valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,977 Commits 20 Branches 25 Tags 21 MiB
00a757959e
Commit Graph

1155 Commits

Author SHA1 Message Date
Thomas Patzke
595f22552d Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep 2019-05-10 00:05:06 +02:00
Thomas Patzke
15a4c7e477 Fixed rule 2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14 Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3 2019-05-10 00:00:14 +02:00
Thomas Patzke
f51e918a2e Small rule change 2019-05-09 23:57:55 +02:00
Thomas Patzke
31946426a5 Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1 2019-05-09 23:54:18 +02:00
Thomas Patzke
f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d Changed rule 
* Adapted false positive notice to observation
* Decreased level
 2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e Converted to generic process creation rule 
Previous rule was prone to FPs; more generic form
 2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d Update win_proc_wrong_parent.yml 
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 2019-05-09 23:48:36 +02:00
Florian Roth
378ba5b38f Transformed rule 
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description
 2019-05-09 23:48:36 +02:00
Vasiliy Burov
8e6295e402 Windows processes with wrong parent 
Detect scenarios when malicious program is disguised as legitimate process
 2019-05-09 23:48:36 +02:00
Thomas Patzke
121e21960e Rule changes 
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
 2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Thomas Patzke
f0b0f54500 Merge improved pull request #322 2019-04-21 23:56:36 +02:00
Thomas Patzke
765fe9dcd9 Further improved Windows user creation rule 
* Decreased level
* Fixed field names
* Added false positive possibility
 2019-04-21 23:54:18 +02:00
Karneades
b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Florian Roth
dd9648b31e
Revert "New Sigma rule detecting local user creation" 2019-04-21 09:09:25 +02:00
Florian Roth
a85acdfd02
Changed title and description 2019-04-21 08:54:56 +02:00
Florian Roth
0713360443
Fixed MITRE ATT&CK tags 2019-04-21 08:52:07 +02:00
Thomas Patzke
49beb5d1a8 Integrated PR from @P4T12ICK in existing rule 
PR #321
 2019-04-21 00:28:40 +02:00
Thomas Patzke
bdd184a24c
Merge pull request #322 from P4T12ICK/feature/win_user_creation 
New Sigma rule detecting local user creation
 2019-04-21 00:20:15 +02:00
Thomas Patzke
80f45349ed
Modified rule 
* Adjusted ATT&CK tagging
* Set status
 2019-04-21 00:14:57 +02:00
Florian Roth
aab3dbee4f Rule: Detect Empire PowerShell Default Cmdline Params 2019-04-20 09:38:41 +02:00
Florian Roth
03d8184990 Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:41 +02:00
Florian Roth
5249279a66 Rule: another MSF payload user agent 2019-04-20 09:38:41 +02:00
Florian Roth
d5fa51eab9
Merge pull request #305 from Karneades/patch-3 
Remove too loose filter in notepad++ updater rule
 2019-04-19 12:40:24 +02:00
Florian Roth
e32708154f
Merge pull request #304 from Karneades/patch-2 
Remove too loose filter in mshta rule
 2019-04-19 09:51:45 +02:00
Florian Roth
74dd008b10
FP note for HP software 2019-04-19 09:51:32 +02:00
Karneades
d75ea35295 Restrict whitelist filter in system exe anomaly rule 2019-04-18 22:06:12 +02:00
patrick
8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
Florian Roth
f78413deab
Merge pull request #309 from jmlynch/master 
added rules for renamed wscript, cscript and paexec. Added two direct…
