Commit Graph

745 Commits

Author SHA1 Message Date
Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh 2020-04-20 16:14:44 +02:00
vesche
3889be6255 Replace reference link for win_susp_netsh_dll_persistence 2020-04-10 01:05:10 -05:00
vesche
82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche
72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Thomas Patzke
551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo. 2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml 2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Justin Ellison
dabc759136
Eliminate title collision
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
Florian Roth
28953a2942 fix: MITRE tags in rule 2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d rule: powershell downloadfile 2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7 Merge branch 'master' into devel 2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8 rule: Exploited CVE-2020-10189 Zoho ManageEngine 2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f rule: extended web shell spawn rule 2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5 Change falsepositives to array 2020-03-24 19:59:54 +01:00
j91321
c784adb10b Wrong indentation falsepositives 2020-03-24 19:55:41 +01:00
j91321
98a633e54c Add missing status and falsepositives 2020-03-24 19:53:41 +01:00
j91321
bc442d3021 Add path with lowercase system32 2020-03-24 19:48:24 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Harish SEGAR
ba3994f319 Fix of '1 of x' condition 2020-03-21 12:19:01 +01:00
Harish SEGAR
81b277ba1a suspicious powershell parent process... 2020-03-21 00:26:30 +01:00
Harish SEGAR
a88b22a1bd Fix namefield. 2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7 Restructure new improvement to process_creation folder. 2020-03-20 23:29:32 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
Devel
2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e fix: reduced level due to false positives 2020-03-17 20:40:28 +01:00
neu5ron
4c94906d53 rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger 2020-03-14 15:00:42 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues 2020-03-09 17:43:16 +01:00
David Szili
0947538228 MDATP schema changes
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
2020-03-09 17:12:41 +01:00
Florian Roth
ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
ecco
b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8 fix avoiding FPs with MpCmdRun
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
2020-03-03 11:16:59 +01:00
Thomas Patzke
b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3
Rule: restore initial behaviour matching single word with spaces on each side
2020-03-01 22:40:24 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule
New Koadic detection rule
2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel
Several false positives with new rules
2020-02-26 09:46:02 +01:00
Florian Roth
1c90d6badd
level increased 2020-02-26 09:42:31 +01:00
Florian Roth
c8afd4a16b
Merge pull request #637 from tjgeorgen/patch-1
fix missing status & description in status field
2020-02-26 09:40:55 +01:00
Florian Roth
4f3e3166d3 fixing false positives 2020-02-26 09:33:55 +01:00
Tom Georgen
74f3fe70cc
fix missing status & description in status field 2020-02-25 16:30:41 -05:00
ecco
3247d5692a wmiprvse subprocess: add fallback check on username instead of only logonid 2020-02-24 09:25:20 -05:00
ecco
df7356e829 Rule: restore initial behaviour matching single word with spaces on each side 2020-02-24 08:00:06 -05:00
ecco
aa1eff5419 fix FP on rmdir matching dir 2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 09:58:33 +01:00
ecco
f807dae69a fix false positive on taskkill.exe not related to service stop at all 2020-02-24 03:03:46 -05:00
ecco
1703b725d3 fix non ascii character in rule 2020-02-24 02:58:34 -05:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Florian Roth
6413730810 fix: fixing too restrictive rule
https://twitter.com/Hexacorn/status/1229702521679118336
2020-02-18 10:43:22 +01:00
Florian Roth
04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth
cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
Wagga
b9c745a1b2 New Koadic detection rule 2020-02-16 16:48:49 +01:00
yugoslavskiy
d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
Thomas Patzke
f118839664 Further fixes and deduplications
From suggestions of @yugoslavskiy in issue #554.
2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14 Revert "Moved rules with enrichments into unsupported"
This reverts commit ba83b8862a.
2020-02-15 22:52:06 +01:00
Florian Roth
080532d20c
logsource change
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524 additional gallium ttp
sha1 process creation only makes sense for sysmon
2020-02-07 14:08:40 +00:00
Thomas Patzke
7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke
ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c additional execution observed 2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel
Winnti rule and helpful message in test script
2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f rule: winnti group campaign against HK universities 2020-02-01 15:43:30 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master 2020-01-31 14:45:29 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel
New tests, colorized test output and rule cleanup
2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872 rule: wsreset.exe UAC bypass 2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Florian Roth
d2122b6b83
Merge pull request #594 from sreemanshanker/master
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
2020-01-30 09:14:58 +01:00
Florian Roth
a01773681a
fix: filename 2020-01-30 08:18:29 +01:00
Florian Roth
529e95e3a5
Fixed everything
This rule had a lot of errors and problems. 
