sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Select branches

Hide Pull Requests

main

7.11

ML-Beaconing-20211130-1

ML-Beaconing-20211216-1

ML-DGA-20201111-1

ML-DGA-20201111-2

ML-DGA-20201111-3

ML-DGA-20201118-1

ML-DGA-20201216-1

ML-DGA-20210421-2

ML-DGA-20210421-3

ML-DGA-20210601-3

ML-DGA-20210602-3

ML-DGA-20210604-4

ML-DGA-20210629-5

ML-DGA-20210706-5

ML-HostRiskScore-20210728-1

ML-HostRiskScore-20210803-1

ML-HostRiskScore-20210826-2

ML-HostRiskScore-20211007-3

ML-HostRiskScore-20220210-4

ML-HostRiskScore-20220215-4

ML-HostRiskScore-20220228-5

ML-HostRiskScore-20220404-5

ML-ProblemChild-20210519-1

ML-ProblemChild-20210520-1

ML-ProblemChild-20210526-1

ML-ProblemChild-20210602-1

ML-URLSpoof-20210804-1

ML-URLSpoof-20210805-1

ML-UserRiskScore-20220628-1

ML-UserRiskScore-20220812-2

ML-experimental-detections-20200506-3

ML-experimental-detections-20201028-1

ML-experimental-detections-20201029-1

ML-experimental-detections-20201118-1

ML-experimental-detections-20201209-1

ML-experimental-detections-20201221-2

ML-experimental-detections-20210527-4

ML-experimental-detections-20210602-4

ML-experimental-detections-20210603-5

ML-experimental-detections-20210804-6

ML-experimental-detections-20210805-6

ML-experimental-detections-20211130-7

apr_2025_updates

aug_2025_updates

august_updates

dev-v0.1.0

dev-v0.1.2

dev-v0.1.3

dev-v0.1.4

dev-v0.1.5

dev-v0.1.6

dev-v0.1.7

dev-v0.2.0

dev-v0.2.1

dev-v0.3.0

dev-v0.3.1

dev-v0.3.10

dev-v0.3.11

dev-v0.3.12

dev-v0.3.13

dev-v0.3.14

dev-v0.3.15

dev-v0.3.16

dev-v0.3.17

dev-v0.3.18

dev-v0.3.19

dev-v0.3.2

dev-v0.3.3

dev-v0.3.4

dev-v0.3.5

dev-v0.3.6

dev-v0.3.7

dev-v0.3.8

dev-v0.3.9

dev-v0.4.0

dev-v0.4.1

dev-v0.4.10

dev-v0.4.11

dev-v0.4.12

dev-v0.4.13

dev-v0.4.14

dev-v0.4.15

dev-v0.4.16

dev-v0.4.17

dev-v0.4.18

dev-v0.4.19

dev-v0.4.2

dev-v0.4.20

dev-v0.4.21

dev-v0.4.22

dev-v0.4.23

dev-v0.4.24

dev-v0.4.25

dev-v0.4.26

dev-v0.4.3

dev-v0.4.4

dev-v0.4.5

dev-v0.4.6

dev-v0.4.7

dev-v0.4.8

dev-v0.4.9

dev-v1.0.0

dev-v1.0.1

dev-v1.0.10

dev-v1.0.13

dev-v1.0.14

dev-v1.0.15

dev-v1.0.16

dev-v1.0.17

dev-v1.0.18

dev-v1.0.2

dev-v1.0.3

dev-v1.0.4

dev-v1.0.5

dev-v1.0.6

dev-v1.0.7

dev-v1.0.8

dev-v1.0.9

dev-v1.1.0

dev-v1.1.1

dev-v1.1.2

dev-v1.1.3

dev-v1.1.4

dev-v1.1.5

dev-v1.1.6

dev-v1.1.7

dev-v1.2.0

dev-v1.2.1

dev-v1.2.10

dev-v1.2.11

dev-v1.2.12

dev-v1.2.13

dev-v1.2.14

dev-v1.2.15

dev-v1.2.16

dev-v1.2.17

dev-v1.2.18

dev-v1.2.19

dev-v1.2.2

dev-v1.2.20

dev-v1.2.21

dev-v1.2.22

dev-v1.2.23

dev-v1.2.24

dev-v1.2.25

dev-v1.2.26

dev-v1.2.3

dev-v1.2.4

dev-v1.2.5

dev-v1.2.7

dev-v1.2.8

dev-v1.2.9

dev-v1.3.0

dev-v1.3.1

dev-v1.3.10

dev-v1.3.11

dev-v1.3.12

dev-v1.3.13

dev-v1.3.14

dev-v1.3.15

dev-v1.3.16

dev-v1.3.17

dev-v1.3.18

dev-v1.3.19

dev-v1.3.2

dev-v1.3.20

dev-v1.3.21

dev-v1.3.22

dev-v1.3.23

dev-v1.3.24

dev-v1.3.25

dev-v1.3.26

dev-v1.3.27

dev-v1.3.28

dev-v1.3.29

dev-v1.3.3

dev-v1.3.30

dev-v1.3.31

dev-v1.3.32

dev-v1.3.33

dev-v1.3.4

dev-v1.3.5

dev-v1.3.6

dev-v1.3.7

dev-v1.3.9

dev-v1.4.0

dev-v1.4.1

dev-v1.4.10

dev-v1.4.11

dev-v1.4.12

dev-v1.4.2

dev-v1.4.3

dev-v1.4.4

dev-v1.4.5

dev-v1.4.6

dev-v1.4.7

dev-v1.4.8

dev-v1.4.9