 2019-04-17 23:59:27 +02:00
Florian Roth
4808f49e0d
More exact path 2019-04-17 23:45:15 +02:00
Florian Roth
1a4a74b64b
fix: dot mustn't be escaped 2019-04-17 23:44:36 +02:00
Florian Roth
76780ccce2
Too many different trusted cscript imphashes 2019-04-17 23:33:56 +02:00
Florian Roth
7c5f985f6f
Modifications 2019-04-17 23:30:49 +02:00
Florian Roth
4298abffb7
Modifications 2019-04-17 23:29:29 +02:00
Florian Roth
615a802a8e
Modifications 2019-04-17 23:26:20 +02:00
Sam0x90
0e8a46aaf7
Update win_subp_svchost rule 
Adding rpcnet.exe as ParentImage
 2019-04-16 15:00:06 +02:00
Florian Roth
17470d1545 Rule: extended parent list for legitimate svchost starts 
https://twitter.com/Sam0x90/status/1117768799816753153
 2019-04-15 14:54:35 +02:00
Florian Roth
daaee558a1 Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth
612a7642d2
Added Local directory 2019-04-15 08:47:53 +02:00
Florian Roth
65b81dad32 Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Florian Roth
1d3159bef0 Rule: Extended Office Shell rule 2019-04-15 08:13:35 +02:00
Karneades
d872c52a43
Add restricted filters to notepad++ gup.exe rule 2019-04-15 08:12:12 +02:00
Florian Roth
1e262f5055
Merge pull request #303 from Karneades/patch-1 
Remove too loose filter in wmi spwns powershell rule
 2019-04-14 23:11:57 +02:00
Florian Roth
cb0a87e21e
Merge pull request #316 from megan201296/patch-19 
Update win_mal_ursnif.yml
 2019-04-14 23:10:16 +02:00
Florian Roth
08ec8597a5
Merge pull request #317 from megan201296/patch-20 
Create apt_oceanlotus_registry.yml
 2019-04-14 23:09:42 +02:00
megan201296
74fce5f511
Create apt_oceanlotus_registry.yml 
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/. Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
 2019-04-14 12:01:52 -05:00
megan201296
eb8a0636c5
Update win_mal_ursnif.yml 
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still uniique.
 2019-04-14 11:51:13 -05:00
patrick
51d19b36cc Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00
patrick
4b43db2aac Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00
Karneades
75d36165fc
Remove non-generic falsepositives 
There are tons of FPs for that... :)
 2019-04-11 12:55:24 +02:00
Karneades
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00
Jason Lynch
89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch
f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
patrick
ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Karneades
97376c00de
Fix condition 2019-04-04 22:33:32 +02:00
Karneades
766b8b8d18
Fix condition 2019-04-04 22:32:47 +02:00
Karneades
788e75ef1b
Fix condition 2019-04-04 22:32:21 +02:00
Karneades
840eb2f519
Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00
Karneades
eb690d8902
Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Karneades
1915561351
Remove to loose wildcard from wmi spwns powershell rule 2019-04-04 22:12:28 +02:00
Florian Roth
81693d81b6
Merge pull request #295 from sbousseaden/master 
Create win_atsvc_task.yml
 2019-04-04 18:32:13 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
MadsRC
41b4d800c5
Update net_susp_dns_txt_exec_strings.yml 
Fixed my botched YAML syntax...
 2019-04-04 08:35:37 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
MadsRC
d0d51b6601
Update net_susp_dns_txt_exec_strings.yml 
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.

"record_type" was chosen as that fits with Splunks "Network Resolution (DNS)" datamodel.
