Commit Graph

  • afbca3ee75 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4147) github-actions[bot] 2024-10-09 20:56:57 -05:00
  • 06319b7a13 [Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146) Terrance DeJesus 2024-10-09 21:08:38 -04:00
  • 4edef2ea80 [FR][DAC] Import Rules Verbose Message (#4093) Eric Forte 2024-10-09 17:19:59 -04:00
  • 281926052c [Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126) Terrance DeJesus 2024-10-09 15:25:36 -04:00
  • 7674229f49 [New Rule] Successful Application SSO from Rare Unknown Client Device (#4141) Terrance DeJesus 2024-10-07 12:11:57 -04:00
  • 50e23ba242 [Hunting] Re-factor Hunting Library Code (#4085) Terrance DeJesus 2024-10-03 12:47:40 -04:00
  • 45a347580c [Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118) Terrance DeJesus 2024-10-02 15:50:22 -04:00
  • 51859e57f3 Sync RTA Base64 or Xxd Decode Argument Evasion (#4113) protections machine 2024-10-02 03:40:34 +10:00
  • e6646790d5 Sync RTA Suspicious Echo Execution (#4110) protections machine 2024-10-02 03:27:13 +10:00
  • 264938236c Sync RTA Hexadecimal Payload Execution (#4109) protections machine 2024-10-02 03:17:04 +10:00
  • 9e539e82f4 Sync RTA Potential Process Injection via dd (#4108) protections machine 2024-10-02 03:06:56 +10:00
  • 37ba89bc3e Sync RTA Linux Telegram API Request (#4107) protections machine 2024-10-02 02:58:29 +10:00
  • 80143b23b2 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4116) github-actions[bot] 2024-10-01 18:14:03 +05:30
  • a68a404bd8 Update defense_evasion_posh_assembly_load.toml (#4112) Samirbous 2024-10-01 13:00:38 +01:00
  • 5b41bbd5e9 [Tuning] Updated references (#4114) Ruben Groenewoud 2024-10-01 13:43:14 +02:00
  • ef4e433d97 [Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Microsoft 365 Rules (#4105) Terrance DeJesus 2024-09-28 18:13:03 -04:00
  • 1d1b2eb90f Update command_and_control_tunnel_vscode.toml (#4104) Samirbous 2024-09-28 11:46:46 +01:00
  • ef95a541f4 Fix GenAI Request Model ID Field (#4111) shashank-elastic 2024-09-27 21:59:02 +05:30
  • a3e89a7fab [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) (#4106) Ruben Groenewoud 2024-09-27 14:48:03 +02:00
  • b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097) Mika Ayenson 2024-09-25 15:19:20 -05:00
  • 0ed6b3f0a2 [Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094) Isai 2024-09-24 09:32:12 -04:00
  • fab842b414 Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4091) github-actions[bot] 2024-09-19 23:25:32 +05:30
  • e2f1fcefa8 Add flag to update the docs/ATT&CK-coverage.md with markdown URL(s) (#4077) shashank-elastic 2024-09-19 23:12:01 +05:30
  • 5e0fb4a63e [Tuning] Add logs-panw.panos index to Network rules (#4089) Samirbous 2024-09-19 08:01:44 +01:00
  • df31c002ca [Bug] Handle formatting empty list (#4086) Mika Ayenson 2024-09-17 13:25:17 -05:00
  • def2a9ef09 [New] ROT encoded Python Script Execution (#4084) Samirbous 2024-09-17 16:52:46 +01:00
  • 9181c00586 [New Hunt] Add Initial Okta Hunting Queries (#4064) Terrance DeJesus 2024-09-16 14:36:44 -04:00
  • 574064272d Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4082) github-actions[bot] 2024-09-16 21:43:16 +05:30
  • 814130bf34 min_stack New Rules that use the S1 Integration (#4081) shashank-elastic 2024-09-16 20:12:09 +05:30
  • 7c78e4081f [Rule Tuning] min_stack New Rules that use the S1 Integration (#4079) Jonhnathan 2024-09-16 11:02:46 -03:00
  • 31ca246ea7 [New] Potential Foxmail Exploitation (#4044) Samirbous 2024-09-16 12:29:40 +01:00
  • 41a7a5f049 [New] Execution via Windows Command Debugging Utility (#3918) Samirbous 2024-09-16 09:14:39 +01:00
  • f26d7fc81b [New] Persistence via a Windows Installer (#4055) Samirbous 2024-09-16 07:50:57 +01:00
  • b60b6e2af3 [New] Attempt to establish VScode Remote Tunnel (#4061) Samirbous 2024-09-16 07:39:39 +01:00
  • 3a3400c8e5 [New] MsiExec Service Child Process With Network Connection (#4062) Samirbous 2024-09-15 20:22:44 +01:00
