security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,376 Commits 1 Branch 0 Tags
dev-v1.5.39
Commit Graph

957 Commits

Author SHA1 Message Date
Terrance DeJesus c75fc7e487 [Rule Tuning] Mythic C2 AzureBlob Profile Endpoints (#5663) 
Fixes #5662
 2026-02-03 09:38:14 -05:00
Jonhnathan 2f9dc7af53 [Rule Tuning] PowerShell Rules Revamp - 2 (#5623) 
* [Rule Tuning] PowerShell Rules Revamp - 2

* Update credential_access_mimikatz_powershell_module.toml

* Apply suggestions from code review
 2026-01-26 19:35:05 -03:00
Jonhnathan 6843d11b09 [Rule Tuning] PowerShell Rules Revamp - 3 (#5625) 
* [Rule Tuning] PowerShell Rules Revamp - 3

* Apply suggestion from @w0rk3r
 2026-01-26 19:11:29 -03:00
Jonhnathan fc55e8b308 [Rule Tuning] PowerShell Rules Revamp - 1 (#5619) 
* [Rule Tuning] PowerShell Rules Revamp - 1

* bump
 2026-01-26 19:01:48 -03:00
Samirbous 88e0b14709 [Tuning] ESQL Dynamic unique value fields (#5569) 
* [Tuning] Extract dynamic field with 1 value to ECS fields for alerts exclusion

Extract dynamic field with 1 value to ECS fields for alerts exclusion:

Esql.host_id_values -> host.is
Esql.agent_id_values -> agent.id
Esql.host_name_values -> host.name

* Update multiple_alerts_by_host_ip_and_source_ip.toml

* Update newly_observed_elastic_defend_alert.toml

* Update defense_evasion_base64_decoding_activity.toml

* Update discovery_subnet_scanning_activity_from_compromised_host.toml

* Update persistence_web_server_sus_command_execution.toml

* Update persistence_web_server_sus_child_spawned.toml

* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/linux/impact_potential_bruteforce_malware_infection.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/newly_observed_elastic_defend_alert.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/newly_observed_elastic_detection_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/credential_access_rare_webdav_destination.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update credential_access_rare_webdav_destination.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 16:34:16 +00:00
Samirbous 7221db6b36 [Tuning] Potential Ransomware Behavior - Note Files by System (#5595) 
* [Tuning] Potential Ransomware Behavior - Note Files by System

added host.id and removed noisy patterns (writes to non C drive)

* Update impact_high_freq_file_renames_by_kernel.toml

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update impact_high_freq_file_renames_by_kernel.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 13:15:54 +00:00
Samirbous 30c7833f08 [Tuning] Rare Connection to WebDAV Target (#5604) 
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
 2026-01-26 12:51:09 +00:00
Samirbous ccfb69244a [Tuning] Rare Connection to WebDAV Target (#5556) 
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
 2026-01-23 11:17:19 +00:00
Jonhnathan 9055d564f5 [Rule Tuning] Web Server Rules (#5581) 2026-01-20 15:30:57 -03:00
Samirbous 31de1789c4 [Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560) 
* [Tuning] Reduce NewTerm history_window_start for Windows Rules

Reduce Windows NewTerm rules history_window_start from 14d to 5d.

* Update execution_command_shell_started_by_svchost.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update persistence_scheduled_task_updated.toml
 2026-01-16 12:46:45 +00:00
G. Blue Team Detection 3ab961da42 Docs: improve WinRAR/7-Zip encrypted archive rule guidance (#5547) 
* Docs: improve WinRAR/7-Zip encrypted archive rule guidance

Clarifies the rule description and expands investigation and false positive guidance
to help analysts distinguish data staging for exfiltration from common benign
administrative and backup workflows. No detection logic or query changes.

* Update rules/windows/collection_winrar_encryption.toml

* Change updated_date to 2026/01/12

Bump update_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-01-12 19:51:08 -03:00
shashank-elastic 1ce072a4e5 Prep for Release 9.3 (#5548) 2026-01-12 21:07:07 +05:30
Samirbous 5081735acc [New] Potential Persistence via Mandatory User Profile (#5530) 
* [New] Potential Persistence via Mandatory User Profile

https://deceptiq.com/blog/ntuser-man-registry-persistence

* Update persistence_suspicious_user_mandatory_profile_file.toml

* Update persistence_suspicious_user_mandatory_profile_file.toml
 2026-01-09 09:35:47 +00:00
Samirbous fde2fa972e [Tuning] Process Created with an Elevated Token (#5532) 
* [Tuning] Process Created with an Elevated Token

https://github.com/elastic/detection-rules/issues/5492

* Update privilege_escalation_via_token_theft.toml
 2026-01-09 09:23:37 +00:00
Samirbous f98f4e5a95 [Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5525) 
* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml
 2026-01-07 21:03:44 +00:00
Samirbous 08663dee79 Update persistence_webshell_detection.toml (#5524) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-01-02 12:45:50 -03:00
Samirbous b996a29451 [Tuning] Diverse Rules Tuning (#5482) 
* [Tuning] Diverse Rules Tuning

* Update persistence_shell_profile_modification.toml

* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* ++

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update persistence_shell_profile_modification.toml

* Revert "Update credential_access_potential_linux_ssh_bruteforce_internal.toml"

This reverts commit bad889a30d3f4a028de2b6624307f75b279a205b.