- title
- file name 
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
2020-01-30 08:17:46 +01:00
Florian Roth
4c90e636b1
changed file name 2020-01-30 08:07:56 +01:00
Florian Roth
a935cea665
fix: condition 2020-01-30 08:06:53 +01:00
sreemanshanker
d5c7b4795d
Add files via upload 2020-01-30 11:29:01 +08:00
Florian Roth
a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29 rule: dctask64.exe evasion techniques
https://twitter.com/gN3mes1s/status/1222088214581825540
2020-01-28 11:29:24 +01:00
Florian Roth
5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
GelosSnake
8fbe08d5fa Update win_system_exe_anomaly.yml
fixing to much original fork.
2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0 Update win_system_exe_anomaly.yml
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68 svchost spawned without cli 2020-01-24 15:31:06 +01:00
david-burkett
032c382184 corrected logic 2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51 Trickbot behavioral recon activity 2020-01-24 15:31:06 +01:00
Thomas Patzke
9bb50f3d60 OSCD QA wave 2
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
Florian Roth
ba7c634f1a
More changes 2020-01-13 09:59:14 +01:00
Florian Roth
7bd820c151
Changes 2020-01-13 09:56:49 +01:00
sreemanshanker
ffcfcb70ad
Add files via upload 2020-01-13 13:21:06 +08:00
Thomas Patzke
ae6fcefbcd Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Florian Roth
48f5f480fd fix: SCCM false positives with whoami.exe rule 2020-01-07 12:13:47 +01:00
Florian Roth
c007ecf90c
Merge pull request #585 from Neo23x0/devel
Devel
2019-12-30 15:08:43 +01:00
Florian Roth
5980cb8d0c rule: copy from admin share - lateral movement 2019-12-30 14:25:43 +01:00
Florian Roth
86e6b92903 rule: SecurityXploded tool 2019-12-30 14:25:29 +01:00
Florian Roth
5ad793e04a
Merge pull request #582 from tvjust/patch-1
Added new sticky key attack binary
2019-12-30 14:14:20 +01:00
GelosSnake
f574c20432 Update win_system_exe_anomaly.yml
fixing to much original fork.
2019-12-29 18:02:49 +02:00
GelosSnake
7e7f6d1182 Update win_system_exe_anomaly.yml
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2019-12-29 18:01:19 +02:00
Justin Schoenfeld
a1f07cdb4b
Added new sticky key attack binary 2019-12-29 08:32:23 -05:00
david-burkett
4a65a25070
svchost spawned without cli 2019-12-28 10:28:08 -05:00
david-burkett
35b4806104
corrected logic 2019-12-28 09:55:39 -05:00
David Burkett
474a8617e5
Trickbot behavioral recon activity 2019-12-27 21:25:53 -05:00
Florian Roth
fc8607bbea rule: whoami as local system 2019-12-22 18:50:26 +01:00
Florian Roth
fb76f2b9ac rule: CreateMiniDump 2019-12-22 08:29:12 +01:00
Florian Roth
511229c0b6 rule: modified Bloodhound rule 2019-12-21 21:22:13 +01:00
Florian Roth
1fd4c26005
Merge pull request #569 from Neo23x0/devel
rule: improved bloodhound rule
2019-12-20 17:32:21 +01:00
Florian Roth
0fa5ba925e rule :improved bloodhound rule 2019-12-20 17:23:40 +01:00
Florian Roth
cbebaf637f
Merge pull request #568 from Neo23x0/devel
Devel
2019-12-20 16:22:29 +01:00
Florian Roth
0e82dce2a0 fix: fixed wrong condition 2019-12-20 16:11:39 +01:00
Florian Roth
0000257371 rule: improved bloodhound rule 2019-12-20 16:08:26 +01:00
Florian Roth
3a933c38f2 rule: changed level of BloodHound rule 2019-12-20 15:37:58 +01:00
Florian Roth
68efeb909d rule: false positive condition for BloodHound rule 2019-12-20 15:35:13 +01:00
Florian Roth
825b1edb0f
Merge pull request #567 from Neo23x0/devel
Devel
2019-12-20 15:32:56 +01:00
Florian Roth
708c17e2bc rule: Bloodhound 2019-12-20 14:59:36 +01:00
Florian Roth
ab038d1ac7 style: minor changes 2019-12-20 14:59:26 +01:00
