security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,037 Commits 1 Branch 0 Tags
dev-v1.4.3
Commit Graph

903 Commits

Author SHA1 Message Date
Jonhnathan 4476ac52a8 [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091) 
* [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms

* ++

* ++

* Update credential_access_dcsync_replication_rights.toml

* Update persistence_webshell_detection.toml

* ++

* Update persistence_webshell_detection.toml
 2025-09-15 09:38:03 -07:00
Jonhnathan 7bd9c52852 [Rule Tuning] Windows High Severity - 5 (#5096) 
* [Rule Tuning] Windows High Severity - 4

* Update privilege_escalation_windows_service_via_unusual_client.toml
 2025-09-15 09:29:37 -07:00
Jonhnathan 76c73f84f6 [Rule Tuning] Windows High Severity - 4 (#5095) 
* [Rule Tuning] Windows High Severity - 4

* Update initial_access_execution_from_inetcache.toml
 2025-09-15 09:18:55 -07:00
Jonhnathan 8d9822e8be [Rule Tuning] Fix process.pe.original_file_name Conditions (#5101) 
* [Rule Tuning] Fix process.pe.original_file_name Conditions

* --
 2025-09-15 09:06:23 -07:00
Jonhnathan d69ede2508 [Rule Tuning] Windows High Severity - 3 (#5094) 
* [Rule Tuning] Windows High Severity - 3

* Update execution_pdf_written_file.toml

* Update execution_pdf_written_file.toml

* Update execution_pdf_written_file.toml
 2025-09-15 08:34:43 -07:00
Jonhnathan 567b82cb2f [Rule Tuning] Windows High Severity - 2 (#5093) 
* [Rule Tuning] Windows High Severity - 2

* [Rule Tuning] Windows High Severity - 3

* Revert "[Rule Tuning] Windows High Severity - 3"

This reverts commit 32c8348072ab1629e2a164a3579d866b2682f234.
 2025-09-15 07:53:31 -07:00
Jonhnathan 7910f465cc [Rule Tuning] Windows High Severity - 1 (#5092) 
* [Rule Tuning] Windows High Severity - 1

* Update command_and_control_headless_browser.toml

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Update command_and_control_outlook_home_page.toml
 2025-09-15 07:44:20 -07:00
Jonhnathan 1dedea798a [Rule Tuning] Component Object Model Hijacking (#5065) 2025-09-11 17:18:05 -07:00
Jonhnathan aa97487b20 [Rule Tuning] PowerShell Rules (#5056) 
* [Rule Tuning] PowerShell Rules

* Update defense_evasion_posh_defender_tampering.toml

* [Rule Tuning] Connection to Commonly Abused Web Services

* Revert "[Rule Tuning] Connection to Commonly Abused Web Services"

This reverts commit 74dcea07e16a2b50ee8a372aef63a7c699e7c66a.
 2025-09-11 16:54:11 -07:00
Jonhnathan b5d77951b5 [Rule Tuning] Remote Execution via File Shares (#5066) 
* [Rule Tuning] Remote Execution via File Shares

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-09-11 16:40:59 -07:00
shashank-elastic 25539fd6c6 Delete Development Rules (#5084) 2025-09-10 23:24:28 +05:30
Jonhnathan 375082729a [Rule Tuning] Adjust process.code_signature.trusted condition (#5067) 
* [Rule Tuning] Adjust process.code_signature.trusted condition

* typo
 2025-09-08 08:42:17 -07:00
Jonhnathan 6ac71050dc [Rule Tuning] Remote File Download via PowerShell (#5062) 
* [Rule Tuning] Remote File Download via PowerShell

* Update command_and_control_remote_file_copy_powershell.toml

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update command_and_control_remote_file_copy_powershell.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-09-08 07:59:53 -07:00
Jonhnathan 4aa6c4e715 [Rule Tuning] Untrusted Driver Loaded (#5061) 
* [Rule Tuning] Untrusted Driver Loaded

* Update defense_evasion_untrusted_driver_loaded.toml
 2025-09-05 06:12:30 -07:00
Jonhnathan 9ee15a13b0 [Rule Tuning] Connection to Commonly Abused Web Services (#5060) 
* [Rule Tuning] Connection to Commonly Abused Web Services

* Update command_and_control_common_webservices.toml
 2025-09-04 11:58:13 -07:00
Samirbous 0bbad3bbf8 Update defense_evasion_modify_ownership_os_files.toml (#5051) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-09-02 08:18:35 -07:00
Jonhnathan 8d2ea9220b [New Rules] Potential Relay Attack against a Computer Account (#4826) 
* [New Rules] Potential Relay Attack against a Computer Account Rules

* update description

* .