dev-v1.5.0

dev-v1.5.1

dev-v1.5.10

dev-v1.5.11

dev-v1.5.12

dev-v1.5.13

dev-v1.5.14

dev-v1.5.15

dev-v1.5.16

dev-v1.5.17

dev-v1.5.18

dev-v1.5.19

dev-v1.5.2

dev-v1.5.20

dev-v1.5.21

dev-v1.5.22

dev-v1.5.23

dev-v1.5.24

dev-v1.5.25

dev-v1.5.26

dev-v1.5.27

dev-v1.5.28

dev-v1.5.29

dev-v1.5.3

dev-v1.5.31

dev-v1.5.32

dev-v1.5.33

dev-v1.5.34

dev-v1.5.35

dev-v1.5.36

dev-v1.5.37

dev-v1.5.38

dev-v1.5.39

dev-v1.5.4

dev-v1.5.40

dev-v1.5.41

dev-v1.5.42

dev-v1.5.43

dev-v1.5.44

dev-v1.5.45

dev-v1.5.46

dev-v1.5.47

dev-v1.5.48

dev-v1.5.49

dev-v1.5.5

dev-v1.5.50

dev-v1.5.51

dev-v1.5.52

dev-v1.5.53

dev-v1.5.54

dev-v1.5.56

dev-v1.5.6

dev-v1.5.7

dev-v1.5.8

dev-v1.5.9

dev-v1.6.0

dev-v1.6.1

dev-v1.6.10

dev-v1.6.11

dev-v1.6.12

dev-v1.6.13

dev-v1.6.14

dev-v1.6.15

dev-v1.6.16

dev-v1.6.17

dev-v1.6.18

dev-v1.6.19

dev-v1.6.2

dev-v1.6.20

dev-v1.6.21

dev-v1.6.22

dev-v1.6.23

dev-v1.6.24

dev-v1.6.25

dev-v1.6.26

dev-v1.6.28

dev-v1.6.29

dev-v1.6.3

dev-v1.6.30

dev-v1.6.31

dev-v1.6.32

dev-v1.6.4

dev-v1.6.5

dev-v1.6.6

dev-v1.6.7

dev-v1.6.8

dev-v1.6.9

dev7.10-ML-DGA-v0.1.0

dev7.10-ML-DGA-v0.1.0.zip

dev7.10-abc-v0.1.0

feb_2025_updates

integration-v0.13.1

integration-v0.13.2

integration-v0.13.3

integration-v0.14.1

integration-v0.14.2

integration-v0.14.3

integration-v0.16.1

integration-v0.16.2

integration-v1.0.1

integration-v1.0.2

integration-v7.16.3

integration-v7.16.4

integration-v7.16.5

integration-v8.1.1

integration-v8.10.1

integration-v8.10.10

integration-v8.10.11

integration-v8.10.12

integration-v8.10.13

integration-v8.10.14

integration-v8.10.15

integration-v8.10.16

integration-v8.10.17

integration-v8.10.18

integration-v8.10.2

integration-v8.10.3

integration-v8.10.4

integration-v8.10.5

integration-v8.10.6

integration-v8.10.7

integration-v8.10.8

integration-v8.10.9

integration-v8.11.1

integration-v8.11.10

integration-v8.11.11

integration-v8.11.12

integration-v8.11.13

integration-v8.11.14

integration-v8.11.15

integration-v8.11.16

integration-v8.11.17

integration-v8.11.18

integration-v8.11.19

integration-v8.11.2

integration-v8.11.20

integration-v8.11.21

32e3c02c4e remove deprecated rule brokensound77 2021-02-17 12:19:36 -09:00
6ce418877f Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12 brokensound77 2021-02-17 12:18:06 -09:00
61deed3fd2 [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948) Justin Ibarra 2021-02-16 10:52:48 -09:00
66be82808c lock versions for rule changes in v7.11.0 (#947) Justin Ibarra 2021-02-16 09:13:38 -09:00
4e6ff388fc [Rule Tuning] Feedback from 7.12 Kibana PR (#942) Justin Ibarra 2021-02-11 13:32:58 -09:00
69f82a77eb bump package version to 7.13 Justin Ibarra 2021-02-10 22:37:55 -09:00
190b4ea67e [Rule Tuning] User Added to Privileged Group in Active Directory (#941) Brent Murphy 2021-02-10 16:41:49 -05:00
250bb4cc27 Add Rule to Detect User creation via Eventlog (#794) Simon 2021-02-10 21:48:33 +01:00
f1788ec6de [New Rule] User Added to Privileged Group in Active Directory (#827) Simon 2021-02-10 20:53:15 +01:00
d57394816f [FR] Index rules from repo to elasticsearch (#932) Justin Ibarra 2021-02-10 10:37:26 -09:00
6e77f5176d [New Rule] auditd login anomalies (#33) Andrew Stucki 2021-02-10 14:24:55 -05:00