  • 56fc2beb46 [New] Suspicious PowerShell Execution via Windows Scripts (#4060) Samirbous 2024-09-15 19:51:21 +01:00
  • b6162abefa [New] WPS Office Exploitation via DLL Hijack (#4043) Samirbous 2024-09-15 11:23:35 +01:00
  • 9255dafe53 [New] Detonate LNK TOP Rules (#4058) Samirbous 2024-09-15 10:49:17 +01:00
  • bb9a772870 [New Rule] Okta Public Client App OAuth Token Request with Client Credentials (#4074) Terrance DeJesus 2024-09-13 14:57:49 -04:00
  • cad3865fcf [New] Potential Escalation via Vulnerable MSI Repair - CVE-2024-38014 (#4076) Samirbous 2024-09-13 17:57:44 +01:00
  • c3160b9279 [New Rule] PowerShell Script with Windows Defender Tampering Capabilities (#4075) Jonhnathan 2024-09-13 11:51:19 -03:00
  • eda179bbe1 Skip Development Rules from Security Docs (#4073) shashank-elastic 2024-09-13 19:57:00 +05:30
  • 3e25ea8c2b [New Rule] AWS Bedrock Detections (#4072) shashank-elastic 2024-09-13 19:46:47 +05:30
  • df1f0bc98e [New Rule] Add Jamf Protect detection rules (#4047) Thijs Xhaflaire 2024-09-12 22:03:56 +02:00
  • 29051c2e33 [New Rule] Cross Platform: AWS SendCommand API Call with Run Shell Command Parameters (#4052) Terrance DeJesus 2024-09-11 13:40:25 -04:00
  • 8618b1ad73 Support toml lint for investigate transforms (#4066) shashank-elastic 2024-09-11 20:45:36 +05:30
  • 127a56aede [Rule Tuning] Remote Execution via File Shares (#4067) Jonhnathan 2024-09-11 10:49:41 -03:00
  • a8dd78d834 Sync RTA Hidden Executable Initiated Egress Network Connection (#4070) protections machine 2024-09-11 22:57:18 +10:00
  • 4cab0e7d04 Sync RTA Socat Reverse Shell or Listener Activity (#4071) protections machine 2024-09-11 22:44:29 +10:00
  • 6a76bbb8d2 Sync RTA Potential Persistence via Direct Crontab Modification (#4069) protections machine 2024-09-11 22:14:37 +10:00
  • 09a6803804 Sync RTA Kill Command Executed from Binary in Unusual Location (#4068) protections machine 2024-09-11 22:00:07 +10:00
  • dc9c58527f [Tuning] Unusual Network Activity from a Windows System Binary (#4065) Samirbous 2024-09-10 17:30:56 +01:00
  • 8d27b6069b [Rule Tuning] M365/Azure Brute-Forcing New Rule and Tuning; Deprecate Similar Rule (#4057) Terrance DeJesus 2024-09-10 11:26:40 -04:00
  • 0a08f5e677 [New Rule] New Microsoft 365 Impossible Travel Rules and Deprecation (#4054) Terrance DeJesus 2024-09-05 17:36:56 -04:00
  • e30dc312e4 [Tuning] Potential Execution via XZBackdoor (#4053) Samirbous 2024-09-05 20:13:32 +01:00
  • be611be8b3 [New Rule] Instance Metadata Service (IMDS) API Requests - Linux (#4005) Terrance DeJesus 2024-09-05 10:08:32 -04:00
  • ba58a1e7cc [New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988) Terrance DeJesus 2024-09-04 10:08:44 -04:00
  • 9f964b68a4 [New Rule] Root Certificate Installation (#4025) Ruben Groenewoud 2024-09-03 17:40:17 +02:00
  • 6a1ba19f7c Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4050) github-actions[bot] 2024-09-03 17:40:44 +05:30
  • a53f7d55a3 Testcase to check if Rule Type: BBR tag is present for all BBR rules (#4048) shashank-elastic 2024-09-02 21:29:31 +05:30
  • b3a75899d5 [New Rule] SELinux Configuration Creation or Modification (#4024) Ruben Groenewoud 2024-09-01 10:14:59 +02:00
  • 162b4e7be8 [New Rule] Access Control List Modification via setfacl (#4009) Ruben Groenewoud 2024-09-01 09:58:50 +02:00
  • fb07033159 [New Rule] Attempt to Disable Auditd Service (#4028) Ruben Groenewoud 2024-09-01 09:51:13 +02:00
  • 30cd1b6a00 [New Rule] Potential Defense Evasion via Doas (#4027) Ruben Groenewoud 2024-08-29 21:19:13 +02:00
  • 19b4a4d7dd [New Rule] SSL Certificate Deletion (#4026) Ruben Groenewoud 2024-08-29 21:10:59 +02:00
  • 1ff26cf53e [New Rule] New Rules AWS Multi-Region Discovery of EC2 Instances and Quotas (#4015) Terrance DeJesus 2024-08-28 13:42:32 -04:00
  • 3e831b82c3 Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#4029) Samirbous 2024-08-28 16:33:44 +01:00
