patrick
4b43db2aac
Add new Sigma Rule for C2 DNS Tunneling
2019-04-13 20:27:36 +02:00
Karneades
75d36165fc
Remove non-generic falsepositives
...
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
Karneades
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-11 12:53:12 +02:00
Jason Lynch
89fb726875
added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7
2019-04-09 09:45:07 -04:00
Jason Lynch
f0c8c428bb
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 08:07:30 -04:00
patrick
ca4b710c01
Added Sigma Use Case detecting Privilege Escalation Preparation in Linux
2019-04-07 15:36:19 +02:00
Karneades
97376c00de
Fix condition
2019-04-04 22:33:32 +02:00
Karneades
766b8b8d18
Fix condition
2019-04-04 22:32:47 +02:00
Karneades
788e75ef1b
Fix condition
2019-04-04 22:32:21 +02:00
Karneades
840eb2f519
Remove too loose filter in notepad updater rule
2019-04-04 22:25:05 +02:00
Karneades
eb690d8902
Remove too loose filter in mshta rule
2019-04-04 22:16:24 +02:00
Karneades
1915561351
Remove too loose wildcard from wmi spawns powershell rule
2019-04-04 22:12:28 +02:00
Florian Roth
81693d81b6
Merge pull request #295 from sbousseaden/master
...
Create win_atsvc_task.yml
2019-04-04 18:32:13 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml
2019-04-04 18:22:50 +02:00
MadsRC
41b4d800c5
Update net_susp_dns_txt_exec_strings.yml
...
Fixed my botched YAML syntax...
2019-04-04 08:35:37 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml
2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml
2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml
2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml
2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml
2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml
2019-04-03 21:40:59 +02:00
MadsRC
d0d51b6601
Update net_susp_dns_txt_exec_strings.yml
...
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.
"record_type" was chosen as that fits with Splunk's "Network Resolution (DNS)" datamodel.
2019-04-03 20:31:31 +02:00
Florian Roth
2b814011cd
Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature
...
Add new signature for linux clear command history
2019-04-03 19:45:06 +02:00
Florian Roth
13f86e9333
Merge pull request #296 from Karneades/patch-1
...
Remove backslashes in CommandLine for sticky key rule
2019-04-03 19:44:02 +02:00
yt0ng
e0459cec1c
renamed file
2019-04-03 17:39:17 +02:00
t0x1c-1
7e058e611c
WMI spawning PowerShell seen in various attacks
2019-04-03 16:56:45 +02:00
Unknown
9ada22b8e0
adjusted link
2019-04-03 16:40:18 +02:00
Unknown
d2e605fc5c
Auto stash before rebase of "Neo23x0/master"
2019-04-03 16:25:18 +02:00
Karneades
865d971704
Remove backslashes in CommandLine for sticky key rule
...
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
2019-04-03 16:16:18 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml
2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml
2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml
2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml
2019-04-03 15:36:24 +02:00
sbousseaden
b941f6411f
Create win_impacket_secretdump.yml
2019-04-03 15:18:42 +02:00
sbousseaden
516c8f3ea1
Create win_account_discovery.yml
2019-04-03 14:41:11 +02:00
sbousseaden
3d69727332
Create sysmon_rdp_settings_hijack.yml
2019-04-03 14:16:25 +02:00
sbousseaden
016261cacf
Update sysmon_lsass_memdump.yml
2019-04-03 14:06:49 +02:00
sbousseaden
a85c668f6f
Update sysmon_lsass_memdump.yml
2019-04-03 14:00:51 +02:00
sbousseaden
d62bc41bfb
Create win_svcctl_remote_service.yml
2019-04-03 13:58:20 +02:00
sbousseaden
32c6b34746
Create sysmon_lsass_memdump.yml
2019-04-03 13:51:59 +02:00
sbousseaden
548145ce10
Create win_susp_raccess_sensitive_fext.yml
2019-04-03 13:22:42 +02:00
sbousseaden
ddb2d92a98
Create sysmon_tsclient_filewrite_startup.yml
2019-04-03 13:19:59 +02:00
sbousseaden
e3f99c323b
Create win_atsvc_task.yml
2019-04-03 13:08:12 +02:00
Florian Roth
6cc1770351
Merge pull request #294 from Pr0t3an/patch-3
...