17032194d8 [Rule Tuning] Suspicious WerFault Child Process (#915) Austin Songer 2021-02-10 13:17:57 -06:00
2b7b1a6ab0 [Rule Tuning] Persistence via Update Orchestrator Service Hijack (#939) Samirbous 2021-02-10 20:11:45 +01:00
cbe1b66b87 [Rule Tuning] Exclude Windows Error Reporting & Printer Driver (#929) Nic 2021-02-10 11:53:04 -06:00
497ddcbb58 [New Rule] Suspicious Python Script Execution via the CommandLine (#852) Samirbous 2021-02-10 18:37:03 +01:00
f13e9ce0d0 [New Rule] Shell Profile Modification (#878) Samirbous 2021-02-10 17:44:15 +01:00
9421ccfad7 [New Rule] Unusual File Creation - Alternate Data Stream (#902) Brent Murphy 2021-02-10 09:28:25 -05:00
f08312ec7f [New Rule] Disabling User Account Control via Registry (#892) Brent Murphy 2021-02-10 09:11:45 -05:00
c5d6cbc2e4 [New Rule] Potential LSA Authentication Package Abuse (#903) Brent Murphy 2021-02-10 09:00:58 -05:00
142a26a010 [New Rule] Suspicious Adobe Acrobat Updates Service Child Process (#886) Samirbous 2021-02-10 14:08:37 +01:00
58f0bf5998 [Rule Tuning] Attempt to Remove File Quarantine Attribute (#781) Samirbous 2021-02-10 10:45:50 +01:00
7fc5ba1646 [New Rule] Persistence via Cron Tasks (#867) Samirbous 2021-02-10 10:28:22 +01:00
51498f6022 [New Rule] Attempt to Mount an SMB Share via Command-line (#914) Samirbous 2021-02-09 22:08:30 +01:00
a50a65a4d7 [Rule Tuning] Execution with Explicit Credentials via Scripting (#910) Samirbous 2021-02-09 22:06:23 +01:00
7d4bd35bf0 [New Rule] Potential Privileges Escalation via Root Crontab File Modi… (#919) Samirbous 2021-02-09 22:04:14 +01:00
ddddaf37dc [New Rule] Sudo Heap-based Buffer Overflow Vulnerability Attempt (CVE-2021-3156) (#933) Andrew Pease 2021-02-09 15:02:04 -06:00
769ced1001 [New Rule] Privilege Elevation via Sudoers File Modification (#917) Samirbous 2021-02-09 21:58:31 +01:00
424a182383 [New Rule] Dumping Accounts Hashes using Built-In Commands (#908) Samirbous 2021-02-09 21:49:51 +01:00
68f834270d [New Rule] Potential Persistence via Atom Init Script Modification (#906) Samirbous 2021-02-09 21:47:08 +01:00
5ae9347663 [New Rule] Suspicious Calendar File Modification (#880) Samirbous 2021-02-09 21:44:45 +01:00
7c336a0a91 [New Rule] DefenderControl Activity (#769) Andrew Pease 2021-02-09 10:12:54 -06:00
aa2dcd58e7 [New Rule] Persistence via DirectoryService Plugin Modification (#858) Samirbous 2021-02-09 10:59:35 +01:00
cfd42babd1 [New Rule] Enumeration of Users or Groups using Built-In Commands (#848) Samirbous 2021-02-09 10:50:39 +01:00
ffaf689778 [New Rule] Persistence via KDE AutoStart Script or Desktop File Modif… (#809) Samirbous 2021-02-09 10:47:05 +01:00
b8116a5b77 Add GitHub PR rule loader (#670) Justin Ibarra 2021-02-08 21:35:44 -09:00
56dc4745b5 Add export-rules command (#639) Justin Ibarra 2021-02-08 20:43:16 -09:00
e507898dbd [New Rule] Attempt to Disable Gatekeeper (#841) David French 2021-02-08 20:25:04 -07:00
519078c87c [New Rule] Authorization Plugin Modification (#856) Samirbous 2021-02-08 23:14:25 +01:00
2092c70f11 [New Rule] Finder Sync Plugin Enabled (#735) Samirbous 2021-02-08 23:08:49 +01:00
4d68377d1b [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation (#819) Samirbous 2021-02-08 23:04:02 +01:00