Thomas Patzke
924e1feb54 UUIDs + moved unsupported logic
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
2019-12-19 23:56:36 +01:00
Thomas Patzke
694d666539 Merge branch 'master' into oscd 2019-12-19 23:15:15 +01:00
Florian Roth
0a26184286
Merge pull request #563 from Neo23x0/devel
Devel
2019-12-17 14:48:07 +01:00
Florian Roth
c8b6b5c556 rule: updating csc.exe rule 2019-12-17 13:45:40 +01:00
Florian Roth
7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth
e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth
da06e5bc1c
Merge pull request #562 from Neo23x0/devel
Improved PowerShell Encoded Command Rule
2019-12-16 19:31:15 +01:00
Florian Roth
bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth
f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth
bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Thomas Patzke
ef63a65efe Converted to Unix line end 2019-12-15 23:30:42 +01:00
Yugoslavskiy Daniil
d19df2e4f7 fix issues with wrong tagging 2019-12-15 00:17:22 +01:00
Thomas Patzke
1369b3a2dc
Merge pull request #537 from webhead404/webhead404-contrib-sigma
Added sigma rule to detect external devices or USB drive
2019-12-13 21:50:01 +01:00
Thomas Patzke
7a280ae092
Merge pull request #557 from robrankin/fix_dupe_rule_name
Elastalert error, duplicate rule titles
2019-12-13 21:46:58 +01:00
Florian Roth
9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth
c25b902add
Merge pull request #558 from vburov/patch-7
Added svchost.exe as a parent image
2019-12-10 20:17:22 +01:00
Vasiliy Burov
977551c69d
Added some suspicious locations
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
2019-12-10 20:17:40 +03:00
Vasiliy Burov
0dd4324aba
Added svchost.exe as a parent image
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
2019-12-10 19:31:12 +03:00
Rob Rankin
e251568760 Data Compressed duplciate titles 2019-12-09 16:24:10 +00:00
Yugoslavskiy Daniil
185a634bd9 update authors for 2 rules 2019-12-07 02:10:06 +01:00
Yugoslavskiy Daniil
4789b15fd5 add rules by Sergey Soldatov, Kaspersky Lab 2019-12-07 01:45:55 +01:00
Florian Roth
e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth
c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00
Florian Roth
c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth
fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
yugoslavskiy
edad1695f6 Merge branch 'oscd' of https://github.com/mrblacyk/sigma into mrblacyk-oscd 2019-12-02 02:56:53 +01:00
yugoslavskiy
1273a10dcb add win_new_service_creation.yml 2019-12-02 01:19:54 +01:00
booberry46
df162b232f
Update win_malware_emotet.yml 2019-11-30 13:17:44 +08:00
yugoslavskiy
d5722979ea add rules by Daniel Bohannon 2019-11-27 00:02:45 +01:00
yugoslavskiy
41a09cde34 updated filenames 2019-11-26 23:31:18 +01:00
Florian Roth
39293d5f2b rule: another reference for CVE-2019-1388 rule 2019-11-20 15:09:30 +01:00
Florian Roth
f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth
55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth
4022e3251b rule: changed title 2019-11-20 09:16:00 +01:00
Florian Roth
158f6b3065 rule: exploitation of CVE-2019-1388 2019-11-20 09:12:02 +01:00
yugoslavskiy
efc404fbae resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml 2019-11-19 02:11:19 +01:00
Florian Roth
da05c9bb82 fix: line break in description 2019-11-18 15:26:55 +01:00
Florian Roth
ff3ed04405 rule: Exploiting SetupComplete.cmd CVE-2019-1378 2019-11-15 00:26:18 +01:00
Florian Roth
2b7699cc15 fix: fixed broken condition 2019-11-14 10:15:18 +01:00
Florian Roth
95a8563606 Rule: suspicious msiexec directory 2019-11-14 09:51:55 +01:00
yugoslavskiy
ac21810d7a
