security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9f61ce4923786c3dd7db9e63e512cb8a685f84f7
sigma-rules/rules_building_block
T
History
Ruben Groenewoud c2822e175c [Tuning] Windows Execution Rule Tuning for UEBA (#3107) 
* Update defense_evasion_execution_msbuild_started_by_script.toml

* Mostly updated Execution tags, also new_terms conv

* removed index

* Removed index

* WMIPrvSE tuning

* Additional tuning

* Tuning & changes

* Additional tuning

* Applied unit test optimization

* Addressed feedback

* Update rules/windows/execution_command_shell_started_by_svchost.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* caseless unit testing fix

* fixed caseless executable unit test

* unit testing fix

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml

* Added user ids to new terms

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/execution_unsigned_service_executable.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update execution_unsigned_service_executable.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-10-11 10:15:29 +02:00
..
.gitkeep
[FR] Add support for building block rules (BBR) (#2822)
2023-06-20 09:00:30 -04:00
collection_archive_data_zip_imageload.toml
[New Rule] Unusual Process For MSSQL Service Accounts (#3040)
2023-08-29 09:10:25 -03:00
collection_files_staged_in_recycle_bin_root.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 08:49:22 -03:00
collection_linux_suspicious_clipboard_activity.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
collection_outlook_email_archive.toml
[New Rule] New BBR Rules - Part 1 (#3026)
2023-09-05 18:07:47 -03:00
collection_posh_compression.toml
[Rule Tuning] Windows BBR Rules (#3018)
2023-08-25 05:21:16 -03:00
collection_posh_webcam_video_capture.toml
[New Rule] PowerShell Script with Webcam Video Capture Capabilities (#2935)
2023-08-09 15:17:15 -03:00
command_and_control_bitsadmin_activity.toml
[New Rule] New BBR Rules - Part 1 (#3026)
2023-09-05 18:07:47 -03:00
command_and_control_linux_proxychains_activity.toml
[New Rules] Linux Tunneling and Port Forwarding (#3028)
2023-08-30 22:12:19 +02:00
command_and_control_linux_ssh_x11_forwarding.toml
[New Rules] Linux Tunneling and Port Forwarding (#3028)
2023-08-30 22:12:19 +02:00
command_and_control_non_standard_http_port.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
credential_access_gdb_memory_dump.toml
[New Rules] GDB Secret Dumping (#3060)
2023-08-31 17:41:22 +02:00
credential_access_kirbi_file.toml
[New Rule] New BBR Rules - Part 3 (#3034)
2023-09-12 21:28:01 -03:00
credential_access_win_private_key_access.toml
[New Rule] New BBR Rules - Part 1 (#3026)
2023-09-05 18:07:47 -03:00
defense_evasion_cmd_copy_binary_contents.toml
[New Rule] New BBR Rules - Part 2 (#3029)
2023-09-12 21:49:22 -03:00
defense_evasion_cmstp_execution.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 08:49:22 -03:00
defense_evasion_communication_apps_suspicious_child_process.toml
[New Rule] Suspicious Communication App Child Process (#2998)
2023-08-31 07:33:16 -03:00
defense_evasion_creation_of_hidden_files_directories.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_disable_nla.toml
[New Rule] Network-Level Authentication (NLA) Disabled (#3039)
2023-08-28 08:05:21 -03:00
defense_evasion_dll_hijack.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_download_susp_extension.toml
[New Rule] [BBR] File with Suspicious Extension Downloaded (#3139)
2023-09-27 12:37:11 -03:00
defense_evasion_file_permission_modification.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_generic_deletion.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_indirect_command_exec_pcalua_forfiles.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 08:49:22 -03:00
defense_evasion_installutil_command_activity.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 08:49:22 -03:00
defense_evasion_masquerading_browsers.toml
[New Rule] Potential Masquerading as Browser Process (#2995)
2023-08-28 13:28:26 -03:00
defense_evasion_masquerading_business_apps_installer.toml
[New Rule] Potential Masquerading as Business App Installer (#3068)
2023-09-05 17:58:34 -03:00
defense_evasion_masquerading_communication_apps.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_masquerading_vlc_dll.toml
[New Rule] Potential Masquerading as VLC DLL (#3006)
2023-08-30 17:45:45 -03:00
defense_evasion_masquerading_windows_dll.toml
[New Rule] Potential Masquerading as Windows System32 DLL (#3021)
2023-08-28 08:31:20 -03:00
defense_evasion_masquerading_windows_system32_exe.toml
[New Rule] Potential Masquerading as Windows System32 Executable (#3022)
2023-08-21 15:14:22 -03:00
defense_evasion_powershell_clear_logs_script.toml
[New Rule] Building Block Rules - Part 1 (#2912)
2023-07-18 20:01:43 -03:00
defense_evasion_processes_with_trailing_spaces.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
defense_evasion_service_disabled_registry.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 18:36:34 -03:00
defense_evasion_service_path_registry.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 18:36:34 -03:00
defense_evasion_services_exe_path.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 18:36:34 -03:00
defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
[New BBR] Sus. Process Started via tmux or screen (#3071)
2023-09-30 12:57:18 +02:00
defense_evasion_unusual_process_extension.toml
