Commit Graph

  • 1c6e5a3448 [New Rule] Suspicious Inter-Process Communication via Outlook (#2458) Samirbous 2023-01-25 17:44:32 +00:00
  • 1a5e64ce13 [New Rule] T1543.003 - Unsigned DLL Loaded by Svchost (#2477) Samirbous 2023-01-25 17:11:38 +00:00
  • bcd8ef15ba [New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409) Samirbous 2023-01-25 13:23:20 +00:00
  • 8427c8cd22 Create credential_access_suspicious_lsass_access_generic.toml (#2487) Samirbous 2023-01-25 09:43:35 +00:00
  • 3b2d1af051 new guided onboarding rule (#2492) Terrance DeJesus 2023-01-24 11:26:28 -05:00
  • f804c29f6d [New Rule] PowerShell Script with Encryption/Decryption Capabilities (#2489) Jonhnathan 2023-01-24 12:26:11 -03:00
  • 644a094503 Group Policy Object Discovery through gpresult.exe (#2483) Ruben Groenewoud 2023-01-24 12:10:57 +01:00
  • fc30b5881f [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities (#2465) Jonhnathan 2023-01-24 07:58:48 -03:00
  • 92ae27600f [New Rule] PowerShell Mailbox Collection Script (#2461) Jonhnathan 2023-01-24 07:54:55 -03:00
  • 0aa87d7f4a [Rule Tuning] Unusual Process For a Linux Host (#2445) Jonhnathan 2023-01-23 21:03:29 -03:00
  • 77c8665f11 [Rule Tuning] Add endgame support for Linux Rules (#2436) Jonhnathan 2023-01-23 20:53:15 -03:00
  • 7cde7901e3 [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions (#2478) Jonhnathan 2023-01-23 20:35:43 -03:00
  • 729ecf8b58 [New Rule] PowerShell Invoke-NinjaCopy script (#2488) Jonhnathan 2023-01-23 20:00:57 -03:00
  • e3ff45e20c [New Rule] System Time Discovery (#2475) Ruben Groenewoud 2023-01-18 13:01:57 +01:00
  • e5d81e77f7 [New Rule] Add Google Workspace Alert Center Promotional Rule (#2471) Terrance DeJesus 2023-01-17 12:09:13 -05:00
  • d81bc25d09 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2468) github-actions[bot] 2023-01-13 15:20:23 -05:00
  • b61da98f97 [Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 (#2467) Terrance DeJesus 2023-01-13 13:29:28 -05:00
  • 0e535e5931 [Rule Tuning] Remove unreleased timeline from alert correlation rules (#2462) Jonhnathan 2023-01-12 07:10:59 -08:00
  • cb88ad715c [New Rule] Exchange Mailbox via PowerShell (#2459) Samirbous 2023-01-11 16:45:20 +00:00
  • 8afda66487 [Rule Tuning] Suspicious WerFault Child Process (#2437) Samirbous 2023-01-11 16:41:57 +00:00
  • 9121a25b02 Update collection_email_powershell_exchange_mailbox.toml (#2457) Samirbous 2023-01-11 16:29:01 +00:00
  • 6acc0f9b11 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2455) github-actions[bot] 2023-01-10 09:50:41 -05:00
  • 4124a82496 [Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules (#2449) Jonhnathan 2023-01-10 04:37:07 -08:00
  • 7725e32126 [Security Content] Fix Osquery Markdown Plugin Escaped queries (#2447) Jonhnathan 2023-01-09 09:45:31 -08:00
  • 9981cca275 [Security Content] Investigation Guides Line breaks refactor (#2454) Jonhnathan 2023-01-09 08:28:10 -08:00
  • b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) Terrance DeJesus 2023-01-09 10:44:54 -05:00
  • d1481e1a88 [Security Content] Investigation Guides Line breaks refactor (#2412) Jonhnathan 2023-01-09 06:56:39 -08:00
  • 896a25bc0f Refactor file path name (#2452) shashank-elastic 2023-01-05 22:10:55 +05:30
  • bdffab5722 adding initial solution (#2448) Terrance DeJesus 2023-01-04 12:28:34 -05:00
  • 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) Terrance DeJesus 2023-01-04 09:30:07 -05:00
  • 46eccea704 [New Rule] Suspicious Module Loaded by LSASS (#2441) Samirbous 2023-01-04 07:56:07 +00:00
  • 3dbb87e46c Update credential_access_kerberoasting_unusual_process.toml (#2444) Samirbous 2023-01-04 07:50:04 +00:00
  • 73ebdb64c3 Update privilege_escalation_persistence_phantom_dll.toml (#2443) Samirbous 2023-01-04 07:46:59 +00:00
