Commit Graph

  • 844a56b125 [New Rule] Execution with Explicit Credentials via Apple Scripting (#689) Samirbous 2020-12-08 11:57:52 +01:00
  • f756619478 [New Rule] Persistence via Folder Action Script (#685) Samirbous 2020-12-08 11:51:52 +01:00
  • b8243f3739 [New Rule] Shell Execution via Apple Scripting (#687) Samirbous 2020-12-08 11:45:39 +01:00
  • 3f8a7573f7 [New Rule] Remotely Started Services (#542) Samirbous 2020-12-08 11:31:03 +01:00
  • 0f17ad6839 [New Rule] Incoming Execution with WinRM Remote Shell (#616) Samirbous 2020-12-08 11:28:37 +01:00
  • b477255abe [New Rule] Potential DNS Tunneling with Nslookup (#522) Samirbous 2020-12-07 20:16:17 +01:00
  • 6c37d5c6b4 [New Rule] Potential ProcessHerpaderping Detected (#418) Samirbous 2020-12-07 20:08:12 +01:00
  • af85c27142 [New Rule] Peripheral Device Discovery (#446) Samirbous 2020-12-04 20:55:19 +01:00
  • 9460618129 [New Rule] Incoming DCOM Lateral Movement with MSHTA (#459) Samirbous 2020-12-04 20:49:54 +01:00
  • 86b1a56c1b [New Rule] Attempts to Brute Force a Microsoft 365 User Account (#662) Brent Murphy 2020-12-04 12:40:09 -05:00
  • 181bbcb8c9 [New Rule] Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindow (#486) Samirbous 2020-12-04 17:37:31 +01:00
  • da949b0051 [New Rule] Potential SSH Bruteforce Detected (#538) Samirbous 2020-12-04 17:18:03 +01:00
  • 5c1229cc63 [New Rule] Suspicious Service ImagePath Created (#603) Samirbous 2020-12-04 17:14:54 +01:00
  • 7775515b55 [New Rule] Privilege Escalation via Named Pipe Impersonation (#605) Samirbous 2020-12-04 17:05:30 +01:00
  • c7d7bd7fdd [New Rule] Suspicious PowerShell Engine ImageLoad (#559) Samirbous 2020-12-04 16:48:01 +01:00
  • 0eacf484a0 [New Rule] Scheduled Task Created by a Windows Script (#649) Samirbous 2020-12-03 23:10:51 +01:00
  • 41dd58b151 [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655) Samirbous 2020-12-03 22:59:46 +01:00
  • 11041e0012 [New Rule] UAC Bypass via privileged IFileOperation (#416) Samirbous 2020-12-03 20:43:57 +01:00
  • 54b926a7bf [Rule Tuning] Process Potentially Masquerading as WerFault (#653) Samirbous 2020-12-03 20:26:37 +01:00
  • 4b6ad77338 [Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667) Justin Ibarra 2020-12-03 11:00:24 +01:00
  • 3ac232085b [New Rule] Remote Desktop Enabled in Windows Firewall (#368) Samirbous 2020-12-02 21:27:18 +01:00
  • 30cded7a2d [New Rule] Lateral Movement via Startup Folder (#663) Samirbous 2020-12-02 21:22:43 +01:00
  • 3deff0eeb8 [New Rule] Remote Execution via File Shares (#455) Samirbous 2020-12-02 21:20:13 +01:00
  • e03f775789 [New Rule] Lateral Executable Transfer Over SMB (#517) Samirbous 2020-12-02 21:03:31 +01:00
  • e6645a8be9 [Rule Tuning] Clearing or Disabling Windows Event Logs (#393) Samirbous 2020-12-02 20:35:35 +01:00
  • db2d17ccb2 [New Rule] Credential Acquisition via Registry Hive Dumping (#607) Samirbous 2020-12-02 20:31:22 +01:00
  • f23881f1b8 [New Rule] Microsoft 365 Exchange DLP Policy Removed (#600) Brent Murphy 2020-12-02 14:18:11 -05:00
  • 427012ed32 [New Rule] Microsoft 365 Exchange Management Group Role Assignment (#599) Brent Murphy 2020-12-02 14:11:33 -05:00
  • ec4cd98ce8 [Rule Tuning] Rebrand Office 365 to Microsoft 365 (#669) Brent Murphy 2020-12-02 14:04:48 -05:00
  • 366e5002e1 [FR] Add experimental ML DGA CLI support (#361) Justin Ibarra 2020-12-02 08:25:33 +01:00
  • 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) Justin Ibarra 2020-12-01 23:24:20 +01:00
  • ee82ada716 [Rule Tuning] Update IP Address Ranges in Multiple Rules (#576) David French 2020-12-01 12:38:47 -08:00
  • dc9c63d043 [New Rule] Unusual Svchost ChildProc - ChildLess Services (#370) Samirbous 2020-12-01 20:30:03 +01:00
