valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,466 Commits 20 Branches 25 Tags 21 MiB
1f47dc1cdc
Commit Graph

637 Commits

Author SHA1 Message Date
Thomas Patzke
a722fcd2b0
Merge pull request #156 from yt0ng/yt0ng-devel 
Adding LSASS Access Detected via Attack Surface Reduction
 2018-08-27 23:50:42 +02:00
Thomas Patzke
ee15b451b4
Fixed log source name 2018-08-27 23:45:30 +02:00
Thomas Patzke
6e7208553a Revert "removing for new pull request" 
This reverts commit ca7e8d6468.
 2018-08-27 23:39:29 +02:00
Unknown
2f256aa1ef Adding LSASS Access Detected via Attack Surface Reduction 2018-08-27 10:38:45 +02:00
Thomas Patzke
87e39b8768 Fixed rules 2018-08-26 22:30:47 +02:00
Thomas Patzke
60a5922582 Merge branch 'master' of https://github.com/yt0ng/sigma into yt0ng-master 2018-08-26 22:12:19 +02:00
Florian Roth
5b3175d1d6 Rule: Suspicious procdump use on lsass process 2018-08-26 19:53:57 +02:00
yt0ng
df9f6688eb
Added Deskop Location, RunOnce and ATTCK 
Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7
 2018-08-25 17:32:34 +02:00
yt0ng
eda6f3b9ca rules/windows/sysmon/sysmon_powershell_DLL_execution.yml 2018-08-25 16:33:54 +02:00
yt0ng
c7d4b4853d removing sysmon_powershell_AMSI_bypass.yml 2018-08-23 10:17:19 +02:00
Florian Roth
f47a5c2206 fix: Author list to string 2018-08-23 09:40:28 +02:00
Thomas Patzke
49af499353
Merge pull request #151 from nikseetharaman/workflow_compiler 
Add Microsoft Workflow Compiler Sysmon Detection
 2018-08-23 08:24:35 +02:00
Thomas Patzke
9235175e26
Fixed rule 
* Added condition
* Replaced Description wirh Image attribute and improved search pattern
 2018-08-23 08:20:28 +02:00
Thomas Patzke
73535e58a5
Merge pull request #153 from megan201296/patch-10 
Add ATT&CK Matrix tags
 2018-08-23 08:06:58 +02:00
Thomas Patzke
d647a7de07
Merge pull request #154 from megan201296/patch-11 
Add MITRE ATT&CK tagging
 2018-08-23 08:06:39 +02:00
Florian Roth
5de3cd71a4
Merge pull request #149 from yt0ng/development 
Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
 2018-08-22 17:19:10 +02:00
Florian Roth
040ba0338d
fix: Added Event ID in second selection 2018-08-22 17:03:13 +02:00
Florian Roth
6ee31f6cd1
Update win_susp_commands_recon_activity.yml 
Merged recon commands from @yt0ng's rule
 2018-08-22 17:00:00 +02:00
megan201296
3f5c32c6da
Add MITRE ATT&CK tagging 2018-08-22 09:35:06 -05:00
megan201296
76aabe7e05
Add ATT&CK Matrix tags 2018-08-22 09:30:55 -05:00
Nik Seetharaman
e371d945ed Add Microsoft Workflow Compiler Sysmon Detection 2018-08-18 00:53:28 -05:00
yt0ng
ca7e8d6468
removing for new pull request 2018-08-17 18:42:10 +02:00
yt0ng
5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng
8ecf167e85
Powershell AMSI Bypass via .NET Reflection 
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 2018-08-17 18:26:04 +02:00
Florian Roth
4e91462838 fix: Bugfix in Adwind rule 2018-08-15 12:33:03 +02:00
Florian Roth
92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Thomas Patzke
2715c44173 Converted first Sysmon rule to generic process_execution rule 2018-08-14 21:34:54 +02:00
