sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Select branches

Hide Pull Requests

main

7.11

ML-Beaconing-20211130-1

ML-Beaconing-20211216-1

ML-DGA-20201111-1

ML-DGA-20201111-2

ML-DGA-20201111-3

ML-DGA-20201118-1

ML-DGA-20201216-1

ML-DGA-20210421-2

ML-DGA-20210421-3

ML-DGA-20210601-3

ML-DGA-20210602-3

ML-DGA-20210604-4

ML-DGA-20210629-5

ML-DGA-20210706-5

ML-HostRiskScore-20210728-1

ML-HostRiskScore-20210803-1

ML-HostRiskScore-20210826-2

ML-HostRiskScore-20211007-3

ML-HostRiskScore-20220210-4

ML-HostRiskScore-20220215-4

ML-HostRiskScore-20220228-5

ML-HostRiskScore-20220404-5

ML-ProblemChild-20210519-1

ML-ProblemChild-20210520-1

ML-ProblemChild-20210526-1

ML-ProblemChild-20210602-1

ML-URLSpoof-20210804-1

ML-URLSpoof-20210805-1

ML-UserRiskScore-20220628-1

ML-UserRiskScore-20220812-2

ML-experimental-detections-20200506-3

ML-experimental-detections-20201028-1

ML-experimental-detections-20201029-1

ML-experimental-detections-20201118-1

ML-experimental-detections-20201209-1

ML-experimental-detections-20201221-2

ML-experimental-detections-20210527-4

ML-experimental-detections-20210602-4

ML-experimental-detections-20210603-5

ML-experimental-detections-20210804-6

ML-experimental-detections-20210805-6

ML-experimental-detections-20211130-7

apr_2025_updates

aug_2025_updates

august_updates

dev-v0.1.0

dev-v0.1.2

dev-v0.1.3

dev-v0.1.4

dev-v0.1.5

dev-v0.1.6

dev-v0.1.7

dev-v0.2.0

dev-v0.2.1

dev-v0.3.0

dev-v0.3.1

dev-v0.3.10

dev-v0.3.11

dev-v0.3.12

dev-v0.3.13

dev-v0.3.14

dev-v0.3.15

dev-v0.3.16

dev-v0.3.17

dev-v0.3.18

dev-v0.3.19

dev-v0.3.2

dev-v0.3.3

dev-v0.3.4

dev-v0.3.5

dev-v0.3.6

dev-v0.3.7

dev-v0.3.8

dev-v0.3.9

dev-v0.4.0

dev-v0.4.1

dev-v0.4.10

dev-v0.4.11

dev-v0.4.12

dev-v0.4.13

dev-v0.4.14

dev-v0.4.15

dev-v0.4.16

dev-v0.4.17

dev-v0.4.18

dev-v0.4.19

dev-v0.4.2

dev-v0.4.20

dev-v0.4.21

dev-v0.4.22

dev-v0.4.23

dev-v0.4.24

dev-v0.4.25

dev-v0.4.26

dev-v0.4.3

dev-v0.4.4

dev-v0.4.5

dev-v0.4.6

dev-v0.4.7

dev-v0.4.8

dev-v0.4.9

dev-v1.0.0

dev-v1.0.1

dev-v1.0.10

dev-v1.0.13

dev-v1.0.14

dev-v1.0.15

dev-v1.0.16

dev-v1.0.17

dev-v1.0.18

dev-v1.0.2

dev-v1.0.3

dev-v1.0.4

dev-v1.0.5

dev-v1.0.6

dev-v1.0.7

dev-v1.0.8

dev-v1.0.9

dev-v1.1.0

dev-v1.1.1

dev-v1.1.2

dev-v1.1.3

dev-v1.1.4

dev-v1.1.5

dev-v1.1.6

dev-v1.1.7

dev-v1.2.0

dev-v1.2.1

dev-v1.2.10

dev-v1.2.11

dev-v1.2.12

dev-v1.2.13

dev-v1.2.14

dev-v1.2.15

dev-v1.2.16

dev-v1.2.17

dev-v1.2.18

dev-v1.2.19

dev-v1.2.2

dev-v1.2.20

dev-v1.2.21

dev-v1.2.22

dev-v1.2.23

dev-v1.2.24

dev-v1.2.25

dev-v1.2.26

dev-v1.2.3

dev-v1.2.4

dev-v1.2.5

dev-v1.2.7

dev-v1.2.8

dev-v1.2.9

dev-v1.3.0

dev-v1.3.1

dev-v1.3.10

dev-v1.3.11

dev-v1.3.12

dev-v1.3.13

dev-v1.3.14

dev-v1.3.15

dev-v1.3.16

dev-v1.3.17

dev-v1.3.18

dev-v1.3.19

dev-v1.3.2

dev-v1.3.20

dev-v1.3.21

dev-v1.3.22

dev-v1.3.23

dev-v1.3.24

dev-v1.3.25

dev-v1.3.26

dev-v1.3.27

dev-v1.3.28

dev-v1.3.29

dev-v1.3.3

dev-v1.3.30

dev-v1.3.31

dev-v1.3.32

dev-v1.3.33

dev-v1.3.4

dev-v1.3.5

dev-v1.3.6

dev-v1.3.7

dev-v1.3.9

dev-v1.4.0

dev-v1.4.1

dev-v1.4.10

dev-v1.4.11

dev-v1.4.12

dev-v1.4.2

dev-v1.4.3

dev-v1.4.4