  • 0c38662cf3 [FR] [DAC] Add Support for Known Types to Auto-generated Schemas (#3985) Eric Forte 2024-08-28 10:48:00 -04:00
  • f7b7a04d53 [FR] Add Better Error Handling for CUSTOM_RULES_DIR (#3990) Eric Forte 2024-08-28 10:30:45 -04:00
  • 6aaccc64a6 [New Rule] AWS CLI Command with Custom Endpoint URL (#4002) Terrance DeJesus 2024-08-28 09:58:08 -04:00
  • e60c21b37b [Rule Tuning] Enumeration of Privileged Local Groups Membership (#4016) Jonhnathan 2024-08-27 09:54:19 -03:00
  • cb739fb161 Sync RTA Linux Production Tuning (#4014) protections machine 2024-08-27 04:27:42 +10:00
  • ba76c20b3d Update import rules to repo help text. (#4013) Eric Forte 2024-08-26 10:20:32 -04:00
  • 70c3a6f7b1 [Rule Tuning] Potential privilege escalation via CVE-2022-38028 (#4004) Jonhnathan 2024-08-22 15:32:28 -03:00
  • 162a48c97f [New Rule] Openssl Client or Server Activity (#3930) Ruben Groenewoud 2024-08-22 16:53:31 +02:00
  • dfbf86e853 Update ProblemChild detection rules with High and Low probability (#4000) Kirti Sodhi 2024-08-22 09:17:41 -04:00
  • b6b6f6b482 [New Rule] First Occurrence AWS STS Temporary Credential Request by User (#3991) Terrance DeJesus 2024-08-21 20:17:10 -04:00
  • 5493165440 [New Rule] AWS Signin Single Factor Console Login via Federated Session (#3992) Terrance DeJesus 2024-08-21 18:19:54 -04:00
  • 589aa33508 [Bug] Add historical Rules as Default when Build Package (#4003) Eric Forte 2024-08-21 18:00:02 -04:00
  • c77356c0f2 Refresh Integration Manifest and Schema (#4001) shashank-elastic 2024-08-21 22:24:05 +05:30
  • fbe47298cf Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3997) august_updates github-actions[bot] 2024-08-20 23:46:25 +05:30
  • 0c25cfb82e Remove unused @click.pass_context (#3996) shashank-elastic 2024-08-20 23:11:22 +05:30
  • 760d9f6398 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3995) github-actions[bot] 2024-08-20 21:32:43 +05:30
  • 2559b7bb41 [Rule Tuning] Tuning AWS Rules for SAML Provider Updates and Assumed Roles via STS (#3898) Terrance DeJesus 2024-08-20 11:53:46 -04:00
  • d3dc231315 Refresh ECS, Beats manifest and schemas (#3993) shashank-elastic 2024-08-20 20:45:20 +05:30
  • 10ba6ad5a6 [FR] Add Alert Suppression for Additional Rule Types (#3986) Mika Ayenson 2024-08-15 15:03:45 -05:00
  • 4c44f98cd6 [Rule Tuning] LSASS Process Access via Windows API (#3975) Jonhnathan 2024-08-14 11:42:18 -03:00
  • 400b4dbd23 [Bug] [DAC] Fix Kibana action connector export to export details with action connectors (#3984) Eric Forte 2024-08-13 14:28:17 -04:00
  • 3500c3db15 [Rule Tuning] Tuning Direct Outbound SMB Connection (#3485) Terrance DeJesus 2024-08-13 13:53:07 -04:00
  • 74d8186aeb [Rule Tuning] Tuning MsBuild Making Network Connections (#3482) Terrance DeJesus 2024-08-13 12:55:08 -04:00
  • f4c6939987 Fix Attribute Issue in RTA common.py (#3983) shashank-elastic 2024-08-13 21:32:45 +05:30
  • b0fd8659a2 Fix Windows Path for file (#3981) shashank-elastic 2024-08-13 20:46:28 +05:30
  • d0597e4260 Create Nested Directories (#3980) Eric Forte 2024-08-13 09:40:49 -04:00
  • e607d521b8 Add Unit Test test_index_or_data_view_id_present (#3967) shashank-elastic 2024-08-12 17:48:05 +05:30
  • c58ae92dd1 [New Rule] Dynamic Linker Creation or Modification (#3969) Ruben Groenewoud 2024-08-10 10:25:55 +02:00
  • 55e81c1169 [Rule Tuning] Attempt to Disable IPTables or Firewall (#3972) Ruben Groenewoud 2024-08-10 10:18:11 +02:00
  • b6ffb10ab2 [Rule Tuning] System Log File Deletion (#3970) Ruben Groenewoud 2024-08-10 10:04:56 +02:00
  • 6e3e5f6373 [Rule Tuning] Potential Disabling of AppArmor (#3971) Ruben Groenewoud 2024-08-10 09:51:45 +02:00
  • 8950d33539 [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#3964) Jonhnathan 2024-08-09 13:23:16 -03:00
  • 20f4242566 [Rule Tuning] Simple KQL to EQL Conversion (#3948) Jonhnathan 2024-08-09 13:11:27 -03:00