Thomas Patzke
2c0e76be3d
Escaped * where required 2018-08-10 13:53:08 +02:00
Lurkkeli
7cdc13ef11
Update 2018-08-08 17:05:51 +02:00
Lurkkeli
392351af25
Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli
4d721f1803
Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli
b9f433414d
hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke
92c0e0321a
Merge pull request #144 from samsson/patch-7 
Added att&ck tags
 2018-08-07 11:19:36 +02:00
Lurkkeli
a245820519
added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli
294677a2cc
added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli
a57e87b345
added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli
99253763af
added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli
0bff27ec21
added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:37:51 +02:00
Lurkkeli
198cb63182
added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:36:53 +02:00
Thomas Patzke
518e21fcd2
Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access 
Add CMSTP UAC Bypass via COM Object Access
 2018-08-07 08:33:33 +02:00
Thomas Patzke
b9fdf07926
Extended tagging 2018-08-07 08:33:18 +02:00
Lurkkeli
b50c13dd1f
Update att&ck tag 2018-08-07 08:27:24 +02:00
Thomas Patzke
5d5d42eb9b
Merge pull request #140 from yt0ng/master 
Possible Shim Database Persistence via sdbinst.exe
 2018-08-07 08:22:32 +02:00
Thomas Patzke
80eaedab8b
Fixed tag and date 2018-08-07 08:22:11 +02:00
Thomas Patzke
3509fbd201
Merge pull request #142 from samsson/patch-5 
Added ATT&CK tag
 2018-08-07 08:20:22 +02:00
Thomas Patzke
b049210641
Fixed tags 2018-08-07 08:20:09 +02:00
Lurkkeli
3456f9a74d
Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
Thomas Patzke
64fa3b162d
Tag fixes 2018-08-07 08:18:16 +02:00
Lurkkeli
6472be5e19
Update sysmon_uac_bypass_sdclt.yml 2018-08-07 08:08:53 +02:00
Lurkkeli
21bee17ffd
Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
yt0ng
fc091fe3d7
Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng
b65cb5eaca
Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Florian Roth
acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth
1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Nik Seetharaman
b938fdb0a3 Add CMSTP UAC Bypass via COM Object Access 2018-07-27 02:28:28 -05:00
James Dickenson
5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Florian Roth
a9fcecab88
Merge pull request #130 from samsson/patch-4 
Fixed typo / Created a rule
 2018-07-26 22:34:46 +02:00
Florian Roth
016b15a2a9
Added quotation marks 
I've added quotation marks to make it clearer (leading dash looks weird)
 2018-07-26 18:10:21 +02:00
Lurkkeli
7796492c2b
Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00
Florian Roth
089498b0b3
Merge pull request #131 from yt0ng/master 
Possible SafetyKatz Dump of debug.bin
 2018-07-25 07:41:38 +02:00
Florian Roth
dd857c4470
Cosmetics 
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
 2018-07-25 07:37:17 +02:00
Florian Roth
cf7f5c7473
Changes 
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? 
