sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Select branches

Hide Pull Requests

main

7.11

ML-Beaconing-20211130-1

ML-Beaconing-20211216-1

ML-DGA-20201111-1

ML-DGA-20201111-2

ML-DGA-20201111-3

ML-DGA-20201118-1

ML-DGA-20201216-1

ML-DGA-20210421-2

ML-DGA-20210421-3

ML-DGA-20210601-3

ML-DGA-20210602-3

ML-DGA-20210604-4

ML-DGA-20210629-5

ML-DGA-20210706-5

ML-HostRiskScore-20210728-1

ML-HostRiskScore-20210803-1

ML-HostRiskScore-20210826-2

ML-HostRiskScore-20211007-3

ML-HostRiskScore-20220210-4

ML-HostRiskScore-20220215-4

ML-HostRiskScore-20220228-5

ML-HostRiskScore-20220404-5

ML-ProblemChild-20210519-1

ML-ProblemChild-20210520-1

ML-ProblemChild-20210526-1

ML-ProblemChild-20210602-1

ML-URLSpoof-20210804-1

ML-URLSpoof-20210805-1

ML-UserRiskScore-20220628-1

ML-UserRiskScore-20220812-2

ML-experimental-detections-20200506-3

ML-experimental-detections-20201028-1

ML-experimental-detections-20201029-1

ML-experimental-detections-20201118-1

ML-experimental-detections-20201209-1

ML-experimental-detections-20201221-2

ML-experimental-detections-20210527-4

ML-experimental-detections-20210602-4

ML-experimental-detections-20210603-5

ML-experimental-detections-20210804-6

ML-experimental-detections-20210805-6

ML-experimental-detections-20211130-7

apr_2025_updates

aug_2025_updates

august_updates

dev-v0.1.0

dev-v0.1.2

dev-v0.1.3

dev-v0.1.4

dev-v0.1.5

dev-v0.1.6

dev-v0.1.7

dev-v0.2.0

dev-v0.2.1

dev-v0.3.0

dev-v0.3.1

dev-v0.3.10

dev-v0.3.11

dev-v0.3.12

dev-v0.3.13

dev-v0.3.14

dev-v0.3.15

dev-v0.3.16

dev-v0.3.17

dev-v0.3.18

dev-v0.3.19

dev-v0.3.2

dev-v0.3.3

dev-v0.3.4

dev-v0.3.5

dev-v0.3.6

dev-v0.3.7

dev-v0.3.8

dev-v0.3.9

dev-v0.4.0

dev-v0.4.1

dev-v0.4.10

dev-v0.4.11

dev-v0.4.12

dev-v0.4.13

dev-v0.4.14

dev-v0.4.15

dev-v0.4.16

dev-v0.4.17

dev-v0.4.18

dev-v0.4.19

dev-v0.4.2

dev-v0.4.20

dev-v0.4.21

dev-v0.4.22

dev-v0.4.23

dev-v0.4.24

dev-v0.4.25

dev-v0.4.26

dev-v0.4.3

dev-v0.4.4

dev-v0.4.5

dev-v0.4.6

dev-v0.4.7

dev-v0.4.8

dev-v0.4.9

dev-v1.0.0

dev-v1.0.1

dev-v1.0.10

dev-v1.0.13

dev-v1.0.14

dev-v1.0.15

dev-v1.0.16

dev-v1.0.17

dev-v1.0.18

dev-v1.0.2

dev-v1.0.3

dev-v1.0.4

dev-v1.0.5

dev-v1.0.6

dev-v1.0.7

dev-v1.0.8

dev-v1.0.9

dev-v1.1.0

dev-v1.1.1

dev-v1.1.2

dev-v1.1.3

dev-v1.1.4

dev-v1.1.5

dev-v1.1.6

dev-v1.1.7

dev-v1.2.0

dev-v1.2.1

dev-v1.2.10

dev-v1.2.11

dev-v1.2.12

dev-v1.2.13

dev-v1.2.14

dev-v1.2.15

dev-v1.2.16

dev-v1.2.17

dev-v1.2.18

dev-v1.2.19

dev-v1.2.2

dev-v1.2.20

dev-v1.2.21

dev-v1.2.22

dev-v1.2.23

dev-v1.2.24

dev-v1.2.25

dev-v1.2.26

dev-v1.2.3

dev-v1.2.4

dev-v1.2.5

dev-v1.2.7

dev-v1.2.8

dev-v1.2.9

dev-v1.3.0

dev-v1.3.1

dev-v1.3.10

dev-v1.3.11

dev-v1.3.12

dev-v1.3.13

dev-v1.3.14

dev-v1.3.15

dev-v1.3.16

dev-v1.3.17

dev-v1.3.18

dev-v1.3.19

dev-v1.3.2

dev-v1.3.20

dev-v1.3.21

dev-v1.3.22

dev-v1.3.23

dev-v1.3.24

dev-v1.3.25

dev-v1.3.26

dev-v1.3.27

dev-v1.3.28

dev-v1.3.29

dev-v1.3.3

dev-v1.3.30

dev-v1.3.31

dev-v1.3.32

dev-v1.3.33

dev-v1.3.4

dev-v1.3.5

dev-v1.3.6

dev-v1.3.7

dev-v1.3.9

dev-v1.4.0

dev-v1.4.1

dev-v1.4.10

dev-v1.4.11

dev-v1.4.12

dev-v1.4.2

dev-v1.4.3

dev-v1.4.4

dev-v1.4.5

dev-v1.4.6

dev-v1.4.7

dev-v1.4.8