 2019-04-03 20:31:31 +02:00
Florian Roth
2b814011cd
Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature 
Add new signature for linux clear command history
 2019-04-03 19:45:06 +02:00
Florian Roth
13f86e9333
Merge pull request #296 from Karneades/patch-1 
Remove backslashes in CommandLine for sticky key rule
 2019-04-03 19:44:02 +02:00
yt0ng
e0459cec1c
renamed file 2019-04-03 17:39:17 +02:00
t0x1c-1
7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown
9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown
d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades
865d971704
Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
 2019-04-03 16:16:18 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden
b941f6411f
Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden
516c8f3ea1
Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden
3d69727332
Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden
016261cacf
Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden
a85c668f6f
Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden
d62bc41bfb
Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden
32c6b34746
Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden
548145ce10
Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden
ddb2d92a98
Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
sbousseaden
e3f99c323b
Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Florian Roth
6cc1770351
Merge pull request #294 from Pr0t3an/patch-3 
Update lnx_shell_susp_rev_shells.yml
 2019-04-03 01:07:07 +02:00
Florian Roth
b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00
Pr0t3an
d067087632
Update lnx_shell_susp_rev_shells.yml 
added 
 - 'bash -i >& /dev/udp/'
        - 'sh -I >$ /dev/udp/'
        - 'sh -i   >$ /dev/tcp/'
 2019-04-02 18:22:18 +01:00
Florian Roth
5c5a16c4d5 Rule: adding xterm -display string to rule 2019-04-02 18:48:18 +02:00
Florian Roth
453bd10e6e Rule: Suspicious reverse shell command lines 2019-04-02 17:03:57 +02:00
Thomas Patzke
8e854b06f6 Specified source to prevent EventID collisions 
Issue #263
 2019-04-01 23:45:55 +02:00
Florian Roth
d06a5431eb
Changes 2019-04-01 14:03:54 +02:00
Florian Roth
e473efb7c3
Trying to fix ATT&CK framework tag 2019-04-01 10:36:35 +02:00
Florian Roth
3f2ce4b71f
Lowered level to medium 2019-04-01 09:47:14 +02:00
t0x1c-1
51c42a15a7 Allow Incoming Connections by Port or Application on Windows Firewall 2019-04-01 08:16:56 +02:00
patrick
0242c40360 Add new signature for linux clear command history 2019-03-24 10:10:14 +01:00
Nate Guagenti
60c4fed2e0
Create win_etw_trace_evasion.yml 
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `

Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.

example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
 2019-03-22 11:36:55 -04:00
Florian Roth
ffac77fb37 Rule: extended LockerGoga description 2019-03-22 11:03:48 +01:00
Florian Roth
1adb040e0b Rule: LockerGoga 2019-03-22 10:59:31 +01:00
Florian Roth
2ad2ba9589 fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00
Thomas Patzke
be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00
Thomas Patzke
8512417de0 Incorporated MITRE CAR mapping from #55 2019-03-16 00:03:27 +01:00
Thomas Patzke
5e3a25537e
Merge pull request #283 from LiamSennitt/master 
Added and fixed tags on APT rules
 2019-03-15 23:00:25 +01:00
yugoslavskiy
33db032a16 added missed service 2019-03-14 00:44:26 +01:00
Liam Sennitt
bb026e4692 fixed tag typo on rules 2019-03-13 10:25:41 +00:00
Liam Sennitt
0aaac1a48e add tags to crime fireball rule 2019-03-13 10:10:12 +00:00
Liam Sennitt
1e29c9c1ce add tags to apt zxshell rule 2019-03-13 10:09:05 +00:00
Liam Sennitt
1f47dc1cdc add tags to apt turla commands rule 2019-03-13 10:06:34 +00:00
Liam Sennitt
96492834c5 add tags to apt sofacy rule 2019-03-13 09:53:02 +00:00
Liam Sennitt
aca36c88cc add tags to apt slingshot rule 2019-03-13 09:50:39 +00:00
Liam Sennitt