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
 2018-07-25 07:35:59 +02:00
yt0ng
b415fc8d42
Possible SafetyKatz Dump of debug.bin 
https://github.com/GhostPack/SafetyKatz
 2018-07-24 23:51:46 +02:00
Lurkkeli
db82322d17
Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00
Lurkkeli
0e9c5bb14a
Update sysmon_rundll32_net_connections.yml 2018-07-24 20:01:47 +02:00
Lurkkeli
fd8c5c5bf6
Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:00:21 +02:00
Lurkkeli
ad580635ea
Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00
ntim
c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Thomas Patzke
0d8bc922a3
Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
Thomas Patzke
1601b00862
Merge pull request #125 from james0d0a/attack_tags 
windows builtin mitre attack tags
 2018-07-24 08:18:47 +02:00
Thomas Patzke
01e7675e24
Merge pull request #124 from samsson/patch-1 
ATT&CK tagging
 2018-07-24 07:58:50 +02:00
Thomas Patzke
30d255ab6f
Fixed tag 2018-07-24 07:58:25 +02:00
David Spautz
e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson
c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
Lurkkeli
1898157df5
ATT&CK tagging 
Added tag for technique t1015
 2018-07-23 23:57:15 +02:00
yt0ng
16160dfc80 added additional binaries and attack tactics/techniques 2018-07-23 15:47:56 +02:00
Suleyman Ozarslan
e6cbc17c12 ATT&CK tagging of Scheduled Task Creation 2018-07-22 15:56:47 +03:00
Suleyman Ozarslan
8d9b12be07 ATT&CK tagging of Default PowerSploit Schtasks Persistence 2018-07-22 15:53:56 +03:00
Suleyman Ozarslan
080892b5ab ATT&CK tagging of MSHTA Spawning Windows Shell 2018-07-20 09:53:55 +03:00
Suleyman Ozarslan
76f277d5fe ATT&CK tagging of Malicious Named Pipe rule 2018-07-20 09:41:54 +03:00
Suleyman Ozarslan
7e74527344 ATT&CK software tag is added to Bitsadmin Download rule 2018-07-20 09:35:35 +03:00
Florian Roth
1e61adfad1 rule: Changed Registry persistence Explorer RUN key rule 2018-07-19 16:27:19 -06:00
Florian Roth
83d6f12ce3 rule: Registry persistence in Explorer RUN key pointing to suspicious folder 2018-07-19 16:27:19 -06:00
Thomas Patzke
f98158f5ad Further ATT&CK tagging 2018-07-19 23:36:13 +02:00
Suleyman Ozarslan
05b91847cd ATT&CK tagging of Suspicious Certutil Command rule 2018-07-19 16:42:39 +03:00
Thomas Patzke
bdea097b80 ATT&CK tagging 2018-07-17 23:58:11 +02:00
Florian Roth
9e92b97661
Merge pull request #111 from nikseetharaman/cmstp_execution 
Add sysmon_cmstp_execution
 2018-07-17 14:39:56 -06:00
Florian Roth
3f0040b983
Removed duplicate status field 2018-07-16 15:55:31 -06:00
Florian Roth
429474b6d6
Merge pull request #113 from megan201296/patch-9 
fixed typo
 2018-07-16 15:38:52 -06:00
megan201296
02ea2cf923
fixed typo 2018-07-16 16:20:33 -05:00
megan201296
60310e94c6
fixed typo 2018-07-16 16:13:24 -05:00
Nik Seetharaman
3630386230 Add sysmon_cmstp_execution 2018-07-16 02:53:41 +03:00
Florian Roth
7a031709bb
Merge pull request #108 from megan201296/patch-5 
fixed typo
 2018-07-14 18:31:40 -06:00
Florian Roth
70ab83eb65
Merge pull request #109 from megan201296/patch-6 
Fixed typo
 2018-07-14 18:31:21 -06:00
megan201296
be7a3b0774
Update sysmon_susp_mmc_source.yml 2018-07-13 18:49:08 -05:00
megan201296
a6455cc612
typo fix 2018-07-13 18:48:36 -05:00
megan201296
8944be1efd
Update sysmon_susp_driver_load.yml 2018-07-13 18:36:12 -05:00
megan201296
a169723005
fixed typo 2018-07-13 13:53:21 -05:00
Thomas Patzke
2dc5295abf Removed redundant attribute from rule 2018-07-10 22:50:02 +02:00
Florian Roth
57727d2397
Merge pull request #107 from megan201296/typo-fixes 
Typo fixes
 2018-07-10 10:29:10 -06:00
megan201296
24d2d0b258
Fixed typo 2018-07-10 09:14:37 -05:00
megan201296
d6ea0a49fc
Fixed typoes 2018-07-10 09:14:07 -05:00
megan201296
3ec67393cd
Fixed typo 2018-07-10 09:13:41 -05:00
megan201296
b0bc3b66ed
Fixed typo 2018-07-09 13:32:16 -05:00
megan201296
120479abb7
removed duplicates 2018-07-09 12:32:41 -05:00
megan201296
c4bd267151
Fixed typo 2018-07-09 12:02:42 -05:00
megan201296
a7ccfcb50d
Fixed spelling mistake 2018-07-09 09:13:31 -05:00
Florian Roth
c8fef4d093
fix: removed unnecessary lists 2018-07-07 15:43:56 -06:00
Florian Roth
dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
yt0ng
6a014a3dc8
MSHTA spwaned by SVCHOST as seen in LethalHTA 
"Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."
