Commit Graph

933 Commits

Author SHA1 Message Date
theusername-sudo 3bcacdb4ee Update lateral_movement_scheduled_task_target.toml to fix null values (#5228)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-08 18:40:20 +05:30
Samirbous 8ddf8a838e Update defense_evasion_masquerading_as_svchost.toml (#5416) 2025-12-08 12:15:40 +00:00
Samirbous 896b6a214a [Tuning] Rare Connection to WebDAV Target (#5415)
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
2025-12-05 22:31:01 +00:00
Jonhnathan b8aedcd7aa [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition (#5391)
* [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition

* Update defense_evasion_posh_obfuscation_proportion_special_chars.toml

* ++, powershell.file.*

* ++

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 13:17:02 +01:00
Jonhnathan bc6f9b55f4 [Rule Tuning] Potential PowerShell Obfuscated Script (#5389)
* [Rule Tuning] Potential PowerShell Obfuscated Script

* Update defense_evasion_posh_obfuscation.toml
2025-12-02 08:30:54 -08:00
Jonhnathan 6915e3956f [Rule Tuning] Persistence via a Windows Installer (#5386) 2025-12-01 07:54:23 -08:00
Jonhnathan aaf3c93377 [Rule Tuning] Potential System Tampering via File Modification (#5385) 2025-12-01 07:45:03 -08:00
Jonhnathan 85a9c7180d [Rule Tuning] Windows Misc Tuning (#5382)
* [Rule Tuning] Windows Misc Tuning

* Update execution_suspicious_powershell_imgload.toml

* I need some coffee
2025-12-01 07:28:25 -08:00
Samirbous 5e1ac4f450 [Tuning] Powershell Atomics test gaps for T1059.001 (#5380)
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
2025-12-01 15:06:48 +00:00
Jonhnathan 20d86c8b47 [Rule Tuning] Host File System Changes via Windows Subsystem for Linux (#5383) 2025-12-01 05:06:38 -08:00
Samirbous c3d09165c4 [Tuning] Suspicious Kerberos Authentication Ticket Request (#5364)
* Update lateral_movement_credential_access_kerberos_correlation.toml

* Update lateral_movement_credential_access_kerberos_correlation.toml
2025-11-26 18:45:30 +00:00
Samirbous f0e9281854 [New] Potential Masquerading as Svchost (#5305)
* [New] Potential Masquerading as Svchost

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2025-11-19 12:10:11 +00:00
Samirbous 64cc823481 [Tuning] Outbound Scheduled Task Activity via PowerShell (#5287)
https://github.com/elastic/detection-rules/issues/5286

Verified cidrmatch on destination.ip works on both integrations (endpoint and sysmon):
2025-11-17 10:02:50 +00:00
Jonhnathan 8b74ba7136 [Rule Tuning] Remove host.os.type Unit Test Exception (#5317) 2025-11-14 08:46:24 -08:00
Samirbous 7b7082e9f4 [New] Command Obfuscation via Unicode Modifier Letters (#5311)
* [New] Command Obfuscation via Unicode Modifier Letters

* Update defense_evasion_obf_args_unicode_modified_letters.toml

* Update defense_evasion_obf_args_unicode_modified_letters.toml

* Update defense_evasion_obf_args_unicode_modified_letters.toml

* ++

* Update defense_evasion_obf_args_unicode_modified_letters.toml

* Update defense_evasion_obf_args_unicode_modified_letters.toml
2025-11-13 21:29:07 +00:00
veritasr3x da9bfd0abc MITRE ATT&CK Sub-Technique Update - Solves Issue #5279 (#5280)
* Resolves Issue #5279

* Corrected the "updated_date" value

* Put the technique and sub-technique in the correct location

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-11-11 10:26:14 -05:00
shashank-elastic e938ecf41a Refresh Manifest and Schemas November Update (#5298) 2025-11-11 18:04:20 +05:30
Samirbous 34bd88a37e [Tuning] Potential Ransomware Behavior - Note Files by System (#5235)
* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update rules/windows/impact_high_freq_file_renames_by_kernel.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-11-10 18:22:37 +00:00
Samirbous 085ef447e8 [New] Windows Server Update Service Spawning Suspicious Processes (#5250)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

https://hawktrace.com/blog/CVE-2025-59287
2025-11-10 18:10:32 +00:00
Samirbous 598e5c363f [New] Suspicious Kerberos Authentication Ticket Request (#5260)
* [New] Suspicious Kerberos Authentication Ticket Request

Multi-datasource correlation to detect suspicious Kerberos Authentication Ticket Request from the source machine and the Domain Controller.

* Update lateral_movement_credential_access_kerberos_correlation.toml

* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update lateral_movement_credential_access_kerberos_correlation.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-11-03 15:44:13 +00:00
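The "[New] Suspicious Kerberos Authentication Ticket Request" entry above describes a multi-datasource correlation between the source machine and the domain controller, and the earlier "Outbound Scheduled Task Activity via PowerShell" tuning mentions scoping on `cidrmatch` over `destination.ip`. The following is an added Python example of that shape, not the repository's rule logic: it pairs constructed endpoint network events (connections to tcp/88) with constructed 4768 events from a DC by client address and time window, keeps only KDC destinations inside assumed RFC 1918 ranges, and alerts when the connecting process is not the OS Kerberos client. The sample events, the 30-second window, the private-range list and the choice of `lsass.exe` as the expected client are all assumptions for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed scope for the cidrmatch check: only KDC traffic to RFC 1918 ranges is correlated.
INTERNAL_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed endpoint network telemetry from the source machines (not real data).
ENDPOINT_NETWORK_EVENTS = [
    {"@timestamp": "2025-11-03T10:00:01", "host.name": "ws01", "process.name": "lsass.exe",
     "source.ip": "10.1.2.3", "destination.ip": "10.1.0.10", "destination.port": 88},
    {"@timestamp": "2025-11-03T10:05:00", "host.name": "ws02", "process.name": "python.exe",
     "source.ip": "10.1.2.4", "destination.ip": "10.1.0.10", "destination.port": 88},
    # Destination outside the internal ranges: dropped by cidrmatch before correlation.
    {"@timestamp": "2025-11-03T10:06:00", "host.name": "ws03", "process.name": "cmd.exe",
     "source.ip": "10.1.2.5", "destination.ip": "203.0.113.7", "destination.port": 88},
]

# Constructed 4768 (Kerberos authentication ticket requested) events from the DC.
# Windows writes the client address as an IPv4-mapped IPv6 string.
DC_SECURITY_EVENTS = [
    {"@timestamp": "2025-11-03T10:00:02", "host.name": "dc01", "event.code": "4768",
     "source.ip": "::ffff:10.1.2.3", "user.name": "alice"},
    {"@timestamp": "2025-11-03T10:05:01", "host.name": "dc01", "event.code": "4768",
     "source.ip": "::ffff:10.1.2.4", "user.name": "svc_backup"},
    {"@timestamp": "2025-11-03T10:06:01", "host.name": "dc01", "event.code": "4768",
     "source.ip": "::ffff:10.1.2.5", "user.name": "bob"},
    # No endpoint connection inside the window for this one: must not pair with ws02's 10:05 event.
    {"@timestamp": "2025-11-03T10:20:00", "host.name": "dc01", "event.code": "4768",
     "source.ip": "::ffff:10.1.2.4", "user.name": "svc_backup"},
]


def normalize_ip(value):
    """Parse an address string and unwrap IPv4-mapped IPv6 (::ffff:10.1.2.4 -> 10.1.2.4)
    so DC and endpoint addresses compare equal."""
    addr = ipaddress.ip_address(value)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def cidrmatch(value, networks=INTERNAL_NETWORKS):
    """True when the address falls inside any of the given networks."""
    addr = normalize_ip(value)
    return any(addr in net for net in networks)


def correlate(network_events, dc_events, window=timedelta(seconds=30), trusted_client="lsass.exe"):
    """Pair each 4768 on the DC with an endpoint connection to tcp/88 from the same client
    address inside `window`; alert when the connecting process is not the trusted client."""
    alerts = []
    for dc in dc_events:
        if dc.get("event.code") != "4768":
            continue
        dc_time = datetime.fromisoformat(dc["@timestamp"])
        dc_client = normalize_ip(dc["source.ip"])
        for net in network_events:
            if net.get("destination.port") != 88 or not cidrmatch(net["destination.ip"]):
                continue
            if normalize_ip(net["source.ip"]) != dc_client:
                continue
            if abs(datetime.fromisoformat(net["@timestamp"]) - dc_time) > window:
                continue
            if net["process.name"].lower() == trusted_client:
                continue
            alerts.append({"host.name": net["host.name"], "process.name": net["process.name"],
                           "user.name": dc["user.name"], "kdc": net["destination.ip"],
                           "dc_time": dc["@timestamp"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(ENDPOINT_NETWORK_EVENTS, DC_SECURITY_EVENTS):
        print(alert)
```

Two details matter more than the join itself: the address normalization (without it the `::ffff:` form on the DC side never matches the endpoint's `source.ip`) and the time window, which keeps a later 4768 from the same client from pairing with an unrelated earlier connection.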
shashank-elastic 818978975d Prep 9.2 (#5231) 2025-10-17 21:01:13 +05:30
Samirbous 64a8290b37 [New] Potential Command Shell via NetCat (#5221)
* [New] Potential Command Shell via NetCat

* Update execution_revshell_cmd_via_netcat.toml

* Update execution_revshell_cmd_via_netcat.toml

* Update execution_revshell_cmd_via_netcat.toml

* Update execution_revshell_cmd_via_netcat.toml

* Update execution_revshell_cmd_via_netcat.toml
2025-10-15 12:30:09 +01:00
Jonhnathan a31fb00614 [Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193) 2025-10-07 08:40:23 -07:00
shashank-elastic 3397b7e707 Monthly Schema Updates (#5187) 2025-10-06 21:39:14 +05:30
Samirbous 29c4c19d59 [Tuning] Startup or Run Key Registry Modification (#5137)
* [Tuning] Startup or Run Key Registry Modification

high percentage of the FPs are for programfiles and localappdata files in the registry data string value. This tuning should drop FPs/volume significantly.

* Update rules/windows/persistence_run_key_and_startup_broad.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-10-06 09:24:33 +01:00
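The "Startup or Run Key Registry Modification" tuning above excludes Program Files and LocalAppData values in `registry.data.strings`, and the nearby "Check if registry.data.strings is null on exclusion-based logic" entry (as well as the "fix null values" entry at the top of the page) points at the trap in that kind of exclusion: whether a negated match retains or drops events in which the field is absent depends on the query engine's null semantics, so the decision should be explicit. The following is an added Python example, not the repository's rule: it evaluates constructed registry events against assumed Run/RunOnce key patterns and assumed benign-path exclusions, and handles the missing-field case as a separate, deliberate branch.

```python
import fnmatch

# Assumed key and exclusion patterns for illustration; the real rule's lists are not on this page.
# Patterns are lower-case; fnmatchcase is used so matching is case-insensitive on every platform.
RUN_KEY_PATTERNS = [
    r"hklm\software\microsoft\windows\currentversion\run\*",
    r"hklm\software\microsoft\windows\currentversion\runonce\*",
    r"hkey_users\*\software\microsoft\windows\currentversion\run\*",
    r"hkey_users\*\software\microsoft\windows\currentversion\runonce\*",
]
BENIGN_DATA_PATTERNS = [
    r"c:\program files\*",
    r"c:\program files (x86)\*",
    r"c:\users\*\appdata\local\*",
]

# Constructed sample events (ECS-style field names); not real telemetry.
SAMPLE_REGISTRY_EVENTS = [
    {"host.name": "ws01",
     "registry.path": r"HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry.data.strings": [r"C:\Users\bob\AppData\Roaming\updater.exe"]},
    {"host.name": "ws02",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "registry.data.strings": [r'"C:\Program Files\Vendor\tray.exe" /silent']},
    # registry.data.strings absent: the case an engine-level exclusion decides implicitly.
    {"host.name": "ws03",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ghost"},
    {"host.name": "ws04",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "registry.data.strings": ["1"]},
]


def _match_any(value, patterns):
    """Case-insensitive glob match; a leading quote (quoted executable paths) is ignored."""
    v = value.lower().lstrip('"')
    return any(fnmatch.fnmatchcase(v, p) for p in patterns)


def _as_list(value):
    """registry.data.strings is an array in ECS; tolerate a bare string and a missing value."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate_registry_event(event):
    """Return None when the event is out of scope, otherwise a verdict dict.

    The absent-field branch is the point of the example: nothing proves a missing
    value benign, so the event is kept rather than silently excluded (or silently
    retained) by whatever the query engine does with `not field : (...)` on a null."""
    path = event.get("registry.path")
    if path is None or not _match_any(path, RUN_KEY_PATTERNS):
        return None
    data = _as_list(event.get("registry.data.strings"))
    verdict = {"host.name": event["host.name"], "registry.path": path}
    if not data:
        verdict.update(alert=True, reason="registry.data.strings absent")
    elif all(_match_any(d, BENIGN_DATA_PATTERNS) for d in data):
        verdict.update(alert=False, reason="data string inside excluded locations")
    else:
        verdict.update(alert=True, reason="data string outside excluded locations")
    return verdict


def alerts(events):
    """Verdicts that should raise an alert, in input order."""
    return [v for v in (evaluate_registry_event(e) for e in events) if v and v["alert"]]


if __name__ == "__main__":
    for a in alerts(SAMPLE_REGISTRY_EVENTS):
        print(a)
```

If you port the same logic into a query language, write the null case as its own clause (for instance a `field == null` disjunction or a `field != null and ...` guard, whichever matches the intended outcome) instead of relying on how the engine evaluates a negated match against a missing field; the two engines a rule may run on do not have to agree.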
Samirbous b4e9b48ad7 [New] Suspicious SeIncreaseBasePriorityPrivilege Use (#5150)
* [New] Suspicious SeIncreaseBasePriorityPrivilege Us

https://github.com/Octoberfest7/ThreadCPUAssignment_POC/tree/main

https://x.com/sixtyvividtails/status/1970721197617717483

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-10-03 16:52:32 +01:00
Samirbous 66a0b6b97c [Tuning] Potential Ransomware Behavior - High count of Readme files by System (#5167)
* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-10-02 17:39:51 +01:00
Jonhnathan f75062a855 [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#5134)
* Update execution_suspicious_powershell_imgload.toml

* Update execution_suspicious_powershell_imgload.toml
2025-09-22 06:03:41 -07:00
Jonhnathan cd6c37e3b9 [Rule Tuning] Mark some field optional for 3rd party compatibility (#5135)
* [Rule Tuning] Mark some field optional for 3rd party compatibility

* bump
2025-09-22 05:43:10 -07:00
shashank-elastic 657b504f46 Update investigation guides (#5112) 2025-09-16 18:34:37 +05:30
Jonhnathan 4476ac52a8 [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
* [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms

* ++

* ++

* Update credential_access_dcsync_replication_rights.toml

* Update persistence_webshell_detection.toml

* ++

* Update persistence_webshell_detection.toml
2025-09-15 09:38:03 -07:00
Jonhnathan 7bd9c52852 [Rule Tuning] Windows High Severity - 5 (#5096)
* [Rule Tuning] Windows High Severity - 4

* Update privilege_escalation_windows_service_via_unusual_client.toml
2025-09-15 09:29:37 -07:00
Jonhnathan 76c73f84f6 [Rule Tuning] Windows High Severity - 4 (#5095)
* [Rule Tuning] Windows High Severity - 4

* Update initial_access_execution_from_inetcache.toml
2025-09-15 09:18:55 -07:00
Jonhnathan 8d9822e8be [Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
* [Rule Tuning] Fix process.pe.original_file_name Conditions

* --
2025-09-15 09:06:23 -07:00
Jonhnathan d69ede2508 [Rule Tuning] Windows High Severity - 3 (#5094)
* [Rule Tuning] Windows High Severity - 3

* Update execution_pdf_written_file.toml

* Update execution_pdf_written_file.toml

* Update execution_pdf_written_file.toml
2025-09-15 08:34:43 -07:00
Jonhnathan 567b82cb2f [Rule Tuning] Windows High Severity - 2 (#5093)
* [Rule Tuning] Windows High Severity - 2

* [Rule Tuning] Windows High Severity - 3

* Revert "[Rule Tuning] Windows High Severity - 3"

This reverts commit 32c8348072ab1629e2a164a3579d866b2682f234.
2025-09-15 07:53:31 -07:00
Jonhnathan 7910f465cc [Rule Tuning] Windows High Severity - 1 (#5092)
* [Rule Tuning] Windows High Severity - 1

* Update command_and_control_headless_browser.toml

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Update command_and_control_outlook_home_page.toml
2025-09-15 07:44:20 -07:00
Jonhnathan 1dedea798a [Rule Tuning] Component Object Model Hijacking (#5065) 2025-09-11 17:18:05 -07:00
Jonhnathan aa97487b20 [Rule Tuning] PowerShell Rules (#5056)
* [Rule Tuning] PowerShell Rules

* Update defense_evasion_posh_defender_tampering.toml

* [Rule Tuning] Connection to Commonly Abused Web Services

* Revert "[Rule Tuning] Connection to Commonly Abused Web Services"

This reverts commit 74dcea07e16a2b50ee8a372aef63a7c699e7c66a.
2025-09-11 16:54:11 -07:00
Jonhnathan b5d77951b5 [Rule Tuning] Remote Execution via File Shares (#5066)
* [Rule Tuning] Remote Execution via File Shares

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-09-11 16:40:59 -07:00
shashank-elastic 25539fd6c6 Delete Development Rules (#5084) 2025-09-10 23:24:28 +05:30
Jonhnathan 375082729a [Rule Tuning] Adjust process.code_signature.trusted condition (#5067)
* [Rule Tuning] Adjust process.code_signature.trusted condition

* typo
2025-09-08 08:42:17 -07:00
Jonhnathan 6ac71050dc [Rule Tuning] Remote File Download via PowerShell (#5062)
* [Rule Tuning] Remote File Download via PowerShell

* Update command_and_control_remote_file_copy_powershell.toml

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update command_and_control_remote_file_copy_powershell.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-09-08 07:59:53 -07:00
Jonhnathan 4aa6c4e715 [Rule Tuning] Untrusted Driver Loaded (#5061)
* [Rule Tuning] Untrusted Driver Loaded

* Update defense_evasion_untrusted_driver_loaded.toml
2025-09-05 06:12:30 -07:00
Jonhnathan 9ee15a13b0 [Rule Tuning] Connection to Commonly Abused Web Services (#5060)
* [Rule Tuning] Connection to Commonly Abused Web Services

* Update command_and_control_common_webservices.toml
2025-09-04 11:58:13 -07:00
Samirbous 0bbad3bbf8 Update defense_evasion_modify_ownership_os_files.toml (#5051)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-02 08:18:35 -07:00
Jonhnathan 8d2ea9220b [New Rules] Potential Relay Attack against a Computer Account (#4826)
* [New Rules] Potential Relay Attack against a Computer Account Rules

* update description

* .

* add min_stack

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-01 10:07:37 -07:00
Samirbous 464fb3951e [Tuning] Unusual Network Activity from a Windows System Binary (#5048) 2025-09-01 22:17:53 +05:30
Jonhnathan a31b3a36ad [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

* pending adjustments

* Update execution_windows_cmd_shell_susp_args.toml
2025-09-01 09:30:21 -07:00
Samirbous a62ee7a8a2 [New] Active Directory Discovery using AdExplorer (#5047)
* [New] Active Directory Discovery using AdExplorer

* Update discovery_ad_explorer_execution.toml

* Update rules/windows/discovery_ad_explorer_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_ad_explorer_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:58:22 +01:00