security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fa29e4b2b15efcba8707733ccc575b6cde2a8dde
sigma-rules/rules_building_block
T
History
Ruben Groenewoud fa29e4b2b1 [New Rules] DDExec Analysis (#3408) 
* [New Rules] DDExec Analysis

* Increased rule scope

* [New Rule] Dynamic Linker Discovery via od

* Revert "[New Rule] Dynamic Linker Discovery via od"

This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.

* [New Rule] Dynamic Linker Discovery via od

* [New Rule] Potential Memory Seeking Activity

* [New BBR] Suspicious Memory grep Activity

* Added endgame + auditd_manager support

* Removed auditd_manager support for now

* Removed auditd_manager support for now

* Update discovery_suspicious_memory_grep_activity.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d41855a2ac)
2024-02-06 13:52:48 +00:00
..
.gitkeep
[FR] Add support for building block rules (BBR) (#2822)
2023-06-20 09:00:30 -04:00
collection_archive_data_zip_imageload.toml
[New Rule] Unusual Process For MSSQL Service Accounts (#3040)
2023-08-29 12:16:12 +00:00
collection_common_compressed_archived_file.toml
[Rule Tuning] Windows BBR Tuning - 1 (#3380)
2024-02-05 15:52:27 +00:00
collection_files_staged_in_recycle_bin_root.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
collection_linux_suspicious_clipboard_activity.toml
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
2024-01-17 19:19:45 +00:00
collection_outlook_email_archive.toml
[New Rule] New BBR Rules - Part 1 (#3026)
2023-09-05 21:14:06 +00:00
collection_posh_compression.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
command_and_control_bitsadmin_activity.toml
[New Rule] New BBR Rules - Part 1 (#3026)
2023-09-05 21:14:06 +00:00
command_and_control_certutil_network_connection.toml
[Security Content] Introduce Investigate Plugin in Investigation Guides (#3080)
2023-12-08 18:59:26 +00:00
command_and_control_linux_port_knocking_reverse_connection.toml
[New BBR] Reverse Connection through Port Knocking (#3219)
2024-01-24 15:35:25 +00:00
command_and_control_linux_proxychains_activity.toml
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
2023-12-18 16:07:23 +00:00
command_and_control_linux_ssh_x11_forwarding.toml
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
2023-12-18 16:07:23 +00:00
command_and_control_non_standard_http_port.toml
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
2023-12-18 16:07:23 +00:00
credential_access_gdb_memory_dump.toml
[New Rules] GDB Secret Dumping (#3060)
2023-08-31 15:47:30 +00:00
credential_access_mdmp_file_creation.toml
[Rule Tuning] Windows BBR Tuning - 1 (#3380)
2024-02-05 15:52:27 +00:00
credential_access_mdmp_file_unusual_extension.toml
[New Rule] [BBR] Memory Dump File Rules (#3122)
2023-10-17 12:41:28 +00:00
credential_access_win_private_key_access.toml
[Rule Tuning] Windows BBR Tuning - 1 (#3380)
2024-02-05 15:52:27 +00:00
defense_evasion_cmd_copy_binary_contents.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
defense_evasion_cmstp_execution.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131)
2023-10-17 14:42:54 +00:00
defense_evasion_communication_apps_suspicious_child_process.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
defense_evasion_creation_of_hidden_files_directories.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
defense_evasion_disable_nla.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
defense_evasion_dll_hijack.toml
[Rule Tuning] Potential Masquerading as System32 DLL (#3184)
2023-10-17 11:35:05 +00:00
defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131)
2023-10-17 14:42:54 +00:00
defense_evasion_download_susp_extension.toml
[New Rule] [BBR] File with Suspicious Extension Downloaded (#3139)
2023-09-27 15:43:02 +00:00
defense_evasion_execution_via_visualstudio_prebuildevent.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138)
2023-10-17 16:55:50 +00:00
defense_evasion_file_permission_modification.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
defense_evasion_generic_deletion.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
defense_evasion_indirect_command_exec_pcalua_forfiles.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
defense_evasion_injection_from_msoffice.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131)
2023-10-17 14:42:54 +00:00
defense_evasion_installutil_command_activity.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
defense_evasion_invalid_codesign_imageload.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143)
2023-10-17 17:22:19 +00:00
defense_evasion_masquerading_browsers.toml
[Rule Tuning] Potential Masquerading as Browser Process (#3180)
2023-10-17 11:59:16 +00:00
defense_evasion_masquerading_business_apps_installer.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
defense_evasion_masquerading_unusual_exe_file_extension.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131)