fb32679921 [New Rule] Access to SystemKey via Hexdump (#815) Samirbous 2021-02-08 23:02:02 +01:00
2e6b353f5e [New Rule] Potential Reverse Shell Activity via Terminal (#821) Samirbous 2021-02-08 22:57:55 +01:00
6e2d8830e1 [New Rule] Attempt to Install Root Certificate (#850) Samirbous 2021-02-08 22:49:35 +01:00
a08adbf10c [New Rule] Suspicious Launchd Hidden Child Process (#823) Samirbous 2021-02-08 22:43:21 +01:00
55272cc49e [New Rule] EggShell Backdoor Execution (#845) Samirbous 2021-02-08 22:37:15 +01:00
53db78fccc [New Rule] Lateral Movement via Kerberos using Bifrost Console (#843) Samirbous 2021-02-08 22:34:54 +01:00
429a975d14 [New Rule] Keychain Password Retrieval via Commandline (#811) Samirbous 2021-02-08 22:31:16 +01:00
18a4e468ce [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension (#807) Samirbous 2021-02-08 22:22:16 +01:00
64366218c7 adjust risk score (#938) Brent Murphy 2021-02-08 13:15:42 -05:00
6ca381763d [New Rule] Execution with Administrator Privileges via Apple Scripting (#777) Samirbous 2021-02-08 17:39:22 +01:00
ef01430ab0 [Rule Tuning] Compression of Keychain Credentials Directories (#787) Samirbous 2021-02-08 17:31:04 +01:00
79b0a940c5 [New Rule] Attempt to Create a Hidden Local Account (#799) Samirbous 2021-02-08 17:24:56 +01:00
55998ff02a [New Rule] Creation Attempt of a Hidden Login Item via Apple Script (#801) Samirbous 2021-02-08 17:22:01 +01:00
b9a6452001 [New Rule] Attempt to Enable the Root Account (#792) Samirbous 2021-02-08 17:10:43 +01:00
b73564b541 [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783) Samirbous 2021-02-08 16:54:39 +01:00
055c8ec4f7 [New Rule] Potential MacOS Privacy Controls Bypass via TCCDB Modification (#765) Samirbous 2021-02-08 16:48:53 +01:00
8b8cbcf8dd [Rule Tuning] Prompt for Credentials with OSASCRIPT (#759) Samirbous 2021-02-08 16:42:23 +01:00
4cb28adece [New Rule] Sublime Plugin or Application Script Modification (#761) Samirbous 2021-02-08 16:34:44 +01:00
82fe227030 [New Rule] Sensitive Files Compression (#756) Samirbous 2021-02-08 16:31:00 +01:00
99a4aaff58 [New Rule] Modification of the Dynamic Linker Preload Shared Object (#921) Samirbous 2021-02-08 16:11:37 +01:00
02ee8195ab [New Rule] Creation or Modification of Root Certificate (#927) Brent Murphy 2021-02-08 10:01:59 -05:00
0b568e5740 [New Rule] Suspicious JAR Child Process (#887) Brent Murphy 2021-02-08 09:48:48 -05:00
6a61caa84f [New Rule] Suspicious Browser Child Process (#767) Samirbous 2021-02-08 15:06:18 +01:00
732770e855 [New Rule] Potential OpenSSH Backdoor Logging Activity (#749) Samirbous 2021-02-05 21:27:15 +01:00
3fde3930f7 [New Rule] Modification of Standard Authentication Module or Configuration (#745) Samirbous 2021-02-05 21:23:58 +01:00
e2c860693c Repaired merge from PR 876 - RTA docs (#935) Justin Ibarra 2021-02-04 08:34:54 -09:00
4900c9a018 [New Rule] Potential Office Sandbox Evasion via ZIP File (#834) Samirbous 2021-02-04 16:47:58 +01:00
a8931a927c [New Rule] Safari Settings Modification using Defaults Command (#861) Samirbous 2021-02-04 16:38:56 +01:00
6e59996fd0 [New Rule] Access to Browsers Credential Files (#789) Samirbous 2021-02-04 16:34:49 +01:00
bec5211814 [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod (#875) Samirbous 2021-02-04 16:29:53 +01:00