dev-v1.4.9

dev-v1.5.0

dev-v1.5.1

dev-v1.5.10

dev-v1.5.11

dev-v1.5.12

dev-v1.5.13

dev-v1.5.14

dev-v1.5.15

dev-v1.5.16

dev-v1.5.17

dev-v1.5.18

dev-v1.5.19

dev-v1.5.2

dev-v1.5.20

dev-v1.5.21

dev-v1.5.22

dev-v1.5.23

dev-v1.5.24

dev-v1.5.25

dev-v1.5.26

dev-v1.5.27

dev-v1.5.28

dev-v1.5.29

dev-v1.5.3

dev-v1.5.31

dev-v1.5.32

dev-v1.5.33

dev-v1.5.34

dev-v1.5.35

dev-v1.5.36

dev-v1.5.37

dev-v1.5.38

dev-v1.5.39

dev-v1.5.4

dev-v1.5.40

dev-v1.5.41

dev-v1.5.42

dev-v1.5.43

dev-v1.5.44

dev-v1.5.45

dev-v1.5.46

dev-v1.5.47

dev-v1.5.48

dev-v1.5.49

dev-v1.5.5

dev-v1.5.50

dev-v1.5.51

dev-v1.5.52

dev-v1.5.53

dev-v1.5.54

dev-v1.5.56

dev-v1.5.6

dev-v1.5.7

dev-v1.5.8

dev-v1.5.9

dev-v1.6.0

dev-v1.6.1

dev-v1.6.10

dev-v1.6.11

dev-v1.6.12

dev-v1.6.13

dev-v1.6.14

dev-v1.6.15

dev-v1.6.16

dev-v1.6.17

dev-v1.6.18

dev-v1.6.19

dev-v1.6.2

dev-v1.6.20

dev-v1.6.21

dev-v1.6.22

dev-v1.6.23

dev-v1.6.24

dev-v1.6.25

dev-v1.6.26

dev-v1.6.28

dev-v1.6.29

dev-v1.6.3

dev-v1.6.30

dev-v1.6.31

dev-v1.6.32

dev-v1.6.4

dev-v1.6.5

dev-v1.6.6

dev-v1.6.7

dev-v1.6.8

dev-v1.6.9

dev7.10-ML-DGA-v0.1.0

dev7.10-ML-DGA-v0.1.0.zip

dev7.10-abc-v0.1.0

feb_2025_updates

integration-v0.13.1

integration-v0.13.2

integration-v0.13.3

integration-v0.14.1

integration-v0.14.2

integration-v0.14.3

integration-v0.16.1

integration-v0.16.2

integration-v1.0.1

integration-v1.0.2

integration-v7.16.3

integration-v7.16.4

integration-v7.16.5

integration-v8.1.1

integration-v8.10.1

integration-v8.10.10

integration-v8.10.11

integration-v8.10.12

integration-v8.10.13

integration-v8.10.14

integration-v8.10.15

integration-v8.10.16

integration-v8.10.17

integration-v8.10.18

integration-v8.10.2

integration-v8.10.3

integration-v8.10.4

integration-v8.10.5

integration-v8.10.6

integration-v8.10.7

integration-v8.10.8

integration-v8.10.9

integration-v8.11.1

integration-v8.11.10

integration-v8.11.11

integration-v8.11.12

integration-v8.11.13

integration-v8.11.14

integration-v8.11.15

integration-v8.11.16

integration-v8.11.17

integration-v8.11.18

integration-v8.11.19

integration-v8.11.2

integration-v8.11.20

integration-v8.11.21

8dc0963ae6 [Rule Tuning] LSASS Process Access via Windows API (#3824) Joe Desimone 2024-07-04 16:45:46 -04:00
5dcdb368f0 [New Rule] Potential PowerShell Obfuscated Script (#3864) Jonhnathan 2024-07-04 09:26:32 -03:00
208e330b44 [New Rule] Potential PowerShell Obfuscated Script (#3864) Jonhnathan 2024-07-04 09:26:32 -03:00
e027efeb53 [Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806) ar3diu 2024-07-03 17:39:15 +03:00
5048bc26bd [Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806) ar3diu 2024-07-03 17:39:15 +03:00
617991db0b Test case to check updated_date (#3818) shashank-elastic 2024-07-03 19:17:27 +05:30
50f0fb3518 Test case to check updated_date (#3818) shashank-elastic 2024-07-03 19:17:27 +05:30
e36686570f [New Rule] AWS RDS DB Instance Made Public (#3836) Isai 2024-07-03 01:01:52 -04:00
83be212632 [New Rule] AWS RDS DB Instance Made Public (#3836) Isai 2024-07-03 01:01:52 -04:00
85f949539c [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled (#3851) Isai 2024-07-02 17:22:03 -04:00
