Commit Graph

  • fcc8aaaf63 [Rule Tuning] Fix missing Winlogbeat index (#3976) Jonhnathan 2024-08-09 12:46:33 -03:00
  • 207dc55ede [Rule Tuning] Windows File-based Rules Tuning (#3963) Jonhnathan 2024-08-09 12:26:58 -03:00
  • f5069763b6 [Rule Tuning] Add System tag to DRs (#3968) Jonhnathan 2024-08-09 11:14:33 -03:00
  • 698e830f9f [Rule Tuning] Removing Minimum Stack Compatibility (#3974) Terrance DeJesus 2024-08-08 11:47:48 -04:00
  • fe9ba15a2a [Rule Tuning] Tuning Suspicious HTML File Creation for Performance (#3480) Terrance DeJesus 2024-08-08 11:12:55 -04:00
  • 25ad765acb [Rule Tuning] Include winlogbeat index in sysmon-related rules (#3966) Jonhnathan 2024-08-08 12:02:23 -03:00
  • d7c7d9b1c3 Interactive Shell Spawned via Hidden Process Sync RTA (#3937) protections machine 2024-08-09 00:12:01 +10:00
  • f47053b904 Suspicious Execution via a Hidden Process Sync RTA (#3938) protections machine 2024-08-09 00:03:49 +10:00
  • ec1f617fdc APT Package Manager Command Execution Sync RTA (#3940) protections machine 2024-08-08 23:49:44 +10:00
  • e277ecd230 Suspicious Execution via setsid and nohup Sync RTA (#3941) protections machine 2024-08-08 23:41:51 +10:00
  • 292d7b9215 Egress Network Connection from DPKG Directory Sync RTA (#3942) protections machine 2024-08-08 23:27:33 +10:00
  • ed9b145ebd System V Init (init.d) Egress Network Connection Sync RTA (#3943) protections machine 2024-08-08 23:18:05 +10:00
  • 3cefbbe057 System V Init (init.d) Executed Binary from Unusual Location Sync RTA (#3944) protections machine 2024-08-08 23:08:55 +10:00
  • fff326a7d4 Egress Network Connection by MOTD Child Sync RTA (#3945) protections machine 2024-08-08 23:00:03 +10:00
  • aea7d578ed Systemd Executing Binary in Unusual Location Sync RTA (#3766) Eric Forte 2024-08-08 08:45:31 -04:00
  • cdc4e21aac Scheduled Job Executing Binary in Unusual Location Sync RTA (#3952) protections machine 2024-08-08 22:31:56 +10:00
  • 0532f9f210 Egress Network Connection from RPM Package Sync RTA (#3951) protections machine 2024-08-08 22:23:22 +10:00
  • ff3d51721a [Rule Tuning] Tuning Persistent Scripts in the Startup Directory (#3479) Terrance DeJesus 2024-08-06 18:42:53 -04:00
  • 47d7a3acaa [DaC] Beta Release (#3889) Eric Forte 2024-08-06 18:07:12 -04:00
  • f9717e71bb Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3961) github-actions[bot] 2024-08-06 19:37:36 +05:30
  • 2ee5ae1f19 Fix Version Bump for Related Integrations (#3960) shashank-elastic 2024-08-06 18:48:24 +05:30
  • a6f1aa6fd7 [Rule Tuning] Windows Registry Rules Tuning - 2 (#3958) Jonhnathan 2024-08-06 08:45:08 -03:00
  • 9b85079da1 [Rule Tuning] Windows Registry Rules Tuning - 1 (#3957) Jonhnathan 2024-08-06 08:35:17 -03:00
  • 11636b159d [New Rule] Outlook Home Page Registry Modification (#3946) Jonhnathan 2024-08-05 11:27:58 -03:00
  • fbaac66f9f [Rule Tuning] Accepted Default Telnet Port Connection (#3954) Jonhnathan 2024-08-03 20:15:06 -03:00
  • 392e813e7a [Rule Tuning] Microsoft IIS Service Account Password Dumped (#3935) Jonhnathan 2024-08-02 16:37:45 -03:00
  • 93d928625d [Tuning] Executable Bit Set for Potential Persistence Script (#3929) Ruben Groenewoud 2024-08-02 21:13:19 +02:00
  • ff3f66cacf [Rule Tuning] AWS S3 Object Versioning Suspended (#3953) Jonhnathan 2024-08-02 13:36:11 -03:00
  • dfdc214be8 [New Rule] Potential Relay Attack against a Domain Controller (#3928) Jonhnathan 2024-08-02 13:03:20 -03:00
  • 8d3ec2b8a3 [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947) Jonhnathan 2024-08-01 14:06:08 -03:00
  • 485312d5f2 [Rule Tuning] System Binary Moved or Copied (#3933) Ruben Groenewoud 2024-08-01 18:47:58 +02:00
  • 62982f9d8c [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#3910) Isai 2024-08-01 00:30:02 -04:00