2023-10-17 14:42:54 +00:00
defense_evasion_masquerading_vlc_dll.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
defense_evasion_masquerading_windows_dll.toml
[Rule Tuning] Potential Masquerading as System32 DLL (#3184)
2023-10-17 11:35:05 +00:00
defense_evasion_masquerading_windows_system32_exe.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
defense_evasion_msdt_suspicious_diagcab.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138)
2023-10-17 16:55:50 +00:00
defense_evasion_msiexec_installsource_archive_file.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138)
2023-10-17 16:55:50 +00:00
defense_evasion_powershell_clear_logs_script.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
defense_evasion_processes_with_trailing_spaces.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
defense_evasion_service_disabled_registry.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 21:42:38 +00:00
defense_evasion_service_path_registry.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 21:42:38 +00:00
defense_evasion_services_exe_path.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 21:42:38 +00:00
defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
[Tuning] Small Linux DR Tuning (#3287)
2023-12-07 11:49:43 +00:00
defense_evasion_suspicious_msiexec_execution.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138)
2023-10-17 16:55:50 +00:00
defense_evasion_unsigned_bits_client.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138)
2023-10-17 16:55:50 +00:00
defense_evasion_unusual_process_extension.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
defense_evasion_unusual_process_path_wbem.toml
[New Rule] New BBR Rules - Part 3 (#3034)
2023-09-13 00:34:12 +00:00
defense_evasion_write_dac_access.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
discovery_files_dir_systeminfo_via_cmd.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
discovery_generic_account_groups.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
discovery_generic_process_discovery.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
discovery_generic_registry_query.toml
[Rule Tuning] Optimize query for Query Registry using Built-in Tools (#3330)
2023-12-15 02:59:59 +00:00
discovery_hosts_file_access.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
discovery_internet_capabilities.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
discovery_kernel_module_enumeration_via_proc.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
discovery_linux_modprobe_enumeration.toml
[Rule Tuning] Linux BBR Tuning (#3347)
2023-12-19 19:23:04 +00:00
discovery_linux_sysctl_enumeration.toml
[Rule Tuning] Linux BBR Tuning (#3347)
2023-12-19 19:23:04 +00:00
discovery_linux_system_information_discovery.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
discovery_linux_system_owner_user_discovery.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
discovery_net_share_discovery_winlog.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
discovery_net_view.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
discovery_of_accounts_or_groups_via_builtin_tools.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
discovery_of_domain_groups.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
discovery_posh_generic.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
discovery_posh_password_policy.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
discovery_post_exploitation_external_ip_lookup.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
discovery_potential_memory_seeking_activity.toml
[New Rules] DDExec Analysis (#3408)
2024-02-06 13:52:48 +00:00
discovery_process_discovery_via_builtin_tools.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
discovery_remote_system_discovery_commands_windows.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
discovery_security_software_wmic.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
discovery_signal_unusual_user_host.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
discovery_suspicious_memory_grep_activity.toml
[New Rules] DDExec Analysis (#3408)
2024-02-06 13:52:48 +00:00
discovery_suspicious_proc_enumeration.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
discovery_suspicious_which_command_execution.toml
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
2023-12-18 08:41:02 +00:00
discovery_system_network_connections.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
discovery_system_service_discovery.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
discovery_system_time_discovery.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
discovery_win_network_connections.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
discovery_windows_system_information_discovery.toml
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
2023-10-11 07:49:08 +00:00