Update lnx_shell_susp_rev_shells.yml
2019-04-03 01:07:07 +02:00
Florian Roth
b76925f838
Rule: extending rule with /dev/udp
2019-04-02 20:09:13 +02:00
Pr0t3an
d067087632
Update lnx_shell_susp_rev_shells.yml
...
added
- 'bash -i >& /dev/udp/'
- 'sh -I >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
2019-04-02 18:22:18 +01:00
Florian Roth
5c5a16c4d5
Rule: adding xterm -display string to rule
2019-04-02 18:48:18 +02:00
Florian Roth
453bd10e6e
Rule: Suspicious reverse shell command lines
2019-04-02 17:03:57 +02:00
Thomas Patzke
8e854b06f6
Specified source to prevent EventID collisions
...
Issue #263
2019-04-01 23:45:55 +02:00
Florian Roth
d06a5431eb
Changes
2019-04-01 14:03:54 +02:00
Florian Roth
e473efb7c3
Trying to fix ATT&CK framework tag
2019-04-01 10:36:35 +02:00
Florian Roth
3f2ce4b71f
Lowered level to medium
2019-04-01 09:47:14 +02:00
t0x1c-1
51c42a15a7
Allow Incoming Connections by Port or Application on Windows Firewall
2019-04-01 08:16:56 +02:00
patrick
0242c40360
Add new signature for linux clear command history
2019-03-24 10:10:14 +01:00
Nate Guagenti
60c4fed2e0
Create win_etw_trace_evasion.yml
...
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `
Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.
example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
2019-03-22 11:36:55 -04:00
Florian Roth
ffac77fb37
Rule: extended LockerGoga description
2019-03-22 11:03:48 +01:00
Florian Roth
1adb040e0b
Rule: LockerGoga
2019-03-22 10:59:31 +01:00
Florian Roth
2ad2ba9589
fix: rule field fix in proc_creation rule
2019-03-22 10:59:18 +01:00
Thomas Patzke
be25aa2c37
Added CAR tags
2019-03-16 00:37:09 +01:00
Thomas Patzke
8512417de0
Incorporated MITRE CAR mapping from #55
2019-03-16 00:03:27 +01:00
Thomas Patzke
5e3a25537e
Merge pull request #283 from LiamSennitt/master
...
Added and fixed tags on APT rules
2019-03-15 23:00:25 +01:00
yugoslavskiy
33db032a16
added missed service
2019-03-14 00:44:26 +01:00
Liam Sennitt
bb026e4692
fixed tag typo on rules
2019-03-13 10:25:41 +00:00
Liam Sennitt
0aaac1a48e
add tags to crime fireball rule
2019-03-13 10:10:12 +00:00
Liam Sennitt
1e29c9c1ce
add tags to apt zxshell rule
2019-03-13 10:09:05 +00:00
Liam Sennitt
1f47dc1cdc
add tags to apt turla commands rule
2019-03-13 10:06:34 +00:00
Liam Sennitt
96492834c5
add tags to apt sofacy rule
2019-03-13 09:53:02 +00:00
Liam Sennitt
aca36c88cc
add tags to apt slingshot rule
2019-03-13 09:50:39 +00:00
Liam Sennitt
aac632bb41
add tags on apt equationgroup dll_u load rule
2019-03-13 09:48:27 +00:00
Liam Sennitt
5ffc027f22
fix tags in apt carbonpaper turla rule
2019-03-13 09:43:18 +00:00
Liam Sennitt
25b680bfec
fix and add tags to apt bear activity gtr19 rule
2019-03-13 09:40:28 +00:00
Liam Sennitt
3b193fb691
add tags to apt babyshark rule
2019-03-13 09:32:10 +00:00
Liam Sennitt
aee0d1dd67
fix tags on apt29 tor rule
2019-03-13 09:25:28 +00:00
Liam Sennitt
5dc229b590
add tags to apt29 thinktanks rule
2019-03-13 09:22:41 +00:00
Florian Roth
95b47972f0
fix: transformed rule to new proc_creation format
2019-03-12 09:03:30 +01:00
Florian Roth
c4003ff410
Merge pull request #264 from darkquasar/master
...
adding rule win-susp-mshta-execution.yml
2019-03-11 23:50:56 +01:00
Florian Roth
bd38cff042
Merge pull request #272 from LiamSennitt/master
...
fix tagging in turla png dropper service rule
2019-03-11 23:48:18 +01:00
Yugoslavskiy Daniil
5d54e9c8a1
nbstat.exe -> nbtstat.exe
2019-03-11 19:28:29 +01:00
Yugoslavskiy Daniil
c22265c655
updated detection logic
2019-03-11 16:58:57 +01:00
Tareq AlKhatib
783d8c4268
Reverting back to regular Sysmon 1 to fix CI test
2019-03-09 21:31:56 +03:00
Tareq AlKhatib
075df83118
Converted to use the new process_creation data source
2019-03-09 20:57:59 +03:00
Florian Roth
fe9e50167f
Rule: renamed bitsadmin rule
2019-03-08 16:25:16 +01:00
Florian Roth
49532438eb
Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
Thomas Patzke
3c1948f089
Merge pull request #277 from megan201296/patch-18
...
