security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,681 Commits 1 Branch 0 Tags
dev-v1.0.3
Commit Graph

1893 Commits

Author SHA1 Message Date
shashank-elastic 2b3095a13c Update Max signals value to supported limits (#4556) 2025-03-27 09:02:25 +05:30
M. Visser 63c1f47689 [Rule Tuning] Added OWA (outlook for web) new AppID (#4568) 
* Added OWA (outlook for web) new AppID

**Title:** Add new Outlook for Web AppID to abnormal Microsoft 365 ClientAppID rule

**Description:**

This pull request updates the `initial_access_microsoft_365_abnormal_clientappid` rule to include the newly introduced Outlook for Web AppID:
- **New AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`

### Context

Outlook for Web (OWA) is migrating to a new authentication platform using MSAL and a Single Page Application (SPA) auth model. As part of this backend change, Microsoft is replacing the existing OWA AppID with a new one. This change is being rolled out during the first half of calendar year 2024, with full deployment expected by Q4 2024.
- **Old OWA AppID**: `00000002-0000-0ff1-ce00-000000000000`
- **New OWA AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`
    

Although no action is required for tenant administrators, this new AppID may show up in logs and should be accounted for in detections relying on known legitimate ClientAppIDs.

### Why this change?

The rule `initial_access_microsoft_365_abnormal_clientappid` flags potentially suspicious or unauthorized client applications accessing Microsoft 365 services. To prevent false positives caused by this official change from Microsoft, this PR adds the new OWA AppID to the allowlist.

### References
- Microsoft 365 Message Center notice (ref: MC715025)
- [MSAL documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)

* Update initial_access_microsoft_365_abnormal_clientappid.toml

Updated updated_date
 2025-03-26 15:15:28 -03:00
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
 2025-03-26 11:04:14 -04:00
Terrance DeJesus 5e12f05a36 fixing double header in investigation notes (#4490) 2025-03-25 09:08:13 -04:00
Terrance DeJesus db78756062 [New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535) 
* new rules for AWS DynamoDB data exfiltration

* bumping patch version

* adjusting investigation guide

* updating patch version

* updating patch version

* updating patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-21 10:05:24 -04:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Kirti Sodhi 955e973c00 Change description and name of problemchild ML detection-rules (#4545) 
Changed description and name of problemchild ML detection-rules
 2025-03-20 08:58:10 -04:00
Samirbous 28a06fd25f Update defense_evasion_posh_assembly_load.toml (#4543) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-20 05:13:28 -03:00
Eric Forte 5ccb7ed4af Min stack rules from 4516 (#4549) 2025-03-19 20:27:30 -04:00
Eric Forte 5b3dc4a4a7 Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548) 
This reverts commit 2ff8d1bb56.
 2025-03-19 20:08:08 -04:00
Kirti Sodhi 2ff8d1bb56 Add new ML detection rules for Privileged Access Detection (#4516) 
Add detection-rules for privileged access detection integration
 2025-03-19 11:02:28 -04:00
shashank-elastic 0993ced309 Deprecate Cloud Defend Rules (#4537) 2025-03-14 21:27:37 +05:30
Samirbous 290f0be959 Update defense_evasion_execution_suspicious_explorer_winword.toml (#4533) 2025-03-14 10:46:56 -03:00
Ruben Groenewoud d7d8c414ec [New Rule] File Creation in /var/log via Suspicious Process (#4528) 
* [New Rule] File Creation in /var/log via Suspicious Process

* ++

* ++
 2025-03-12 12:50:48 +01:00
Terrance DeJesus 3ed820afa8 [New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523) 
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'

* updating name

* added investigation guide

* updated investigation guide

* updated investigation guide

* removed unnecessary comment

* adjusted logic to count distinct on principal id; principal name will be in aggregations now

* updated Entra ID name
 2025-03-11 11:25:10 -04:00
Terrance DeJesus aacb376acf [New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524) 
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'

* updating tactic tag

* adjusted query logic for user type

* updated Entra ID name
 2025-03-11 11:05:56 -04:00
Terrance DeJesus fd1369a164 [New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525) 
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'