dev-v1.4.5

dev-v1.4.6

dev-v1.4.7

dev-v1.4.8

dev-v1.4.9

dev-v1.5.0

dev-v1.5.1

dev-v1.5.10

dev-v1.5.11

dev-v1.5.12

dev-v1.5.13

dev-v1.5.14

dev-v1.5.15

dev-v1.5.16

dev-v1.5.17

dev-v1.5.18

dev-v1.5.19

dev-v1.5.2

dev-v1.5.20

dev-v1.5.21

dev-v1.5.22

dev-v1.5.23

dev-v1.5.24

dev-v1.5.25

dev-v1.5.26

dev-v1.5.27

dev-v1.5.28

dev-v1.5.29

dev-v1.5.3

dev-v1.5.31

dev-v1.5.32

dev-v1.5.33

dev-v1.5.34

dev-v1.5.35

dev-v1.5.36

dev-v1.5.37

dev-v1.5.38

dev-v1.5.39

dev-v1.5.4

dev-v1.5.40

dev-v1.5.41

dev-v1.5.42

dev-v1.5.43

dev-v1.5.44

dev-v1.5.45

dev-v1.5.46

dev-v1.5.47

dev-v1.5.48

dev-v1.5.49

dev-v1.5.5

dev-v1.5.50

dev-v1.5.51

dev-v1.5.52

dev-v1.5.53

dev-v1.5.54

dev-v1.5.56

dev-v1.5.6

dev-v1.5.7

dev-v1.5.8

dev-v1.5.9

dev-v1.6.0

dev-v1.6.1

dev-v1.6.10

dev-v1.6.11

dev-v1.6.12

dev-v1.6.13

dev-v1.6.14

dev-v1.6.15

dev-v1.6.16

dev-v1.6.17

dev-v1.6.18

dev-v1.6.19

dev-v1.6.2

dev-v1.6.20

dev-v1.6.21

dev-v1.6.22

dev-v1.6.23

dev-v1.6.24

dev-v1.6.25

dev-v1.6.26

dev-v1.6.28

dev-v1.6.29

dev-v1.6.3

dev-v1.6.30

dev-v1.6.31

dev-v1.6.32

dev-v1.6.4

dev-v1.6.5

dev-v1.6.6

dev-v1.6.7

dev-v1.6.8

dev-v1.6.9

dev7.10-ML-DGA-v0.1.0

dev7.10-ML-DGA-v0.1.0.zip

dev7.10-abc-v0.1.0

feb_2025_updates

integration-v0.13.1

integration-v0.13.2

integration-v0.13.3

integration-v0.14.1

integration-v0.14.2

integration-v0.14.3

integration-v0.16.1

integration-v0.16.2

integration-v1.0.1

integration-v1.0.2

integration-v7.16.3

integration-v7.16.4

integration-v7.16.5

integration-v8.1.1

integration-v8.10.1

integration-v8.10.10

integration-v8.10.11

integration-v8.10.12

integration-v8.10.13

integration-v8.10.14

integration-v8.10.15

integration-v8.10.16

integration-v8.10.17

integration-v8.10.18

integration-v8.10.2

integration-v8.10.3

integration-v8.10.4

integration-v8.10.5

integration-v8.10.6

integration-v8.10.7

integration-v8.10.8

integration-v8.10.9

integration-v8.11.1

integration-v8.11.10

integration-v8.11.11

integration-v8.11.12

integration-v8.11.13

integration-v8.11.14

integration-v8.11.15

integration-v8.11.16

integration-v8.11.17

integration-v8.11.18

integration-v8.11.19

integration-v8.11.2

integration-v8.11.20

integration-v8.11.21

f37235581c Add min_stack and indexes back (#1648) Jonhnathan 2021-12-07 10:00:58 -03:00
c21337fe4f Add min_stack and indexes back (#1648) Jonhnathan 2021-12-07 10:00:58 -03:00
396cee32f1 [Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651) Jonhnathan 2021-12-07 09:09:03 -03:00
6bc87199f0 [Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651) Jonhnathan 2021-12-07 09:09:03 -03:00
7b0383ffe2 [Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651) Jonhnathan 2021-12-07 09:09:03 -03:00
e37fc97c57 Limit index to logs-endpoint.events (#1647) Jonhnathan 2021-12-06 13:45:12 -03:00
6a91e9f91b Limit index to logs-endpoint.events (#1647) Jonhnathan 2021-12-06 13:45:12 -03:00
f6a2437cf8 Limit index to logs-endpoint.events (#1647) Jonhnathan 2021-12-06 13:45:12 -03:00
2ecbc87fed Adding Beaconing docs (#1621) Apoorva Joshi 2021-12-01 08:44:42 -08:00
3d1bea4b65 Adding Beaconing docs (#1621) Apoorva Joshi 2021-12-01 08:44:42 -08:00