  • 61fe8a59ff [New Rule] WebServer Access Logs Deleted (#457) Samirbous 2020-12-01 10:48:55 +01:00
  • 0fe12d2528 [New Rule] Suspicious Explorer Child Process (#430) Samirbous 2020-12-01 00:00:40 +01:00
  • 710f4bda10 Add file.extension to SxS .local rule Ross Wolf 2020-11-30 15:26:28 -07:00
  • 2465a70dac [New Rule] Execution via local SxS Shared Module (#424) Samirbous 2020-11-30 23:24:44 +01:00
  • 7138b01001 [New Rule] Potential Command and Control via IEXPLORE (#645) Samirbous 2020-11-30 21:13:30 +01:00
  • 14ef24e9dd [New Rule] Command shell activity started via rundll32 (#391) Samirbous 2020-11-30 21:02:57 +01:00
  • 52183d78a2 [New Rule] Persistence via Microsoft Outlook VBA (#611) Samirbous 2020-11-30 20:57:36 +01:00
  • ba0cc7a055 [New Rule] UAC Bypass via Elevated COM Interface - IEditionUpgradeManager (#422) Samirbous 2020-11-30 20:26:07 +01:00
  • d0ba03230a [Rule Tuning] Unusual File Modification by dns.exe (#472) Justin Ibarra 2020-11-30 18:22:27 +01:00
  • 310f480027 [New Rule] O365 Exchange Safe Attachment Rule Disabled (#593) Brent Murphy 2020-11-30 12:06:42 -05:00
  • ba52c3d426 [New Rule] O365 Exchange Transport Rule Modification (#592) Brent Murphy 2020-11-30 11:57:48 -05:00
  • 3751095897 [New Rule] O365 Exchange Malware Filter Rule Modification (#590) Brent Murphy 2020-11-30 11:46:58 -05:00
  • a5960851c0 [New Rule] O365 Exchange Malware Filter Policy Deletion (#589) Brent Murphy 2020-11-30 11:39:25 -05:00
  • bd6be63d88 [New Rule] O365 Exchange Anti-Phish Rule Modification (#586) Brent Murphy 2020-11-30 11:25:20 -05:00
  • 76ec49f764 [New Rule] O365 Exchange Anti-Phish Policy Deletion (#585) Brent Murphy 2020-11-30 11:19:17 -05:00
  • 6b280fe7ed [New Rule] O365 Exchange Transport Rule Creation (#579) Brent Murphy 2020-11-30 11:09:30 -05:00
  • b21d32acf4 [New Rule] O365 Exchange Safe Link Policy Disabled (#577) Brent Murphy 2020-11-30 10:52:33 -05:00
  • 33e731416d Add badges to README.md (#596) David French 2020-11-30 06:14:08 -08:00
  • 8f8e310377 Bump EQL dependency to 0.9.6 (#625) Ross Wolf 2020-11-24 12:37:31 -07:00
  • 625b0ec771 [New Rule] Suspicious WMI Image Load from MS Office (#551) dstepanic17 2020-11-20 06:34:02 -08:00
  • 517ee0dc03 image-load-sched-task-ms-office (#566) dstepanic17 2020-11-20 05:28:16 -08:00
  • 1ebdcc8248 [New Rule] Suspicious RDP ActiveX Client Loaded (#588) Samirbous 2020-11-20 10:43:12 +01:00
  • 9d2a74ea1b [New Rule] Connection to Commonly Abused Web Services (#476) Samirbous 2020-11-18 23:38:09 +01:00
  • 161ea402fe [New Rule] Kerberos Traffic from Unusual Process (#448) Samirbous 2020-11-18 22:07:49 +01:00
  • 3e7be55a24 [New Rule] UAC Bypass via Windows Firewall Snap-in Hijack (#376) Samirbous 2020-11-18 20:36:59 +01:00
  • 75ed0f8f92 [New Rule] UAC Bypass via ICMLuaUtil Elevated COM interface (#383) Samirbous 2020-11-18 20:34:10 +01:00
  • 14270a5614 [New Rule] Persistence via MS Office Addins (#381) Samirbous 2020-11-18 20:27:01 +01:00
  • 8f6eba8986 Tune metadata in Okta rules to align with the style of other rules (#491) David French 2020-11-18 09:59:11 -07:00
  • a05f160159 [New Rule] Application Added to Google Workspace Domain (#564) David French 2020-11-18 09:23:15 -07:00
  • dd8c276e42 Create google_workspace_mfa_enforcement_disabled.toml (#563) David French 2020-11-18 09:20:31 -07:00
  • 4425bbf436 Create domain_added_to_google_workspace_trusted_domains.toml (#562) David French 2020-11-18 09:17:48 -07:00
  • 56bc91cc70 Create google_workspace_admin_role_deletion.toml (#561) David French 2020-11-18 09:15:53 -07:00
  • 10d4e5d8c9 [New Rule] Google Workspace Role Modified (#556) David French 2020-11-18 09:13:44 -07:00
  • acf8102607 Create persistence_google_workspace_custom_admin_role_created.toml (#555) David French 2020-11-18 09:10:50 -07:00