Remove invalid link
2019-03-07 23:49:13 +01:00
Yugoslavskiy Daniil
475113b1c1
fixed incorrect date format
2019-03-07 22:52:11 +01:00
megan201296
c2a16591af
Remove invalid link
...
Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement but I went with better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
2019-03-07 14:22:29 -06:00
Florian Roth
a82ea0a022
Merge pull request #276 from krakow2600/master
...
ATC windows rules review
2019-03-06 17:16:32 +01:00
Florian Roth
83c0c71bc7
Reworked for process_creation rules
2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil
cb7243de5d
fixed wrong tags
2019-03-06 06:18:38 +01:00
Yugoslavskiy Daniil
8bec627ff1
fixed multiple tags issue
2019-03-06 06:09:37 +01:00
Yugoslavskiy Daniil
5154460726
changed service to product
2019-03-06 05:57:01 +01:00
Yugoslavskiy Daniil
05cc7e455d
atc review
2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master
...
Fix rules
2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35
Merge branch 'master' of https://github.com/krakow2600/sigma
2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745
rules update
2019-03-06 00:43:42 +01:00
mrblacyk
6232362f04
Missing tags
2019-03-06 00:16:40 +01:00
mrblacyk
07807837ee
Missing tags
2019-03-06 00:02:37 +01:00
mikhail
be108d95cc
Merge branch 'master' of https://github.com/AverageS/sigma
2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf
Fix 4 rules
2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
Tareq AlKhatib
879017818f
More conversions to the new process_creation logsource
2019-03-05 09:46:53 +03:00
Tareq AlKhatib
b2952b9f78
Fixing failed CI build - take 2
2019-03-04 16:51:39 +03:00
Tareq AlKhatib
c8be6e649b
Fixing failed CI build
2019-03-04 16:44:30 +03:00
Tareq AlKhatib
45458121c6
Updated to use the new process_creation logsource
2019-03-04 16:13:27 +03:00
Florian Roth
ae1541242c
New custom suspicious TLD in rule ".pw"
2019-03-03 10:58:12 +01:00
Tareq AlKhatib
58c61430a2
updated to use process_creation
2019-03-02 21:05:15 +03:00
Florian Roth
7b3d67ae66
fix: bugfix in new proc creation rule
2019-03-02 11:28:13 +01:00
Liam Sennitt
bef5f03015
fix tagging in turla png dropper service rule
2019-03-02 09:01:00 +00:00
Florian Roth
1a583c158d
fixed typo as in pull request by @m0jtaba
2019-03-02 08:16:25 +01:00
Florian Roth
2188001f98
Extended filter list provided by @Ov3rflow
2019-03-02 08:13:29 +01:00
Florian Roth
bd4e61acd8
Merge pull request #271 from vburov/patch-4
...
Update win_susp_failed_logon_reasons.yml
2019-03-02 07:21:28 +01:00
Florian Roth
f80cf52982
Expired happens too often
...
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
2019-03-02 07:20:59 +01:00
Thomas Patzke
56a1ed1eac
Merge branch 'project-1'
2019-03-02 00:26:10 +01:00
Thomas Patzke
7602309138
Increased indentation to 4
...
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00
Florian Roth
1aac9baaed
Merge pull request #270 from LiamSennitt/master
...
fix bug in chafer activity rule #269
2019-03-01 17:13:04 +01:00
Vasiliy Burov
7bebedbac1
Update win_susp_failed_logon_reasons.yml
...
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
2019-03-01 18:18:39 +03:00
Florian Roth
af6a1ff26a
Extended rule, modified timestamp
2019-03-01 13:36:54 +01:00
Florian Roth
f560e83886
Added modified date
2019-03-01 12:07:31 +01:00
Florian Roth
fc683ac7ee
Added error code for denied logon type
2019-03-01 12:06:54 +01:00
Liam Sennitt
2345cbf7bd
fix bug in chafer activity rule #269
2019-03-01 10:23:02 +00:00
Thomas Patzke
6bdb4ab78a
Merge cleanup
2019-02-27 22:05:27 +01:00
darkquasar
155e273a1c
adding rule win-susp-mshta-execution.yml
2019-02-27 15:55:39 +11:00
Florian Roth
8ce4b1530d
Rule: added SAM export
2019-02-26 09:00:47 +01:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Thomas Patzke
58a32f35d9
Merge pull request #246 from james0d0a/master
...
