Commit Graph

  • 35b1a69ff5 Prep for Creation of 8.4 Branch (#2001) Terrance DeJesus 2022-06-02 14:59:18 -04:00
  • b12d1cb978 [Rule Tuning] Add MITRE Details to existing hpining activity rule. (#2012) shashank-elastic 2022-06-02 10:36:23 +05:30
  • f02325fe2f [Rule Tuning] Add MITRE Details to existing hpining activity rule. (#2012) shashank-elastic 2022-06-02 10:36:23 +05:30
  • 821e04aaf8 Linux binary(s) ftp shell evasion threat (#2007) shashank-elastic 2022-06-01 22:07:52 +05:30
  • 98a85ddcee Linux binary(s) ftp shell evasion threat (#2007) shashank-elastic 2022-06-01 22:07:52 +05:30
  • 29cf0c8f77 [New Rule] Suspicious Microsoft Diagnostics Wizard Execution (#2005) Samirbous 2022-06-01 17:02:47 +02:00
  • d6e96a83d5 [New Rule] Suspicious Microsoft Diagnostics Wizard Execution (#2005) Samirbous 2022-06-01 17:02:47 +02:00
  • 1484c20795 [Security Content] 8.3 Add Investigation Guides - 3 (#1990) Jonhnathan 2022-05-31 12:57:02 -03:00
  • 27f5c2e695 [Security Content] 8.3 Add Investigation Guides - 3 (#1990) Jonhnathan 2022-05-31 12:57:02 -03:00
  • d575fd4b3c [Security Content] 8.3 - Add Investigation Guides 2 (#1989) Jonhnathan 2022-05-31 12:54:42 -03:00
  • e5d3c6329c [Security Content] 8.3 - Add Investigation Guides 2 (#1989) Jonhnathan 2022-05-31 12:54:42 -03:00
  • 10c2d9de3d [Rule Tuning] Suspicious MS Office Child Process (#2003) Samirbous 2022-05-31 14:20:51 +02:00
  • bfea11c99f [Rule Tuning] Suspicious MS Office Child Process (#2003) Samirbous 2022-05-31 14:20:51 +02:00
  • 1d69a2bbae [Promote Rule] Potential Invoke-Mimikatz PowerShell Script (#1993) Jonhnathan 2022-05-25 17:02:21 -03:00
  • 1f8813d02f [Promote Rule] Potential Invoke-Mimikatz PowerShell Script (#1993) Jonhnathan 2022-05-25 17:02:21 -03:00
  • 6199bd4524 Refresh ECS/beats schemas up to 8.2 (#1995) Justin Ibarra 2022-05-25 11:51:43 -08:00
  • 0428e161a8 Refresh ECS/beats schemas up to 8.2 (#1995) Justin Ibarra 2022-05-25 11:51:43 -08:00
  • 3988b2ed5e Skip previous validation on pre/post load/dump (#1942) Mika Ayenson 2022-05-25 13:34:03 -04:00
  • e1266a6fd3 Skip previous validation on pre/post load/dump (#1942) Mika Ayenson 2022-05-25 13:34:03 -04:00
  • cdc5c7244a [New Rule] Elastic Agent Stopped (#1991) Terrance DeJesus 2022-05-25 13:16:21 -04:00
  • 75f8928d1f [Rule tuning] Linux binary(s) shell evasion threat shashank-elastic 2022-05-25 19:21:08 +05:30
  • fd7a6d63b0 [Rule tuning] Linux binary(s) shell evasion threat shashank-elastic 2022-05-25 19:21:08 +05:30
  • 44046642e7 [Rule tuning] Linux binary(s) shell evasion threat (#1957) shashank-elastic 2022-05-25 08:32:53 +05:30
  • 51b2d9da4b [Rule tuning] Linux binary(s) shell evasion threat (#1957) shashank-elastic 2022-05-25 08:32:53 +05:30
  • c5e3312727 [Rule tuning] Whitespace Padding in Process Command Line (#1967) Justin Ibarra 2022-05-23 11:33:48 -08:00
  • 72c186b30b [Rule tuning] Whitespace Padding in Process Command Line (#1967) Justin Ibarra 2022-05-23 11:33:48 -08:00
  • 0796082300 [Rule tuning] Unusual Process Execution - Temp (#1968) Justin Ibarra 2022-05-23 07:04:35 -08:00
  • 1840a638c8 [Rule tuning] Unusual Process Execution - Temp (#1968) Justin Ibarra 2022-05-23 07:04:35 -08:00
  • e57cf31867 Modifying rules assoc w/ deprecation of v2 ML jobs (#1846) Bobby Filar 2022-05-20 15:02:27 -05:00
  • 9a739b7e4c Modifying rules assoc w/ deprecation of v2 ML jobs (#1846) Bobby Filar 2022-05-20 15:02:27 -05:00
  • a2dbfff31b [Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974) Mika Ayenson 2022-05-20 11:10:56 -04:00
  • 77966473d1 [Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974) Mika Ayenson 2022-05-20 11:10:56 -04:00
  • 18277206f8 [Security Content] 8.3 - Add Investigation Guides (#1937) Jonhnathan 2022-05-19 13:23:35 -03:00
  • a1bdf2b564 [Security Content] 8.3 - Add Investigation Guides (#1937) Jonhnathan 2022-05-19 13:23:35 -03:00
