security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dev-v1.5.18
sigma-rules/rules_building_block
T
History
Ruben Groenewoud f14a527055 [New Rule] Web Server Potential SQL Injection Request (#5342) 
* [New Rule] Web Server Potential SQL Injection Request

* ++

* Update persistence_web_server_potential_sql_injection.toml

* Convert to BBR

* Update persistence_web_server_potential_sql_injection.toml

* Update persistence_web_server_potential_sql_injection.toml

* adding missing tags

* Add right tag

* Add network_traffic manifest and schema

* Refine SQL injection rule and log sources

Removed network traffic log sources and adjusted query conditions for SQL injection detection.

* Get latest schemas/mappings

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-12-02 10:46:48 +01:00
..
.gitkeep
[FR] Add support for building block rules (BBR) (#2822)
2023-06-20 09:00:30 -04:00
collection_archive_data_zip_imageload.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
collection_common_compressed_archived_file.toml
[Rule Tuning] Windows Misc BBR Tuning (#4368)
2025-01-13 12:03:40 -03:00
collection_files_staged_in_recycle_bin_root.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_outlook_email_archive.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_posh_compression.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_bitsadmin_activity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_certutil_network_connection.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_non_standard_http_port.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
credential_access_iis_apppoolsa_pwd_appcmd.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_mdmp_file_creation.toml
[Rule Tuning] Windows Misc BBR Tuning (#4368)
2025-01-13 12:03:40 -03:00
credential_access_mdmp_file_unusual_extension.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_win_private_key_access.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_aws_rds_snapshot_created.toml
[New BBR] AWS RDS DB Snapshot Created (#3828)
2024-06-27 23:59:33 -04:00
defense_evasion_cmd_copy_binary_contents.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_cmstp_execution.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_dll_hijack.toml
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_download_susp_extension.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_execution_via_visualstudio_prebuildevent.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_file_permission_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_generic_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_indirect_command_exec_pcalua_forfiles.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_injection_from_msoffice.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_installutil_command_activity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_invalid_codesign_imageload.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_masquerading_browsers.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
defense_evasion_masquerading_unusual_exe_file_extension.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_masquerading_vlc_dll.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
defense_evasion_masquerading_windows_dll.toml
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
defense_evasion_masquerading_windows_system32_exe.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
defense_evasion_msdt_suspicious_diagcab.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_msiexec_installsource_archive_file.toml
[Rule Tuning] Windows Registry Rules Tuning - 2 (#3958)
2024-08-06 17:15:08 +05:30
defense_evasion_outlook_suspicious_child.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
defense_evasion_posh_obfuscation_proportion_special_chars.toml
[Rule Tuning] ES|QL PowerShell Rules (#4984)
2025-08-18 08:44:18 -07:00
defense_evasion_powershell_clear_logs_script.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_processes_with_trailing_spaces.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_service_disabled_registry.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_service_path_registry.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_services_exe_path.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_msiexec_execution.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_unsigned_bits_client.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_unusual_process_extension.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_unusual_process_path_wbem.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_write_dac_access.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_capnetraw_capability.toml
Prep for Release 8.17 (#4256)
2024-11-07 23:53:04 +05:30
discovery_files_dir_systeminfo_via_cmd.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_generic_account_groups.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_generic_process_discovery.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_generic_registry_query.toml
[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324)
2024-12-19 13:03:50 -05:00
discovery_getconf_execution.toml
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)
2025-11-10 16:03:39 +01:00
discovery_hosts_file_access.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_internet_capabilities.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_kernel_module_enumeration_via_proc.toml
[Rule Tuning] Q2 Linux DR Tuning - BBR (#4171)
2024-10-18 16:45:23 +02:00
discovery_kubectl_configuration_discovery.toml
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)
2025-11-10 16:03:39 +01:00
discovery_kubectl_workload_and_cluster_discovery.toml
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)
2025-11-10 16:03:39 +01:00
discovery_linux_modprobe_enumeration.toml
[Rule Tuning] Q2 Linux DR Tuning - BBR (#4171)
2024-10-18 16:45:23 +02:00
discovery_linux_sysctl_enumeration.toml
[Rule Tuning] Q2 Linux DR Tuning - BBR (#4171)