3a5c5c20a8 [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled (#3851) Isai 2024-07-02 17:22:03 -04:00
634a3f50d5 [New Rule] AWS RDS DB Instance or Cluster Password Modified (#3844) Isai 2024-07-02 16:14:51 -04:00
9f4956f542 [New Rule] AWS RDS DB Instance or Cluster Password Modified (#3844) Isai 2024-07-02 16:14:51 -04:00
8e9f3659ed [New Rule] AWS RDS Snapshot Shared with Another Account (#3831) Isai 2024-07-02 15:36:44 -04:00
43fbf94d8a [New Rule] AWS RDS Snapshot Shared with Another Account (#3831) Isai 2024-07-02 15:36:44 -04:00
594b8a1574 [New Rule] AWS RDS Snapshot Deleted (#3852) Isai 2024-07-02 14:01:15 -04:00
aaf014390b [New Rule] AWS RDS Snapshot Deleted (#3852) Isai 2024-07-02 14:01:15 -04:00
d59d462956 [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#3854) Terrance DeJesus 2024-07-02 13:02:52 -04:00
5ec1428de6 Create an Issue in Kibana for MITRE Updates (#3796) shashank-elastic 2024-07-02 18:57:41 +05:30
30ffe00012 Create an Issue in Kibana for MITRE Updates (#3796) shashank-elastic 2024-07-02 18:57:41 +05:30
6fb82a87e4 [Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction (#3849) Terrance DeJesus 2024-07-01 15:50:12 -04:00
5fe7833312 [Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction (#3849) Terrance DeJesus 2024-07-01 15:50:12 -04:00
c4caabfe07 [Rule Tuning] Unusual File Creation - Alternate Data Stream (#3848) Jonhnathan 2024-07-01 13:45:19 -03:00
d5c34b5750 [Rule Tuning] Unusual File Creation - Alternate Data Stream (#3848) Jonhnathan 2024-07-01 13:45:19 -03:00
0b808211f6 [New Rule] Entra ID Device Code Auth with Broker Client (#3819) Terrance DeJesus 2024-07-01 10:31:26 -04:00
99a4d629c9 [New Rule] Entra ID Device Code Auth with Broker Client (#3819) Terrance DeJesus 2024-07-01 10:31:26 -04:00
b671293b6b [Rule Tuning] Improve Compatibility in WIndows BBR Detection Rules (#3841) Jonhnathan 2024-07-01 10:41:00 -03:00
125084ceec [Rule Tuning] Improve Compatibility in WIndows BBR Detection Rules (#3841) Jonhnathan 2024-07-01 10:41:00 -03:00
d47d87386c [Rule Tuning] AWS RDS Snapshot Restored (#3809) Isai 2024-06-28 20:42:36 -04:00
f62644887e [Rule Tuning] AWS RDS Snapshot Restored (#3809) Isai 2024-06-28 20:42:36 -04:00
28f67e3ace Generate Better Index Keys (#3826) shashank-elastic 2024-06-28 23:18:09 +05:30
949ceccc0f Generate Better Index Keys (#3826) shashank-elastic 2024-06-28 23:18:09 +05:30
408442e185 [Rule Tuning] Multiple Device Token Hashes for Single Okta Session (#3814) Terrance DeJesus 2024-06-28 12:59:24 -04:00
2e3aca62f0 [Rule Tuning] Multiple Device Token Hashes for Single Okta Session (#3814) Terrance DeJesus 2024-06-28 12:59:24 -04:00
a1b34e0211 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845) integration-v8.11.20 github-actions[bot] 2024-06-28 17:49:18 +05:30
aef9fe8ec4 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845) github-actions[bot] 2024-06-28 17:49:18 +05:30
2133e1f1a3 [FR] Limit historical rules to the latest 2 (#3842) Mika Ayenson 2024-06-28 06:42:10 -05:00
357204e1c5 [FR] Limit historical rules to the latest 2 (#3842) Mika Ayenson 2024-06-28 06:42:10 -05:00
c46e92791f [New Rules] Git Hook Execution/File Creation (#3832) Ruben Groenewoud 2024-06-28 11:34:32 +02:00
b311d49c2a [New Rules] Git Hook Execution/File Creation (#3832) Ruben Groenewoud 2024-06-28 11:34:32 +02:00