 2018-07-06 19:52:58 +02:00
Florian Roth
ed470feb21
Merge pull request #99 from yt0ng/master 
Detects ImageLoad by uncommon Image
 2018-07-06 10:11:02 -06:00
yt0ng
b21afc3bc8
user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
yt0ng
f84c33d005
Known powershell scripts names for exploitation 
Detects the creation of known powershell scripts for exploitation
 2018-07-04 17:24:18 +02:00
Florian Roth
7867838540 fix: typo in rule description 2018-07-03 05:05:44 -06:00
Florian Roth
e7465d299f fix: false positive with MsMpEng.exe and svchost.exe as child process 2018-07-03 05:05:44 -06:00
yt0ng
42941ee105
Detects ImageLoad by uncommon Image 
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
 2018-07-01 15:47:17 +02:00
Florian Roth
c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth
c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth
9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
scherma
19ba5df207
False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth
86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth
a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth
9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth
fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Florian Roth
f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth
1a1011b0ad
Merge pull request #96 from yt0ng/master 
Detects the creation of a schtask via PowerSploit Default Configuration
 2018-06-23 17:15:14 +02:00
yt0ng
c59d0c7dca
Added additional options 2018-06-23 15:54:31 +02:00
yt0ng
cc3fd9f5d0
Detects the creation of a schtask via PowerSploit Default Configuration 
8690399ef7/Persistence/Persistence.psm1
 2018-06-23 15:45:58 +02:00
Florian Roth
28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke
7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke
df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Florian Roth
946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth
e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth
9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth
d1d4473505 Rule: ADS with executable 
https://twitter.com/0xrawsec/status/1002478725605273600
 2018-06-03 02:08:57 +02:00
Florian Roth
8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth
2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke
079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Thomas Patzke
6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth
49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth
3c1c9d2b31
Merge pull request #81 from yt0ng/sigma-yt0ng 
added SquiblyTwo Detection
 2018-04-18 16:39:37 +02:00
Florian Roth
8420d3174a
Reordered 2018-04-18 16:34:16 +02:00
yt0ng
c637c2e590
Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth
9b8df865b1
Extended rule 2018-04-18 12:13:45 +02:00
yt0ng
a4fb39a336
also for http 2018-04-18 08:19:47 +02:00
yt0ng
169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Markus Härnvi
cf237cf658
"author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth
d8bbf26f2c Added msiexec to rule in order to cover new threats 
https://twitter.com/DissectMalware/status/984252467474026497
 2018-04-12 09:12:50 +02:00
Florian Roth
58517907ad Improved rule to provide support for for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00
Florian Roth
0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth
52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth
b065c2c35c
Simplified rule 2018-04-11 19:03:35 +02:00
Karneades
fa6677a41d
Remove @ in author 
Be nice to Travis: "error    syntax error: found character '@' that cannot start any token"
 2018-04-11 15:21:42 +02:00
Karneades
be3c27981f
Add rule for Windows registry persistence mechanisms 2018-04-11 15:13:00 +02:00
Florian Roth
a9c7fe202e Rule: Windows shell spawning suspicious program 2018-04-09 08:37:30 +02:00
Florian Roth