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
2019-02-24 16:53:49 +01:00
Florian Roth
f278a00174
Rule: certutil encode
2019-02-24 14:10:40 +01:00
Florian Roth
e7f5cbc22a
Rule: BabyShark activity
2019-02-24 14:04:44 +01:00
Florian Roth
a60b53a7df
fix: bugfix in BEAR activity rule
2019-02-24 14:04:44 +01:00
Tareq AlKhatib
7d3d819ea5
Added a detection path through process spawn
2019-02-24 10:29:58 +03:00
Tareq AlKhatib
a022333382
Added private IP filter to reduce FPs
2019-02-23 21:15:03 +03:00
Vasiliy Burov
f0c89239d3
Added some unusual paths.
2019-02-23 17:45:08 +03:00
Florian Roth
afa18245bf
Merge pull request #254 from darkquasar/master
...
adding MPreter as McAfee classifies it
2019-02-23 07:34:04 +01:00
Thomas Patzke
c17f9d172f
Merge pull request #248 from megan201296/patch-17
...
Create win_mal_ursnif.yml
2019-02-22 21:30:49 +01:00
Thomas Patzke
02239fa288
Changed registry root key
...
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
2019-02-22 21:30:30 +01:00
Thomas Patzke
5c63ef17d2
Added further NirSoft tool parameters
2019-02-22 21:15:03 +01:00
vburov
bdf44be077
Update win_susp_process_creations.yml
2019-02-22 22:46:57 +03:00
darkquasar
87994ca46b
adding MPreter as McAfee classifies it
...
McAfee classifies some Meterpreter events with the "Mpreter" keyword
2019-02-22 15:22:10 +11:00
Florian Roth
d3b623e92a
Rule: suspicious pipes extended
...
https://github.com/Neo23x0/sigma/issues/253
2019-02-21 13:26:48 +01:00
Florian Roth
343a40ced7
Rule: extended exec location rule to support 4688 events
2019-02-21 13:26:48 +01:00
Florian Roth
c8701ac6e9
Merge pull request #252 from keepwatch/patch-1
...
Fixing yara condition
2019-02-21 10:17:09 +01:00
Florian Roth
8ae37f5d64
BEAR activity - CrowdStrike GTR 2019
...
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
2019-02-21 09:54:01 +01:00
Florian Roth
3a994d0d63
fix: bugfix in Judgement Panda rule
2019-02-21 09:50:49 +01:00
Florian Roth
5935eaa572
fix: added MITRE ATT&CK tags to APT rule
2019-02-21 09:27:59 +01:00
Florian Roth
aca470961a
fix: bugfix in Judgement Panda rule
2019-02-21 09:20:52 +01:00
Florian Roth
c474bfcae5
Judgement Panda - Crowdstrike GTR 2019
...
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
2019-02-21 09:20:52 +01:00
Keep Watcher
07dec06222
Fixing yara condition
2019-02-20 10:57:24 -05:00
Florian Roth
eeae74e245
Merge pull request #249 from TareqAlKhatib/duplicate_filters
...
Duplicate Detections
2019-02-18 21:58:39 +01:00
Tareq AlKhatib
2e3a2b9ba6
Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental'
2019-02-18 21:03:53 +03:00
Florian Roth
f0a4aede24
Rule: RDP over Reverse SSH Tunnel
2019-02-16 19:36:13 +01:00
megan201296
34f9d17b26
Create win_mal_ursnif.yml
2019-02-13 15:22:57 -06:00
Tareq AlKhatib
cd3cdc9451
Removed unnecessary '1 of them' in condition
2019-02-13 21:26:02 +03:00
Florian Roth
8d819cfeea
Rule: fixed bug in Renamed PowerShell rule
2019-02-13 13:23:02 +01:00
Florian Roth
c2eda887fa
Rule: Suspicious Windows NT 9 UA
2019-02-12 10:33:33 +01:00
james dickenson
b16bb4bf9b
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
2019-02-11 21:10:49 -08:00
Florian Roth
be26ada875
Rule: Suspicious csc.exe parents
2019-02-11 13:50:51 +01:00
Florian Roth
74e3c79f40
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:38 +01:00
Thomas Patzke
01570f88db
YAML fixes
2019-02-10 00:16:27 +01:00
Thomas Patzke
6dd4b4775a
Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2
2019-02-10 00:15:25 +01:00
Thomas Patzke
ff5081f186
Merge branch 'yt0ng-development'
2019-02-10 00:09:29 +01:00
Thomas Patzke
14769938e9
Fixed condition keyword
2019-02-10 00:07:30 +01:00
Thomas Patzke
d43e67a882
Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development
2019-02-10 00:00:45 +01:00
Thomas Patzke
3cd6de2864
Merge pull request #240 from neu5ron/master
...
new rule and updated false positive note
2019-02-09 23:57:39 +01:00
Thomas Patzke
d9aceeb7eb
Merge pull request #228 from keepwatch/ssp-regkey-detection
...