* linted; updated UUID

* adjusted rule name and logic to focus on any rare authentication requirements

* adjusted file name
 2025-03-11 10:51:01 -04:00
shashank-elastic e28512a32f Deprecation Notice to Cloud Defend Rules (#4520) 
* Deprecation Notice to Cloud Defend Rules

* Udpate names in investigation guide

* Adding deprecation note under Setup field

* reverting back to setup field name

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2025-03-07 00:20:00 -05:00
Ruben Groenewoud 561ab703de [New Rule] Uncommon Destination Port Connection by Web Server (#4515) 2025-03-06 22:01:33 +05:30
Ruben Groenewoud fe0a9f4935 [New/Tuning] Docker Socket Enumeration (#4510) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 17:07:10 +01:00
Ruben Groenewoud 8dfa5da3bf [New Rules] Potential Port/Subnet Scanning Activity from Compromised Host (#4509) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 16:57:33 +01:00
Ruben Groenewoud fe06843636 [New Rule] Unusual Process Spawned from Web Server Parent (#4513) 2025-03-06 16:46:12 +01:00
Ruben Groenewoud 7ce6aaf566 [New Rule] Unusual Command Execution from Web Server Parent (#4512) 
* [New Rule] Unusual Command Execution from Web Server Parent

* ++
 2025-03-06 16:25:38 +01:00
Kirti Sodhi a1d6ff4a50 Added ML detection-rules for new Security Host package (#4519) 
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
 2025-03-06 19:53:29 +05:30
Mika Ayenson, PhD 49c361dd98 [New Rules] Azure OpenAI (#3701) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-03-04 22:59:38 +05:30
Samirbous b1470a480b [New] WDAC Policy File by an Unusual Process (#4504) 
* [New] WDAC Policy File by an Unusual Process

https://github.com/logangoins/Krueger/tree/main

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update defense_evasion_wdac_policy_by_unusual_process.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-03-04 15:21:58 +00:00
shashank-elastic 467034ee5b Deprecate an APM BBR rule (#4511) 2025-03-04 17:39:45 +05:30
Ruben Groenewoud b9e8115c2f [New Rule] Python Site or User Customize File Creation (#4500) 
* [New Rule] Python Site or User Customize File Creation

* Update persistence_site_and_user_customize_file_creation.toml

* Update persistence_site_and_user_customize_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:30:33 +01:00
Ruben Groenewoud d948279af6 [New Rule] Python Path File (pth) Creation (#4499) 
* [New Rule] Python Path File (pth) Creation

* ++

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:20:00 +01:00
Ruben Groenewoud f70eafb8e7 [New Rule] Successful SSH Authentication from Unusual User (#4481) 
* [New Rule] Succesful SSH Authentication from Unusual User

* Rename initial_access_first_time_public_key_authentication.toml to initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-03 11:55:27 +01:00
Jonhnathan 5653190d08 [Rule Tuning] Remove hardcoded logic from description (#4503) 2025-02-28 14:38:18 -03:00
Ruben Groenewoud 06002cd9ac [New Rule] Kill Command Execution (#4485) 
* [New Rule] Kill Command Execution

* Update defense_evasion_kill_command_executed.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:26:50 +01:00
Ruben Groenewoud 9bb3b9f204 [New Rule] Unusual File Transfer Utility Launched (#4487) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:15:21 +01:00
Ruben Groenewoud 029fd45bb1 [New Rule] Base64 Decoded Payload Piped to Interpreter (#4488) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:01:52 +01:00
Ruben Groenewoud a2a120858f [New Rule] Unusual Base64 Encoding/Decoding Activity (#4486) 
* [New Rule] Unusual Base64 Encoding/Decoding Activity

* Update defense_evasion_base64_decoding_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 10:09:48 +01:00
Ruben Groenewoud 8c250db3c3 [New Rule] Successful SSH Authentication from Unusual IP-Address (#4482) 
* [New Rule] Successful SSH Authentication from Unusual IP-Address

