valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,977 Commits 20 Branches 25 Tags 21 MiB
00a757959e
Commit Graph

1155 Commits

Author SHA1 Message Date
mgreen27
1d26708887 sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml 
alternative detection methods
 2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb
2d22a3fe02
Add detection for recent Mimikatz versions 
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
 2019-06-12 12:13:31 +03:00
Thomas Patzke
a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib
3bcfc53905 Corrected Typo 2019-06-10 09:54:37 +03:00
Tareq AlKhatib
fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
James Ahearn
eae7e3ab10 Web Source Code Enumeration via .git 2019-06-08 22:40:28 -04:00
Thomas Patzke
407d8214f7 Added APT40 Dropbox exfiltration proxy rule 2019-06-07 14:03:41 +02:00
yugoslavskiy
5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00
yugoslavskiy
6a39b4fb41 date added 2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596 rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing 2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name 
incorrect process name. accidentally had fsutil, should be bcdedit.

thanks to https://twitter.com/INIT_3 for pointing this out
 2019-06-01 09:50:50 -04:00
Thomas Patzke
4e96666c04
Merge pull request #336 from petermat/added_rule_T1156 
added rule .bash_profile and .bashrc T1156
 2019-05-30 22:43:33 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master 
Add rule for CVE-2019-0708
 2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments 
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
 2019-05-27 08:54:18 +02:00
Thomas Patzke
241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00
Lionel PRAT
f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Florian Roth
7b63c92fc0 Rule: applying recommendation 
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
 2019-05-23 09:44:25 +02:00
Olaf Hartong
b60cfbe244
Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88 Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Thomas Patzke
2d0c08cc8b Added wildcards to rule values 
These values appear somewhere in a log message, therefore wildcards are
required.
 2019-05-21 01:03:20 +02:00
Patryk
c163dcbe05
Update sysmon_mimikatz_trough_winrm.yml 
Deleted tab character (\t)
 2019-05-20 13:22:36 +02:00
Patryk
a9faa3dc33
Create sysmon_mimikatz_trough_winrm.yml 
Detects usage of mimikatz through WinRM protocol
 2019-05-20 12:25:58 +02:00
Florian Roth
694fa567b6
Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown
13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown
275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
petermmm
b6c4e64a9b fixed attack category number 2->3 2019-05-12 11:59:13 +02:00
petermmm
2778558ae3 added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00
Codehardt
1ca57719b0 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:37:12 +02:00
Codehardt
6585c83077 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:13:35 +02:00
Thomas Patzke
25c0330dca Added filter 2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9 Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1 2019-05-10 00:15:51 +02:00
Thomas Patzke
56f64ca47d
Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection 
New C2 DNS Tunneling Sigma Detection Rule
 2019-05-10 00:12:39 +02:00
Thomas Patzke
46c789105b Fix and ordering 2019-05-10 00:08:26 +02:00
Thomas Patzke
595f22552d Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep 2019-05-10 00:05:06 +02:00
Thomas Patzke
15a4c7e477 Fixed rule 2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14 Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3 2019-05-10 00:00:14 +02:00
Thomas Patzke
f51e918a2e Small rule change 2019-05-09 23:57:55 +02:00
Thomas Patzke
31946426a5 Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1 2019-05-09 23:54:18 +02:00
Thomas Patzke
f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d Changed rule 
* Adapted false positive notice to observation
* Decreased level
 2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e Converted to generic process creation rule 
Previous rule was prone to FPs; more generic form
 2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d Update win_proc_wrong_parent.yml 