237dcd2e19 Adding Beaconing docs (#1621) Apoorva Joshi 2021-12-01 08:44:42 -08:00
d1fe62d903 [New Rule] Suspicious Process Creation CallTrace (#1588) Samirbous 2021-11-30 21:35:43 +01:00
89b75b9792 [New Rule] Suspicious Process Creation CallTrace (#1588) Samirbous 2021-11-30 21:35:43 +01:00
d43e3d8e4e [New Rule] Suspicious Process Creation CallTrace (#1588) Samirbous 2021-11-30 21:35:43 +01:00
d1e73cb0c3 Updating host risk score and experimental detections docs (#1639) Apoorva Joshi 2021-11-30 11:24:37 -08:00
9fefe5bfe6 Updating host risk score and experimental detections docs (#1639) Apoorva Joshi 2021-11-30 11:24:37 -08:00
d061bf8e7c Updating host risk score and experimental detections docs (#1639) Apoorva Joshi 2021-11-30 11:24:37 -08:00
d098c58d27 [Rule Tuning] Support ECS 1.11 field for IM rule (#1560) Khristinin Nikita 2021-11-30 19:25:42 +01:00
33030f09fa [Rule Tuning] Support ECS 1.11 field for IM rule (#1560) Khristinin Nikita 2021-11-30 19:25:42 +01:00
c619844b0d [Rule Tuning] Support ECS 1.11 field for IM rule (#1560) ML-experimental-detections-20211130-7 Khristinin Nikita 2021-11-30 19:25:42 +01:00
423145dae7 [New Rule] Azure Kubernetes Rolebindings Created (#1576) Austin Songer 2021-11-29 06:16:00 -06:00
67f77a3fcb [New Rule] Azure Kubernetes Rolebindings Created (#1576) Austin Songer 2021-11-29 06:16:00 -06:00
521f0987ae [New Rule] Azure Kubernetes Rolebindings Created (#1576) ML-Beaconing-20211130-1 Austin Songer 2021-11-29 06:16:00 -06:00
c49501c4cc [New Rule] Clearing Windows Console History (#1623) Austin Songer 2021-11-25 10:25:21 -06:00
526c4e2678 [New Rule] Clearing Windows Console History (#1623) Austin Songer 2021-11-25 10:25:21 -06:00
13fc69b70a [New Rule] Clearing Windows Console History (#1623) Austin Songer 2021-11-25 10:25:21 -06:00
5572d8669e [New Rule] Windows Firewall Disabled (#1565) Austin Songer 2021-11-24 15:34:12 -06:00
89c49a34b5 [New Rule] Windows Firewall Disabled (#1565) Austin Songer 2021-11-24 15:34:12 -06:00
2ac19440c2 [New Rule] Windows Firewall Disabled (#1565) Austin Songer 2021-11-24 15:34:12 -06:00
7f59fbb235 [Rule Tuning] Component Object Model Hijacking (#1491) LaZyDK 2021-11-24 12:57:43 +01:00
ac69faedbf [Rule Tuning] Component Object Model Hijacking (#1491) LaZyDK 2021-11-24 12:57:43 +01:00
dd3e924e4a [Rule Tuning] Component Object Model Hijacking (#1491) LaZyDK 2021-11-24 12:57:43 +01:00
3e5ed57546 [New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569) Samirbous 2021-11-18 10:27:42 +01:00
e3adb3e089 [New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569) Samirbous 2021-11-18 10:27:42 +01:00
97bb3d5bc4 [New Rule] Account Password Reset Remotely (#1571) Samirbous 2021-11-18 10:25:50 +01:00
d1636258e4 [New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569) Samirbous 2021-11-18 10:27:42 +01:00
24ef481853 [New Rule] Account Password Reset Remotely (#1571) Samirbous 2021-11-18 10:25:50 +01:00
53a17e6b06 [New Rule] Account Password Reset Remotely (#1571) Samirbous 2021-11-18 10:25:50 +01:00
ffcca8239e [New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579) Austin Songer 2021-11-17 16:38:12 -06:00
03db89e733 [New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579) Austin Songer 2021-11-17 16:38:12 -06:00