* Apply suggestions from code review

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 09:55:35 +01:00
Ruben Groenewoud 89f79c6e4f [New Rule] Successful SSH Authentication from Unusual SSH Public Key (#4478) 
* [New Rule] First Time Public Key Authentication

* Update initial_access_first_time_public_key_authentication.toml

* Update initial_access_first_time_public_key_authentication.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 09:44:51 +01:00
Ruben Groenewoud fe48309daf [New Rule] Linux User Account Credential Modification (#4484) 
* [New Rule] Linux User Account Credential Modification

* Update rules/linux/persistence_user_credential_modification_via_echo.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 16:42:11 +01:00
Ruben Groenewoud 342e18075b [New Rule] SSH Authorized Keys File Deletion (#4483) 
* [New Rule] Authorized Keys File Deletion

* Apply suggestions from code review

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 16:29:51 +01:00
Samirbous 46c4a80015 [Tuning] Remote File Copy to a Hidden Share (#4494) 
* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 11:50:02 -03:00
Samirbous 7b15acf9dd Update defense_evasion_amsi_bypass_powershell.toml (#4477) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-02-27 11:36:15 -03:00
Jonhnathan 0340335cf4 [Rule Tuning] Sysmon rules that uses event.action (#4496) 
* [Rule Tuning] Sysmon rules that uses `event.action`

* Adjust queries

* Fix unit test :thinking-hard:
 2025-02-27 11:24:42 -03:00
Ruben Groenewoud a614da5900 [New Rule] Remote File Creation in World Writeable Directory (#4475) 
* [New Rule] Remote File Creation in World Writeable Directory

* Update rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml

* Update lateral_movement_remote_file_creation_world_writeable_dir.toml

* Update rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
 2025-02-26 10:11:55 +01:00
Ruben Groenewoud 59473f09ac [New Rule] Potential Malware-Driven SSH Brute Force Attempt (#4474) 
* [New Rule] Potential Malware-Driven SSH Brute Force Attempt

* Update impact_potential_bruteforce_malware_infection.toml

* Update rules/linux/impact_potential_bruteforce_malware_infection.toml

* Update impact_potential_bruteforce_malware_infection.toml
 2025-02-26 10:00:31 +01:00
Ruben Groenewoud 758e155231 [New Rule] High Number of Egress Network Connections from Unusual Executable (#4473) 
* [New Rule] High Number of Egress Network Connections from Unusual Executable

* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-02-26 09:43:54 +01:00
Ruben Groenewoud 8a221325e9 [New Rule] Unusual Remote File Creation (#4476) 
* [New Rule] Unusual Remote File Creation

* Description update

* ++

* ++

* Update rules/linux/lateral_movement_unusual_remote_file_creation.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-02-26 09:30:47 +01:00
Jonhnathan 73aaad98f0 [Rule Tuning] MsBuild Making Network Connections (#4479) 
* [Rule Tuning] MsBuild Making Network Connections

* Remove Minstack

* Revert MMinstack removal

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-02-25 10:04:04 -03:00
Jonhnathan bc3e12da38 [Rule Tuning] Adapt Rules to work with Sysmon (#4480) 
* [Rule Tuning] Remove Sysmon from rules that would never trigger based on its events

* bump updated_date

* Update rules/windows/lateral_movement_incoming_wmi.toml

* Update Logic to support sysmon data

* Update command_and_control_tool_transfer_via_curl.toml
 2025-02-25 09:54:18 -03:00
Samirbous 8e3ad57672 Update defense_evasion_via_filter_manager.toml (#4493) 2025-02-25 09:29:36 +00:00
Terrance DeJesus 4b7aa67213 [New Rule] Adding Coverage for M365 OneDrive Excessive File Downloads with OAuth Token (#4469) 
* new rule 'M365 OneDrive Excessive File Downloads with OAuth Token'

* removed Azure data source tag; added saas tag

* removed Azure data source tag; added saas tag

* updated mitre mappings

* added tactic:collection tag

* removed file directory, added targeted_time_window to aggregation
 2025-02-21 10:45:04 -05:00