 16:07:09 +02:00
Ruben Groenewoud	af9f9e2456	[Rule Tuning] Q2 Linux DR Tuning - Part 1 (#4162 ) * [Rule Tuning] Q2 Linux DR Tuning - Part 1 * Update defense_evasion_binary_copied_to_suspicious_directory.toml	2024-10-18 15:59:51 +02:00
Terrance DeJesus	61b731c300	[Rule Tuning] Remove Salesforce Client User-Agent Whitelisting in `MFA Deactivation with no Re-Activation for Okta User Account` (#4145 ) * tuning * added note about whitelisting user agent * removed extra new line	2024-10-16 11:41:50 -04:00
shashank-elastic	b1e91ddb14	Add setuptools as project dependency (#4160 )	2024-10-16 20:09:23 +05:30

1 2 3 4 5 ...

2409 Commits