SSP added to LSA configuration
2019-02-09 23:44:55 +01:00
Florian Roth
aab703a4b4
Suspicious calc.exe usage
2019-02-09 14:03:23 +01:00
Florian Roth
efb223b147
Merge pull request #245 from kpolley/master
...
2nd method to call downloadString or downloadFile in Powershell
2019-02-09 09:35:19 +01:00
Florian Roth
7e732a2a89
Merge pull request #232 from TareqAlKhatib/duplicate_filters
...
Duplicate filters
2019-02-09 09:23:57 +01:00
Florian Roth
d2743351e7
Minor fix: indentation
2019-02-09 09:19:40 +01:00
Kyle Polley
c8c06763b4
added keywords & source to sysmon_powershell_download.yml
2019-02-07 18:25:04 -08:00
Nate Guagenti
d151deaa29
Rename win_susp_bcdedit to win_susp_bcdedit.yml
2019-02-07 00:21:57 -05:00
Nate Guagenti
91862f284b
Create win_susp_bcdedit
...
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than 3288f6425b/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to any one family (of malware) and also has different CLI options
2019-02-07 00:19:38 -05:00
Florian Roth
adb6690c80
Rule: Suspicious GUP.exe usage
2019-02-06 19:21:16 +01:00
Florian Roth
f0f0bdae40
Rule: fixed date - wrong year
2019-02-06 19:21:16 +01:00
keepwatch
e6217928f3
Added '/' prefix, -encode switch, better renamed certutil coverage
2019-02-06 10:45:32 -05:00
Unknown
2f66ba25f0
adjusted MITRE ATTCK tag
2019-02-06 11:27:51 +01:00
Unknown
a9731d211d
removed my garbage
2019-02-06 11:16:40 +01:00
Unknown
4d048c71bb
adjusted spaces
2019-02-06 11:10:42 +01:00
Unknown
54ec01bcdd
adjusted space
2019-02-06 11:10:00 +01:00
Unknown
a0bac993ed
adjusted spaces
2019-02-06 11:07:09 +01:00
t0x1c-1
04f1edd171
added reverted base64 with dosfuscation
2019-02-06 10:59:09 +01:00
Unknown
22b67a67ac
Initial Commit Cobalt Malleable for OneDrive
2019-02-06 10:59:02 +01:00
Unknown
353f66dd7c
CobaltStrike Malleable (OCSP) Profile with Typo (OSCP) in URL
2019-02-06 10:58:48 +01:00
t0x1c-1
150499d151
Detects Executables without FileVersion, Description, Product, Company likely created with py2exe
2019-02-06 10:58:37 +01:00
Unknown
c78ac9333c
adjusted formatting
2019-02-06 10:54:12 +01:00
t0x1c-1
21f34ab8ba
suspicious behaviour
2019-02-06 10:52:41 +01:00
neu5ron
35ebcff543
add new rule
2019-02-05 18:56:24 -05:00
neu5ron
65e4ba5aba
added false positive possibility
2019-02-05 18:45:53 -05:00
keepwatch
bad80ffa78
Update sysmon_ssp_added_lsa_config.yml
...