  • 128053a93e [Rule tuning] check for anything found in the emondClient directory (#1977) Mika Ayenson 2022-05-18 12:33:23 -04:00
  • 92640f517a [Rule tuning] check for anything found in the emondClient directory (#1977) Mika Ayenson 2022-05-18 12:33:23 -04:00
  • 7c90f1d4c4 [Security Content] Refactor Existing Investigation Guides (#1959) Jonhnathan 2022-05-18 12:59:39 -03:00
  • 817b97f428 [Security Content] Refactor Existing Investigation Guides (#1959) Jonhnathan 2022-05-18 12:59:39 -03:00
  • 4817bf26c8 [Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root (#1983) Colson Wilhoit 2022-05-17 17:41:05 -05:00
  • d12f45c6ba [Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root (#1983) Colson Wilhoit 2022-05-17 17:41:05 -05:00
  • a440d87f67 [New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975) Terrance DeJesus 2022-05-16 17:22:33 -04:00
  • c89f423961 [New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975) Terrance DeJesus 2022-05-16 17:22:33 -04:00
  • f223e63030 Update command_and_control_common_webservices.toml (#1970) Jonhnathan 2022-05-16 14:04:26 -03:00
  • 27e6632ecd Update command_and_control_common_webservices.toml (#1970) Jonhnathan 2022-05-16 14:04:26 -03:00
  • c7d1ea428c [New Rule] Abnormal Process ID File Creation (#1964) Terrance DeJesus 2022-05-12 10:38:27 -04:00
  • 1704924f7b [New Rule] Abnormal Process ID File Creation (#1964) Terrance DeJesus 2022-05-12 10:38:27 -04:00
  • ca7a148f5a [New rule] Remote Computer Account DnsHostName Update (#1962) Samirbous 2022-05-11 19:40:34 +02:00
  • 19ff825a91 [New rule] Remote Computer Account DnsHostName Update (#1962) Samirbous 2022-05-11 19:40:34 +02:00
  • b5f473a444 [New Rule] Executable Launched from Shared Memory Directory (#1961) Terrance DeJesus 2022-05-11 12:18:55 -04:00
  • 5f447a63a2 [New Rule] Executable Launched from Shared Memory Directory (#1961) Terrance DeJesus 2022-05-11 12:18:55 -04:00
  • 6e9faf3c2a [Rule tuning] SSH Authorized Keys File Modification (#1955) Justin Ibarra 2022-05-09 07:50:27 -08:00
  • c031bb501d [Rule tuning] SSH Authorized Keys File Modification (#1955) Justin Ibarra 2022-05-09 07:50:27 -08:00
  • 36413ad8b2 [New Rule] Potential Local NTLM Relay via HTTP (#1947) Samirbous 2022-05-06 21:07:27 +02:00
  • 03836d45fa [New Rule] Potential Local NTLM Relay via HTTP (#1947) Samirbous 2022-05-06 21:07:27 +02:00
  • 5769a21867 [Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945) Terrance DeJesus 2022-05-06 13:21:12 -04:00
  • e9f5585a9f [Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945) Terrance DeJesus 2022-05-06 13:21:12 -04:00
  • 4b92b42b45 Manually reconciled versions from forked rule package generation bug (#1950) Justin Ibarra 2022-05-04 10:04:10 -08:00
  • 8168551c59 Manually reconciled versions from forked rule package generation bug (#1950) Justin Ibarra 2022-05-04 10:04:10 -08:00
  • d7713cea73 Add delta command to determine changes to endpoint rules between tags (#1943) Justin Ibarra 2022-05-03 12:30:11 -08:00
  • 22679e16d2 Add delta command to determine changes to endpoint rules between tags (#1943) Justin Ibarra 2022-05-03 12:30:11 -08:00
  • 2ccbdcb773 Move etc under detection_rules (#1885) Mika Ayenson 2022-05-02 10:11:21 -04:00
  • cc8af968e3 Move etc under detection_rules (#1885) Mika Ayenson 2022-05-02 10:11:21 -04:00
  • 6219fc06b9 Move etc under detection_rules (#1885) Mika Ayenson 2022-05-02 10:11:21 -04:00
  • 6a6d49a362 [New Rule] Service Creation via Local Kerberos Authentication (#1941) Samirbous 2022-04-29 14:36:28 +02:00
  • 3f047b987e [New Rule] Service Creation via Local Kerberos Authentication (#1941) Samirbous 2022-04-29 14:36:28 +02:00
  • 6a5a59ad00 [New Rule] AWS Redshift Cluster Creation (#1921) Pete Hampton 2022-04-28 19:43:26 +01:00
  • 34655374c1 [New Rule] AWS Redshift Cluster Creation (#1921) Pete Hampton 2022-04-28 19:43:26 +01:00