e53826e167 Extended Sysmon Office Shell rule 2018-04-09 08:37:30 +02:00
Thomas Patzke
f113832c04
Merge pull request #69 from jmallette/rules 
Create cmdkey recon rule
 2018-04-08 23:23:30 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke
b1bfa64231 Removed redundant 'EventLog' conditions 2018-03-26 00:36:40 +02:00
Thomas Patzke
f68af2a5da Added reference to Kerberos RC4 rule 2018-03-25 23:19:01 +02:00
Thomas Patzke
dacc6ae3d3 Fieldname case: Commandline -> CommandLine 2018-03-25 23:08:28 +02:00
Florian Roth
e141a834ff Rule: Ping hex IP address 
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
 2018-03-23 17:00:00 +01:00
Florian Roth
f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth
70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth
3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth
97204d8dc0 Renamed rule 2018-03-20 15:04:11 +01:00
Florian Roth
e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth
a7eb4d3e34 Renamed rule 2018-03-20 11:12:35 +01:00
Florian Roth
b84bbd327b Rule: NetNTLM Downgrade Attack 
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 2018-03-20 11:07:21 +01:00
Florian Roth
a6d293e31d Improved tscon rule 2018-03-20 10:54:04 +01:00
Florian Roth
8fb6bc7a8a Rule: Suspicious taskmgr as LOCAL_SYSTEM 2018-03-19 16:36:39 +01:00
Florian Roth
af8be8f064 Several rule updates 2018-03-19 16:36:15 +01:00
Florian Roth
648ac5a52e Rules: tscon.exe anomalies 
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 2018-03-17 19:14:13 +01:00
Karneades
49c12f1df8
Add missing binaries 2018-03-16 10:52:43 +01:00
Florian Roth
a257b7d9d7 Rule: Stickykey improved 2018-03-16 09:10:07 +01:00
Florian Roth
8b31767d31 Rule: PsExec usage 2018-03-15 19:54:22 +01:00
Florian Roth
0460e7f18a Rule: Suspicious process started from taskmgr 2018-03-15 19:54:03 +01:00
Florian Roth
f5494c6f5f Rule: StickyKey-ike backdoor usage 2018-03-15 19:53:34 +01:00
Florian Roth
5ae5c9de19 Rule: Outlook spawning shells to detect Turla like C&C via Outlook 2018-03-10 09:04:11 +01:00
jmallette
aff46be8a3
Create cmdkey recon rule 2018-03-08 13:25:05 -05:00
Thomas Patzke
ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke
8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke
8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth
1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth
25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth
9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth
5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth
0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Dominik Schaudel
cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth
d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth
fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
Florian Roth
0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth
a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth
d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
379b2dd207 New recon activity rule 2017-12-11 09:31:54 +01:00
Florian Roth
8e2aef035c Removed commands - false positive reduction 2017-12-11 09:31:54 +01:00
Florian Roth
1464ab4ab8 Renamed rule: recon activity > net recon activity - to be more specific 2017-12-11 09:31:54 +01:00
Florian Roth
285f5bab4f Removed duplicate string 2017-12-11 09:31:54 +01:00
Florian Roth
78854b79c4 Rule: System File Execution Location Anomaly 2017-11-27 14:09:22 +01:00
Florian Roth
93fbc63691 Rule to detect droppers exploiting CVE-2017-11882 2017-11-23 00:58:31 +01:00
Thomas Patzke
2ec5919b9e Fixed win_disable_event_logging by multiline description 2017-11-19 22:49:40 +01:00
Nate Guagenti
a796ff329e
Create win_disable_event_logging 2017-11-15 21:56:30 -05:00
Florian Roth
3a378f08ea Bugfix in Adwind rule - typo in typo 2017-11-10 12:51:54 +01:00
Florian Roth
6e4e857456 Improved Adwind Sigma rule 2017-11-10 12:39:08 +01:00
