security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,423 Commits 1 Branch 0 Tags
dev-v1.5.45
Commit Graph

3423 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mika Ayenson, PhD 25f3d6a879 [FR] Add copilot instructions to catch the gotchas (#5733) 
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-02-18 10:37:00 -06:00
Samirbous 2605d38018 [New] Potential Notepad Markdown RCE Exploitation (#5729) 
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
 2026-02-18 16:19:56 +00:00
Jonhnathan 6d0471768f [Rule Tuning] PowerShell Rules Revamp - 9 (#5706) 
* [Rule Tuning] PowerShell Rules Revamp - 9

* .

* Update defense_evasion_posh_obfuscation_index_reversal.toml

* Update defense_evasion_posh_obfuscation_index_reversal.toml

* update disclaimer

* update tags
 2026-02-18 12:22:24 -03:00
Terrance DeJesus 93d20b1233 [Rule Deprecation] M365 Teams Guest & External Access Rules (#5721) 
Fixes #5720
 2026-02-18 10:00:24 -05:00
Jonhnathan 5d98a212fc [Rule Tuning] Potential Timestomp in Executable Files (#5727) 
* [Rule Tuning] Potential Timestomp in Executable Files

* Update defense_evasion_timestomp_sysmon.toml
 2026-02-18 11:14:54 -03:00
Samirbous 183b337a01 [Tuning] Elastic Agent Service Terminated (#5730) 
* Update defense_evasion_elastic_agent_service_terminated.toml

* Update defense_evasion_elastic_agent_service_terminated.toml
 2026-02-17 22:30:34 +00:00
Isai 386c8f7e7a [New Rule] AWS GuardDuty Member Account Manipulation (#5688) 
* [New Rule] AWS GuardDuty Member Account Manipulation

Detects attempts to manipulate GuardDuty member account relationships within AWS Organizations. This includes actions like `DisassociateFromAdministratorAccount`, `DeleteMembers`, `StopMonitoringMembers`, and `DeleteInvitations` that break centralized security visibility. These actions are often precursors to or alternatives for fully deleting GuardDuty detectors, allowing adversaries to operate undetected in member accounts. The idea for this rule was inspired by defense evasion techniques highlighted in Permiso's research on Scattered Spider, and expanded to include other relevant API calls that could be abused for the same purpose.

Existing Related Coverage: We already detect `DeleteDetector` via defense_evasion_guardduty_detector_deletion.toml. This new rule complements that coverage by catching the manipulation of GuardDuty member relationships, actions that break org-level visibility without requiring full detector deletion.

* toml file name change

* Apply suggestions from code review

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-17 16:32:20 -05:00
Terrance DeJesus 4299831b90 [Rule Tuning] M365 Identity Excessive SSO Login Errors Reported (#5677) 
* [Rule Tuning] M365 Identity Excessive SSO Login Errors Reported
<!-- This issue will be created in repo elastic/detection-rules (https://github.com/elastic/detection-rules). Changing this line has no effect. -->
Fixes #5676

* adjusted file name

* adjusted message to STS codes; removed generic SAML request andresponse codes
 2026-02-17 13:55:24 -05:00
Ruben Groenewoud 0c7e6516f9 [Rule Tuning] System Information Discovery via dmidecode from Parent Shell (#5732) 2026-02-17 17:49:56 +01:00
Terrance DeJesus e94ee9d873 [New Rule] Okta Admin Console Login Failure (#5669) 
Fixes #5668
 2026-02-17 10:01:07 -05:00
Samirbous 41a8256aa3 [tuning] LLM DNS queries (#5709) 
* Update command_and_control_common_llm_endpoint.toml

* Update command_and_control_common_llm_endpoint.toml

* Update command_and_control_common_llm_endpoint.toml

* Apply suggestion from @w0rk3r

* Update command_and_control_common_llm_endpoint.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-02-13 13:54:52 +00:00
Samirbous 60606ecd4e [New] Elastic Defend Alert Followed by Telemetry Loss (#5716) 
* [New] Elastic Defend Alert Followed by Telemetry Loss

Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint
telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate
endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection.