  • f2eb78219c [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time (#3923) Isai 2024-07-31 16:55:49 -04:00
  • 1b58d0640b [New Rule] AWS EC2 Instance Console Login via Assumed Role (#3922) Isai 2024-07-31 15:52:59 -04:00
  • a28af59d02 [New Rule] AWS EC2 Instance Interaction with IAM Service (#3920) Isai 2024-07-31 15:44:02 -04:00
  • 65cacb4960 [New Rule] Potential Active Directory Replication User Backdoor (#3014) Jonhnathan 2024-07-31 12:02:34 -03:00
  • 134b842361 [Rule Tuning] Removed Endgame from Incompatible Rules (#3931) Ruben Groenewoud 2024-07-31 09:26:38 +02:00
  • 823e8fd140 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3926) github-actions[bot] 2024-07-25 18:38:08 +05:30
  • dce5bbd904 Update Rule minstack (#3925) shashank-elastic 2024-07-25 17:45:55 +05:30
  • f3b0dc1954 Prep for next release 8.16 (#3919) shashank-elastic 2024-07-24 20:49:56 +05:30
  • 896946ad1b [New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#3917) Jonhnathan 2024-07-24 12:01:10 -03:00
  • baee89de9b Revert "Prep for next release 8.16 (#3914)" eric-forte-elastic 2024-07-23 14:06:04 -04:00
  • 4245a815d2 Prep for next release 8.16 (#3914) shashank-elastic 2024-07-23 22:34:03 +05:30
  • 03c99d22d3 Revert "Prep for Release 8.16 (#3913)" Mika Ayenson 2024-07-23 09:50:04 -05:00
  • 01135085f6 Prep for Release 8.16 (#3913) shashank-elastic 2024-07-23 20:12:26 +05:30
  • 5536a78d89 [New Rule] Potential WSUS Abuse for Lateral Movement (#3908) Jonhnathan 2024-07-22 17:04:08 -03:00
  • 6bc1913473 [Rule Tuning] PowerShell Rules (#3903) Jonhnathan 2024-07-22 08:39:40 -03:00
  • a71bbe0cf8 [Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905) Ruben Groenewoud 2024-07-19 15:21:35 +02:00
  • 76fdd549a3 [Rule Tuning] Misc. DR Rule Tuning (#3904) Ruben Groenewoud 2024-07-19 15:13:42 +02:00
  • 322162f097 [New Rule] AWS S3 Bucket Replicated to Another Account (#3895) Isai 2024-07-18 22:52:39 -04:00
  • e9cb2228e6 [New Rule] AWS S3 Object Versioning Suspended (#3894) Isai 2024-07-18 22:14:46 -04:00
  • 80f85cff4d [New Rule] AWS S3 Bucket Server Access Logging Disabled (#3892) Isai 2024-07-18 18:28:19 -04:00
  • 6ac278df0c [tuning] Connection to Commonly Abused Web Services (#3901) Samirbous 2024-07-18 13:59:53 +01:00
  • 1384742f07 [New Rule] Service DACL Modification via sc.exe (#3900) Jonhnathan 2024-07-17 19:39:50 -03:00
  • 39350847d6 [New Rules] Git Hook execution/netcon (#3896) Ruben Groenewoud 2024-07-17 15:28:37 +02:00
  • 83d6eeb844 [New Rule] RPM Package Installed by Unusual Parent Process (#3882) Ruben Groenewoud 2024-07-17 15:12:17 +02:00
  • 8c5910b1a6 [New Rule] Unsafe Docker Container Creation (#3884) Ruben Groenewoud 2024-07-17 15:03:07 +02:00
  • e5d08a2c38 [Rule Tuning] Updated setup guide (#3885) Ruben Groenewoud 2024-07-17 14:39:38 +02:00
  • eca7185901 Remove Rule:Promotion labels and add other relevant labels (#3902) shashank-elastic 2024-07-17 17:41:05 +05:30
  • 56e8e059b6 [New Rules] Docker Entrypoint Netcon / Nsenter Escape (#3883) Ruben Groenewoud 2024-07-15 13:07:36 +02:00
  • 82a0cc80a7 [New Rules] DPKG Execution/Installation (#3879) Ruben Groenewoud 2024-07-15 12:59:03 +02:00
  • ffb68174f9 [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#3887) Jonhnathan 2024-07-15 06:41:45 -03:00
  • 2110ad53f0 [FR] Support new_terms schema import/export w/custom format (#3890) Mika Ayenson 2024-07-12 17:17:09 -05:00
  • bd345d4c19 [Bug] Hunting - Add UTF-8 Encoding for all Read and Write Operations (#3886) Terrance DeJesus 2024-07-11 18:07:14 -04:00
  • 361e97a256 [FR] Add API auth to Kibana module (#3815) Justin Ibarra 2024-07-11 14:19:41 -07:00
  • 44658ea5f6 [Rule Tunings] Change from to prevent double alerts (#3868) Isai 2024-07-11 13:02:10 -04:00
  • f0ab897f99 [Rule Tunings] AWS Administrator Access Policy Attached Rules (#3867) Isai 2024-07-11 12:49:03 -04:00