  • 72fee8d16f Create persistence_google_workspace_admin_role_assigned_to_user.toml (#554) David French 2020-11-18 09:07:39 -07:00
  • 78b8d5c761 new-rule-mfa-disabled-for-google-workspace-organization (#553) David French 2020-11-18 09:05:07 -07:00
  • 6aca322cfd [New Rule] Google Workspace Password Policy Modified (#552) David French 2020-11-18 09:02:59 -07:00
  • f11e9f8302 [New Rule] Administrator Role Assigned to Okta User (#489) David French 2020-11-18 08:59:23 -07:00
  • eb487f9433 [New Rule] Timestomping using Touch Command (#463) ML-experimental-detections-20201118-1 ML-DGA-20201118-1 Samirbous 2020-11-17 23:29:47 +01:00
  • ad4a2ef0eb Add test commands to search and survey rule hits (#485) Justin Ibarra 2020-11-17 23:08:00 +01:00
  • abea5d0779 [New Rule] Prompt for Credentials with OSASCRIPT (#540) Samirbous 2020-11-17 22:25:40 +01:00
  • 4547ee3750 [New Rule] Suspicious Execution - Short Program Name (#536) Samirbous 2020-11-17 21:27:37 +01:00
  • 4741f70fad [New Rule] Potential Remote Desktop Tunneling Detected (#374) Samirbous 2020-11-17 21:25:48 +01:00
  • 14e36c2693 [New Rule] Security Software Discovery using WMIC (#387) Samirbous 2020-11-17 21:23:28 +01:00
  • ba4b8bc3e3 [New Rule] UAC Bypass via Elevated COM IEinstall (#450) Samirbous 2020-11-17 21:21:15 +01:00
  • 3af915ff49 [New Rule] Suspicious Cmd Execution via WMI (#389) Samirbous 2020-11-17 21:19:30 +01:00
  • 9d3395f9e3 Create okta_attempt_to_delete_okta_application.toml (#497) David French 2020-11-17 08:53:59 -07:00
  • 58e54f40e3 Create okta_attempt_to_deactivate_okta_application.toml (#496) David French 2020-11-17 08:51:51 -07:00
  • 768069a8bc [New Rule] Attempt to Modify an Okta Application (#495) David French 2020-11-17 08:49:02 -07:00
  • 88b8bca929 Create persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml (#530) David French 2020-11-17 08:44:37 -07:00
  • 0573def41c Merge pull request #528 from brokensound77/mergeback/7.10-to-main Justin Ibarra 2020-11-12 20:49:04 +01:00
  • 00f8f83a25 Merge branch 'main' into mergeback/7.10-to-main Justin Ibarra 2020-11-12 20:28:42 +01:00
  • b91203233d Link to the Elastic contributor program (#520) Ross Wolf 2020-11-12 07:02:18 -07:00
  • 75d37e9271 Merge remote-tracking branch 'upstream/main' into mergeback/7.10-to-main brokensound77 2020-11-12 00:59:31 -09:00
  • 123d523cf0 lock version changes for 7.10 brokensound77 2020-11-12 00:52:44 -09:00
  • 8ca32f1423 Fix ClientError (NoneType) suffix Ross Wolf 2020-11-09 11:08:36 -07:00
  • f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) Justin Ibarra 2020-11-03 19:51:53 +01:00
  • da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) Justin Ibarra 2020-11-03 00:12:20 +01:00
  • 9838d3d2f7 [Rule Tuning] Remove duplicate rules after EQL conversion (#436) Brent Murphy 2020-10-30 15:49:28 -04:00
  • 3b597bdb72 fix auth args in get_es_client ML-experimental-detections-20201028-1 ML-DGA-20201111-3 ML-DGA-20201111-2 ML-DGA-20201111-1 Justin Ibarra 2020-10-30 09:19:50 -08:00
  • 3827d01a65 fix bugs in es client retrieval Justin Ibarra 2020-10-29 21:20:49 -08:00
  • a575cf9ff3 [Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431) Justin Ibarra 2020-10-29 20:06:24 +01:00
  • fda1e7ef94 Bump zoom rule to production (#427) Justin Ibarra 2020-10-29 20:02:29 +01:00
  • 0d3c35886c Remove connection type from endpoint network rules (#426) Justin Ibarra 2020-10-28 21:35:34 +01:00
  • 7da343e89f Fix kibana upload command (#425) Ross Wolf 2020-10-28 10:16:36 -06:00
  • a0a8d63baf Merge branch '7.10' into main Ross Wolf 2020-10-28 09:40:15 -06:00
  • 580db2c13e Add timeline_id to detection rules (#95) Derek Ditch 2020-10-27 13:34:16 -05:00