execution_delayed_via_ping_lolbas_unsigned.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131)
2023-10-17 14:42:54 +00:00
execution_downloaded_shortcut_files.toml
[New Rule] New BBR Rules - Part 2 (#3029)
2023-09-13 00:54:52 +00:00
execution_downloaded_url_file.toml
[New Rule] New BBR Rules - Part 3 (#3034)
2023-09-13 00:34:12 +00:00
execution_github_new_event_action_for_pat.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
execution_github_new_repo_interaction_for_pat.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
execution_github_new_repo_interaction_for_user.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
execution_github_repo_created.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
execution_github_repo_interaction_from_new_ip.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
execution_linux_segfault.toml
[New BBR] Segfault Detected (#3240)
2023-11-02 08:46:22 +00:00
execution_mofcomp.toml
[New Rule] New BBR Rules - Part 2 (#3029)
2023-09-13 00:54:52 +00:00
execution_settingcontent_ms_file_creation.toml
[New Rule] New BBR Rules - Part 4 (#3035)
2023-08-29 11:55:07 +00:00
execution_unix_socket_communication.toml
[New BBR] Unix Socket Communication (#3072)
2023-10-23 15:24:36 +00:00
execution_unsigned_service_executable.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
execution_wmi_wbemtest.toml
[New Rule] New BBR Rules - Part 3 (#3034)
2023-09-13 00:34:12 +00:00
impact_github_member_removed_from_organization.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
impact_github_pat_access_revoked.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
impact_github_user_blocked_from_organization.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
initial_access_cross_site_scripting.toml
Potential Cross Site Scripting ( XSS ) (#2922)
2023-07-20 19:12:00 +05:30
initial_access_execution_from_removable_media.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143)
2023-10-17 17:22:19 +00:00
initial_access_execution_remote_via_msiexec.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143)
2023-10-17 17:22:19 +00:00
initial_access_github_new_ip_address_for_pat.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
initial_access_github_new_ip_address_for_user.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
initial_access_github_new_user_agent_for_pat.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
initial_access_github_new_user_agent_for_user.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
initial_access_xsl_script_execution_via_com.toml
[New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143)
2023-10-17 17:22:19 +00:00
lateral_movement_at.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
lateral_movement_posh_winrm_activity.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
lateral_movement_rdp_conn_unusual_process.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 21:42:38 +00:00
lateral_movement_unusual_process_sql_accounts.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
lateral_movement_wmic_remote.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
persistence_browser_extension_install.toml
[New Rule] New BBR Rules - Part 1 (#3026)
2023-09-05 21:14:06 +00:00
persistence_creation_of_kernel_module.toml
[Rule Tuning] Linux BBR Tuning (#3347)
2023-12-19 19:23:04 +00:00
persistence_github_new_pat_for_user.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
persistence_github_new_user_added_to_organization.toml
[New Rules] UEBA GItHub BBRs and Rules (#3174)
2024-01-22 17:53:12 +00:00
persistence_kernel_driver_load.toml
[New BBR] Kernel Driver Load (#3236)
2023-11-02 08:38:32 +00:00
persistence_msoffice_startup_registry.toml
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
2023-10-15 21:18:03 +00:00
persistence_netsh_helper_dll.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 21:42:38 +00:00
persistence_startup_folder_lnk.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 21:42:38 +00:00
persistence_suspicious_file_opened_through_editor.toml
[Rule Tuning] Linux Rules (#3092)
2023-10-23 14:34:55 +00:00
persistence_tainted_kernel_module_load.toml
[Rule Tuning] Tainted Kernel Module Load (#3234)
2023-10-30 08:55:15 +00:00
persistence_tainted_kernel_module_out_of_tree_load.toml
[New Rule] Out-Of-Tree Kernel Module Load (#3233)
2023-12-07 21:57:56 +00:00
persistence_transport_agent_exchange.toml
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157)
2023-10-30 11:28:47 +00:00
persistence_udev_rule_creation.toml
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
2024-01-17 19:19:45 +00:00
persistence_werfault_reflectdebugger.toml
[New Rule] New BBR Rules - Part 5 (#3052)
2023-09-05 21:42:38 +00:00
privilege_escalation_trap_execution.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00
privilege_escalation_unquoted_service_path.toml
[Security Content] Include "Data Source: Elastic Defend" tag (#3002)
2023-09-05 18:28:40 +00:00