security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
65441b8e671c63d10c6e5235b3abccef1e36c4f5
sigma-rules/rules_building_block
T
History
Jonhnathan c2d1586270 [Rule Tuning] Windows BBR Promotion (#3577) 
* [Rule Tuning] Windows BBR Promotion

* Update non-ecs-schema.json

* Update persistence_netsh_helper_dll.toml

* Update persistence_werfault_reflectdebugger.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"

This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.

* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"

This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.

* Revert "Update discovery_security_software_wmic.toml"

This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-04-16 09:28:17 -03:00
..
.gitkeep
[FR] Add support for building block rules (BBR) (#2822)
2023-06-20 09:00:30 -04:00
collection_archive_data_zip_imageload.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
collection_common_compressed_archived_file.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
collection_files_staged_in_recycle_bin_root.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
collection_linux_suspicious_clipboard_activity.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
collection_outlook_email_archive.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
collection_posh_compression.toml
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505)
2024-04-01 17:44:50 -03:00
command_and_control_bitsadmin_activity.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
command_and_control_certutil_network_connection.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
command_and_control_linux_ssh_x11_forwarding.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
command_and_control_non_standard_http_port.toml
[Tuning] Linux BBR Tuning - Part 1 (#3469)
2024-03-07 17:19:12 +01:00
credential_access_mdmp_file_creation.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
credential_access_mdmp_file_unusual_extension.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
credential_access_win_private_key_access.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_cmd_copy_binary_contents.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_cmstp_execution.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_communication_apps_suspicious_child_process.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
defense_evasion_creation_of_hidden_files_directories.toml
[Tuning] Linux BBR Tuning - Part 1 (#3469)
2024-03-07 17:19:12 +01:00
defense_evasion_dll_hijack.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131)
2023-10-17 11:36:53 -03:00
defense_evasion_download_susp_extension.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
defense_evasion_execution_via_visualstudio_prebuildevent.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_file_permission_modification.toml
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
2024-04-08 10:38:41 -03:00
defense_evasion_generic_deletion.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_indirect_command_exec_pcalua_forfiles.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_injection_from_msoffice.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_installutil_command_activity.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_invalid_codesign_imageload.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_masquerading_browsers.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
defense_evasion_masquerading_unusual_exe_file_extension.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_masquerading_vlc_dll.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_masquerading_windows_dll.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
defense_evasion_masquerading_windows_system32_exe.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
defense_evasion_msdt_suspicious_diagcab.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_msiexec_installsource_archive_file.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138)
2023-10-17 13:49:49 -03:00
defense_evasion_powershell_clear_logs_script.toml
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505)
2024-04-01 17:44:50 -03:00
defense_evasion_processes_with_trailing_spaces.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
defense_evasion_service_disabled_registry.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_service_path_registry.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_services_exe_path.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_suspicious_msiexec_execution.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_unsigned_bits_client.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
defense_evasion_unusual_process_extension.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
defense_evasion_unusual_process_path_wbem.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
defense_evasion_write_dac_access.toml
[Rule Tuning] WRITEDAC Access on Active Directory Object (#3583)
2024-04-08 08:43:25 -03:00
discovery_capnetraw_capability.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_files_dir_systeminfo_via_cmd.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
discovery_generic_account_groups.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
discovery_generic_process_discovery.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
discovery_generic_registry_query.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
discovery_hosts_file_access.toml
[Tuning] Linux BBR Tuning - Part 2 (#3470)
2024-03-07 12:35:33 +01:00
discovery_internet_capabilities.toml
[Rule Tuning] Windows BBR Tuning - 3 (#3382)
2024-02-14 15:00:43 -03:00
discovery_kernel_module_enumeration_via_proc.toml
[Security Content] Small tweaks on the setup guides (#3308)
2024-03-11 09:09:40 -03:00
discovery_linux_modprobe_enumeration.toml
[Security Content] Small tweaks on the setup guides (#3308)
2024-03-11 09:09:40 -03:00
discovery_linux_sysctl_enumeration.toml
[Security Content] Small tweaks on the setup guides (#3308)
2024-03-11 09:09:40 -03:00
discovery_linux_system_information_discovery.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_linux_system_owner_user_discovery.toml
[Tuning] Linux BBR Tuning - Part 2 (#3470)
2024-03-07 12:35:33 +01:00
discovery_net_share_discovery_winlog.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
discovery_net_view.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
discovery_of_accounts_or_groups_via_builtin_tools.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_of_domain_groups.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_posh_generic.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
discovery_posh_password_policy.toml
[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501)
2024-03-13 10:27:44 -03:00
discovery_post_exploitation_external_ip_lookup.toml
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
2024-04-08 09:34:26 -03:00
discovery_potential_memory_seeking_activity.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_process_discovery_via_builtin_tools.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_remote_system_discovery_commands_windows.toml
[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
2024-04-08 09:47:48 -03:00
discovery_security_software_wmic.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
discovery_signal_unusual_user_host.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_suspicious_memory_grep_activity.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_suspicious_proc_enumeration.toml
[Security Content] Small tweaks on the setup guides (#3308)
2024-03-11 09:09:40 -03:00
discovery_system_network_connections.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_system_service_discovery.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
discovery_system_time_discovery.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
discovery_win_network_connections.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
discovery_windows_system_information_discovery.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
execution_github_new_event_action_for_pat.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
execution_github_new_repo_interaction_for_pat.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
execution_github_new_repo_interaction_for_user.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
execution_github_repo_created.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
execution_github_repo_interaction_from_new_ip.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
execution_linux_segfault.toml
[New BBR] Segfault Detected (#3240)
2023-11-02 09:40:50 +01:00
execution_settingcontent_ms_file_creation.toml
[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
2024-04-08 09:47:48 -03:00
execution_unix_socket_communication.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
execution_unsigned_service_executable.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
execution_wmi_wbemtest.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
impact_github_member_removed_from_organization.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
impact_github_pat_access_revoked.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
impact_github_user_blocked_from_organization.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
initial_access_cross_site_scripting.toml
Potential Cross Site Scripting ( XSS ) (#2922)
2023-07-20 19:12:00 +05:30
initial_access_github_new_ip_address_for_pat.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
initial_access_github_new_ip_address_for_user.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
initial_access_github_new_user_agent_for_pat.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
initial_access_github_new_user_agent_for_user.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
lateral_movement_at.toml
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
2024-04-08 08:57:33 -03:00
lateral_movement_posh_winrm_activity.toml
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505)
2024-04-01 17:44:50 -03:00
lateral_movement_rdp_conn_unusual_process.toml
[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
2024-04-08 09:47:48 -03:00
lateral_movement_unusual_process_sql_accounts.toml
[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
2024-04-08 09:47:48 -03:00
lateral_movement_wmic_remote.toml
[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
2024-04-08 09:47:48 -03:00
persistence_cap_sys_admin_added_to_new_binary.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
persistence_creation_of_kernel_module.toml
[Tuning] Linux BBR Tuning - Part 2 (#3470)
2024-03-07 12:35:33 +01:00
persistence_github_new_pat_for_user.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
persistence_github_new_user_added_to_organization.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 12:48:31 -05:00
persistence_startup_folder_lnk.toml
[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
2024-04-08 09:47:48 -03:00
persistence_transport_agent_exchange.toml
[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
2024-04-08 09:47:48 -03:00
privilege_escalation_trap_execution.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00