* Update persistence_web_server_sus_destination_port.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-12-18 15:30:12 +00:00
Jonhnathan a9bdfaaea3 [Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486) 
* [Rule Tuning] PowerShell Misc Tuning/Severity Bump

* bump sev
 2025-12-18 03:30:22 -08:00
Jonhnathan 5ec8e3e500 [Rule Tuning] Communication App Rules (#5487) 
* [Rule Tuning] Communication App Rules

* Update defense_evasion_masquerading_business_apps_installer.toml

* Update defense_evasion_masquerading_business_apps_installer.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_business_apps_installer.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-12-18 02:38:18 -08:00
Samirbous 2cc1a341de Update lateral_movement_credential_access_kerberos_correlation.toml (#5455) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-12-12 18:14:26 +00:00
Samirbous ef0ec1ac83 Update defense_evasion_suspicious_short_program_name.toml (#5454) 2025-12-12 17:25:00 +00:00
Samirbous 3726611b93 [Tuning] Top Noisy Rules (#5449) 
* [Tuning] Windows BruteForce Rules Tuning

#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths, alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%)

#2 Privileged Account Brute Force - coverted to ESQL and set the threshold to 50 in a minute. this should drop noise volume by more than 50%.

* ++

* Update execution_shell_evasion_linux_binary.toml

* Update execution_shell_evasion_linux_binary.toml

* Update defense_evasion_indirect_exec_forfiles.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update persistence_service_windows_service_winlog.toml

* Update credential_access_lsass_openprocess_api.toml

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update impact_hosts_file_modified.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

* Update rules/windows/credential_access_lsass_openprocess_api.toml

* Update rules/windows/credential_access_bruteforce_admin_account.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update credential_access_lsass_openprocess_api.toml

* Update impact_hosts_file_modified.toml

* Update credential_access_dollar_account_relay.toml

* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-12-12 14:28:12 +00:00
Jonhnathan 7a54ae33a5 [Rule Tuning] Add Missing Metadata to KEEP conditions (#5442) 
* [Rule Tuning] Add Missing Metadata to KEEP conditions

* Add them all

* ++

* date bump

* Update rules_building_block/discovery_ec2_multi_region_describe_instances.toml
 2025-12-09 17:05:20 -08:00
Jonhnathan 56574c99c3 [Rule Tuning] Potential Masquerading as Svchost (#5439) 
* [Rule Tuning] Potential Masquerading as Svchost

* Update defense_evasion_masquerading_as_svchost.toml

* to_lower

* Update defense_evasion_masquerading_as_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2025-12-09 13:56:38 -08:00
theusername-sudo 3bcacdb4ee Update lateral_movement_scheduled_task_target.toml to fix null values (#5228) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-12-08 18:40:20 +05:30
Samirbous 8ddf8a838e Update defense_evasion_masquerading_as_svchost.toml (#5416) 2025-12-08 12:15:40 +00:00
Samirbous 896b6a214a [Tuning] Rare Connection to WebDAV Target (#5415) 
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
 2025-12-05 22:31:01 +00:00
Jonhnathan b8aedcd7aa [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition (#5391) 
* [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition

* Update defense_evasion_posh_obfuscation_proportion_special_chars.toml

* ++, powershell.file.*

* ++

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-12-05 13:17:02 +01:00
Jonhnathan bc6f9b55f4 [Rule Tuning] Potential PowerShell Obfuscated Script (#5389) 
* [Rule Tuning] Potential PowerShell Obfuscated Script

* Update defense_evasion_posh_obfuscation.toml
 2025-12-02 08:30:54 -08:00
Jonhnathan 6915e3956f [Rule Tuning] Persistence via a Windows Installer (#5386) 2025-12-01 07:54:23 -08:00
Jonhnathan aaf3c93377 [Rule Tuning] Potential System Tampering via File Modification (#5385) 2025-12-01 07:45:03 -08:00
Jonhnathan 85a9c7180d [Rule Tuning] Windows Misc Tuning (#5382) 
* [Rule Tuning] Windows Misc Tuning