  • 3d9013a4c0 [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1939) Jonhnathan 2022-04-27 09:09:25 -03:00
  • f050b0ce0c [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1939) Jonhnathan 2022-04-27 09:09:25 -03:00
  • 1d74816afc Detection of suspicious crontab creation or modification (#1938) shashank-elastic 2022-04-27 12:08:32 +05:30
  • 88f71233c9 Detection of suspicious crontab creation or modification (#1938) shashank-elastic 2022-04-27 12:08:32 +05:30
  • fbd217ae53 Validate version lock and deprecation files on load and save (#1884) Justin Ibarra 2022-04-26 22:17:20 -08:00
  • c803160e4f Validate version lock and deprecation files on load and save (#1884) Justin Ibarra 2022-04-26 22:17:20 -08:00
  • b025d3a764 [New Rule] Potential Privileged Escalation via KrbRelayUp (#1940) Samirbous 2022-04-27 01:39:54 +02:00
  • a0672c7d2a [New Rule] Potential Privileged Escalation via KrbRelayUp (#1940) Samirbous 2022-04-27 01:39:54 +02:00
  • e3c8981b63 Review & Fix Invalid References (#1936) Jonhnathan 2022-04-26 17:57:15 -03:00
  • 20d2e92cfe Review & Fix Invalid References (#1936) Jonhnathan 2022-04-26 17:57:15 -03:00
  • 781043991a [Rule Tuning] Exclude MS OneDrive/Teams from Component Object Model Hijacking (#1932) Terrance DeJesus 2022-04-26 11:43:33 -04:00
  • 5bf321a505 [Rule Tuning] Exclude MS OneDrive/Teams from Component Object Model Hijacking (#1932) Terrance DeJesus 2022-04-26 11:43:33 -04:00
  • 043ff67b42 [eql2kql] fix wildcard bug (#1507) AbdelMoumene-Hadfi 2022-04-22 03:44:39 +00:00
  • 15faf34a2f [eql2kql] fix wildcard bug (#1507) AbdelMoumene-Hadfi 2022-04-22 03:44:39 +00:00
  • 68c74b2514 Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1929) integration-v1.0.2 github-actions[bot] 2022-04-14 13:29:52 -08:00
  • e7ebb45ae0 Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1929) integration-v0.16.2 github-actions[bot] 2022-04-14 13:29:52 -08:00
  • 187c7a461d Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1929) github-actions[bot] 2022-04-14 13:29:52 -08:00
  • 69addb9bdc [Rule Tuning] Remove logs-windows.* index (#1928) Jonhnathan 2022-04-14 09:25:44 -03:00
  • d3aa90f6a8 [Rule Tuning] Remove logs-windows.* index (#1928) Jonhnathan 2022-04-14 09:25:44 -03:00
  • 0943ffba5f [Rule Tuning] Remove logs-windows.* index (#1928) Jonhnathan 2022-04-14 09:25:44 -03:00
  • 8d8d86d85d Minor changes from Investigation Guides Review (#1927) Jonhnathan 2022-04-13 21:53:29 -03:00
  • 2889bf7d4e Minor changes from Investigation Guides Review (#1927) Jonhnathan 2022-04-13 21:53:29 -03:00
  • 258418785f Minor changes from Investigation Guides Review (#1927) Jonhnathan 2022-04-13 21:53:29 -03:00
  • 10bc32b9aa remove min_stack_version so old versions get config note (#1926) Mika Ayenson 2022-04-13 15:56:38 -04:00
  • a18c62ff7d remove min_stack_version so old versions get config note (#1926) Mika Ayenson 2022-04-13 15:56:38 -04:00
  • 626342c693 Revert "Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1922)" (#1925) Justin Ibarra 2022-04-12 23:05:54 -08:00
  • 3adff3c865 Revert "Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1922)" (#1925) Justin Ibarra 2022-04-12 23:05:54 -08:00
  • 53673c0c49 Revert "Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1922)" (#1925) Justin Ibarra 2022-04-12 23:05:54 -08:00
  • 1ec05f057f Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1922) github-actions[bot] 2022-04-12 22:30:05 -08:00
  • 3b4db7e47a Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1922) github-actions[bot] 2022-04-12 22:30:05 -08:00
  • 8789c15ae6 Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1,8.2 (#1922) github-actions[bot] 2022-04-12 22:30:05 -08:00
  • 49504e8b0c [Security Content] Current Investigation Guides Review (#1896) Jonhnathan 2022-04-12 22:05:13 -03:00
  • c3ab31632f [Security Content] Current Investigation Guides Review (#1896) Jonhnathan 2022-04-12 22:05:13 -03:00