[New Rule] New BBR Rules - Part 2 (#3029)
2023-09-12 21:49:22 -03:00
defense_evasion_unusual_process_path_wbem.toml
[New Rule] New BBR Rules - Part 3 (#3034)
2023-09-12 21:28:01 -03:00
defense_evasion_write_dac_access.toml
[New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015)
2023-08-31 12:59:02 -03:00
discovery_files_dir_systeminfo_via_cmd.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_generic_account_groups.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_generic_process_discovery.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_generic_registry_query.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_hosts_file_access.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
discovery_internet_capabilities.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_kernel_module_enumeration_via_proc.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
discovery_linux_modprobe_enumeration.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
discovery_linux_sysctl_enumeration.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
discovery_linux_system_information_discovery.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
discovery_linux_system_owner_user_discovery.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
discovery_net_share_discovery_winlog.toml
[New Rule] Building Block Rules - Part 4 (#2926)
2023-07-31 11:03:57 -03:00
discovery_net_view.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_of_accounts_or_groups_via_builtin_tools.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
discovery_of_domain_groups.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
discovery_posh_generic.toml
[Rule Tuning] Windows BBR Rules (#3018)
2023-08-25 05:21:16 -03:00
discovery_posh_password_policy.toml
[New Rule] Building Block Rules - Part 2 (#2923)
2023-08-17 13:00:50 -03:00
discovery_post_exploitation_external_ip_lookup.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_process_discovery_via_builtin_tools.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
discovery_remote_system_discovery_commands_windows.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_security_software_wmic.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_signal_unusual_user_host.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_suspicious_proc_enumeration.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
discovery_suspicious_which_command_execution.toml
[New BBR] Suspicious which Enumeration (#3059)
2023-08-31 13:55:56 +02:00
discovery_system_network_connections.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
discovery_system_service_discovery.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_system_time_discovery.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_win_network_connections.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
discovery_windows_system_information_discovery.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 09:43:26 +02:00
execution_downloaded_shortcut_files.toml
[New Rule] New BBR Rules - Part 2 (#3029)
2023-09-12 21:49:22 -03:00
execution_downloaded_url_file.toml
[New Rule] New BBR Rules - Part 3 (#3034)
2023-09-12 21:28:01 -03:00
execution_mofcomp.toml
[New Rule] New BBR Rules - Part 2 (#3029)
2023-09-12 21:49:22 -03:00
execution_settingcontent_ms_file_creation.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 08:49:22 -03:00
execution_unsigned_service_executable.toml
[Tuning] Windows Execution Rule Tuning for UEBA (#3107)
2023-10-11 10:15:29 +02:00
execution_wmi_wbemtest.toml
[New Rule] New BBR Rules - Part 3 (#3034)
2023-09-12 21:28:01 -03:00
initial_access_cross_site_scripting.toml
Potential Cross Site Scripting ( XSS ) (#2922)
2023-07-20 19:12:00 +05:30
initial_access_unusual_process_sql_accounts.toml
[New Rule] Unusual Process For MSSQL Service Accounts (#3040)
2023-08-29 09:10:25 -03:00
lateral_movement_at.toml
[New Rule] New BBR Rules - Part 1 (#3026)
2023-09-05 18:07:47 -03:00
lateral_movement_posh_winrm_activity.toml
[New Rule] Building Block Rules - Part 2 (#2923)
2023-08-17 13:00:50 -03:00
lateral_movement_rdp_conn_unusual_process.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 18:36:34 -03:00
lateral_movement_wmic_remote.toml
[New Rule] New BBR Rules - Part 3 (#3034)
2023-09-12 21:28:01 -03:00
persistence_browser_extension_install.toml
[New Rule] New BBR Rules - Part 1 (#3026)
2023-09-05 18:07:47 -03:00
persistence_creation_of_kernel_module.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
persistence_msoffice_startup_registry.toml
[New Rule] New BBR Rules - Part 2 (#3029)
2023-09-12 21:49:22 -03:00
persistence_netsh_helper_dll.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 18:36:34 -03:00
persistence_startup_folder_lnk.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 18:36:34 -03:00
persistence_suspicious_file_opened_through_editor.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
persistence_transport_agent_exchange.toml
[New Rule] Building Block Rules - Part 4 (#2926)
2023-07-31 11:03:57 -03:00
persistence_werfault_reflectdebugger.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 18:36:34 -03:00
privilege_escalation_expired_driver_loaded.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
privilege_escalation_trap_execution.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00
privilege_escalation_unquoted_service_path.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 14:22:01 -04:00