security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
60adbbbb70bd51f07e0ba70b602a514e00eab575
sigma-rules/rules
T
History
Samirbous 60adbbbb70 [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148) 
* [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created

* Update privilege_escalation_printspooler_suspicious_spl_file.toml

* added ref and changed verb and replaced file.name with file.extension

* Update privilege_escalation_printspooler_suspicious_spl_file.toml

* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Linted and fixed tacttic to privesc

* Linted

* ref

* Update privilege_escalation_printspooler_suspicious_spl_file.toml

* Lint rule

* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-29 10:17:36 +02:00
..
apm
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
aws
[New Rule] AWS Management Console Attempted Root Login Brute Force (#88)
2020-09-28 13:37:22 -04:00
azure
[New Rule] Azure Global Administrator Role Addition to PIM User (#336)
2020-09-28 10:45:59 -04:00
gcp
[New Rule] GCP Logging Sink Deletion (#306)
2020-09-24 17:19:27 -04:00
linux
[Rule Tuning] Mknod Process Activity (#276)
2020-09-24 13:27:16 -08:00
macos
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
ml
Add Tags to Unusual Sudo Activity Rule (#340)
2020-09-28 16:07:41 -04:00
network
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
okta
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
promotions
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
windows
[New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148)
2020-09-29 10:17:36 +02:00
README.md
[New Rule] Elastic Endpoint and External Alerts (#42)
2020-07-09 15:24:36 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
aws/ Rules written for the Amazon Web Services (AWS) module of filebeat
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
okta/ Rules written for the Okta module of filebeat
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System
Reference in New Issue View Git Blame Copy Permalink