  • 80ac2794f2 [Rule BugFix] Google Workspace Oauth2 new app (#3436) George Papakyriakopoulos 2024-07-11 17:45:17 +03:00
  • 21485b16fa [Tuning & Changes] Misc rule/hunt tuning (#3875) Ruben Groenewoud 2024-07-11 14:55:33 +02:00
  • c62321f810 [FR] Detection Rule PR Guidelines and Issue Forms (#3850) Mika Ayenson 2024-07-10 17:18:45 -05:00
  • 59a10be7c8 Unit Test to validate from field in toml file (#3866) shashank-elastic 2024-07-10 22:41:53 +05:30
  • 70411664cf [Bug] Normalize Hunting Index Link Generation (#3872) Terrance DeJesus 2024-07-10 11:01:59 -04:00
  • 6e7ece4384 [Rule Tuning] Fix event.action conditions - AD Rules (#3874) Jonhnathan 2024-07-10 10:33:14 -03:00
  • b303b8296b [Rule Tuning] LSASS Memory Dump Creation (#3810) ar3diu 2024-07-10 14:12:38 +03:00
  • ec6038b9d9 Added Schema Check for Data View ID and Index (#3830) Eric Forte 2024-07-09 15:05:12 -04:00
  • 8909a95486 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3880) integration-v8.11.21 github-actions[bot] 2024-07-09 19:13:24 +05:30
  • 6a28881b5f Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3880) github-actions[bot] 2024-07-09 19:13:24 +05:30
  • b66d6e06aa Fix Double Bump For Rule Microsoft Management Console File from Unusual Path (#3878) shashank-elastic 2024-07-09 17:59:51 +05:30
  • 308b755d92 [Rule Tuning] Tune Attempts to Brute Force a Microsoft 365 User Account (#3860) Terrance DeJesus 2024-07-08 13:07:44 -04:00
  • 7f3c977192 [Rule Tuning] Tune Attempts to Brute Force a Microsoft 365 User Account (#3860) Terrance DeJesus 2024-07-08 13:07:44 -04:00
  • a6e4f4ff54 [New Hunt] Persistence through System V Init (#3871) Ruben Groenewoud 2024-07-08 16:35:54 +02:00
  • b230f8372a [New Hunt] Persistence through System V Init (#3871) Ruben Groenewoud 2024-07-08 16:35:54 +02:00
  • 767a81c5b4 [Bug] Persistence ssh key generation index pattern (#3873) Joe Desimone 2024-07-08 09:27:52 -04:00
  • 6a2f5e7138 [Bug] Persistence ssh key generation index pattern (#3873) Joe Desimone 2024-07-08 09:27:52 -04:00
  • 23ae08c0da Use command masquerading in linux_compress rta script (#3782) Jesse Sant 2024-07-07 23:59:00 -07:00
  • c32e17c0e7 Use command masquerading in linux_compress rta script (#3782) Jesse Sant 2024-07-07 23:59:00 -07:00
  • 532245cc20 [New Hunt] Add Initial Linux Hunting Files (#3847) Terrance DeJesus 2024-07-05 14:01:12 -04:00
  • f0b2cb7c87 [New Hunt] Add Initial Linux Hunting Files (#3847) Terrance DeJesus 2024-07-05 14:01:12 -04:00
  • 215d5a0861 [New Rule] AWS S3 Object Encryption Using External KMS Key (#3861) Isai 2024-07-05 12:25:55 -04:00
  • c9f50a2d5c Update defense_evasion_deletion_of_bash_command_line_history.toml (#3614) Samirbous 2024-07-05 12:58:07 +01:00
  • 1d57e0c779 Update defense_evasion_deletion_of_bash_command_line_history.toml (#3614) Samirbous 2024-07-05 12:58:07 +01:00
  • be5dad8941 [New Rule] Linux Shadow File Modification (#3737) Ruben Groenewoud 2024-07-05 10:03:24 +02:00
  • 64f0e258cb [New Rule] Linux Shadow File Modification (#3737) Ruben Groenewoud 2024-07-05 10:03:24 +02:00
  • bc89f5eed5 [New] Sensitive Registry Hive Access via RegBack (#3855) Samirbous 2024-07-05 07:50:23 +01:00
  • 801aab82cc [New] Sensitive Registry Hive Access via RegBack (#3855) Samirbous 2024-07-05 07:50:23 +01:00
  • 38c43f2936 [Tuning] Ransomware over SMB (#3808) Samirbous 2024-07-05 07:26:57 +01:00
  • 15e9c9aa5e [Tuning] Ransomware over SMB (#3808) Samirbous 2024-07-05 07:26:57 +01:00
  • 461e72cf9c [Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3685) Samirbous 2024-07-05 05:46:40 +01:00
  • cd716e5248 [Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3685) Samirbous 2024-07-05 05:46:40 +01:00
  • 328bf38e8b [Rule Tuning] LSASS Process Access via Windows API (#3824) Joe Desimone 2024-07-04 16:45:46 -04:00