Syntax fix
2019-02-05 16:28:06 -05:00
Florian Roth
5092b1e603
Rule: removed overlapping strings in Linux rule
2019-02-05 16:12:07 +01:00
Florian Roth
32c098294f
Rule: extended suspicious command lines
2019-02-05 15:58:15 +01:00
Florian Roth
8f684ddd06
Rule: FP in WMI persistence with SCCM
2019-02-05 15:57:54 +01:00
Florian Roth
dfd4ce878f
Rule: limiting rule to DHCP log
2019-02-05 14:35:23 +01:00
Florian Roth
5b92790e3f
Rule: WMI Persistence - FPs
2019-02-05 14:35:23 +01:00
Florian Roth
abf5a5088e
Rule: more malicious UAs
2019-02-05 14:35:23 +01:00
Thomas Patzke
3ef930b094
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
Thomas Patzke
6440bc962b
CACTUSTORCH detection
2019-02-01 23:27:53 +01:00
Thomas Patzke
6436cb3ae1
Added missing conditions
2019-02-01 23:02:03 +01:00
Florian Roth
27c2684a0f
Rule: Chafer malware proxy pattern
2019-01-31 12:31:48 +01:00
Florian Roth
a8d1e7c62b
Rule: Fixed ntdsutil rule field in 4688 events
2019-01-29 15:59:39 +01:00
Florian Roth
6c8d08942e
Rule: Fixed field in RDP rule
2019-01-29 15:17:29 +01:00
Florian Roth
f61b44efa8
Rule: Netsh port forwarding
2019-01-29 14:04:48 +01:00
Florian Roth
086e62a495
Rule: Netsh RDP port forwarding rule
2019-01-29 14:04:28 +01:00
Florian Roth
a2eac623a6
Rule: Adjusted RDP login from localhost rule level
2019-01-29 14:04:10 +01:00
Florian Roth
c9ec469180
style: cosmetics - removed empty lines at file end
2019-01-29 12:54:07 +01:00
Thomas Patzke
516bfc88ff
Added rule: RDP login from localhost
2019-01-28 22:43:22 +01:00
Tareq AlKhatib
7e4bb1d21a
Removed duplicate filters
2019-01-25 12:21:57 +03:00
Thomas Patzke
9ce7d18712
Merge pull request #231 from TareqAlKhatib/rule_testing_framework
...
Rule testing framework
2019-01-23 23:16:46 +01:00
Tareq AlKhatib
ecffe28933
Correct MITRE tag
2019-01-22 21:26:07 +03:00
Florian Roth
90e8eba530
rule: false positive reduction in PowerShell rules
2019-01-22 16:37:36 +01:00
Florian Roth
cc6e0baef1
rule: extended certutil rule to include verifyctl and allows renamed certutil
...
https://twitter.com/egre55/status/1087685529016193025
2019-01-22 16:20:06 +01:00
Florian Roth
b1ea976f66
fix: fixed bug in ntdsutil rule that included a white space
2019-01-22 16:18:43 +01:00
Florian Roth
8c4b21f063
Rule: Apache threading errors
2019-01-22 08:49:10 +01:00
keepwatch
f99df33b01
SSP added to LSA configuration
2019-01-18 14:05:21 -05:00
Thomas Patzke
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
Florian Roth
5645c75576
Rule: updated relevant AV signatures - exploiting
...
https://twitter.com/haroldogden/status/1085556071891173376
2019-01-16 18:43:28 +01:00
Florian Roth
f759e8b07c
Rule: Suspicious Program Location Process Starts
2019-01-15 15:40:51 +01:00
Thomas Patzke
7622b17415
Moved test rule to final location/naming scheme
2019-01-14 23:58:25 +01:00
Thomas Patzke
a9cf14438c
Merge branch 'master' into project-1
2019-01-14 22:36:15 +01:00
Thomas Patzke
ed1ee80f2d
Merge pull request #221 from adrienverge/fix/yamllint
...
Fix yamllint config
2019-01-13 23:55:14 +01:00
Florian Roth
9a6b3b5389
Rule: PowerShell script run in AppData folders
2019-01-12 12:03:36 +01:00
Florian Roth
604d88cf1e
Rule: WMI Event Subscription
2019-01-12 12:03:36 +01:00
Florian Roth
63f96d58b4
Rule: Renamed PowerShell.exe
2019-01-12 12:03:36 +01:00
Florian Roth
b7eb79f8da
Rule: UserInitMprLogonScript persistence method
2019-01-12 12:03:36 +01:00
Florian Roth
d4a1fe786a
Rule: Dridex pattern
2019-01-12 12:03:36 +01:00
Adrien Vergé
44f18db80d
Fix YAML errors reported by yamllint
...
Especially the config for ArcSight, that was invalid:
tools/config/arcsight.yml
89:5 error duplication of key "product" in mapping (key-duplicates)
90:5 error duplication of key "conditions" in mapping (key-duplicates)
rules/windows/builtin/win_susp_commands_recon_activity.yml
10:9 error too many spaces after colon (colons)
2019-01-10 09:51:39 +01:00
Tareq AlKhatib
8b94860ee6
Corrected class B private IP range to prevent false negatives
2019-01-04 12:50:41 +03:00
Tareq AlKhatib
925ffae9b8
Removed Outlook detection which is a subset of the Office one
2019-01-02 07:47:44 +03:00
Tareq AlKhatib
0a5e79b1e0
Fixed the RC section to use rc.exe instead of oleview.exe
2019-01-01 13:30:26 +03:00
Tareq AlKhatib
f318f328d6
Corrected reference to references as per Sigma's standard
2018-12-25 16:25:12 +03:00
Florian Roth
c8c419f205
Rule: Hacktool Rubeus
2018-12-19 09:31:22 +01:00
Thomas Patzke
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master
...