2024-10-18 16:45:23 +02:00
discovery_linux_system_information_discovery.toml
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)
2025-11-10 16:03:39 +01:00
discovery_linux_system_owner_user_discovery.toml
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)
2025-11-10 16:03:39 +01:00
discovery_net_share_discovery_winlog.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_net_view.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_of_accounts_or_groups_via_builtin_tools.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_of_domain_groups.toml
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)
2025-11-10 16:03:39 +01:00
discovery_posh_generic.toml
[Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts (#4867)
2025-07-07 10:56:13 -03:00
discovery_posh_password_policy.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
discovery_post_exploitation_external_ip_lookup.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_potential_memory_seeking_activity.toml
[Rule Tuning] Q2 Linux DR Tuning - BBR (#4171)
2024-10-18 16:45:23 +02:00
discovery_process_discovery_via_builtin_tools.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_remote_system_discovery_commands_windows.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_security_software_wmic.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_signal_unusual_user_host.toml
Testcase to check if Rule Type: BBR tag is present for all BBR rules (#4048)
2024-09-02 21:29:31 +05:30
discovery_suspicious_proc_enumeration.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_system_network_connections.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_system_service_discovery.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_system_time_discovery.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_win_network_connections.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_windows_system_information_discovery.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
entra_id_identity_protection_risk_detections.toml
[New Rule] Microsoft Entra ID Protection - Risk Detections (#4725)
2025-05-19 13:51:26 -04:00
execution_aws_lambda_function_updated.toml
Testcase to check if Rule Type: BBR tag is present for all BBR rules (#4048)
2024-09-02 21:29:31 +05:30
execution_github_new_event_action_for_pat.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
execution_github_new_repo_interaction_for_pat.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
execution_github_new_repo_interaction_for_user.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
execution_github_repo_created.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
execution_github_repo_interaction_from_new_ip.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
execution_linux_segfault.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_settingcontent_ms_file_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_unsigned_service_executable.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_wmi_wbemtest.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_azure_recovery_services_deletion.toml
[New Rule] Azure Recovery Services Deletion (#5214)
2025-10-17 10:11:10 -04:00
impact_github_member_removed_from_organization.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
impact_github_pat_access_revoked.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
impact_github_user_blocked_from_organization.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
initial_access_aws_signin_token_created.toml
[Rule Tuning][New BBR Rule] AWS Sign-In Token Creation and Console Login (#5197)
2025-10-16 12:47:30 -04:00
initial_access_github_new_ip_address_for_pat.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
initial_access_github_new_ip_address_for_user.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
initial_access_github_new_user_agent_for_pat.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
initial_access_github_new_user_agent_for_user.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
initial_access_potential_rce_via_toolshell.toml
[New Rule] Toolshell Exploit Chain Detections (#4928)
2025-08-29 15:17:52 -04:00
initial_access_potential_toolshell_exploit_attempt.toml
[New Rule] Toolshell Exploit Chain Detections (#4928)
2025-08-29 15:17:52 -04:00
lateral_movement_at.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_posh_winrm_activity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_rdp_conn_unusual_process.toml
Testcase to check if Rule Type: BBR tag is present for all BBR rules (#4048)
2024-09-02 21:29:31 +05:30
lateral_movement_unusual_process_sql_accounts.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_wmic_remote.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_aws_iam_login_profile_added_to_user.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_cap_sys_admin_added_to_new_binary.toml
Prep for Release 8.17 (#4256)
2024-11-07 23:53:04 +05:30
persistence_creation_of_kernel_module.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_github_new_pat_for_user.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
persistence_github_new_user_added_to_organization.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
persistence_iam_instance_request_to_iam_service.toml
[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)
2024-11-08 23:11:18 -05:00
persistence_startup_folder_lnk.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_transport_agent_exchange.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_web_server_potential_sql_injection.toml
[New Rule] Web Server Potential SQL Injection Request (#5342)
2025-12-02 10:46:48 +01:00
persistence_web_server_sus_file_creation.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
privilege_escalation_sts_getsessiontoken_abuse.toml
[Rule Tuning] AWS GetSessionToken Abuse (#5274)
2025-11-14 04:14:13 -05:00
privilege_escalation_trap_execution.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30