* Update defense_evasion_missing_events_after_alert.toml

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-13 10:00:27 +00:00
Terrance DeJesus 62cc9f105d [Rule Tuning] Okta User Assigned Administrator Role (#5671) 
Fixes #5670
 2026-02-12 09:33:25 -05:00
Ruben Groenewoud 64168f62c1 [New/Tuning] Misc. D4C Rules (#5710) 
* [New/Tuning] Misc. D4C Rules

* Added IGs

* ++

* Update rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @Aegrah

* Update persistence_modification_of_persistence_relevant_files.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2026-02-12 10:52:16 +01:00
Eric Forte f306404fe5 [Bug] CLI adds frequency field to system actions (.cases), causing import failure (#5690) 
* No frequency field to cases
 2026-02-11 15:18:20 -05:00
Eric Forte f74c04d11a [Bug] ESQL validation keep Clause Reported Missing Metadata Fields (#5717) 
* Update Keep Field to Handle Comments

* Update for handling inline comments

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-02-11 15:02:23 -05:00
Jonhnathan 51cf7574a9 [Rule Deprecation] PowerShell Rules (#5707) 
* [Rule Deprecation] PowerShell Rules

* Update defense_evasion_posh_obfuscation_index_reversal.toml
 2026-02-11 16:49:33 -03:00
Jonhnathan 4980a3b50c [Rule Tuning] PowerShell Rules Revamp - 8 (#5705) 
* [Rule Tuning] PowerShell Rules Revamp - 8

* update disclaimer

* Apply suggestion from @w0rk3r

* Update rules/windows/execution_posh_psreflect.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Apply suggestion from @w0rk3r

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-11 16:32:04 -03:00
Jonhnathan 3065b10f91 [Rule Tuning] PowerShell Rules Revamp - 7 (#5704) 
* [Rule Tuning] PowerShell Rules Revamp - 7

* update disclaimer
 2026-02-11 16:02:48 -03:00
Jonhnathan 9be58755ae [Rule Tuning] PowerShell Rules Revamp - 6 (#5700) 
* [Rule Tuning] PowerShell Rules Revamp - 6

* .

* [Rule Tuning] PowerShell Rules Revamp - 7

* Revert "[Rule Tuning] PowerShell Rules Revamp - 7"

This reverts commit 378f8c8b6409ea1e4bad0e86027c05e0a7db9950.

* update disclaimer
 2026-02-11 15:50:49 -03:00
Jonhnathan 20450660df [Rule Tuning] PowerShell Rules Revamp - 5 (#5699) 
* [Rule Tuning] PowerShell Rules Revamp - 5

* Update defense_evasion_posh_obfuscation_backtick.toml

* update disclaimer
 2026-02-11 15:36:48 -03:00
Jonhnathan 2d4d56bf21 [Rule Tuning] PowerShell Rules Revamp - 4 (#5698) 
* [Rule Tuning] PowerShell Rules Revamp - 4

* bump

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update defense_evasion_posh_compressed.toml

* update disclaimer

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-11 15:26:05 -03:00
Jonhnathan 5489c107b0 [New Rule] Potential PowerShell Obfuscated Script via High Entropy (#5554) 
* [New Rule] Potential PowerShell Obfuscated Script via High Entropy

* Update defense_evasion_posh_high_entropy.toml

* Add investigation guide

* Update defense_evasion_posh_high_entropy.toml

* Update defense_evasion_posh_high_entropy.toml

* Update defense_evasion_posh_high_entropy.toml

* Update defense_evasion_posh_high_entropy.toml
 2026-02-11 09:50:19 -03:00
github-actions[bot] df9c27d82e Lock versions for releases: 8.19,9.1,9.2,9.3 (#5708) 2026-02-10 11:14:23 +05:30
shashank-elastic 70d7f2b6b1 Monthly Manifest and Schema Updation (#5697) 2026-02-10 09:17:04 +05:30
Ruben Groenewoud 229f3adf75 [New/Tuning] Misc. New D4C Rules and Tunings (#5692) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [New/Tuning] Misc. New D4C Rules and Tunings

* Added IGs for High Severity Rules

* Apply suggestion from @Aegrah

* ++

* Update discovery_privilege_boundary_enumeration_from_interactive_process.toml

* ++

* Update rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_interactive_file_creation_followed_by_execution.toml

* Some updates based on feedback

* Rule name changes

* ++

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2026-02-09 16:58:27 +01:00
Samirbous 2b5472a9b3 [Tuning/New] Solarwinds Post Exploit (#5696) 
* [Tuning/New] Solawrwinds Post Exploit

https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399

- new rule for tunneling using QEMU
- added few websvc domains .cloud.es.io, files.catbox.moe and  supabase.co
- added javaw to the solarwinds rule
- added ZOHO and Velociraptor to the new term RMM rule.

