Commit Graph

2551 Commits

Author SHA1 Message Date
Jonhnathan
09e6b05033
Update win_susp_rundll32_activity.yml 2020-10-10 10:08:02 -03:00
Jonhnathan
1695bc56dc
Remove commas 2020-10-08 15:31:17 -03:00
Jonhnathan
8d94e993ab
Update win_susp_rundll32_activity.yml 2020-10-07 18:27:25 -03:00
Jonhnathan
109b1ea9cf Revert "Create win_susp_replace_lolbin.yml"
This reverts commit e6a6549676.
2020-10-07 18:26:11 -03:00
Jonhnathan
15bd7dcd3b Revert "Changed the rule to download only and not the copy"
This reverts commit 1324bc1ad1.
2020-10-07 18:26:04 -03:00
Jonhnathan
1324bc1ad1
Changed the rule to download only and not the copy 2020-10-07 16:18:21 -03:00
Jonhnathan
e6a6549676
Create win_susp_replace_lolbin.yml
Item 77 of #1014
2020-10-07 10:37:15 -03:00
Florian Roth
c56cd2dfff
Merge pull request #1024 from omkar72/master
Com hijack shell folder
2020-10-02 09:24:16 +02:00
omkargudhate22
4487d9cc7e
added event type & changed technique 2020-10-02 09:22:14 +05:30
Florian Roth
d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
Florian Roth
c17ca6d5fe
Merge pull request #1018 from savvyspoon/wcry-dns
WannaCry Killswitch domain DNS query
2020-09-29 09:27:21 +02:00
omkargudhate22
68a992d903
updated name 2020-09-27 21:57:19 +05:30
omkargudhate22
e7c8197e34
Updated fields & renamed 2020-09-27 21:52:59 +05:30
omkargudhate22
ebe3dce1d7
Update sysmon_comhijack_uac_bypass.yml 2020-09-27 21:44:41 +05:30
omkar72
3f148e6c7c COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt. 2020-09-27 21:19:04 +05:30
Florian Roth
d7d9c0e772
Merge pull request #1021 from hieuttmmo/master
Sigma rule to detect AdFind.exe execution
2020-09-27 09:50:41 +02:00
Florian Roth
8020fe3c40
false positive condition 2020-09-26 17:03:29 +02:00
Florian Roth
60795f7050
Update win_susp_adfind.yml
Fear that a simple adfind.exe causes too many false positives
2020-09-26 17:02:39 +02:00
Florian Roth
dbdd758365
Duplicate Rule
we already have a rule for that
2020-09-26 17:01:32 +02:00
Tran Trung Hieu
d4dd0600ad Fix logsource service to process_creation 2020-09-26 21:45:23 +07:00
Tran Trung Hieu
c756fc8576 Detect Suspicious AdFind Execution 2020-09-26 21:34:06 +07:00
Mike Wade
f76f80db80 Killswitch domain 2020-09-16 20:32:31 -06:00
Mike Wade
7b1ef9ea64 fixing test runner issues 2020-09-15 15:45:33 -06:00
Mike Wade
6ed36b0e41 fixed issues with tabs and duplicate tags 2020-09-15 08:52:00 -06:00
Florian Roth
2cd9b794e6
Merge pull request #1007 from d4rk-d4nph3/master
Windows Defender AMSI Trigger Detected
2020-09-15 15:45:00 +02:00
Remco Hofman
6cadfa5b2b Added win_vul_cve_2020_1472 rule 2020-09-15 15:13:53 +02:00
Mike Wade
1ddba05eb2 Second round 2020-09-15 07:02:30 -06:00
Mike Wade
da9b32bdd6 we 2020-09-15 06:24:44 -06:00
Mike Wade
8ce73bd8df Fixed issues with tags and missing files 2020-09-15 06:10:57 -06:00
Thomas Patzke
378d9c94cf Merge branch 'master' of https://github.com/socprime/sigma into pr-981 2020-09-15 12:14:49 +02:00
Florian Roth
50db6dcc69
Merge pull request #1002 from scottdermott/master
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
2020-09-15 08:17:02 +02:00
Bhabesh Rai
03c7d751c0 Windows Defender AMSI Trigger Detected 2020-09-14 18:10:38 +05:45
Mike Wade
57cae0ded1 Fixed reference typo 2020-09-13 22:07:43 -06:00
Mike Wade
52ab677798 Fixed my git issue 2020-09-13 22:03:04 -06:00
Mike Wade
249c255435 No Idea why these files are deleted 2020-09-13 22:00:30 -06:00
Yugoslavskiy Daniil
1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Dermott, Scott J
c72ac8f73e Merge branch 'master' of https://github.com/scottdermott/sigma 2020-09-11 16:19:54 +01:00
Scott Dermott
1f50e0af35
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
AD Connect on premise AD accounts to Azure AD.  The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account.  The AD Connect application is installed on a member server (i.e. not on a DC).  
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
2020-09-11 16:06:51 +01:00
Tran Trung Hieu
49ba107dce Fixed Title 2020-09-10 17:36:37 +07:00
Tran Trung Hieu
f7d5240d40 Added UID, fixed rule description 2020-09-10 17:20:16 +07:00
Tran Trung Hieu
1b6c6ec5bf Detects a suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender 2020-09-10 17:16:06 +07:00
Bhabesh Rai
ed059a9831 Added Credential Dumping by LaZagne 2020-09-09 18:27:14 +05:45
Florian Roth
de5444a81e
Merge pull request #989 from oscd-initiative/master
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth
af3b93a522
Merge pull request #914 from omergunal/ogunal-2
New rules for Linux
2020-09-07 09:41:43 +02:00
Florian Roth
39dfcd40ec
Merge pull request #921 from d4rk-d4nph3/master
Added support for Defender's PSExec and WMI ASR rules.
2020-09-07 09:40:46 +02:00
Florian Roth
6f96bbbe65
Merge pull request #977 from barvhaim/patch-1
Update win_new_service_creation.yml typo
2020-09-07 09:39:28 +02:00
Florian Roth
37751fc3a1
Merge pull request #978 from barvhaim/patch-2
Update sysmon_apt_muddywater_dnstunnel.yml typo
2020-09-07 09:39:11 +02:00
e6e6e
98c412044a att&ck tags review: windows/process_creation part 5
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-07 02:00:41 +04:00
e6e6e
7ae76b8d99 Revert "att&ck tags review: windows/process_creation part 5"
This reverts commit e94c47e74e.
2020-09-07 01:28:08 +04:00
e6e6e
e94c47e74e att&ck tags review: windows/process_creation part 5
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-07 01:19:41 +04:00