security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
da9bfd0abccc1de2010f02eac9930dee3042d1bc
sigma-rules/rules/cross-platform
T
History
Samirbous 29393f2ca4 [New] New USB Storage Device Mounted (#5299) 
* Revise USB device mounting detection rule

Updated detection rule for USB device mounting to use device serial number instead of friendly name. Enhanced investigation steps and response actions for better clarity.

* Update initial_access_exfiltration_new_usb_device_mounted.toml

* Update rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml

* Update initial_access_exfiltration_new_usb_device_mounted.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-11-11 09:28:54 +00:00
..
command_and_control_google_drive_malicious_file_download.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
command_and_control_non_standard_ssh_port.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_cookies_chromium_browsers_debugging.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_forced_authentication_pipes.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
credential_access_trufflehog_execution.toml
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30
defense_evasion_agent_spoofing_mismatched_id.toml
Ignore agentless executions in agent_id_status events. (#5295)
2025-11-10 22:18:51 +05:30
defense_evasion_agent_spoofing_multiple_hosts.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_deleting_websvr_access_logs.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_deletion_of_bash_command_line_history.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_elastic_agent_service_terminated.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_encoding_rot13_python_script.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_masquerading_space_after_filename.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_timestomp_touch.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_whitespace_padding_command_line.toml
[New] Command Line Obfuscation via Whitespace Padding (#4860)
2025-08-18 15:26:52 +01:00
discovery_security_software_grep.toml
[Rule Tuning] Q2 Linux DR Tuning - CP (#4170)
2024-10-18 16:38:14 +02:00
discovery_virtual_machine_fingerprinting_grep.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_aws_ssm_sendcommand_with_command_parameters.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_pentest_eggshell_remote_admin_tool.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_potential_widespread_malware_infection.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_revershell_via_shell_cmd.toml
[Docs | Rule Tuning] Add blog references to rules (#4097)
2024-09-25 15:19:20 -05:00
execution_suspicious_java_netcon_childproc.toml
[Rule Tuning] Linux DR Tuning - Part 6 (#4423)
2025-02-03 14:05:26 +01:00
guided_onboarding_sample_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_hosts_file_modified.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_azure_o365_with_network_alert.toml
[Rule Tuning] Microsoft Azure or Mail Sign-in from a Suspicious Source (#4946)
2025-07-31 09:57:02 -04:00
initial_access_exfiltration_new_usb_device_mounted.toml
[New] New USB Storage Device Mounted (#5299)
2025-11-11 09:28:54 +00:00
initial_access_zoom_meeting_with_no_passcode.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
multiple_alerts_different_tactics_host.toml
Update multiple_alerts_different_tactics_host.toml (#4854)
2025-06-27 09:53:42 -03:00
multiple_alerts_involving_user.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_credential_access_modify_auth_module_or_config.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_shell_profile_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_ssh_authorized_keys_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_echo_nopasswd_sudoers.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sudo_buffer_overflow.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sudoers_file_mod.toml
[Rule Tuning] Sudoers File Modification (#4904)
2025-07-16 10:17:51 +02:00