* Update initial_access_potential_webhelpdesk_exploit.toml

* Update rules/windows/command_and_control_common_webservices.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* ++

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2026-02-09 13:57:52 +00:00
Isai 793d79b063 [New Rule] AWS EC2 Serial Console Access Enabled (#5687) 
* [New Rule] AWS EC2 Serial Console Access Enabled

Detects when an adversary enables the EC2 Serial Console feature at the AWS account level. This technique was documented by Permiso in their LUCR-3 Scattered Spider research as a defense evasion method that provides out-of-band access to EC2 instances, completely bypassing network-based security monitoring, VPCs, and security groups. Enabling serial console access is extremely rare in production environments, making this a high-signal detection with minimal false positive risk. I've tested this query against alert and prod telemetry and found rare instances.

Existing Related Coverage: We already detect `SendSerialConsoleSSHPublicKey` via lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml, which catches the usage of serial console. This new rule closes the gap by detecting the enablement of serial console access, the prerequisite step that must occur before an attacker can leverage this out-of-band channel.

* raising severity and risk score
 2026-02-06 17:34:55 -05:00
Mika Ayenson, PhD ac6ead4346 [Rule Tuning] Update LLM Verdict for COMPLETION Rules 2026-02-06 11:25:22 -06:00
Colson Wilhoit 43d3f3b467 [New] Endpoint Rule Conversion PR (#5658) 
* update

* [New] Endpoint Rule Conversion PR

* fix: replace invalid rule_ids with valid UUIDs

* fix: remove malformed TOML in docker_outbound_connection rule

* fix: rename Security Software Discovery rule to avoid name collision

* fix: remove rule using unsupported 'as event' alias syntax

* fix: add timestamp_override, investigation guides, and fix MITRE mapping

- Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
- Added '## Triage and analysis' investigation guides to 19 high-severity rules
- Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'

* Enhance investigation guides for 19 high-severity macOS SIEM rules

Enhanced investigation guides to align with existing SIEM rule format:
- Added detailed context paragraphs explaining the threat and detection logic
- Expanded investigation steps to 6-7 items with specific field references
- Enhanced false positive analysis with 4-5 items and exclusion guidance
- Added comprehensive response and remediation steps (6-7 items)

Rules enhanced:
- Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
- Persistence: shell_profile, hidden_plist, chromium_extension, startup_item,
  pkg_install_script, launch_agent_daemon
- Execution: unusual_library_python
- Lateral Movement: jamf_endpoint
- Command and Control: google_calendar_c2, oast_domain, etherhiding,
  curl_from_app, curl_google_script, unsigned_binary
- Collection: pbpaste, sensitive_file_compression

* Fix investigation guide tests: add Resources tag and fix OAST title

- Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
- Fixed OAST rule investigation guide title to match rule name exactly:
  'Network Connection to OAST Domain via Script Interpreter'

* Remove duplicate detection_rules 2 folder from PR

* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule

Changes:
- Convert AWS S3 connection rule to ES|QL with aggregation
- Consolidate Python + Node non-standard port rules into single script interpreter rule
- Fix Gatekeeper rule to use correct gatekeeper_override event
- Simplify Gatekeeper rule to single event per Samir's suggestion
- Convert TCC access rule to ES|QL with COUNT_DISTINCT
- Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
- Add node to system/network config check rule

Deleted duplicates (covered by existing cross-platform rules):
- Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
- Security software via grep (tuned cross-platform version instead)
- VM fingerprinting via grep (duplicate of cross-platform version)

* fix: ESQL formatting and wildcard versioning patterns

- Add Esql. prefix to computed fields in ESQL rules
- Add KEEP statements to ESQL rules for proper field visibility
- Add perl* wildcard to OAST domain rule for version consistency
- Add ruby* wildcard to Etherhiding C2 rule for version consistency
- Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)

* fix: remove duplicate Script Interpreter rule

Delete command_and_control_suspicious_outbound_python_network.toml which
is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml
(same rule_id: aa1e007a-2997-4247-b048-dd9344742560)

* fix: add timestamp_override to Pbpaste and Gatekeeper rules

- collection_pbpaste_execution_via_unusual_parent.toml
- defense_evasion_gatekeeper_override_and_execution.toml

EQL/KQL rules require timestamp_override: event.ingested

* fix: remove perl from Script Interpreter rule

Perl is covered by the broader perl_outbound_network_connection rule which
catches perl → any external IP (not just non-standard ports). Perl network
connections on macOS are rare and inherently suspicious regardless of port.