  • 953e8d98ae [Bug] Adjust Kibana Path for File System Rules (#2397) Terrance DeJesus 2023-01-03 14:54:24 -05:00
  • 0acbe1d832 [New Rule] Multiple Alerts Involving a User (#2401) Jonhnathan 2023-01-03 07:25:40 -08:00
  • be884a1cf3 [Rule Tuning] Screensaver Plist File Modified by Unexpected Process (#2413) Mika Ayenson 2022-12-22 10:27:10 -05:00
  • 7cf14dd515 [Rule Tuning] Parent Process PID Spoofing (#2432) Samirbous 2022-12-22 14:23:13 +00:00
  • ae4f671bae [New Rule] First Time Seen Driver Loaded (#2434) Samirbous 2022-12-22 14:10:33 +00:00
  • baa6b77040 [Rule Tuning] Change Guided Onboarding Rule to Experimental (#2439) Terrance DeJesus 2022-12-21 13:36:24 -05:00
  • 9c1bd50a63 [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF (#2438) Jonhnathan 2022-12-21 06:30:04 -08:00
  • 2516a4013a [Rule Tuning] PrivEsc via Print Spool Service (#2431) Samirbous 2022-12-21 11:51:26 +00:00
  • e9169b4cfa [Bug] Add Non-ECS Checks to New Terms Rule Validation (#2435) Terrance DeJesus 2022-12-19 12:44:42 -05:00
  • 80548b97f4 [Rule Tuning] Access to a Sensitive LDAP Attribute (#2430) Samirbous 2022-12-18 20:36:17 +00:00
  • 9f6a54e645 [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2423) Jonhnathan 2022-12-16 11:05:18 -08:00
  • ae4e59ec7d [FR] Update ATT&CK Package to v12.1 (#2422) Terrance DeJesus 2022-12-16 12:04:20 -05:00
  • 06053fa0c6 initial commit and updates (#2424) Terrance DeJesus 2022-12-13 10:52:45 -05:00
  • 5bf69b7967 Update package and install process (#1948) Mika Ayenson 2022-12-08 15:49:49 -05:00
  • 7e459dd585 [FR] Add support for New Terms Fields and Window Start History (#2360) Terrance DeJesus 2022-12-05 14:07:33 -05:00
  • c6f5d47cdf Update guided_onborading_sample_rule.toml (#2408) Isai 2022-11-28 11:47:37 -05:00
  • f8bcfe6800 Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2407) github-actions[bot] 2022-11-28 09:15:53 -05:00
  • b0085f4304 [Rule Tuning] Temporarily Scheduled Task Creation (#2411) Jonhnathan 2022-11-28 04:50:08 -08:00
  • 57b8f630de initial commit with changes for 8.7 branch creation (#2406) Terrance DeJesus 2022-11-21 12:55:01 -05:00
  • 1637f2dc79 [Rule Tuning] Shadow File Read via Command Line Utilities (#2403) Isai 2022-11-21 11:25:39 -05:00
  • a7caa4baf3 [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2399) Jonhnathan 2022-11-18 12:38:27 -08:00
  • ac01718bb6 [Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352) Jonhnathan 2022-11-18 07:32:27 -08:00
  • 6055d0db60 [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides (#2387) Jonhnathan 2022-11-17 13:38:34 -08:00
  • 8766a23ad6 Rule Tuning as part of 8.6 (#2398) shashank-elastic 2022-11-17 22:55:39 +05:30
  • 6555bba965 [New Rule] Persistence via PowerShell profile (#2357) Jonhnathan 2022-11-16 03:42:49 -08:00
  • 5a762eaf85 [Rule Tuning] NullSessionPipe Registry Modification (#2350) Jonhnathan 2022-11-16 02:15:18 -08:00
  • b1ddfb11d4 [New Rule] Windows Services - winlog (#2280) Samirbous 2022-11-16 10:08:02 +00:00
  • cbbac02b56 [Rule Tuning] Potential Shadow Credentials added to AD Object (#2359) Samirbous 2022-11-15 20:01:22 +00:00
  • b0156181e7 [New Rules] T1134 Access Token Manipulation (#2373) Samirbous 2022-11-15 19:50:47 +00:00
  • 6233c01c34 Update privilege_escalation_suspicious_dnshostname_update.toml (#2394) Samirbous 2022-11-15 19:26:41 +00:00
  • 0bf7dd15a5 [New Rules] CredAccess via LDAP Attributes (#2391) Samirbous 2022-11-15 15:55:01 +00:00
  • 2289fd6496 [New Rule] Masquerading Space After Filename (#2368) Isai 2022-11-15 09:54:46 -05:00
  • 48839ad6fe Rule to Identify Non-Standard Port connection(s) (#2365) shashank-elastic 2022-11-15 20:13:12 +05:30