3f3328a630 [New Rule] PowerShell Keylogging Script (#1561) Jonhnathan 2021-11-17 19:36:40 -03:00
3dd32608a0 [New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579) Austin Songer 2021-11-17 16:38:12 -06:00
c434a5dbb5 [New Rule] PowerShell Keylogging Script (#1561) Jonhnathan 2021-11-17 19:36:40 -03:00
4b6794df32 [New Rule] PowerShell Keylogging Script (#1561) Jonhnathan 2021-11-17 19:36:40 -03:00
c6068391a1 [Rule Tuning] Suspicious CertUtil Commands (#1564) Austin Songer 2021-11-17 14:41:07 -06:00
cb85a35e7a [Rule Tuning] Suspicious CertUtil Commands (#1564) Austin Songer 2021-11-17 14:41:07 -06:00
ab521f7c4f [Rule Tuning] Suspicious CertUtil Commands (#1564) Austin Songer 2021-11-17 14:41:07 -06:00
0e20e08eef [New Rule] Potential Process Injection via PowerShell (#1552) Jonhnathan 2021-11-17 07:33:13 -03:00
791c8f9864 [New Rule] Potential Process Injection via PowerShell (#1552) Jonhnathan 2021-11-17 07:33:13 -03:00
9c54e21820 [New Rule] Potential Process Injection via PowerShell (#1552) Jonhnathan 2021-11-17 07:33:13 -03:00
33f13e25be [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550) Samirbous 2021-11-17 08:45:38 +01:00
2f3519d882 [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550) Samirbous 2021-11-17 08:45:38 +01:00
e99478db00 [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550) Samirbous 2021-11-17 08:45:38 +01:00
2e067562f1 [New Rule] Potential Credential Access via LSASS Memory Dump (#1533) Samirbous 2021-11-17 08:36:26 +01:00
7d806b4d3c [New Rule] Potential Credential Access via LSASS Memory Dump (#1533) Samirbous 2021-11-17 08:36:26 +01:00
c18c08a976 [New Rule] Potential Credential Access via LSASS Memory Dump (#1533) Samirbous 2021-11-17 08:36:26 +01:00
a06dc65acd Lock versions for releases: 7.13,7.14,7.15,7.16 (#1619) github-actions[bot] 2021-11-16 00:31:27 -09:00
c1e4bbc2e3 Lock versions for releases: 7.13,7.14,7.15,7.16 (#1619) github-actions[bot] 2021-11-16 00:31:27 -09:00
f0f3b83eab Lock versions for releases: 7.13,7.14,7.15,7.16 (#1619) github-actions[bot] 2021-11-16 00:31:27 -09:00
a50bd1ae15 [bug] Current stack version in deprecation lock missing parens (#1618) Justin Ibarra 2021-11-16 00:18:27 -09:00
8036eff47e [bug] Current stack version in deprecation lock missing parens (#1618) Justin Ibarra 2021-11-16 00:18:27 -09:00
bd9e33e761 [bug] Current stack version in deprecation lock missing parens (#1618) Justin Ibarra 2021-11-16 00:18:27 -09:00
e9736b21c9 Fix kibana-pr command (#1616) Justin Ibarra 2021-11-15 23:55:05 -09:00
eeb087c0fa Fix kibana-pr command (#1616) Justin Ibarra 2021-11-15 23:55:05 -09:00
76503e8bcd Fix kibana-pr command (#1616) Justin Ibarra 2021-11-15 23:55:05 -09:00
e2723af3c2 Update registry release from beta to ga Justin Ibarra 2021-11-15 21:48:46 -09:00
f306ff195a Update registry release from beta to ga Justin Ibarra 2021-11-15 21:48:07 -09:00
0cce812552 Update registry data to reflect "ga" for release (#1482) Justin Ibarra 2021-11-15 21:44:21 -09:00
271d460d7f [New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582) Jonhnathan 2021-11-16 03:19:38 -03:00
77ffac81e2 [New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582) Jonhnathan 2021-11-16 03:19:38 -03:00