Florian Roth
57d56dddb7 Improved Adwind RAT rule 2017-11-09 18:53:46 +01:00
Florian Roth
b558f5914e Added reference to Tom Ueltschie's slides 2017-11-09 18:30:50 +01:00
Florian Roth
781db7404e Updated Adwind RAT rule 2017-11-09 18:28:27 +01:00
Florian Roth
970f01f9f2 Renamed file for consistency 2017-11-09 15:43:32 +01:00
Florian Roth
a042105aa1 Rule: Adwind RAT / JRAT javaw.exe process starts in AppData folder 2017-11-09 15:43:32 +01:00
Florian Roth
a0ac61229c Rule: Detect plugged USB devices 2017-11-09 08:40:46 +01:00
Florian Roth
59e5b3b999 Sysmon: Named Pipe detection for APT malware 2017-11-06 14:24:42 +01:00
Florian Roth
37cea85072 Rundll32.exe suspicious network connections 2017-11-04 14:44:30 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke
f3a809eb00 Improved admin logon rules and removed duplicates 2017-11-01 21:33:01 +01:00
Thomas Patzke
0055eedb83
Merge pull request #54 from juju4/CAR-2016-04-005b 
Admin user remote login
 2017-11-01 21:22:09 +01:00
Thomas Patzke
613f922976
Merge pull request #43 from juju4/master 
New rules
 2017-11-01 21:21:30 +01:00
Thomas Patzke
118e8af738 Simplified rule collection 2017-11-01 10:00:35 +01:00
Thomas Patzke
732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Thomas Patzke
d0b2bd9875 Multiple rules per file 
* New wrapper class SigmaCollectionParser parses all YAML documents
  contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
 2017-10-31 23:06:18 +01:00
Thomas Patzke
9d96a998d7
Merge pull request #56 from juju4/CAR-2013-05-002b 
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
 2017-10-30 00:27:56 +01:00
Thomas Patzke
720c992573 Dropped within keyword 
Covered by timeframe attribute.

Fixes issue #26.
 2017-10-30 00:25:56 +01:00
Thomas Patzke
c865b0e9a8 Removed within keyword in rule 2017-10-30 00:15:01 +01:00
Thomas Patzke
0df60fe004 Merge branch 'CAR-2013-04-002b' of https://github.com/juju4/sigma into juju4-CAR-2013-04-002b 2017-10-30 00:13:21 +01:00
Thomas Patzke
27227855b5 Merge branch 'devel-sigmac' 2017-10-29 23:59:49 +01:00
Thomas Patzke
012cb6227f Added proper handling of null/not null values 
Fixes issue #25
 2017-10-29 23:57:39 +01:00
juju4
4b64fc1704 double quotes = escape 2017-10-29 14:42:40 -04:00
juju4
07185247cb double quotes = escape 2017-10-29 14:32:52 -04:00
juju4
f5f20c3f75 Admin user remote login 2017-10-29 14:30:11 -04:00
juju4
19dd69140b Detects Suspicious Run Locations - MITRE CAR-2013-05-002 2017-10-29 14:27:01 -04:00
juju4
ad27a0a117 Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002 2017-10-29 14:24:53 -04:00
juju4
9d968de337 Merge remote-tracking branch 'upstream/master' 2017-10-29 14:14:47 -04:00
Florian Roth
b7e8000ccb Improved Office Shell rule > added 'schtasks.exe' 2017-10-25 23:53:45 +02:00
Florian Roth
d9f933fec9 Fixed the fixed PSAttack rule 2017-10-19 09:52:40 +02:00
Florian Roth
0b0435bf7a Fixed PSAttack rule 2017-10-18 21:49:38 +02:00
Thomas Patzke
d7c659128c Removed unneeded array 2017-10-18 15:12:29 +02:00
Florian Roth
deea224421 Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 16:19:56 +02:00
juju4
e6661059c2 Merge remote-tracking branch 'upstream/master' 2017-10-15 11:58:01 -04:00
Florian Roth
00baa4ed40 Executables Started in Suspicious Folder 2017-10-14 23:23:04 +02:00
Florian Roth
358d1ffba0 Executables Started in Suspicious Folder 2017-10-14 23:22:20 +02:00
juju4
cbde0ee5e5 Merge remote-tracking branch 'upstream/master' 2017-09-16 10:03:18 -04:00
Florian Roth
20f9dbb31c CVE-2017-8759 - Winword.exe > csc.exe 2017-09-15 15:49:56 +02:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke
68cb5e8921 Merge pull request #45 from secman-pl/patch-1 
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
 2017-09-10 22:52:37 +02:00
juju4
e2213347ad Merge remote-tracking branch 'upstream/master' 2017-09-09 11:33:18 -04:00