Field-Index Mapping File & SIGMA Rules Field names fix
2018-12-19 00:38:06 +01:00
Florian Roth
a7fa20546a
Rule: proxy user agents updated with MacControl user agent
2018-12-17 14:18:03 +01:00
Florian Roth
99f773dcf6
Rule: false positive reduction in rule
2018-12-17 10:02:55 +01:00
Florian Roth
172236e130
Rule: updated ATT&CK tags in MavInject rule
2018-12-12 09:17:58 +01:00
Florian Roth
188d3a83b8
Rule: docs: reference update in MavInject rule
2018-12-12 08:37:00 +01:00
Florian Roth
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue
...
Bugfix: wrong field for 4688 process creation events
2018-12-12 08:24:07 +01:00
Florian Roth
49eb03cda8
Rule: MavInject process injection
2018-12-12 08:18:43 +01:00
Florian Roth
b0cb0abc01
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
Florian Roth
b5d78835b6
Removed overlapping rule with sysmon_office_shell.yml
2018-12-11 13:37:47 +01:00
Roberto Rodriguez
a0486edeea
Field-Index Mapping File & SIGMA Rules Field names fix
...
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
2018-12-11 09:27:26 +03:00
Roberto Rodriguez
9567ce588d
Merge remote-tracking branch 'upstream/master'
2018-12-09 09:27:43 +03:00
Roberto Rodriguez
8c577a329f
Improve Rule & Updated HELK SIGMA Standardization Config
...
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.
SIGMA HELK standardization config updated to match latest HELK Common Information Model
2018-12-08 11:30:21 +03:00
Roberto Rodriguez
a35f945c71
Update win_disable_event_logging.yml
...
Description value breaking SIGMA Elastalert Backend
2018-12-06 05:09:41 +03:00
Florian Roth
2e5a739c6c
fix: fixed author string (cannot be list according to sigma specs)
2018-12-05 11:59:10 +01:00
Florian Roth
9b15b64a9a
fix: fixed author string (cannot be list according to sigma specs)
2018-12-05 11:44:20 +01:00
Roberto Rodriguez
87ce07088f
Update sysmon_plugx_susp_exe_locations.yml
...
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location
This impacts Elastalert integration since you cannot have two rules with the same name
2018-12-05 07:58:13 +03:00
Roberto Rodriguez
bff7ec52db
Update av_relevant_files.yml
...
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection
This affects Elastalert integration
2018-12-05 07:53:53 +03:00
Roberto Rodriguez
104ee6c33b
Update win_susp_commands_recon_activity.yml
...
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
2018-12-05 05:55:36 +03:00
Roberto Rodriguez
328762ed67
Update powershell_xor_commandline.yml
...
Duplicate names again for https://github.com/Neo23x0/sigma/search?q=Suspicious+Encoded+PowerShell+Command+Line&unscoped_q=Suspicious+Encoded+PowerShell+Command+Line . This breaks elastalert integration since each rule needs to have its own unique name.
2018-12-05 05:51:41 +03:00
Roberto Rodriguez
6dc36c8749
Update win_eventlog_cleared.yml
...
Experimental Rule is a duplicate of bfc7012043/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
2018-12-05 05:40:00 +03:00
Roberto Rodriguez
c8990962d2
Update win_rare_service_installs.yml
...
same count() by ServiceFileName < 5 added to make sigmac work with elastalert integration
2018-12-05 05:33:56 +03:00
Roberto Rodriguez
f0b23af10d
Update win_rare_schtasks_creations.yml
...
Count(taskName) not being taken by elastalert integration with Sigmac
2018-12-05 05:10:08 +03:00
Thomas Patzke
900db72557
Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master
2018-12-04 23:35:23 +01:00
Florian Roth
3861dd5912
Rule: APT29 campaign against US think tanks
...
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
2018-12-04 17:04:03 +01:00
Florian Roth
a805d18bba
Merge pull request #198 from kpolley/consistent_filetype
...
changed .yaml files to .yml for consistency
2018-12-03 09:00:14 +01:00
AL
9f1df6164b
adding new rules detecting recently active APTs
2018-12-03 09:42:29 +02:00
Florian Roth
2ebbdebe46
rule: Cobalt Strike beacon detection via Remote Threat Creation
...