1c404b7861 [New Rule] DNF Package Manager Plugin File Creation (#3822) Ruben Groenewoud 2024-06-28 11:14:48 +02:00
f33c25b118 [New Rule] DNF Package Manager Plugin File Creation (#3822) Ruben Groenewoud 2024-06-28 11:14:48 +02:00
1dad651fcc [New Rules] rc.local Execution Rules (#3813) Ruben Groenewoud 2024-06-28 09:59:26 +02:00
edc501accf [New Rules] rc.local Execution Rules (#3813) Ruben Groenewoud 2024-06-28 09:59:26 +02:00
96060d50fa Update defense_evasion_microsoft_defender_tampering.toml (#3840) Samirbous 2024-06-28 08:16:11 +01:00
b97069c3e9 Update defense_evasion_microsoft_defender_tampering.toml (#3840) Samirbous 2024-06-28 08:16:11 +01:00
a3eae479ff [New BBR] AWS RDS DB Snapshot Created (#3828) Isai 2024-06-27 23:59:33 -04:00
a8ce53f82f [New BBR] AWS RDS DB Snapshot Created (#3828) Isai 2024-06-27 23:59:33 -04:00
733c138b18 [New Rule & Tuning] Systemd Generator Created (#3801) Ruben Groenewoud 2024-06-27 22:00:48 +02:00
cd4fe07c2c [New Rule & Tuning] Systemd Generator Created (#3801) Ruben Groenewoud 2024-06-27 22:00:48 +02:00
4b88408acf [Rule Tuning] rc.local/rc.common File Creation (#3805) Ruben Groenewoud 2024-06-27 21:50:49 +02:00
e941645b2f [Rule Tuning] rc.local/rc.common File Creation (#3805) Ruben Groenewoud 2024-06-27 21:50:49 +02:00
2f292dacb4 [Rule Tuning] System V Init Script Created (#3811) Ruben Groenewoud 2024-06-27 21:38:34 +02:00
68bf4e453e [Rule Tuning] System V Init Script Created (#3811) Ruben Groenewoud 2024-06-27 21:38:34 +02:00
efd192d5f6 [Rule Tuning] Executable Bit Set for Potential Persistence Script (#3812) Ruben Groenewoud 2024-06-27 21:29:30 +02:00
460b314f49 [Rule Tuning] Executable Bit Set for Potential Persistence Script (#3812) Ruben Groenewoud 2024-06-27 21:29:30 +02:00
9193e4e9ff Trim codeowners (#3829) Justin Ibarra 2024-06-27 11:36:58 -07:00
74dd230e2d Trim codeowners (#3829) Justin Ibarra 2024-06-27 11:36:58 -07:00
61be78d1f6 [Rule Tuning] LSASS Process Access via Windows API (#3839) Jonhnathan 2024-06-27 12:22:13 -03:00
7693d785aa [Rule Tuning] LSASS Process Access via Windows API (#3839) Jonhnathan 2024-06-27 12:22:13 -03:00
2bf7df1890 [New Rule] Privilege Escalation via SUID/SGID (#3793) Ruben Groenewoud 2024-06-27 16:50:09 +02:00
c3ba7b1262 [New Rule] Privilege Escalation via SUID/SGID (#3793) Ruben Groenewoud 2024-06-27 16:50:09 +02:00
de7e0c7e38 [New Rule] User or Group Creation/Modification (#3804) Ruben Groenewoud 2024-06-27 16:35:25 +02:00
0ca16a1516 [New Rule] User or Group Creation/Modification (#3804) Ruben Groenewoud 2024-06-27 16:35:25 +02:00
2c798a1d18 [Rule Tuning] SUID/SGID Bit Set (#3802) Ruben Groenewoud 2024-06-27 16:27:00 +02:00
8d063e1a47 [Rule Tuning] SUID/SGID Bit Set (#3802) Ruben Groenewoud 2024-06-27 16:27:00 +02:00
4daed66479 [New] Microsoft Management Console File from Unusual Path (#3834) Samirbous 2024-06-27 11:32:45 +01:00
17a07020f3 [New] Microsoft Management Console File from Unusual Path (#3834) Samirbous 2024-06-27 11:32:45 +01:00
0e6ec1f961 [New Rule] AD Group Modification by SYSTEM (#3833) Jonhnathan 2024-06-26 18:56:01 -03:00
deb08fd28d [New Rule] AD Group Modification by SYSTEM (#3833) Jonhnathan 2024-06-26 18:56:01 -03:00
8bab0df7bf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825) Jonhnathan 2024-06-26 11:06:27 -03:00