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 2019-05-09 23:48:36 +02:00
Florian Roth
378ba5b38f Transformed rule 
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description
 2019-05-09 23:48:36 +02:00
Vasiliy Burov
8e6295e402 Windows processes with wrong parent 
Detect scenarios when malicious program is disguised as legitimate process
 2019-05-09 23:48:36 +02:00
Thomas Patzke
121e21960e Rule changes 
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
 2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Thomas Patzke
f0b0f54500 Merge improved pull request #322 2019-04-21 23:56:36 +02:00
Thomas Patzke
765fe9dcd9 Further improved Windows user creation rule 
* Decreased level
* Fixed field names
* Added false positive possibility
 2019-04-21 23:54:18 +02:00
Karneades
b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Florian Roth
dd9648b31e
Revert "New Sigma rule detecting local user creation" 2019-04-21 09:09:25 +02:00
Florian Roth
a85acdfd02
Changed title and description 2019-04-21 08:54:56 +02:00
Florian Roth
0713360443
Fixed MITRE ATT&CK tags 2019-04-21 08:52:07 +02:00
Thomas Patzke
49beb5d1a8 Integrated PR from @P4T12ICK in existing rule 
PR #321
 2019-04-21 00:28:40 +02:00
Thomas Patzke
bdd184a24c
Merge pull request #322 from P4T12ICK/feature/win_user_creation 
New Sigma rule detecting local user creation
 2019-04-21 00:20:15 +02:00
Thomas Patzke
80f45349ed
Modified rule 
* Adjusted ATT&CK tagging
* Set status
 2019-04-21 00:14:57 +02:00
Florian Roth
aab3dbee4f Rule: Detect Empire PowerShell Default Cmdline Params 2019-04-20 09:38:41 +02:00
Florian Roth
03d8184990 Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:41 +02:00
Florian Roth
5249279a66 Rule: another MSF payload user agent 2019-04-20 09:38:41 +02:00
Florian Roth
d5fa51eab9
Merge pull request #305 from Karneades/patch-3 
Remove too loose filter in notepad++ updater rule
 2019-04-19 12:40:24 +02:00
Florian Roth
e32708154f
Merge pull request #304 from Karneades/patch-2 
Remove too loose filter in mshta rule
 2019-04-19 09:51:45 +02:00
Florian Roth
74dd008b10
FP note for HP software 2019-04-19 09:51:32 +02:00
Karneades
d75ea35295 Restrict whitelist filter in system exe anomaly rule 2019-04-18 22:06:12 +02:00
patrick
8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
Florian Roth
f78413deab
Merge pull request #309 from jmlynch/master 
added rules for renamed wscript, cscript and paexec. Added two direct…
 2019-04-17 23:59:27 +02:00
Florian Roth
4808f49e0d
More exact path 2019-04-17 23:45:15 +02:00
Florian Roth
1a4a74b64b
fix: dot mustn't be escaped 2019-04-17 23:44:36 +02:00
Florian Roth
76780ccce2
Too many different trusted cscript imphashes 2019-04-17 23:33:56 +02:00
Florian Roth
7c5f985f6f
Modifications 2019-04-17 23:30:49 +02:00
Florian Roth
4298abffb7
Modifications 2019-04-17 23:29:29 +02:00
Florian Roth
615a802a8e
Modifications 2019-04-17 23:26:20 +02:00
Sam0x90
0e8a46aaf7
Update win_subp_svchost rule 
Adding rpcnet.exe as ParentImage
 2019-04-16 15:00:06 +02:00
Florian Roth
17470d1545 Rule: extended parent list for legitimate svchost starts 
https://twitter.com/Sam0x90/status/1117768799816753153
 2019-04-15 14:54:35 +02:00
Florian Roth
daaee558a1 Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth
612a7642d2
Added Local directory 2019-04-15 08:47:53 +02:00
Florian Roth
65b81dad32 Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Florian Roth
1d3159bef0 Rule: Extended Office Shell rule 2019-04-15 08:13:35 +02:00
Karneades
d872c52a43
Add restricted filters to notepad++ gup.exe rule 2019-04-15 08:12:12 +02:00
Florian Roth
1e262f5055
Merge pull request #303 from Karneades/patch-1 
Remove too loose filter in wmi spwns powershell rule
 2019-04-14 23:11:57 +02:00
Florian Roth
cb0a87e21e
Merge pull request #316 from megan201296/patch-19 
Update win_mal_ursnif.yml
 2019-04-14 23:10:16 +02:00
Florian Roth
08ec8597a5
Merge pull request #317 from megan201296/patch-20 
Create apt_oceanlotus_registry.yml
 2019-04-14 23:09:42 +02:00
megan201296
74fce5f511
Create apt_oceanlotus_registry.yml 
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/. Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
 2019-04-14 12:01:52 -05:00
megan201296
eb8a0636c5
Update win_mal_ursnif.yml 
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still uniique.
