Commit Graph

  • e71398e2ad [Bug] Fix Kibana client login to work with 7.10 (#404) Justin Ibarra 2020-10-27 07:25:48 +01:00
  • 442b31bd2f Update packages.yml Justin Ibarra 2020-10-26 12:07:34 -08:00
  • 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) seth-goodwin 2020-10-26 13:50:45 -05:00
  • 2e422f7159 [Rule Tuning] Minor Rule Tweaks for 7.10 (#400) Brent Murphy 2020-10-22 09:07:04 -04:00
  • 0a992d716a [Rule Tuning] Update EQL rules for 7.10 (#399) Justin Ibarra 2020-10-21 22:35:18 +02:00
  • fd2d36573d Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364) Justin Ibarra 2020-10-21 01:22:02 +02:00
  • d3226c72c9 Add test for tactic in rule filename (#398) Justin Ibarra 2020-10-21 00:48:33 +02:00
  • 60b3d47efd Add kibana-upload --space option (#251) Stijn Holzhauer 2020-10-08 20:21:54 +02:00
  • 758e4a2c5b Add unit tests for rule tags (#359) Justin Ibarra 2020-10-08 05:29:19 +02:00
  • bd680a2bd4 Re-organize commands under more specific click groups (#356) Justin Ibarra 2020-10-07 22:15:33 +02:00
  • f34c96f4dc [Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355) Kevin Logan 2020-10-05 13:55:15 -04:00
  • 0b745c5492 [New Rule] Zoom Meeting with no Passcode (#292) Andrew Pease 2020-10-01 00:44:45 -05:00
  • bf202b6b6c [New Rule] Initial converted EQL rules (#304) Justin Ibarra 2020-10-01 00:40:55 -05:00
  • 2460333595 [Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351) Justin Ibarra 2020-09-30 19:16:04 -05:00
  • d094c76534 [New Rule] Suspicious Zoom ChildProcess (#245) Samirbous 2020-10-01 01:46:33 +02:00
  • 5ba848552a [New Rule] Post Exploitation Public IP Reconnaissance (#270) Andrew Pease 2020-09-30 18:36:22 -05:00
  • e753162fe2 [New Rule] Detecting Unsecure Elasticsearch Nodes (#109) Andrew Pease 2020-09-30 18:34:38 -05:00
  • 1a260536d4 [New Rule] RAR and PowerShell Downloaded from the Internet (#30) Andrew Pease 2020-09-30 18:32:44 -05:00
  • faeac00465 [New Rule] Possible FIN7 Command and Control Behavior (#28) Andrew Pease 2020-09-30 18:26:13 -05:00
  • d68e4ac7f0 [New Rule] Hosts File Modified (#25) Andrew Pease 2020-09-30 18:24:07 -05:00
  • 1620559f1f [New Rule] Halfbaked C2 Beacon (#23) Andrew Pease 2020-09-30 18:21:33 -05:00
  • 8caf897a73 [New Rule] Cobalt Strike Beacon (#21) Andrew Pease 2020-09-30 17:58:24 -05:00
  • 7c1e9c1ed5 Update package summary extras produced during package generation (#341) Justin Ibarra 2020-09-30 17:43:45 -05:00
  • 83fb9bdf93 [Rule Tuning] Update event.code to category (#349) Brent Murphy 2020-09-30 18:34:58 -04:00
  • cbf465ba01 [New Rule] Kerberos dump using kcc command (#139) Samirbous 2020-09-30 23:03:44 +02:00
  • a212008f8c [Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342) Justin Ibarra 2020-09-30 12:41:33 -05:00
  • aecf355582 Refresh beats schema for validation to 7.9.2 (#347) Justin Ibarra 2020-09-30 12:35:13 -05:00
  • fa12340ff0 [Bug fix] Add missing parenthesis for -kibana-url shravaka 2020-09-30 17:32:43 +02:00
  • f15d179a50 [New Rule] - Credential Access - Domain DPAPI Backup key (#125) Samirbous 2020-09-29 21:14:07 +02:00
  • c6519a2474 [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity (#146) Samirbous 2020-09-29 21:11:43 +02:00
  • cccd91bc1a [New Rule] - Persistence via Update Orchestrator Service Hijack (#152) Samirbous 2020-09-29 18:53:05 +02:00
  • 3ec2d92b42 [New Rule] - Potential Secure File Deletion using SDelete utility (#162) Samirbous 2020-09-29 18:46:29 +02:00
  • 206d666e7e [New Rule] Microsoft IIS Connection Strings Decryption (#165) Samirbous 2020-09-29 11:45:41 +02:00
  • a679207413 [New Rule] - Defense Evasion IIS HttpLogging Disabled (#142) Samirbous 2020-09-29 11:39:04 +02:00