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_manual_chromium_extension_loading.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_startup_item_plist_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix ESQL syntax error in AWS S3 connection rule

Remove trailing comma before BY clause in STATS command that caused a parsing_exception.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-06 10:53:44 -06:00
Ruben Groenewoud 440ff43810 [Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules (#5685) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules
 2026-02-06 09:38:56 +01:00
Isai 1c59a6adde [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5657) 
* [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded

This rule was very loud in telemetry since it's last tuning. ~8,938 alerts in last 24 hours. All false positives due to regex pattern matches for file names like `enc` as part of /filetransfertmsadherence/ and absence/; `lock` as part of citations-blocks/.

I've reworked this rule based on more research into common ransom note file name keywords and replaced the list here with the most common keywords. For `file` (the most common) and `back`, I was still seeing false positives so decided to alert on a combination of either or these 2 words in conjunction with any of the other words from the list. I also changed the regex to be case-insensitive.

With this new query, I see only true positive results within the last year all from known testing events.

I changed the toml file name so the rule looks new but it is just tuned.

I've updated the description and investigation guide, and added the study I used as a reference: https://www.mdpi.com/2073-431X/10/11/145#computers-10-00145-f002

Test data is in our stack, script for executing is here:

Screenshot of new working query in our test stack

* Apply suggestions from code review

* removing redundany regex pattern
 2026-02-05 21:34:38 -05:00
yuriShafet 64cca9e1ba [Rule Tuning] Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score (#5523) (#5686) 
Add EQL exclusions for benign activity:
Opera GX renderer children,
Slack creating slack children,
Node using playwright to create chrome process
Python editors accessing reg.exe
Logitech manager activity
 and Zabbix script paths.
 2026-02-05 15:54:26 -05:00
Colson Wilhoit 80968035bb MacOS detection rules tuning (#5667) 
* Sync macOS detection rules with endpoint-rules logic

- Fix Bifrost Kerberos query logic (broken parentheses grouping)
- Add authenticate pattern and NinjaRMM exclusion to osascript phishing rule
- Update SCP privacy bypass to use 127.0.0.? loopback pattern
- Add wildcard EndpointSecurity pattern to kext unload rule

* Fix Safari settings rule to use targeted approach

- Change from broad catch-all with exclusions to targeted dangerous settings
- Only detect IncludeDevelopMenu and JavaScript setting changes
- Reduces false positives from benign Safari preference changes

* Add Parallels Desktop exclusion to Hosts File Modified rule

- Excludes /Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd (5,074 alerts in 90 days)
 2026-02-05 11:20:16 -06:00
Ruben Groenewoud 64a08cd6af [New Rules] Misc. K8s RBAC Abuse Rules (#5673) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [New Rules] Misc. K8s RBAC Abuse Rules

* --

* Update non-ecs-schema

* Update to make unit tests happy

* Mitre mapping updates

* Fix query logic for service account role bindings

* Fix formatting in persistence_service_account_bound_to_clusterrole rule
 2026-02-05 17:42:03 +01:00
Ruben Groenewoud 694376bd7a [Bug] Fix UTF-8 Encoding for Rule File Operations (#5684) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [Bug] Fix UTF-8 Encoding for Rule File Operations
 2026-02-05 14:21:30 +01:00
Samirbous 00159a3eca [Tuning] M365 Exchange Inbox Phishing Evasion Rule Created (#5648) 
* Update defense_evasion_exchange_new_inbox_rule_delete_or_move.toml

* Update defense_evasion_exchange_new_inbox_rule_delete_or_move.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2026-02-05 10:02:57 -03:00
Ruben Groenewoud 3cba3d7982 [Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [Rule Tuning] Dormant & Deprecated Rule Clean-Up