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
2018-11-30 10:25:05 +01:00
Thomas Patzke
f6ad36f530
Fixed rule
2018-11-29 00:00:18 +01:00
Florian Roth
7ba1fe4309
Turla PNG Dropper Service Name
2018-11-23 08:46:20 +01:00
Florian Roth
e7762c71ce
Merge remote-tracking branch 'origin/master'
2018-11-22 19:14:12 +01:00
Florian Roth
ec83ab5e13
APT28 Zebrocy rule
...
https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
2018-11-22 19:14:07 +01:00
Thomas Patzke
a1940c6eaa
Simplified rule
2018-11-21 22:34:04 +01:00
Kyle Polley
60538e2e12
changed .yaml files to .yml for consistency
2018-11-20 21:07:36 -08:00
Florian Roth
a31acd6571
fix: fixed procdump rule
2018-11-17 09:10:26 +01:00
Florian Roth
fd06cde641
Rule: Detect base64 encoded PowerShell shellcode
...
https://twitter.com/cyb3rops/status/1063072865992523776
2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
Sherif Eldeeb
cd5950749e
revert to upstream
2018-11-15 08:45:25 +03:00
Sherif Eldeeb
742192b452
Merge pull request #4 from Neo23x0/master
...
fetch updates from upstream
2018-11-15 08:32:33 +03:00
Florian Roth
b92c032c2d
Linux JexBoss back connect shell
2018-11-08 23:21:36 +01:00
Nate Guagenti
9bfdcba400
Update win_alert_ad_user_backdoors.yml
...
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
2018-11-05 21:08:19 -05:00
Florian Roth
37294d023f
Suspicious svchost.exe executions
2018-10-30 09:37:40 +01:00
Florian Roth
580692aab4
Improved procdump on lsass rule
2018-10-30 09:37:40 +01:00
Thomas Patzke
ff98991c80
Fixed rule
2018-10-18 16:20:51 +02:00
Thomas Patzke
a2da73053d
Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9
2018-10-18 16:16:57 +02:00
Thomas Patzke
732de3458f
Merge pull request #186 from megan201296/patch-15
...
Update sysmon_cmstp_com_object_access.yml
2018-10-18 15:49:06 +02:00
Thomas Patzke
fdd0823e07
Merge pull request #187 from megan201296/patch-16
...
Additional MITRE ATT&CK Tagging
2018-10-18 15:38:11 +02:00
Florian Roth
3c3b14a26b
rule: new malware UA
2018-10-10 15:27:58 +02:00
Florian Roth
fd34437575
fix: fixed date in rule
2018-10-10 15:27:58 +02:00
megan201296
fdd264d946
Update sysmon_susp_powershell_rundll32.yml
2018-10-09 19:11:47 -05:00
megan201296
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml
2018-10-09 19:11:17 -05:00
megan201296
b0983047eb
Update sysmon_powersploit_schtasks.yml
2018-10-09 19:10:37 -05:00
megan201296
2f533c54b3
Update sysmon_powershell_network_connection.yml
2018-10-09 19:10:17 -05:00
megan201296
1b92a158b5
Add MITRE ATT&CK Tagging
2018-10-09 19:09:19 -05:00
megan201296
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml
...
Edit rule logic for `and` instead of `or`
2018-10-09 19:03:30 -05:00
megan201296
7997cb3001
Remove duplicate value
2018-10-08 13:00:59 -05:00
Florian Roth
54678fcb36
Rule: CertUtil UA
...
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml
2018-10-02 16:48:09 +02:00
Florian Roth
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml
2018-10-02 08:56:09 +02:00
Florian Roth
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml
2018-10-02 08:55:48 +02:00
Florian Roth
aafe9c6dae
Delete sysmon_lethalHTA.yml
2018-10-02 08:55:19 +02:00
Ensar Şamil
dec7568d4c
Rule simplification
...
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
Florian Roth
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
...
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
Florian Roth
a2c6f344ba
Lower case T
2018-09-26 11:44:12 +02:00
Braz
f35308a4d3
Missing Character
...
Parsed the MITRE ATT&CK information from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
Florian Roth
edf8dde958
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
Karneades
c73a9e4164
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
...
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.
We could also use both the Image path and the Command Line.
Message : Process Create:
Image: C:\Windows\SysWOW64\certutil.exe
CommandLine: certutil xx -decode xxx
Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
Karneades
cc82207882
Add group by to win multiple suspicious cli rule
...
* For the detection it's important that these cli
tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Florian Roth
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
Florian Roth
7311d727ba
Rule: AV alerts - password dumper
2018-09-09 11:04:27 +02:00