  • 53484de986 [New Rule] - Creation of a new GPO Scheduled Task or Service (#126) Samirbous 2020-09-29 10:54:24 +02:00
  • 269925ae2e [New Rule] - MacOS Keychains compression (#136) Samirbous 2020-09-29 10:23:43 +02:00
  • 60adbbbb70 [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148) Samirbous 2020-09-29 10:17:36 +02:00
  • fc3dcdf133 [New Rule] Unusual CommandShell Parent Process (#202) Samirbous 2020-09-28 23:15:26 +02:00
  • a7dee682cc Add Tags to Unusual Sudo Activity Rule (#340) Craig Chamberlain 2020-09-28 16:07:41 -04:00
  • 8a5e0dd441 [New Rule] AWS Management Console Attempted Root Login Brute Force (#88) Brent Murphy 2020-09-28 13:37:22 -04:00
  • 0affb48b07 [New Rule] Unusual User Calling the Metadata Service [Linux] (#327) Craig Chamberlain 2020-09-28 12:13:06 -04:00
  • 746c175669 [New Rule] Unusual User Calling the Metadata Service [Windows] (#328) Craig Chamberlain 2020-09-28 12:09:14 -04:00
  • 7857787328 [New Rule] Azure Global Administrator Role Addition to PIM User (#336) Brent Murphy 2020-09-28 10:45:59 -04:00
  • 3c0d982d8f [Rule Tuning] Mknod Process Activity (#276) Justin Ibarra 2020-09-24 16:27:16 -05:00
  • 652b2c5e44 [New Rule] GCP Logging Sink Deletion (#306) Brent Murphy 2020-09-24 17:19:27 -04:00
  • 4473f6d8f3 [New Rule] Unusual Sudo Activity (#263) Craig Chamberlain 2020-09-24 14:55:33 -04:00
  • 17e3d83b29 [New Rule] GCP Pub/Sub Subscription Deletion (#334) Brent Murphy 2020-09-24 13:21:28 -04:00
  • 367d870654 [New Rule] GCP Logging Bucket Deletion (#308) Brent Murphy 2020-09-24 13:14:18 -04:00
  • 21d19863e2 [New Rule] GCP Pub/Sub Topic Deletion (#307) Brent Murphy 2020-09-24 13:09:50 -04:00
  • 95877f7879 [Rule Tuning] Update event.category for Azure rules (#335) Brent Murphy 2020-09-24 12:45:25 -04:00
  • e34a969cd3 Create collection_gcp_pub_sub_subscription_creation.toml (#332) Brent Murphy 2020-09-24 12:08:49 -04:00
  • bd2ec8a194 [New Rule] GCP Virtual Private Cloud Route Created (#326) David French 2020-09-24 09:47:21 -06:00
  • df19db4f67 [New Rule] GCP Virtual Private Cloud Network Deleted (#325) David French 2020-09-24 09:44:48 -06:00
  • de85f483a4 [New Rule] GCP Virtual Private Cloud Route Deleted (#324) David French 2020-09-24 09:31:48 -06:00
  • de6f326c72 [New Rule] GCP Storage Bucket Configuration Modified (#322) David French 2020-09-24 09:29:53 -06:00
  • 01c904f2dd [New Rule] GCP Firewall Rule Created (#312) David French 2020-09-24 09:27:41 -06:00
  • 6e61be64b2 Create impact_gcp_service_account_disabled.toml (#320) David French 2020-09-24 09:23:10 -06:00
  • 586cf69ec6 [New Rule] GCP Service Account Deleted (#319) David French 2020-09-24 09:21:29 -06:00
  • 142ad038c2 [New Rule] GCP Service Account Created (#318) David French 2020-09-24 09:19:14 -06:00
  • be4b5bb1c1 [New Rule] GCP Storage Bucket Deleted (#315) David French 2020-09-24 09:17:52 -06:00
  • 2b4044081e [New Rule] GCP Key Created for Service Account (#314) David French 2020-09-24 09:16:18 -06:00
  • bda33a559b [New Rule] GCP Storage Bucket Permissions Modified (#313) David French 2020-09-24 09:14:13 -06:00
  • e6326afd5d Create collection_gcp_pub_sub_topic_creation.toml (#331) Brent Murphy 2020-09-24 11:12:59 -04:00
  • 93f57b22f7 [New Rule] GCP Firewall Rule Modified (#311) David French 2020-09-24 09:06:19 -06:00
  • 369d4f4a85 [New Rule] GCP Firewall Rule Deleted (#310) David French 2020-09-24 09:03:55 -06:00
  • 968a3b4406 Create impact_gcp_iam_role_deltion.toml (#329) Brent Murphy 2020-09-24 10:51:10 -04:00
  • 275433596d Create exfiltration_gcp_logging_sink_modification.toml (#317) Brent Murphy 2020-09-24 10:32:10 -04:00
  • eef4f54dba Create initial_access_gcp_iam_custom_role_creation.toml (#316) Brent Murphy 2020-09-24 10:19:40 -04:00