* [Rule Tuning] Dormant & Deprecated Rule Clean-Up

* Few more deprecations

* ++

* Update unit test syntax fix

* Update bad bytes

* ++
 2026-02-05 13:24:21 +01:00
Mika Ayenson, PhD aff945cb70 [New Rules] ESQL LLM-Based Alert Triage Rules (#5656) 
---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2026-02-04 14:32:36 -06:00
Mika Ayenson, PhD 94c17dff59 [New Rule] Execution via OpenClaw Agent (#5666) 2026-02-04 14:02:52 -06:00
ailiffa e6fafc914e [Rule Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion (#5592) 
* [Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion

- Add Downloads folder to the suspicious paths list
- Modify directory matching logic from endswith~ to startswith~ to detect DLLs loaded from subdirectories of the executable's location

* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

Swap back to "endswith" and add chrome_elf.dll coverage.

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2026-02-04 14:16:14 -03:00
Samirbous 2b8fb44cb5 [New] SolarWinds Web Help Desk Java Module Load or Child Process (#5665) 
* [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.

https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

https://github.com/rapid7/metasploit-framework/pull/20917

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-04 16:09:55 +00:00
Mika Ayenson, PhD f6454e93e8 Update (#5675) 2026-02-04 09:15:53 -06:00
Samirbous fda9f00c2b [Tuning] M365 Exchange Inbox Forwarding Rule Created (#5647) 
* Update collection_exchange_new_inbox_rule.toml

* Update collection_exchange_new_inbox_rule.toml

* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-04 13:50:55 +00:00
Samirbous d42ebdc3e6 [Tuning] Component Object Model Hijacking (#5651) 
* Update persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml
 2026-02-04 13:23:40 +00:00
Samirbous ed089d5d76 [Tuning] Svchost spawning Cmd (#5649) 
* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml
 2026-02-04 12:42:50 +00:00
Samirbous 362c459094 [New] Multiple Machine Learning Alerts by Influencer Field (#5660) 
* [New] Multiple Machine Learning Alerts by Influencer Field

This rule uses alerts data to determine when multiple different machine learning alerts involving the same influencer field are triggered. Analysts can use this to prioritize triage and response, as these entities are more likely to be more suspicious.

* Update multiple_machine_learning_jobs_by_entity.toml

* Update multiple_machine_learning_jobs_by_entity.toml

* Update non-ecs-schema.json

* Update multiple_machine_learning_jobs_by_entity.toml

* Update non-ecs-schema.json
 2026-02-04 12:25:59 +00:00
Sergey Polzunov 59e394f36b [doc fix] Adjust wording in the docs for Kibana import/export commands (#5600) 
* Wording fix

* Version bump

* Style fixes

* Style fix for tests
 2026-02-04 11:17:58 +01:00
Ruben Groenewoud c455d3d98a [Rule Tuning] Full Kubernetes Ruleset (#5659) 
* [Rule Tuning] Full Kubernetes Ruleset

* ++

* Update manifests & schemas

* Update pyproject.toml

* Added "kubernetes.audit.userAgent" to non_ecs

* Updated kubernetes.audit.requestObject.spec.containers.image of type text to Keyword

* Apply suggestion from @Aegrah

* Apply suggestion from @Aegrah

* Update privilege_escalation_pod_created_with_hostnetwork.toml

* Apply suggestion from @Aegrah

* Update privilege_escalation_pod_created_with_hostipc.toml

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* ++

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-04 10:42:41 +01:00
Ruben Groenewoud 7c03840737 [New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [New Rules] Misc. D4C Rules related to (un)authenticated API Access

* Apply suggestion from @Aegrah

* [New Rule] Kubelet Certificate File Access Detected via Defend for Containers

* [New Rule] Kubeletctl Execution Detected via Defend for Containers

* [New Rule] Potential Kubeletctl Execution Detected via Defend for Containers

* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt Detected

* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected

* [New Rule] Kubernetes Anonymous User Create/Update/Patch Pods Request

* [New Rule] Potential Cluster Enumeration via jq Detected via Defend for Containers

* Apply suggestion from @Aegrah

* Update execution_kubeletctl_execution.toml
 2026-02-04 09:58:42 +01:00