858d1cf12c [New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582) Jonhnathan 2021-11-16 03:19:38 -03:00
4a0f780d0b Bump min_stack_version in version.lock for specific rules (#1614) Justin Ibarra 2021-11-15 14:38:19 -09:00
d1a4441c73 Bump min_stack_version in version.lock for specific rules (#1614) Justin Ibarra 2021-11-15 14:38:19 -09:00
d78f6354df Bump min_stack_version in version.lock for specific rules (#1614) Justin Ibarra 2021-11-15 14:38:19 -09:00
ef4fc086ee Remove 7.15+ rules from 7.14 branch (#1613) Justin Ibarra 2021-11-15 14:35:28 -09:00
1e2ede92a1 Test to trigger workflows (#1612) Justin Ibarra 2021-11-15 10:02:31 -09:00
c42f86eb15 Test to trigger workflows (#1612) Justin Ibarra 2021-11-15 10:02:31 -09:00
59ba8e1540 Test to trigger workflows (#1612) Justin Ibarra 2021-11-15 10:02:31 -09:00
d0ec0f0297 Prepare for creation of 7.16 release branch (#1611) Justin Ibarra 2021-11-15 09:39:34 -09:00
1edd4303af Prepare for creation of 7.16 release branch (#1611) Justin Ibarra 2021-11-15 09:39:34 -09:00
95d7e9b6f5 Prepare for creation of 7.16 release branch (#1611) Justin Ibarra 2021-11-15 09:39:34 -09:00
389a7bf292 Move version lock code to object for portability (#1553) Justin Ibarra 2021-11-15 08:46:12 -09:00
0efae3a52e Move version lock code to object for portability (#1553) Justin Ibarra 2021-11-15 08:46:12 -09:00
cb1a765524 [New Rule] Suspicious Process Access via Direct System Call (#1536) Samirbous 2021-11-15 10:18:26 +01:00
81a62f5f68 [New Rule] Suspicious Process Access via Direct System Call (#1536) Samirbous 2021-11-15 10:18:26 +01:00
06340b69b0 Add index as a required field to rule_prompt (#1595) Justin Ibarra 2021-11-14 17:05:42 -09:00
5e6a58ebab Add index as a required field to rule_prompt (#1595) Justin Ibarra 2021-11-14 17:05:42 -09:00
25bfddb291 [Rule Tuning] Rename extrac.exe to extrac32.exe (#1601) Jonhnathan 2021-11-14 23:01:13 -03:00
017d9a51b7 [Rule Tuning] Rename extrac.exe to extrac32.exe (#1601) Jonhnathan 2021-11-14 23:01:13 -03:00
f656c7bc25 Fix Windows path causing emoji to be rendered in Kibana (#1585) Adrian Serrano 2021-11-03 17:01:25 +01:00
aa219710a1 Fix Windows path causing emoji to be rendered in Kibana (#1585) Adrian Serrano 2021-11-03 17:01:25 +01:00
715188695b Create host-risk-score.md (#1599) Ece Özalp 2021-11-03 11:05:59 +03:00
e29a1ca25c Create host-risk-score.md (#1599) Ece Özalp 2021-11-03 11:05:59 +03:00
2c197b57fb Change interval and lookback time for IM rule (#1596) Khristinin Nikita 2021-11-01 09:27:38 +01:00
f47b0f61cc Change interval and lookback time for IM rule (#1596) Khristinin Nikita 2021-11-01 09:27:38 +01:00
365c2a73f2 [Rule Tuning] Hosts File Modified - add process check for linux (#1593) Justin Ibarra 2021-10-28 22:56:34 -05:00
ff16832003 [Rule Tuning] Hosts File Modified - add process check for linux (#1593) Justin Ibarra 2021-10-28 22:56:34 -05:00
ac4e49bcda Update the marshmallow dependencies in requirements.txt (#1475) Ross Wolf 2021-10-28 21:50:49 -06:00
d03e7972a6 Update the marshmallow dependencies in requirements.txt (#1475) Ross Wolf 2021-10-28 21:50:49 -06:00
a58666393e Refresh ECS (1.12.1) and beats (7.15.1) schemas (#1584) Justin Ibarra 2021-10-28 11:24:28 -05:00

... 39 40 41 42 43 ...