* add min_stack

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-09-01 10:07:37 -07:00
Samirbous 464fb3951e [Tuning] Unusual Network Activity from a Windows System Binary (#5048) 2025-09-01 22:17:53 +05:30
Jonhnathan a31b3a36ad [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

* pending adjustments

* Update execution_windows_cmd_shell_susp_args.toml
 2025-09-01 09:30:21 -07:00
Samirbous a62ee7a8a2 [New] Active Directory Discovery using AdExplorer (#5047) 
* [New] Active Directory Discovery using AdExplorer

* Update discovery_ad_explorer_execution.toml

* Update rules/windows/discovery_ad_explorer_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_ad_explorer_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-09-01 16:58:22 +01:00
Samirbous 40794368a7 [New] Connection to Common Large Language Model Endpoints (#5044) 
* [New] Connection to Common Large Language Model Endpoints

* [New] Connection to Common Large Language Model Endpoints

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_common_llm_endpoint.toml

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-09-01 16:47:31 +01:00
Jonhnathan ba354ceff9 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038) 2025-09-01 08:25:52 -07:00
shashank-elastic 93ac471574 Monthly Schema Updates (#5046) 2025-09-01 20:42:42 +05:30
Samirbous 61af3e801d [New] Potential System Tampering via File Modification (#5043) 
* [New] Potential System Tampering via File Modification

* Update impact_mod_critical_os_files.toml

* Update rules/windows/impact_mod_critical_os_files.toml

* Create defense_evasion_modify_ownership_os_files.toml

* Update defense_evasion_modify_ownership_os_files.toml

* Update defense_evasion_modify_ownership_os_files.toml

* Update defense_evasion_modify_ownership_os_files.toml

* Update defense_evasion_modify_ownership_os_files.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-09-01 15:52:26 +01:00
Samirbous e1205cb5c5 [New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001) 
* [New/Tuning] Windows Top Threats 2024/2025

1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3d party EDR/sysmon/system/winlog integration and that does not require correlation or multiple type of events.

2) MSIEXEC:

* Update defense_evasion_mshta_susp_child.toml

* Update defense_evasion_script_via_html_app.toml

* Update defense_evasion_mshta_susp_child.toml

* Create defense_evasion_msiexec_remote_payload.toml

* Update defense_evasion_msiexec_remote_payload.toml

* ++

* Create execution_scripting_remote_webdav.toml

* Create execution_windows_fakecaptcha_cmd_ps.toml

* Create command_and_control_rmm_netsupport_susp_path.toml

* Update command_and_control_rmm_netsupport_susp_path.toml

* ++

* Update execution_jscript_fake_updates.toml

* Create command_and_control_dns_susp_tld.toml

* ++

* Create command_and_control_remcos_rat_iocs.toml

* Update execution_windows_fakecaptcha_cmd_ps.toml

* Update execution_scripts_archive_file.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* ++

* Create execution_nodejs_susp_patterns.toml

* Update execution_nodejs_susp_patterns.toml

* Update execution_windows_fakecaptcha_cmd_ps.toml

* Fix unit test errors

* Update defense_evasion_network_connection_from_windows_binary.toml

* Add system index

* Add tag

* Update rules/windows/command_and_control_remcos_rat_iocs.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Remove duplicate

* Update defense_evasion_msiexec_child_proc_netcon.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Create credential_access_browsers_unusual_parent.toml

* Update credential_access_browsers_unusual_parent.toml

* ++

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_remcos_rat_iocs.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_mshta_susp_child.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_windows_phish_clickfix.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update discovery_host_public_ip_address_lookup.toml