* Update execution_suspicious_powershell_imgload.toml

* I need some coffee
 2025-12-01 07:28:25 -08:00
Samirbous 5e1ac4f450 [Tuning] Powershell Atomics test gaps for T1059.001 (#5380) 
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
 2025-12-01 15:06:48 +00:00
Jonhnathan 20d86c8b47 [Rule Tuning] Host File System Changes via Windows Subsystem for Linux (#5383) 2025-12-01 05:06:38 -08:00
Samirbous c3d09165c4 [Tuning] Suspicious Kerberos Authentication Ticket Request (#5364) 
* Update lateral_movement_credential_access_kerberos_correlation.toml

* Update lateral_movement_credential_access_kerberos_correlation.toml
 2025-11-26 18:45:30 +00:00
Samirbous f0e9281854 [New] Potential Masquerading as Svchost (#5305) 
* [New] Potential Masquerading as Svchost

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

* Update defense_evasion_masquerading_as_svchost.toml

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-11-19 12:10:11 +00:00
Samirbous 64cc823481 [Tuning] Outbound Scheduled Task Activity via PowerShell (#5287) 
https://github.com/elastic/detection-rules/issues/5286

Verified cidrmatch on destination.ip works on both integrations (endpoint and sysmon):
 2025-11-17 10:02:50 +00:00
Jonhnathan 8b74ba7136 [Rule Tuning] Remove host.os.type Unit Test Exception (#5317) 2025-11-14 08:46:24 -08:00
Samirbous 7b7082e9f4 [New] Command Obfuscation via Unicode Modifier Letters (#5311) 
* [New] Command Obfuscation via Unicode Modifier Letters

* Update defense_evasion_obf_args_unicode_modified_letters.toml

* Update defense_evasion_obf_args_unicode_modified_letters.toml

* Update defense_evasion_obf_args_unicode_modified_letters.toml

* ++

* Update defense_evasion_obf_args_unicode_modified_letters.toml

* Update defense_evasion_obf_args_unicode_modified_letters.toml
 2025-11-13 21:29:07 +00:00
veritasr3x da9bfd0abc MITRE ATT&CK Sub-Technique Update - Solves Issue #5279 (#5280) 
* Resolves Issue #5279

* Corrected the "updated_date" value

* Put the technique and sub-technique in the correct location

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-11-11 10:26:14 -05:00
shashank-elastic e938ecf41a Refresh Manifest and Schemas November Update (#5298) 2025-11-11 18:04:20 +05:30
Samirbous 34bd88a37e [Tuning] Potential Ransomware Behavior - Note Files by System (#5235) 
* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update rules/windows/impact_high_freq_file_renames_by_kernel.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-11-10 18:22:37 +00:00
Samirbous 085ef447e8 [New] Windows Server Update Service Spawning Suspicious Processes (#5250) 
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

ttps://hawktrace.com/blog/CVE-2025-59287
 2025-11-10 18:10:32 +00:00
Samirbous 598e5c363f [New] Suspicious Kerberos Authentication Ticket Request (#5260) 
* [New] Suspicious Kerberos Authentication Ticket Request

Multi-datasource correlation to detect suspicious Kerberos Authentication Ticket Request from the source machine and the Domain Controller.

* Update lateral_movement_credential_access_kerberos_correlation.toml

* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update lateral_movement_credential_access_kerberos_correlation.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-11-03 15:44:13 +00:00
shashank-elastic 818978975d Prep 9.2 (#5231) 2025-10-17 21:01:13 +05:30
Samirbous 64a8290b37 [New] Potential Command Shell via NetCat (#5221) 
* [New] Potential Command Shell via NetCat

* Update execution_revshell_cmd_via_netcat.toml

* Update execution_revshell_cmd_via_netcat.toml

* Update execution_revshell_cmd_via_netcat.toml

* Update execution_revshell_cmd_via_netcat.toml

* Update execution_revshell_cmd_via_netcat.toml
 2025-10-15 12:30:09 +01:00
Jonhnathan a31fb00614 [Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193) 2025-10-07 08:40:23 -07:00
shashank-elastic 3397b7e707 Monthly Schema Updates (#5187) 2025-10-06 21:39:14 +05:30
Samirbous 29c4c19d59 [Tuning] Startup or Run Key Registry Modification (#5137) 
* [Tuning] Startup or Run Key Registry Modification

high percentage of the FPs are for programfiles and localappdata files in the registry data string value. This tuning should drop FPs/volume significantly.

* Update rules/windows/persistence_run_key_and_startup_broad.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-10-06 09:24:33 +01:00
Samirbous b4e9b48ad7 [New] Suspicious SeIncreaseBasePriorityPrivilege Use (#5150) 
* [New] Suspicious SeIncreaseBasePriorityPrivilege Us

https://github.com/Octoberfest7/ThreadCPUAssignment_POC/tree/main

https://x.com/sixtyvividtails/status/1970721197617717483

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-10-03 16:52:32 +01:00