aac632bb41 add tags on apt equationgroup dll_u load rule 2019-03-13 09:48:27 +00:00
Liam Sennitt
5ffc027f22 fix tags in apt carbonpaper turla rule 2019-03-13 09:43:18 +00:00
Liam Sennitt
25b680bfec fix and add tags to apt bear activity gtr19 rule 2019-03-13 09:40:28 +00:00
Liam Sennitt
3b193fb691 add tags to apt babyshark rule 2019-03-13 09:32:10 +00:00
Liam Sennitt
aee0d1dd67 fix tags on apt29 tor rule 2019-03-13 09:25:28 +00:00
Liam Sennitt
5dc229b590 add tags to apt29 thinktanks rule 2019-03-13 09:22:41 +00:00
Florian Roth
95b47972f0 fix: transformed rule to new proc_creation format 2019-03-12 09:03:30 +01:00
Florian Roth
c4003ff410
Merge pull request #264 from darkquasar/master 
adding rule win-susp-mshta-execution.yml
 2019-03-11 23:50:56 +01:00
Florian Roth
bd38cff042
Merge pull request #272 from LiamSennitt/master 
fix tagging in turla png dropper service rule
 2019-03-11 23:48:18 +01:00
Yugoslavskiy Daniil
5d54e9c8a1 nbstat.exe -> nbtstat.exe 2019-03-11 19:28:29 +01:00
Yugoslavskiy Daniil
c22265c655 updated detection logic 2019-03-11 16:58:57 +01:00
Tareq AlKhatib
783d8c4268 Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
Tareq AlKhatib
075df83118 Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
Florian Roth
fe9e50167f Rule: renamed bitsadmin rule 2019-03-08 16:25:16 +01:00
Florian Roth
49532438eb Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00
Thomas Patzke
3c1948f089
Merge pull request #277 from megan201296/patch-18 
Remove invalid link
 2019-03-07 23:49:13 +01:00
Yugoslavskiy Daniil
475113b1c1 fixed incorrect date format 2019-03-07 22:52:11 +01:00
megan201296
c2a16591af
Remove invalid link 
Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement but went better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
 2019-03-07 14:22:29 -06:00
Florian Roth
a82ea0a022
Merge pull request #276 from krakow2600/master 
ATC windows rules review
 2019-03-06 17:16:32 +01:00
Florian Roth
83c0c71bc7
Reworked for process_creation rules 2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil
cb7243de5d fixed wrong tags 2019-03-06 06:18:38 +01:00
Yugoslavskiy Daniil
8bec627ff1 fixed multiple tags issue 2019-03-06 06:09:37 +01:00
Yugoslavskiy Daniil
5154460726 changed service to product 2019-03-06 05:57:01 +01:00
Yugoslavskiy Daniil
05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master 
Fix rules
 2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745 rules update 2019-03-06 00:43:42 +01:00
mrblacyk
6232362f04 Missing tags 2019-03-06 00:16:40 +01:00
mrblacyk
07807837ee Missing tags 2019-03-06 00:02:37 +01:00
mikhail
be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Tareq AlKhatib
879017818f More conversions to the new process_creation logsource 2019-03-05 09:46:53 +03:00
Tareq AlKhatib
b2952b9f78 Fixing failed CI build - take 2 2019-03-04 16:51:39 +03:00
Tareq AlKhatib
c8be6e649b Fixing failed CI build 2019-03-04 16:44:30 +03:00
Tareq AlKhatib
45458121c6 Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00
Florian Roth
ae1541242c New custom suspicious TLD in rule ".pw" 2019-03-03 10:58:12 +01:00
Tareq AlKhatib
58c61430a2 updated to use process_creation 2019-03-02 21:05:15 +03:00
Florian Roth
7b3d67ae66 fix: bugfix in new proc creation rule 2019-03-02 11:28:13 +01:00
Liam Sennitt
bef5f03015 fix tagging in turla png dropper service rule 2019-03-02 09:01:00 +00:00
Florian Roth
1a583c158d fixed typo as in pull request by @m0jtaba 2019-03-02 08:16:25 +01:00
Florian Roth
2188001f98 Extended filter list provided by @Ov3rflow 2019-03-02 08:13:29 +01:00
Florian Roth
bd4e61acd8
Merge pull request #271 from vburov/patch-4 
Update win_susp_failed_logon_reasons.yml
 2019-03-02 07:21:28 +01:00
Florian Roth
f80cf52982
Expired happens too often 
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
 2019-03-02 07:20:59 +01:00
Thomas Patzke
56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Thomas Patzke
