sigma-rules/rules/_deprecated at 024d45bd56ca4957c3b54f37ea8e06d1aa79e082 - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092 )

* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

2023-10-23 16:28:58 +02:00

..

apm_null_user_agent.toml

[Rule Deprecation] Web Application Suspicious Activity: No User Agent (#2295 )

2022-09-19 10:56:03 -07:00

command_and_control_connection_attempt_by_non_ssh_root_session.toml

[Rule Tuning] Some Tunings of several 8.9 rules (#2985 )

2023-08-03 15:25:33 +02:00

command_and_control_dns_directly_to_the_internet.toml

[Deprecation rule] DNS Activity to the Internet (#2221 )

2022-08-02 20:59:35 -05:00

command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_linux_iodine_activity.toml

[Rule Tuning] Linux Rules (#3092 )

2023-10-23 16:28:58 +02:00

command_and_control_port_8000_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_proxy_port_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_smtp_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_sql_server_port_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_ssh_secure_shell_from_the_internet.toml

[Rule Tuning] Rule description tweaks (#1388 )

2021-07-29 10:56:13 -08:00

command_and_control_ssh_secure_shell_to_the_internet.toml

[Rule Tuning] Rule description tweaks (#1388 )

2021-07-29 10:56:13 -08:00

command_and_control_tor_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

credential_access_potential_linux_ssh_bruteforce_root.toml

DR Linux Rule Tuning 8.9 (#2859 )

2023-07-10 20:02:42 +05:30

credential_access_tcpdump_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

defense_evasion_attempt_to_disable_iptables_or_firewall.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

defense_evasion_base64_encoding_or_decoding_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

defense_evasion_code_injection_conhost.toml

Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 )

2023-01-09 10:44:54 -05:00

defense_evasion_execution_via_trusted_developer_utilities.toml

[Deprecation] Trusted Developer Application Usage (#1118 )

2021-04-15 22:15:38 +02:00

defense_evasion_hex_encoding_or_decoding_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

defense_evasion_ld_preload_env_variable_process_injection.toml

[Rule Tuning] Linux Rules (#3092 )

2023-10-23 16:28:58 +02:00

defense_evasion_mshta_making_network_connections.toml

Add test for improper rule demotion (released production -> development) (#1555 )

2021-10-19 21:47:36 -08:00

defense_evasion_whitespace_padding_in_command_line.toml

Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 )

2023-01-09 10:44:54 -05:00

discovery_file_dir_discovery.toml

Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 )

2023-01-09 10:44:54 -05:00

discovery_process_discovery_via_tasklist_command.toml

[Deprecation] Process Discovery via Tasklist (#1116 )

2021-04-15 22:18:56 +02:00

discovery_query_registry_via_reg.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

discovery_whoami_commmand.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

execution_apt_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_awk_binary_shell.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_busybox_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_c89_c99_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_command_shell_started_by_powershell.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

execution_cpulimit_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_crash_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_env_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_expect_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_find_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_flock_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_gcc_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_linux_process_started_in_temp_directory.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

execution_mysql_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_reverse_shell_via_named_pipe.toml

[New Rules] Linux Reverse Shells (#2905 )

2023-07-06 15:27:57 +02:00

execution_ssh_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_vi_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_via_net_com_assemblies.toml

[Rule Tuning] Merge and Delete duplicate rules for Registration Utilities (#1028 )

2021-03-19 10:05:09 +01:00

exfiltration_rds_snapshot_export.toml

[Bug] Tighten definitions validation patterns (#1396 )

2021-10-26 10:26:20 -05:00

initial_access_login_failures.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

initial_access_login_location.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

initial_access_login_sessions.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

initial_access_login_time.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

initial_access_rdp_remote_desktop_protocol_to_the_internet.toml

[Rule Tuning] Rule description tweaks (#1388 )

2021-07-29 10:56:13 -08:00

linux_mknod_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

linux_nmap_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

linux_socat_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

persistence_cron_jobs_creation_and_runtime.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml

deprecate 'Google Workspace User Group Access Modified to Allow External Access' (#2576 )

2023-03-02 11:29:14 -05:00

persistence_kernel_module_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

persistence_shell_activity_by_web_server.toml

[Rule Tuning] Potential Shell via Web Server (#2585 )

2023-05-05 09:47:49 +02:00

privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

[Deprecation] GCP Kubernetes Rolebindings Created or Patched (#2340 )

2022-11-09 12:51:52 -05:00

privilege_escalation_krbrelayup_suspicious_logon.toml

[Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209 )

2022-08-01 18:28:26 +02:00

privilege_escalation_linux_strace_activity.toml

Rule tuning as part of Linux Detection Rules Review (#2170 )

2022-07-29 21:55:49 +05:30

privilege_escalation_printspooler_malicious_driver_file_changes.toml

Deprecate PrintNightmare Rules (#1852 )

2022-03-17 19:39:36 -03:00

privilege_escalation_printspooler_malicious_registry_modification.toml

Deprecate PrintNightmare Rules (#1852 )

2022-03-17 19:39:36 -03:00

privilege_escalation_setgid_bit_set_via_chmod.toml

Add tests to ensure rules are properly deprecated (#1050 )

2021-03-16 21:31:33 -08:00

threat_intel_filebeat7x.toml

Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 )

2023-01-09 10:44:54 -05:00

threat_intel_filebeat8x.toml

[Deprecation] Threat Intel Indicator Match - General Rules (#2901 )

2023-07-18 20:12:53 -03:00

threat_intel_fleet_integrations.toml

[Deprecation] Threat Intel Indicator Match - General Rules (#2901 )

2023-07-18 20:12:53 -03:00