update fix
This commit is contained in:
parent
06840be3e7
commit
f1a84536c3
@ -2,9 +2,9 @@ title: DNS Events Related To Mining Pools
|
||||
id: bf74135c-18e8-4a72-a926-0e4f47888c19
|
||||
description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools.
|
||||
references:
|
||||
- Azure Sentinel
|
||||
date: 2021/08/15
|
||||
author: Saw Winn Naung
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
|
||||
date: 2021/08/19
|
||||
author: Saw Winn Naung , Azure-Sentinel
|
||||
level: medium
|
||||
logsource:
|
||||
service: dns
|
||||
@ -15,30 +15,79 @@ tags:
|
||||
detection:
|
||||
selection:
|
||||
query:
|
||||
- 'monerohash.com'
|
||||
- 'do-dear.com'
|
||||
- 'xmrminerpro.com'
|
||||
- 'secumine.net'
|
||||
- 'xmrpool.com'
|
||||
- 'minexmr.org'
|
||||
- 'hashanywhere.com'
|
||||
- 'xmrget.com'
|
||||
- 'mininglottery.eu'
|
||||
- 'minergate.com'
|
||||
- 'moriaxmr.com'
|
||||
- 'multipooler.com'
|
||||
- 'moneropools.com'
|
||||
- 'xmrpool.eu'
|
||||
- 'coolmining.club'
|
||||
- 'supportxmr.com'
|
||||
- 'minexmr.com'
|
||||
- 'coinfoundry.org'
|
||||
- 'cryptoknight.cc'
|
||||
- 'fairhash.org'
|
||||
- 'baikalmine.com'
|
||||
- 'tubepool.xyz'
|
||||
- 'fairpool.xyz'
|
||||
- 'asiapool.io'
|
||||
- "monerohash.com"
|
||||
- "do-dear.com"
|
||||
- "xmrminerpro.com"
|
||||
- "secumine.net"
|
||||
- "xmrpool.com"
|
||||
- "minexmr.org"
|
||||
- "hashanywhere.com"
|
||||
- "xmrget.com"
|
||||
- "mininglottery.eu"
|
||||
- "minergate.com"
|
||||
- "moriaxmr.com"
|
||||
- "multipooler.com"
|
||||
- "moneropools.com"
|
||||
- "xmrpool.eu"
|
||||
- "coolmining.club"
|
||||
- "supportxmr.com"
|
||||
- "minexmr.com"
|
||||
- "hashvault.pro"
|
||||
- "xmrpool.net"
|
||||
- "crypto-pool.fr"
|
||||
- "xmr.pt"
|
||||
- "miner.rocks"
|
||||
- "walpool.com"
|
||||
- "herominers.com"
|
||||
- "gntl.co.uk"
|
||||
- "semipool.com"
|
||||
- "coinfoundry.org"
|
||||
- "cryptoknight.cc"
|
||||
- "fairhash.org"
|
||||
- "baikalmine.com"
|
||||
- "tubepool.xyz"
|
||||
- "fairpool.xyz"
|
||||
- "asiapool.io"
|
||||
- "coinpoolit.webhop.me"
|
||||
- "nanopool.org"
|
||||
- "moneropool.com"
|
||||
- "miner.center"
|
||||
- "prohash.net"
|
||||
- "poolto.be"
|
||||
- "cryptoescrow.eu"
|
||||
- "monerominers.net"
|
||||
- "cryptonotepool.org"
|
||||
- "extrmepool.org"
|
||||
- "webcoin.me"
|
||||
- "kippo.eu"
|
||||
- "hashinvest.ws"
|
||||
- "monero.farm"
|
||||
- "supportxmr.com"
|
||||
- "xmrpool.eu"
|
||||
- "linux-repository-updates.com"
|
||||
- "1gh.com"
|
||||
- "dwarfpool.com"
|
||||
- "hash-to-coins.com"
|
||||
- "hashvault.pro"
|
||||
- "pool-proxy.com"
|
||||
- "hashfor.cash"
|
||||
- "fairpool.cloud"
|
||||
- "litecoinpool.org"
|
||||
- "mineshaft.ml"
|
||||
- "abcxyz.stream"
|
||||
- "moneropool.ru"
|
||||
- "cryptonotepool.org.uk"
|
||||
- "extremepool.org"
|
||||
- "extremehash.com"
|
||||
- "hashinvest.net"
|
||||
- "unipool.pro"
|
||||
- "crypto-pools.org"
|
||||
- "monero.net"
|
||||
- "backup-pool.com"
|
||||
- "mooo.com"
|
||||
- "freeyy.me"
|
||||
- "cryptonight.net"
|
||||
- "shscrypto.net"
|
||||
condition: selection
|
||||
fields:
|
||||
- clientip
|
||||
|
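Review bot: The new query list in the second hunk (`@ -15,30 +15,79 @@`) carries duplicates — `supportxmr.com`, `xmrpool.eu` and `hashvault.pro` each appear twice — which add nothing to coverage and may trip rule validators that reject repeated values; drop the second copies. A plain string under `query:` is an equality match in Sigma, and mining clients generally resolve a pool subdomain (for example `pool.<pool-domain>`, constructed) rather than the apex, so the list as written only fires on bare-apex lookups; `query|endswith: '.minexmr.com'`-style entries (or the backend's substring mode, if that is what the Sentinel source relied on) would close the gap, and the same applies to the DNS TOR Proxies section below. `mooo.com` is a general-purpose dynamic-DNS zone rather than a pool, so that entry will alert on unrelated hosts; narrow it to the specific hostname if one is known, or drop it. In the first hunk the `references` entry `- Azure Sentinel` is a label rather than a URL and can go now that the GitHub link is present (the other three rules in this commit carry the same entry), and if `date: 2021/08/19` is the new side it should instead be `modified: 2021/08/19` with the original `date` kept, since `date` is the creation date in Sigma.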
@ -2,9 +2,9 @@ title: DNS TOR Proxies
|
||||
id: a8322756-015c-42e7-afb1-436e85ed3ff5
|
||||
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
|
||||
references:
|
||||
- Azure Sentinel
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
|
||||
date: 2021/08/15
|
||||
author: Saw Winn Naung
|
||||
author: Saw Winn Naung , Azure-Sentinel
|
||||
level: medium
|
||||
logsource:
|
||||
service: dns
|
||||
@ -14,9 +14,38 @@ tags:
|
||||
detection:
|
||||
selection:
|
||||
query:
|
||||
- 'tor2web.*'
|
||||
- 'onion.*'
|
||||
- '*tor-gateways*'
|
||||
- "tor2web.org"
|
||||
- "tor2web.com"
|
||||
- "torlink.co"
|
||||
- "onion.to"
|
||||
- "onion.ink"
|
||||
- "onion.cab"
|
||||
- "onion.nu"
|
||||
- "onion.link"
|
||||
- "onion.it"
|
||||
- "onion.city"
|
||||
- "onion.direct"
|
||||
- "onion.top"
|
||||
- "onion.casa"
|
||||
- "onion.plus"
|
||||
- "onion.rip"
|
||||
- "onion.dog"
|
||||
- "tor2web.fi"
|
||||
- "tor2web.blutmagie.de"
|
||||
- "onion.sh"
|
||||
- "onion.lu"
|
||||
- "onion.pet"
|
||||
- "t2w.pw"
|
||||
- "tor2web.ae.org"
|
||||
- "tor2web.io"
|
||||
- "tor2web.xyz"
|
||||
- "onion.lt"
|
||||
- "s1.tor-gateways.de"
|
||||
- "s2.tor-gateways.de"
|
||||
- "s3.tor-gateways.de"
|
||||
- "s4.tor-gateways.de"
|
||||
- "s5.tor-gateways.de"
|
||||
- "hiddenservice.net"
|
||||
condition: selection
|
||||
fields:
|
||||
- clientip
|
||||
|
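Review bot: Replacing the wildcard `'*tor-gateways*'` with the enumerated `s1.tor-gateways.de` … `s5.tor-gateways.de` in the second hunk (`@ -14,9 +14,38 @@`) narrows coverage to exactly five hosts, so any other host under that zone, or a lookup for the apex itself, is now missed; `query|endswith: '.tor-gateways.de'` keeps the intent of the old pattern without a wildcard, and the same form suits the `onion.*`/`tor2web.*` replacements, since a tor2web lookup is for `<onion-address>.onion.to` (constructed) rather than the bare `onion.to`. In the first hunk the author line `author: Saw Winn Naung , Azure-Sentinel` has a stray space before the comma; `author: Saw Winn Naung, Azure-Sentinel` matches the usual comma-separated form.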
@ -3,15 +3,15 @@ id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8
|
||||
description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.'
|
||||
author: sawwinnnaung
|
||||
references:
|
||||
- Azure Sentinel
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml
|
||||
date: 2021/08/15
|
||||
level: medium
|
||||
logsource:
|
||||
product: windows
|
||||
category: process_creation
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1064
|
||||
logsource:
|
||||
product: windows
|
||||
category: process_creation
|
||||
detection:
|
||||
selection:
|
||||
NewProcessName|contains:
|
||||
|
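Review bot: The tag `attack.t1064` under `tags:` refers to a technique ATT&CK has deprecated (Scripting, folded into T1059 Command and Scripting Interpreter), so tooling that maps tags to the current matrix will not resolve it; use `attack.t1059` (plus the relevant sub-technique if one applies). The hunk prints a `logsource:` stanza both before and after `tags:`; if both survive on the new side that is a duplicate top-level key, which most YAML loaders resolve silently by keeping the last one, so only one should remain. `author: sawwinnnaung` also differs from the `author: Saw Winn Naung` form used in the sibling rules in this commit. The `selection:` block and its `NewProcessName|contains:` list continue outside the hunk.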
@ -3,7 +3,7 @@ id: a122ac13-daf8-4175-83a2-72c387be339d
|
||||
status: experimental
|
||||
description: Checks for event id 1102 which indicates the security event log was cleared.
|
||||
references:
|
||||
- Azure Sentinel
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
|
||||
date: 2021/08/15
|
||||
author: Saw Winn Naung
|
||||
level: medium
|
||||
|
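Review bot: `level: medium` looks low for this rule: event 1102 means the Security log was cleared, which is a direct defence-evasion signal with few benign sources, so `level: high` is more in line with how the alert will be triaged, unless routine maintenance in the target environment is known to generate it. The detection block itself is outside the hunk, so whether it also pins the `Security` channel or the provider cannot be checked here.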