  • 64dd305867 adding new rule File Transfer or Listener Established via Netcat (#2395) Terrance DeJesus 2022-11-15 09:37:35 -05:00
  • cc03899a2c [New Rule] Reverse Shell Created via Named Pipe (#2396) Terrance DeJesus 2022-11-15 09:27:44 -05:00
  • 7adb199afa [Deprecation] GCP Kubernetes Rolebindings Created or Patched (#2340) Isai 2022-11-09 12:51:52 -05:00
  • 29cf37eeec Adding deprecation notes to experimental ML docs (#2393) Apoorva Joshi 2022-11-09 09:42:34 -08:00
  • 4997f95300 [Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388) Terrance DeJesus 2022-11-07 15:17:49 -05:00
  • fd1260c109 [Rule Tuning] Tune "Telnet Port Activity" Rule for Accepted Connections Only (#2374) Terrance DeJesus 2022-11-07 14:00:25 -05:00
  • 25458123dd Update lateral_movement_mount_hidden_or_webdav_share_net.toml (#2385) Isai 2022-11-07 12:14:06 -05:00
  • 4cfe24835a update endgame validation to the latest schema available (8.4.0) (#2375) Mika Ayenson 2022-11-01 17:27:47 -04:00
  • c1dd3c57ad Adds commands to manage ATT&CK mappings (#2343) Justin Ibarra 2022-11-01 11:14:40 -08:00
  • 85e8c0abad [Rule Tuning] Update User.ID or Registry.Path to include Azure Users SID (#2378) Samirbous 2022-11-01 17:45:39 +00:00
  • e89bc230ab [Tuning] Diverse Windows Rules Tuning (#2383) Samirbous 2022-11-01 16:48:25 +00:00
  • 24b5e8a8b0 [Bug] Convert config to pathlib.Path (#2377) Mika Ayenson 2022-11-01 10:43:32 -04:00
  • 97c90aaf3c [Rule Tuning] Adversary Behavior - Detected - Elastic Endgame (#2382) Jonhnathan 2022-11-01 11:29:29 -03:00
  • 4615b462be [New Rule] AWS KMS CMK Disabled or Scheduled for Deletion (#2318) Xavier G Pich 2022-10-20 19:29:08 +02:00
  • 183b1ffdd3 [Rule Tuning] Add endgame support for Windows Rules (#2285) Jonhnathan 2022-10-19 08:27:44 -07:00
  • dcedacd583 add support for additional endgame field types (#2372) Mika Ayenson 2022-10-19 11:11:09 -04:00
  • aa8239652d [FR] Add endgame schema validation to detection-rule query (#2257) Mika Ayenson 2022-10-19 09:54:47 -04:00
  • aad546e65b [Rule Tuning] Kubernetes Rules - Add MITRE technique "Deploy Container" (#2341) Isai 2022-10-18 09:29:59 -04:00
  • 8478d959f4 [Rule Tuning] System Log File Deletion (#2362) Isai 2022-10-18 09:11:27 -04:00
  • 642992b1df [Guided Onboarding] Sample Rule for SIEM onboarding (#2324) Jonhnathan 2022-10-18 05:46:41 -07:00
  • 7b596c7729 [FR] Support forked rules with 100 version buffer space (#1946) Mika Ayenson 2022-10-14 14:45:28 -04:00
  • e761beb0a0 Rule Tuning on Potential Application Shimming via Sdbinst (#2355) shashank-elastic 2022-10-14 13:25:02 +05:30
  • bd46e892f1 add "Windows Azure Linux Agent"'s pid file to list (#2328) ALEXANDER MA COTE 2022-10-13 15:53:35 -04:00
  • 699ee451f6 bump eql to v9.15 (#2353) Mika Ayenson 2022-10-11 16:08:47 -04:00
  • 9861958833 [Security Content] Add missing "has_guide" tag (#2349) Jonhnathan 2022-10-11 06:30:19 -07:00
  • b08be04ffe Update click version (#2347) Justin Ibarra 2022-10-10 19:37:05 -08:00
  • 518d146cb0 [Rule Tuning] Exclude Elastic Agent from "Potential Process Herpaderping Attempt" (#2342) Terrance DeJesus 2022-10-05 13:45:36 -04:00
  • 78d6093176 [New Rule] Kubernetes Container Created with Excessive Linux Capabilities (#2313) Isai 2022-10-04 17:28:03 -04:00
  • 701c8a0e22 Rule Changes (#2337) Isai 2022-10-04 16:56:45 -04:00
  • 71b271c61b Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5 (#2332) integration-v7.16.5 github-actions[bot] 2022-09-29 11:19:46 -04:00
  • bb19d46975 [Bug] Version Comparison Bug in Related Integrations Field at Build Time (#2331) Terrance DeJesus 2022-09-29 09:58:08 -04:00
  • 6d35e443f8 [FR] Re-factor Build Integrations Manifest (#2274) Terrance DeJesus 2022-09-28 09:33:49 -04:00