* Update execution_windows_phish_clickfix.toml

* Update rules/windows/defense_evasion_script_via_html_app.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_browsers_unusual_parent.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_nodejs_susp_patterns.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update discovery_host_public_ip_address_lookup.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_script_via_html_app.toml

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-09-01 15:41:51 +01:00
Jonhnathan b2bc6021f2 [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037) 
* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths

* ++

* Update defense_evasion_workfolders_control_execution.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml
 2025-09-01 05:31:12 -07:00
Jonhnathan dd918b1f80 [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5039) 2025-09-01 05:09:31 -07:00
Jonhnathan 79daf3fc68 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 13:28:14 -07:00
Jonhnathan ccedd45df1 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* ++

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 13:07:38 -07:00
Jonhnathan 86dd350579 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 12:50:59 -07:00
Jonhnathan 7eec833ec8 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12

* Update rules/windows/persistence_app_compat_shim.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 12:40:03 -07:00
Jonhnathan 41dd521546 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 12:28:49 -07:00
Jonhnathan 9c08869575 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024) 2025-08-28 12:15:25 -07:00
Jonhnathan be18b4db16 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_wdac_policy_by_unusual_process.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 12:04:55 -07:00
Jonhnathan 48dfb759cd [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022) 2025-08-28 11:51:45 -07:00
Jonhnathan 1af98a6170 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_proxy_execution_via_msdt.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 11:37:15 -07:00
Jonhnathan b91e73714e [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5

* Update defense_evasion_ms_office_suspicious_regmod.toml
 2025-08-28 11:26:09 -07:00
Jonhnathan 85a0d27b13 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 (#5019) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 11:05:42 -07:00
Jonhnathan 0fbf57c1d9 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_file_creation_mult_extension.toml

* Update rules/windows/defense_evasion_file_creation_mult_extension.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 10:55:21 -07:00
Jonhnathan 8ab98458fa [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2

* Update defense_evasion_code_signing_policy_modification_registry.toml

* Update defense_evasion_communication_apps_suspicious_child_process.toml

* Update rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml

* Update defense_evasion_communication_apps_suspicious_child_process.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 10:40:34 -07:00
Jonhnathan 00c6e785cb [Rule Tuning] Windows - Small Adjusts for Compatibility (#5032) 2025-08-28 10:20:13 -07:00
Jonhnathan 9c2ceb2bd7 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016) 
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1

* Update defense_evasion_amsi_bypass_dllhijack.toml

* Update command_and_control_outlook_home_page.toml

* Update command_and_control_outlook_home_page.toml

* Update defense_evasion_amsi_bypass_dllhijack.toml

* Update rules/windows/command_and_control_port_forwarding_added_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-08-28 06:43:09 -07:00
Samirbous 9dfc42aa1d [Tuning] Connection to Commonly Abused Web Services - alerts JetBrains to GH (#4973) 
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-08-18 17:21:04 +01:00
Jonhnathan 58f62fd138 [Rule Tuning] Suspicious Windows Powershell Arguments (#4961) 2025-08-18 09:02:04 -07:00
Jonhnathan 0507bcd150 [Rule Tuning] ES|QL PowerShell Rules (#4984) 2025-08-18 08:44:18 -07:00
Jonhnathan 273650d746 [Rule Tuning] Potential RemoteMonologue Attack (#4967) 
* [Rule Tuning] Potential RemoteMonologue Attack

* Update defense_evasion_regmod_remotemonologue.toml
 2025-08-18 08:22:53 -07:00
shashank-elastic c28b6d84b5 Investigation guides Update (#4990) 2025-08-18 20:36:46 +05:30
Jonhnathan 5f7b821e12 [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#4976) 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-08-18 06:29:28 -07:00
Samirbous 36b33e2c13 Update persistence_services_registry.toml (#4989) 2025-08-18 14:05:25 +01:00
Jonhnathan c8ee4c8ce3 [New Rule] Potential Web Shell ASPX File Creation (#4939) 
* [New Rule] Potential Web Shell ASPX File Creation

* Update persistence_web_shell_aspx_write.toml

* Update persistence_web_shell_aspx_write.toml
 2025-08-15 12:09:06 -03:00