236c630c90 [Rule Tuning] Update rules using case sensitive wildcard function (#904) Brent Murphy 2021-02-04 10:23:32 -05:00
37ccdad0ee [New Rule] Virtual Private Network Connection Attempt (#912) Samirbous 2021-02-03 18:18:09 +01:00
8878104f54 [New Rule] Potential Persistence via Periodic Tasks (#898) Samirbous 2021-02-03 18:15:25 +01:00
d733971e99 [New Rule] SoftwareUpdate Preferences Modification (#869) Samirbous 2021-02-03 18:12:37 +01:00
4a5085ee54 [Rule Tuning] Sudoers File Modification (#873) Samirbous 2021-02-03 17:57:40 +01:00
b1a8292462 [New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy (#830) Samirbous 2021-02-03 17:54:15 +01:00
ffe8e5bfc5 [Rule Tuning] Update file.name to dll.name for Library events (#893) Brent Murphy 2021-02-03 11:09:29 -05:00
fdf9384e4d [Rule Tuning] Execution from Unusual Directory - Command Line (#837) Brent Murphy 2021-02-03 10:54:19 -05:00
fd05341e70 [New Rule] Potential Port Monitor or Print Processor Registration Abuse (#901) Brent Murphy 2021-02-01 16:24:49 -05:00
326bebdebe [New Rule] Execution via Electron Child Process Node.js Module (#817) Samirbous 2021-01-29 19:06:49 +01:00
ad514eaeab [New Rule] Attempt to Add an Account to the Admin Group (#803) Samirbous 2021-01-29 19:03:17 +01:00
cd3f72cf15 [New Rule] Creation of a Hidden Launch Agent or Daemon (#797) Samirbous 2021-01-29 19:01:15 +01:00
a5ded6513c [New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805) Samirbous 2021-01-29 18:58:14 +01:00
acff6a3a5d [New Rule] 2 Rules for Persistence via Emond (#832) Samirbous 2021-01-29 09:16:27 +01:00
a0e86e20d6 [Rule Tuning] Add windows integration index to rules (#923) Justin Ibarra 2021-01-28 20:53:57 -09:00
70ca87138f [New Rule] Execution of COM object via Xwizard (#896) Brent Murphy 2021-01-28 16:58:19 -05:00
06d352d59e Merge pull request #924 from brokensound77/mergeback/7.11-to-main Justin Ibarra 2021-01-28 11:46:37 -09:00
ec4c9e77a2 Update revoked technique brokensound77 2021-01-28 11:03:17 -09:00
bf32dec5a4 Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main brokensound77 2021-01-28 10:41:39 -09:00
288dbd7a84 lock versions file for 7.11 brokensound77 2021-01-28 10:36:46 -09:00
1d77932434 [New Rule] Suspicious MacOS MS Office Child Process (#779) Samirbous 2021-01-28 19:55:31 +01:00
c18c5a493a [New Rule] Dumping of Keychain Content via Security Command (#785) Samirbous 2021-01-28 19:50:41 +01:00
3fc4aaec0f [New Rule] Modification of OpenSSH Binaries (#747) Samirbous 2021-01-28 19:46:30 +01:00
d0ceb8cc4e [New Rule] SIP Provider Modification (#891) Brent Murphy 2021-01-28 09:18:19 -05:00
485c6214fa [New Rule] Environment Variable Modification using Launchctl (#865) Samirbous 2021-01-26 21:41:30 +01:00
6029783721 [New Rule] Security Software Discovery using Grep (#743) Samirbous 2021-01-26 19:57:26 +01:00
b4cb953aa4 [New Rule] Script Execution via Automator Workflows (#763) Samirbous 2021-01-26 09:07:39 +01:00
5d9c031c8b [New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775) Samirbous 2021-01-26 08:50:28 +01:00
ebf365693e [Rule Tuning] Deletion of Bash Command Line History (#752) Samirbous 2021-01-26 08:48:06 +01:00
440a7fbdee [New Rule] SSH Authorized Keys File Modification (#754) Samirbous 2021-01-26 08:45:38 +01:00

... 45 46 47 48 49 ...