7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
 2019-03-02 00:14:20 +01:00
Florian Roth
1aac9baaed
Merge pull request #270 from LiamSennitt/master 
fix bug in chafer activity rule #269
 2019-03-01 17:13:04 +01:00
Vasiliy Burov
7bebedbac1
Update win_susp_failed_logon_reasons.yml 
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
 2019-03-01 18:18:39 +03:00
Florian Roth
af6a1ff26a
Extended rule, modified timestamp 2019-03-01 13:36:54 +01:00
Florian Roth
f560e83886
Added modified date 2019-03-01 12:07:31 +01:00
Florian Roth
fc683ac7ee
Added error code for denied logon type 2019-03-01 12:06:54 +01:00
Liam Sennitt
2345cbf7bd fix bug in chafer activity rule #269 2019-03-01 10:23:02 +00:00
Thomas Patzke
6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
darkquasar
155e273a1c
adding rule win-susp-mshta-execution.yml 2019-02-27 15:55:39 +11:00
Florian Roth
8ce4b1530d Rule: added SAM export 2019-02-26 09:00:47 +01:00
Thomas Patzke
c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Thomas Patzke
58a32f35d9
Merge pull request #246 from james0d0a/master 
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
 2019-02-24 16:53:49 +01:00
Florian Roth
f278a00174 Rule: certutil encode 2019-02-24 14:10:40 +01:00
Florian Roth
e7f5cbc22a Rule: BabyShark activity 2019-02-24 14:04:44 +01:00
Florian Roth
a60b53a7df fix: bugfix in BEAR activity rule 2019-02-24 14:04:44 +01:00
Tareq AlKhatib
7d3d819ea5 Added a detection path through process spawn 2019-02-24 10:29:58 +03:00
Tareq AlKhatib
a022333382 Added private IP filter to reduce FPs 2019-02-23 21:15:03 +03:00
Vasiliy Burov
f0c89239d3
Added some unusual paths. 2019-02-23 17:45:08 +03:00
Florian Roth
afa18245bf
Merge pull request #254 from darkquasar/master 
adding MPreter as McAfee classifies it
 2019-02-23 07:34:04 +01:00
Thomas Patzke
c17f9d172f
Merge pull request #248 from megan201296/patch-17 
Create win_mal_ursnif.yml
 2019-02-22 21:30:49 +01:00
Thomas Patzke
02239fa288
Changed registry root key 
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
 2019-02-22 21:30:30 +01:00
Thomas Patzke
5c63ef17d2
Added further NirSoft tool parameters 2019-02-22 21:15:03 +01:00
vburov
bdf44be077
Update win_susp_process_creations.yml 2019-02-22 22:46:57 +03:00
darkquasar
87994ca46b
adding MPreter as McAfee classifies it 
McAfee classifies some Meterpreter events with the "Mpreter" keyword
 2019-02-22 15:22:10 +11:00
Florian Roth
d3b623e92a Rule: suspicious pipes extended 
https://github.com/Neo23x0/sigma/issues/253
 2019-02-21 13:26:48 +01:00
Florian Roth
343a40ced7 Rule: extended exec location rule to support 4688 events 2019-02-21 13:26:48 +01:00
Florian Roth
c8701ac6e9
Merge pull request #252 from keepwatch/patch-1 
Fixing yara condition
 2019-02-21 10:17:09 +01:00
Florian Roth
8ae37f5d64 BEAR activity - CrowdStrike GTR 2019 
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 2019-02-21 09:54:01 +01:00
Florian Roth
3a994d0d63 fix: bugfix in Judgement Panda rule 2019-02-21 09:50:49 +01:00
Florian Roth
5935eaa572 fix: added MITRE ATT&CK tags to APT rule 2019-02-21 09:27:59 +01:00
Florian Roth
aca470961a fix: bugfix in Judgement Panda rule 2019-02-21 09:20:52 +01:00
Florian Roth
c474bfcae5 Judgement Panda - Crowdstrike GTR 2019 
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 2019-02-21 09:20:52 +01:00
Keep Watcher
07dec06222
Fixing yara condition 2019-02-20 10:57:24 -05:00
Florian Roth
eeae74e245
Merge pull request #249 from TareqAlKhatib/duplicate_filters 
Duplicate Detections
 2019-02-18 21:58:39 +01:00
Tareq AlKhatib
2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Florian Roth
f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
megan201296
34f9d17b26
Create win_mal_ursnif.yml 2019-02-13 15:22:57 -06:00
Tareq AlKhatib
cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Florian Roth
8d819cfeea Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
Florian Roth