 2019-04-14 11:51:13 -05:00
patrick
51d19b36cc Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00
patrick
4b43db2aac Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00
Karneades
75d36165fc
Remove non-generic falsepositives 
There are tons of FPs for that... :)
 2019-04-11 12:55:24 +02:00
Karneades
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00
Jason Lynch
89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch
f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
patrick
ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Karneades
97376c00de
Fix condition 2019-04-04 22:33:32 +02:00
Karneades
766b8b8d18
Fix condition 2019-04-04 22:32:47 +02:00
Karneades
788e75ef1b
Fix condition 2019-04-04 22:32:21 +02:00
Karneades
840eb2f519
Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00
Karneades
eb690d8902
Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Karneades
1915561351
Remove to loose wildcard from wmi spwns powershell rule 2019-04-04 22:12:28 +02:00
Florian Roth
81693d81b6
Merge pull request #295 from sbousseaden/master 
Create win_atsvc_task.yml
 2019-04-04 18:32:13 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
MadsRC
41b4d800c5
Update net_susp_dns_txt_exec_strings.yml 
Fixed my botched YAML syntax...
 2019-04-04 08:35:37 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
MadsRC
d0d51b6601
Update net_susp_dns_txt_exec_strings.yml 
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.

"record_type" was chosen as that fits with Splunks "Network Resolution (DNS)" datamodel.
 2019-04-03 20:31:31 +02:00
Florian Roth
2b814011cd
Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature 
Add new signature for linux clear command history
 2019-04-03 19:45:06 +02:00
Florian Roth
13f86e9333
Merge pull request #296 from Karneades/patch-1 
Remove backslashes in CommandLine for sticky key rule
 2019-04-03 19:44:02 +02:00
yt0ng
e0459cec1c
renamed file 2019-04-03 17:39:17 +02:00
t0x1c-1
7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown
9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown
d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades
865d971704
Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
 2019-04-03 16:16:18 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden
b941f6411f
Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden
516c8f3ea1
Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden
3d69727332
Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden
016261cacf
Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden
a85c668f6f
Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden
d62bc41bfb
Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden
32c6b34746
Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden
548145ce10
Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden
ddb2d92a98
Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
sbousseaden
e3f99c323b
Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Florian Roth
6cc1770351
Merge pull request #294 from Pr0t3an/patch-3 
Update lnx_shell_susp_rev_shells.yml
 2019-04-03 01:07:07 +02:00
Florian Roth
b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00
Pr0t3an
d067087632
Update lnx_shell_susp_rev_shells.yml 
added 
 - 'bash -i >& /dev/udp/'
        - 'sh -I >$ /dev/udp/'
        - 'sh -i   >$ /dev/tcp/'
 2019-04-02 18:22:18 +01:00
Florian Roth
5c5a16c4d5 Rule: adding xterm -display string to rule 2019-04-02 18:48:18 +02:00
Florian Roth
453bd10e6e Rule: Suspicious reverse shell command lines 2019-04-02 17:03:57 +02:00
Thomas Patzke
8e854b06f6 Specified source to prevent EventID collisions 
Issue #263
 2019-04-01 23:45:55 +02:00
Florian Roth
d06a5431eb
Changes 2019-04-01 14:03:54 +02:00
Florian Roth
e473efb7c3
Trying to fix ATT&CK framework tag 2019-04-01 10:36:35 +02:00
Florian Roth
3f2ce4b71f
Lowered level to medium 2019-04-01 09:47:14 +02:00
t0x1c-1
51c42a15a7 Allow Incoming Connections by Port or Application on Windows Firewall 2019-04-01 08:16:56 +02:00
patrick
0242c40360 Add new signature for linux clear command history 2019-03-24 10:10:14 +01:00
Nate Guagenti
60c4fed2e0
Create win_etw_trace_evasion.yml 
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `

Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.