  • 56fc99f152 [New Rule] GCP IAM Service Account Key Deletion (#309) Brent Murphy 2020-09-24 10:15:15 -04:00
  • e39d857a11 [New Rule] Unusual Linux System Network Configuration Discovery (#265) Craig Chamberlain 2020-09-24 09:07:34 -04:00
  • 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330) Justin Ibarra 2020-09-24 01:03:29 -05:00
  • 6ad3344af3 Collect unique query fields per rule (#296) Justin Ibarra 2020-09-23 17:36:34 -05:00
  • 1e43896cf1 [New Rule] Unusual Process Calling the Metadata Service [Windows] (#323) Craig Chamberlain 2020-09-23 15:50:43 -04:00
  • dd65dad9dc [New Rule] Unusual Process Calling the Metadata Service [Linux] (#321) Craig Chamberlain 2020-09-23 15:29:48 -04:00
  • 87e1c92011 [New Rule] Unusual System Virtual Process Child Program (#181) Samirbous 2020-09-22 22:45:50 +02:00
  • 431dcc17a4 [New Rule] Remote File Download via Desktopimgdownldr Utility (#249) Samirbous 2020-09-22 22:41:26 +02:00
  • 9d884b6452 [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs (#253) Samirbous 2020-09-22 22:39:35 +02:00
  • baefaeeaff [New Rule] Unusual Linux Network Connection Discovery (#266) Craig Chamberlain 2020-09-22 16:27:17 -04:00
  • f1f88e3b3a [New Rule] Unusual Linux System Information Discovery Activity (#264) Craig Chamberlain 2020-09-22 16:25:59 -04:00
  • 92633ed51a [New Rule] Anomalous Linux Compiler Activity (#262) Craig Chamberlain 2020-09-22 16:24:32 -04:00
  • 8e2d4cbfc8 [New Rule] Unusual Linux System Owner or User Discovery Activity (#267) Craig Chamberlain 2020-09-22 16:22:41 -04:00
  • 0a0c5986c5 [New Rule] Anomalous Kernel Module Activity (#257) Craig Chamberlain 2020-09-22 16:18:51 -04:00
  • 14a62ae93f [New Rule] Unusual Linux Process Discovery Activity (#261) Craig Chamberlain 2020-09-22 16:15:36 -04:00
  • cedb2e1289 [New Rule] Azure Conditional Access Policy Modified (#237) David French 2020-09-22 09:28:32 -06:00
  • 11145ffb7f [New Rule] Possible Consent Grant Attack via Azure-Registered Application (#236) David French 2020-09-22 08:30:34 -06:00
  • e2a0172d7d [New Rule] Remote File Download via MpCmdRun (#247) Samirbous 2020-09-22 14:44:48 +02:00
  • f750b89201 [New Rule] Remote File Copy via TeamViewer (#241) Samirbous 2020-09-22 14:43:32 +02:00
  • c2e95a35dc [New Rule] Evasion via Renamed AutoIt Scripts Interpreter (#234) Samirbous 2020-09-22 14:39:04 +02:00
  • 4948582d7c [New Rule] Mimikatz Memssp Logs File Detected (#228) Samirbous 2020-09-22 14:37:40 +02:00
  • 69b2f9f645 [New Rule] Code Injection - Suspicious Conhost Child Process (#226) Samirbous 2020-09-22 14:35:56 +02:00
  • d43f814c19 [New Rule] Suspicious Elastic Endpoint Parent Process (#214) Samirbous 2020-09-22 14:34:11 +02:00
  • 42247efc3b [New Rule] Suspicious WerFault Child Process (#212) Samirbous 2020-09-22 14:32:04 +02:00
  • 96992b3ae6 [New Rule] Potential Process Masquerading as WerFault (#210) Samirbous 2020-09-22 14:30:34 +02:00
  • 52b6657d09 [New Rule] Suspicious .Net Compiler Parent Process (#208) Samirbous 2020-09-22 14:28:41 +02:00
  • ae13adf0a9 [New Rule] Suspicious managed code hosting process (#204) Samirbous 2020-09-22 14:27:03 +02:00
  • 3890a90135 [Rule Tuning] Unusual Parent-Child Relationship (#185) Samirbous 2020-09-22 14:25:27 +02:00
  • 601a5a1e5b [New Rule] - Executable File Created by a System Critical Process (#183) Samirbous 2020-09-22 14:23:37 +02:00
  • 3e67e8fada [New Rule] Remote SSH Login Enabled (#172) Samirbous 2020-09-22 14:21:20 +02:00
  • 2ce8c2833f [New Rule] Microsoft IIS Service Account Password Dumped (#167) Samirbous 2020-09-22 13:58:57 +02:00
  • ff097719af [New Rule] UAC Bypass via DiskCleanup Task Hijack (#160) Samirbous 2020-09-22 13:57:37 +02:00