security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d758fdacd03704e2fe214bba79937b9207cd00d
sigma-rules/rules/cross-platform
T
History
Terrance DeJesus 7d758fdacd [New Rule] Potential Malicious File Downloaded from Google Drive (#2862) 
* new rule for malicious files downloaded from Google Drive

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

* removed unecessary tags

* removed extra space

* updated false positives

* fix unit testing failure

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* removed note field

* added cmd.exe

* updated updated_dated

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* removed LoLBins to capture unknown binaries involved

* removed code signature requirements

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-06-22 14:10:14 -04:00
..
command_and_control_google_drive_malicious_file_download.toml
[New Rule] Potential Malicious File Downloaded from Google Drive (#2862)
2023-06-22 14:10:14 -04:00
command_and_control_non_standard_ssh_port.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
credential_access_cookies_chromium_browsers_debugging.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
defense_evasion_agent_spoofing_mismatched_id.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_agent_spoofing_multiple_hosts.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_deleting_websvr_access_logs.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
defense_evasion_deletion_of_bash_command_line_history.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
defense_evasion_elastic_agent_service_terminated.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
defense_evasion_masquerading_space_after_filename.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
defense_evasion_timestomp_touch.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
discovery_security_software_grep.toml
[Security Content] Investigation Guides Line breaks refactor (#2454)
2023-01-09 13:28:10 -03:00
discovery_virtual_machine_fingerprinting_grep.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
execution_pentest_eggshell_remote_admin_tool.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
execution_python_script_in_cmdline.toml
Rule Tuning Update MITRE Details (#2526)
2023-02-10 23:05:28 +05:30
execution_revershell_via_shell_cmd.toml
[Security Content] Investigation Guides Line breaks refactor (#2454)
2023-01-09 13:28:10 -03:00
execution_suspicious_jar_child_process.toml
[Security Content] Investigation Guides Line breaks refactor (#2454)
2023-01-09 13:28:10 -03:00
execution_suspicious_java_netcon_childproc.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
guided_onboarding_sample_rule.toml
new guided onboarding rule (#2492)
2023-01-24 11:26:28 -05:00
impact_hosts_file_modified.toml
[Security Content] Investigation Guides Line breaks refactor (#2454)
2023-01-09 13:28:10 -03:00
initial_access_zoom_meeting_with_no_passcode.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
multiple_alerts_different_tactics_host.toml
[Rule Tuning] Remove unreleased timeline from alert correlation rules (#2462)
2023-01-12 12:10:59 -03:00
multiple_alerts_involving_user.toml
[Rule Tuning] Remove unreleased timeline from alert correlation rules (#2462)
2023-01-12 12:10:59 -03:00
persistence_credential_access_modify_auth_module_or_config.toml
[rule tuning] modified std auth module or config (#2737)
2023-05-03 09:32:33 +02:00
persistence_shell_profile_modification.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
persistence_ssh_authorized_keys_modification.toml
[Tuning] added T1021.006 and T1563.001 (#2497)
2023-01-27 19:51:22 +00:00
privilege_escalation_echo_nopasswd_sudoers.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
privilege_escalation_sudo_buffer_overflow.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
privilege_escalation_sudoers_file_mod.toml
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
2023-01-04 09:30:07 -05:00
threat_intel_filebeat8x.toml
[Security Content] Investigation Guides Line breaks refactor (#2454)
2023-01-09 13:28:10 -03:00
threat_intel_fleet_integrations.toml
[Security Content] Investigation Guides Line breaks refactor (#2454)
2023-01-09 13:28:10 -03:00