c2eda887fa Rule: Suspicious Windows NT 9 UA 2019-02-12 10:33:33 +01:00
james dickenson
b16bb4bf9b Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml 2019-02-11 21:10:49 -08:00
Florian Roth
be26ada875 Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
Florian Roth
74e3c79f40 Rule: Suspicious PowerShell keywords 2019-02-11 13:02:38 +01:00
Thomas Patzke
01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke
6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke
ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke
14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke
d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke
3cd6de2864
Merge pull request #240 from neu5ron/master 
new rule and updated false positive note
 2019-02-09 23:57:39 +01:00
Thomas Patzke
d9aceeb7eb
Merge pull request #228 from keepwatch/ssp-regkey-detection 
SSP added to LSA configuration
 2019-02-09 23:44:55 +01:00
Florian Roth
aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth
efb223b147
Merge pull request #245 from kpolley/master 
2nd method to call downloadString or downloadFile in Powershell
 2019-02-09 09:35:19 +01:00
Florian Roth
7e732a2a89
Merge pull request #232 from TareqAlKhatib/duplicate_filters 
Duplicate filters
 2019-02-09 09:23:57 +01:00
Florian Roth
d2743351e7
Minor fix: indentation 2019-02-09 09:19:40 +01:00
Kyle Polley
c8c06763b4 added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
Nate Guagenti
d151deaa29
Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti
91862f284b
Create win_susp_bcdedit 
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than 3288f6425b/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
 2019-02-07 00:19:38 -05:00
Florian Roth
adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth
f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
keepwatch
e6217928f3 Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
Unknown
2f66ba25f0 adjusted MITRE ATTCK tag 2019-02-06 11:27:51 +01:00
Unknown
a9731d211d removed my garbage 2019-02-06 11:16:40 +01:00
Unknown
4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown
54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
Unknown
a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1
04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown
22b67a67ac Initial Commit Cobalt Malleable for OneDrive 2019-02-06 10:59:02 +01:00
Unknown
353f66dd7c CobaltStrike Malleable OCSP) Profile with Typo (OSCP) in URL 2019-02-06 10:58:48 +01:00
t0x1c-1
150499d151 Detects Executables without FileVersion,Description,Product,Company likely created with py2exe 2019-02-06 10:58:37 +01:00
Unknown
c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
t0x1c-1
21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00
neu5ron
35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron
65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
keepwatch
bad80ffa78 Update sysmon_ssp_added_lsa_config.yml 
Syntax fix
 2019-02-05 16:28:06 -05:00
Florian Roth
5092b1e603 Rule: removed overlapping strings in Linux rule 2019-02-05 16:12:07 +01:00
Florian Roth
32c098294f Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00
Florian Roth
8f684ddd06 Rule: FP in WMI persistence with SCCM 2019-02-05 15:57:54 +01:00
Florian Roth
dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Florian Roth
5b92790e3f Rule: WMI Persistence - FPs 2019-02-05 14:35:23 +01:00
Florian Roth
abf5a5088e Rule: more malicious UAs 2019-02-05 14:35:23 +01:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke
6440bc962b CACTUSTORCH detection 2019-02-01 23:27:53 +01:00
Thomas Patzke
6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth
27c2684a0f Rule: Chafer malware proxy pattern 2019-01-31 12:31:48 +01:00
Florian Roth
a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00
Florian Roth
6c8d08942e Rule: Fixed field in RDP rule 2019-01-29 15:17:29 +01:00
Florian Roth
f61b44efa8 Rule: Netsh port forwarding 2019-01-29 14:04:48 +01:00