security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d45b693e208bc8cbdedfea5c4a79efb5c7337ef9
sigma-rules/rules_building_block
T
History
Jonhnathan 374ac8ad1c [New Rule] Unusual Process For MSSQL Service Accounts (#3040) 
* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added   "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 7004c99ef5)
2023-08-29 12:16:12 +00:00
..
.gitkeep
[FR] Add support for building block rules (BBR) (#2822)
2023-06-20 09:00:30 -04:00
collection_archive_data_zip_imageload.toml
[New Rule] Unusual Process For MSSQL Service Accounts (#3040)
2023-08-29 12:16:12 +00:00
collection_files_staged_in_recycle_bin_root.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
collection_linux_suspicious_clipboard_activity.toml
[New BBR] Suspicious Clipboard Activity (#2970)
2023-08-03 15:41:23 +02:00
collection_posh_compression.toml
[Rule Tuning] Windows BBR Rules (#3018)
2023-08-25 08:26:51 +00:00
collection_posh_webcam_video_capture.toml
[New Rule] PowerShell Script with Webcam Video Capture Capabilities (#2935)
2023-08-09 15:17:15 -03:00
command_and_control_non_standard_http_port.toml
[FR] Add support for BBR rules to the rule loader (#2968)
2023-07-27 11:27:04 -05:00
defense_evasion_cmstp_execution.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
defense_evasion_creation_of_hidden_files_directories.toml
BBR Rules Addition (#3027)
2023-08-25 13:45:51 +00:00
defense_evasion_disable_nla.toml
[New Rule] Network-Level Authentication (NLA) Disabled (#3039)
2023-08-28 11:11:26 +00:00
defense_evasion_dll_hijack.toml
[New Rule] Building Block Rules - Part 2 (#2923)
2023-08-17 16:06:41 +00:00
defense_evasion_file_permission_modification.toml
[New Rule] Building Block Rules - Part 2 (#2923)
2023-08-17 16:06:41 +00:00
defense_evasion_generic_deletion.toml
[Rule Tuning] Windows BBR Rules (#3018)
2023-08-25 08:26:51 +00:00
defense_evasion_indirect_command_exec_pcalua_forfiles.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
defense_evasion_installutil_command_activity.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
defense_evasion_masquerading_browsers.toml
[New Rule] Potential Masquerading as Browser Process (#2995)
2023-08-28 16:34:26 +00:00
defense_evasion_masquerading_communication_apps.toml
[Rule Tuning] Potential Masquerading as Communication Apps (#2997)
2023-08-16 09:34:21 -03:00
defense_evasion_masquerading_windows_dll.toml
[New Rule] Potential Masquerading as Windows System32 DLL (#3021)
2023-08-28 11:37:53 +00:00
defense_evasion_masquerading_windows_system32_exe.toml
[New Rule] Potential Masquerading as Windows System32 Executable (#3022)
2023-08-21 18:20:06 +00:00
defense_evasion_powershell_clear_logs_script.toml
[New Rule] Building Block Rules - Part 1 (#2912)
2023-07-18 20:01:43 -03:00
defense_evasion_processes_with_trailing_spaces.toml
BBR Rules Addition (#3027)
2023-08-25 13:45:51 +00:00
discovery_generic_account_groups.toml
[New Rule] Building Block Rules - Part 3 (#2924)
2023-07-31 10:28:25 -03:00
discovery_generic_process_discovery.toml
[Rule Tuning] Windows BBR Rules (#3018)
2023-08-25 08:26:51 +00:00
discovery_generic_registry_query.toml
[New Rule] Building Block Rules - Part 3 (#2924)
2023-07-31 10:28:25 -03:00
discovery_hosts_file_access.toml
New Cross Platform BBR Rules (#2920)
2023-07-19 21:27:23 +05:30
discovery_internet_capabilities.toml
[New Rule] Building Block Rules - Part 2 (#2923)
2023-08-17 16:06:41 +00:00
discovery_kernel_module_enumeration_via_proc.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 12:09:16 +00:00
discovery_linux_modprobe_enumeration.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 12:09:16 +00:00
discovery_linux_sysctl_enumeration.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 12:09:16 +00:00
discovery_linux_system_information_discovery.toml
New Linux BBR Rules (#2917)
2023-07-19 20:12:59 +05:30
discovery_linux_system_owner_user_discovery.toml
New Linux BBR Rules (#2917)
2023-07-19 20:12:59 +05:30
discovery_net_share_discovery_winlog.toml
[New Rule] Building Block Rules - Part 4 (#2926)
2023-07-31 11:03:57 -03:00
discovery_of_accounts_or_groups_via_builtin_tools.toml
New Cross Platform BBR Rules (#2920)
2023-07-19 21:27:23 +05:30
discovery_of_domain_groups.toml
BBR Rules Addition (#3027)
2023-08-25 13:45:51 +00:00
discovery_posh_generic.toml
[Rule Tuning] Windows BBR Rules (#3018)
2023-08-25 08:26:51 +00:00
discovery_posh_password_policy.toml
[New Rule] Building Block Rules - Part 2 (#2923)
2023-08-17 16:06:41 +00:00
discovery_process_discovery_via_builtin_tools.toml
New Cross Platform BBR Rules (#2920)
2023-07-19 21:27:23 +05:30
discovery_suspicious_proc_enumeration.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 12:09:16 +00:00
discovery_system_network_connections.toml
New Cross Platform BBR Rules (#2920)
2023-07-19 21:27:23 +05:30
discovery_win_network_connections.toml
[New Rule] Building Block Rules - Part 4 (#2926)
2023-07-31 11:03:57 -03:00
discovery_windows_system_information_discovery.toml
[FR] Add support for BBR rules to the rule loader (#2968)
2023-07-27 11:27:04 -05:00
execution_settingcontent_ms_file_creation.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
execution_unsigned_service_executable.toml
[New Rule] Building Block Rules - Part 3 (#2924)
2023-07-31 10:28:25 -03:00
initial_access_cross_site_scripting.toml
Potential Cross Site Scripting ( XSS ) (#2922)
2023-07-20 19:12:00 +05:30
initial_access_unusual_process_sql_accounts.toml
[New Rule] Unusual Process For MSSQL Service Accounts (#3040)
2023-08-29 12:16:12 +00:00
lateral_movement_posh_winrm_activity.toml
[New Rule] Building Block Rules - Part 2 (#2923)
2023-08-17 16:06:41 +00:00
persistence_creation_of_kernel_module.toml
BBR Rules Addition (#3027)
2023-08-25 13:45:51 +00:00
persistence_suspicious_file_opened_through_editor.toml
[New BBR] Potential Suspicious File Edit (#2960)
2023-07-26 15:22:56 +02:00
persistence_transport_agent_exchange.toml
[New Rule] Building Block Rules - Part 4 (#2926)
2023-07-31 11:03:57 -03:00
privilege_escalation_expired_driver_loaded.toml
[New Rule] [BBR] Expired or Revoked Driver Loaded (#2880)
2023-06-27 09:18:35 -03:00
privilege_escalation_trap_execution.toml
BBR Rules Addition (#3027)
2023-08-25 13:45:51 +00:00
privilege_escalation_unquoted_service_path.toml
[New Rule] Building Block Rules - Part 4 (#2926)
2023-07-31 11:03:57 -03:00