54d5b442cf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825) Jonhnathan 2024-06-26 11:06:27 -03:00
a8a6562872 [New Rules] Yum Plugin Creation / Discovery (#3820) Ruben Groenewoud 2024-06-25 16:14:28 +02:00
6746a421c4 [New Rules] Yum Plugin Creation / Discovery (#3820) Ruben Groenewoud 2024-06-25 16:14:28 +02:00
45e6b901a2 [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) Terrance DeJesus 2024-06-25 09:35:36 -04:00
632e169f7a [Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791) Terrance DeJesus 2024-06-25 09:35:36 -04:00
30f5784613 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) integration-v8.11.19 github-actions[bot] 2024-06-25 17:58:37 +05:30
6f43d1f535 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) github-actions[bot] 2024-06-25 17:58:37 +05:30
a995f27c13 Tune rule to exclude forwarded events. (#3790) James Valente 2024-06-25 07:22:07 -04:00
0726ce41bf Tune rule to exclude forwarded events. (#3790) James Valente 2024-06-25 07:22:07 -04:00
2708a89f20 [New Rule] AWS IAM User Created Access Keys for Another User (#3788) Isai 2024-06-25 00:11:48 -04:00
da8f3e4880 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) Terrance DeJesus 2024-06-21 13:11:23 -04:00
a1015c32e5 Revert "Test case to check updated_date (#3764)" Mika Ayenson 2024-06-21 11:09:05 -05:00
a131e021ed Revert "Test case to check updated_date (#3764)" Mika Ayenson 2024-06-21 11:05:57 -05:00
73a50036b7 Test case to check updated_date (#3764) shashank-elastic 2024-06-21 18:43:32 +05:30
7621a54fcc Test case to check updated_date (#3764) shashank-elastic 2024-06-21 18:43:32 +05:30
c83a5a614b Incorrect Integration Index Check (#3794) shashank-elastic 2024-06-21 18:29:39 +05:30
675cad2ed4 Incorrect Integration Index Check (#3794) shashank-elastic 2024-06-21 18:29:39 +05:30
11aab028dc [Rule Tuning] Okta User Sessions Started from Different Geolocations (#3799) Terrance DeJesus 2024-06-20 16:52:26 -04:00
24358ceb79 [Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule (#3800) Krishna Chaitanya Reddy Burri 2024-06-21 00:47:06 +05:30
e9d7ddfa35 [Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule (#3800) Krishna Chaitanya Reddy Burri 2024-06-21 00:47:06 +05:30
0ab0ea4d10 [New Rule] Potential Privilege Escalation via Service ImagePath Modification (#3757) Jonhnathan 2024-06-20 10:41:53 -03:00
c20318d0d0 [New Rule] Potential Privilege Escalation via Service ImagePath Modification (#3757) Jonhnathan 2024-06-20 10:41:53 -03:00
0e6ebd6e7a [New Rule] NTDS Dump via Wbadmin (#3758) Jonhnathan 2024-06-20 09:55:07 -03:00
236444200b [New Rule] NTDS Dump via Wbadmin (#3758) Jonhnathan 2024-06-20 09:55:07 -03:00
b8c63b0999 [New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748) Jonhnathan 2024-06-20 09:34:27 -03:00
3fd9bae611 [New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748) Jonhnathan 2024-06-20 09:34:27 -03:00
b0c0fa4e35 Create defense_evasion_reg_disable_enableglobalqueryblocklist.toml (#3734) Jonhnathan 2024-06-20 09:23:06 -03:00
6a0ac563a0 Create defense_evasion_reg_disable_enableglobalqueryblocklist.toml (#3734) Jonhnathan 2024-06-20 09:23:06 -03:00
cbc7fb5224 Adding setup templates to the ML rules (#3798) Kirti Sodhi 2024-06-19 10:04:41 -04:00

... 14 15 16 17 18 ...