example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
 2019-03-22 11:36:55 -04:00
Florian Roth
ffac77fb37 Rule: extended LockerGoga description 2019-03-22 11:03:48 +01:00
Florian Roth
1adb040e0b Rule: LockerGoga 2019-03-22 10:59:31 +01:00
Florian Roth
2ad2ba9589 fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00
Thomas Patzke
be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00
Thomas Patzke
8512417de0 Incorporated MITRE CAR mapping from #55 2019-03-16 00:03:27 +01:00
Thomas Patzke
5e3a25537e
Merge pull request #283 from LiamSennitt/master 
Added and fixed tags on APT rules
 2019-03-15 23:00:25 +01:00
yugoslavskiy
33db032a16 added missed service 2019-03-14 00:44:26 +01:00
Liam Sennitt
bb026e4692 fixed tag typo on rules 2019-03-13 10:25:41 +00:00
Liam Sennitt
0aaac1a48e add tags to crime fireball rule 2019-03-13 10:10:12 +00:00
Liam Sennitt
1e29c9c1ce add tags to apt zxshell rule 2019-03-13 10:09:05 +00:00
Liam Sennitt
1f47dc1cdc add tags to apt turla commands rule 2019-03-13 10:06:34 +00:00
Liam Sennitt
96492834c5 add tags to apt sofacy rule 2019-03-13 09:53:02 +00:00
Liam Sennitt
aca36c88cc add tags to apt slingshot rule 2019-03-13 09:50:39 +00:00
Liam Sennitt
aac632bb41 add tags on apt equationgroup dll_u load rule 2019-03-13 09:48:27 +00:00
Liam Sennitt
5ffc027f22 fix tags in apt carbonpaper turla rule 2019-03-13 09:43:18 +00:00
Liam Sennitt
25b680bfec fix and add tags to apt bear activity gtr19 rule 2019-03-13 09:40:28 +00:00
Liam Sennitt
3b193fb691 add tags to apt babyshark rule 2019-03-13 09:32:10 +00:00
Liam Sennitt
aee0d1dd67 fix tags on apt29 tor rule 2019-03-13 09:25:28 +00:00
Liam Sennitt
5dc229b590 add tags to apt29 thinktanks rule 2019-03-13 09:22:41 +00:00
Florian Roth
95b47972f0 fix: transformed rule to new proc_creation format 2019-03-12 09:03:30 +01:00
Florian Roth
c4003ff410
Merge pull request #264 from darkquasar/master 
adding rule win-susp-mshta-execution.yml
 2019-03-11 23:50:56 +01:00
Florian Roth
bd38cff042
Merge pull request #272 from LiamSennitt/master 
fix tagging in turla png dropper service rule
 2019-03-11 23:48:18 +01:00
Yugoslavskiy Daniil
5d54e9c8a1 nbstat.exe -> nbtstat.exe 2019-03-11 19:28:29 +01:00
Yugoslavskiy Daniil
c22265c655 updated detection logic 2019-03-11 16:58:57 +01:00
Tareq AlKhatib
783d8c4268 Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
Tareq AlKhatib
075df83118 Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
Florian Roth
fe9e50167f Rule: renamed bitsadmin rule 2019-03-08 16:25:16 +01:00
Florian Roth
49532438eb Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00
Thomas Patzke
3c1948f089
Merge pull request #277 from megan201296/patch-18 
Remove invalid link
 2019-03-07 23:49:13 +01:00
Yugoslavskiy Daniil
475113b1c1 fixed incorrect date format 2019-03-07 22:52:11 +01:00
megan201296
c2a16591af
Remove invalid link 
Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement but went better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
 2019-03-07 14:22:29 -06:00
Florian Roth
a82ea0a022
Merge pull request #276 from krakow2600/master 
ATC windows rules review
 2019-03-06 17:16:32 +01:00
Florian Roth
83c0c71bc7
Reworked for process_creation rules 2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil
cb7243de5d fixed wrong tags 2019-03-06 06:18:38 +01:00
Yugoslavskiy Daniil
8bec627ff1 fixed multiple tags issue 2019-03-06 06:09:37 +01:00
Yugoslavskiy Daniil
5154460726 changed service to product 2019-03-06 05:57:01 +01:00
Yugoslavskiy Daniil
05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master 
Fix rules
 2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745 rules update 2019-03-06 00:43:42 +01:00
mrblacyk
6232362f04 Missing tags 2019-03-06 00:16:40 +01:00
mrblacyk
07807837ee Missing tags 2019-03-06 00:02:37 +01:00
mikhail
be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00