Merge pull request #516 from yugoslavskiy/oscd_task_#2_credentials_dumping
oscd task #2 completed
2019-11-14 01:03:27 +03:00
yugoslavskiy
9b9f37715f
Update process_creation_shadow_copies_deletion.yml 2019-11-14 00:50:10 +03:00
yugoslavskiy
a1831bb503
Update process_creation_shadow_copies_creation.yml 2019-11-14 00:48:50 +03:00
yugoslavskiy
1445589839
Update process_creation_copying_sensitive_files_with_credential_data.yml 2019-11-14 00:47:14 +03:00
yugoslavskiy
f2caf366cb moved net_possible_dns_rebinding.yml to unsupported logic directory; renamed win_powershell_bitsjob.yaml -> win_powershell_bitsjob.yml 2019-11-14 00:24:53 +03:00
yugoslavskiy
94caaff4fa Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd 2019-11-14 00:23:22 +03:00
yugoslavskiy
cb29628ceb modify rules based on BSI contribution 2019-11-14 00:23:16 +03:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
Thomas Patzke
0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Florian Roth
b7c3f8da91 refactor: cleanup, single element lists, renamed files, level adjustments 2019-11-12 12:55:05 +01:00
yugoslavskiy
a4331b0eec
Merge pull request #498 from theRabbitCode/oscd
[OSCD] Added Atomic Blue Detections Repo
2019-11-11 23:22:57 +03:00
yugoslavskiy
1f142f6613
Delete win_reg_sam_dumping.yml
redundant with https://github.com/Neo23x0/sigma/pull/516/files#diff-2f8d87b345d7d8c228d22b7a3b83c6ee
authorship has been updated
2019-11-11 23:22:47 +03:00
yugoslavskiy
cad0e30933
Update process_creation_grabbing_sensitive_hives_via_reg.yml 2019-11-11 23:22:25 +03:00
yugoslavskiy
38d0f832a4
Update win_uac_wsreset.yml 2019-11-11 23:13:28 +03:00
yugoslavskiy
49fb6bdf8f
Update win_uac_fodhelper.yml 2019-11-11 23:10:49 +03:00
yugoslavskiy
f991bf20b0
Update win_uac_cmstp.yml 2019-11-11 23:05:43 +03:00
yugoslavskiy
7f975f5878
Update win_trust_discovery.yml 2019-11-11 23:02:13 +03:00
yugoslavskiy
4c10a36e94
Update win_remote_time_discovery.yml 2019-11-11 22:51:35 +03:00
yugoslavskiy
ef55a580cf
Update win_net_enum.yml 2019-11-11 22:36:00 +03:00
yugoslavskiy
4635c5b1f9
Update win_net_user_add.yml 2019-11-11 22:35:43 +03:00
yugoslavskiy
bf4c2a508d
Update win_powershell_bitsjob.yaml 2019-11-11 22:06:57 +03:00
yugoslavskiy
90bf1c4187
Update win_powershell_audio_capture.yml 2019-11-11 22:03:49 +03:00
yugoslavskiy
8d9e293143
Update win_net_user_add.yml 2019-11-11 22:00:46 +03:00
yugoslavskiy
81b373cea7
Update win_net_enum.yml 2019-11-11 21:54:23 +03:00
yugoslavskiy
b181f09339
Update win_net_enum.yml 2019-11-11 21:53:18 +03:00
yugoslavskiy
f169163d3e
Update win_mshta_javascript.yml 2019-11-11 21:49:46 +03:00
yugoslavskiy
20a116cde5
Update win_lsass_dump.yml 2019-11-11 21:46:54 +03:00
yugoslavskiy
119a3417c6
Update win_interactive_at.yml 2019-11-11 04:06:37 +03:00
yugoslavskiy
e18ff0b9f9
Update win_interactive_at.yml 2019-11-11 04:05:21 +03:00
yugoslavskiy
c584b67095
Update win_indirect_cmd.yml 2019-11-11 03:20:09 +03:00
yugoslavskiy
f585c556a4
Update win_hh_chm.yml 2019-11-11 03:04:54 +03:00
yugoslavskiy
7e170900ba
Merge pull request #485 from 4A616D6573/patch-1
Update win_susp_net_execution.yml
2019-11-11 02:58:31 +03:00
yugoslavskiy
24ea49a2a1
Update win_susp_net_execution.yml 2019-11-11 02:57:59 +03:00
yugoslavskiy
03d08067b5
Delete win_fsutil_usn_delete.yml
redundant with ./rules/windows/process_creation/win_susp_fsutil_usage.yml.
authorship has been updated
2019-11-11 02:11:28 +03:00
yugoslavskiy
e7e9185f99
Delete win_eventlog_cleared.yml
redundant with ./rules/windows/process_creation/win_susp_eventlog_clear.yml
2019-11-11 01:59:29 +03:00
yugoslavskiy
521d9311c7
Delete win_cmd_rar.yml
redundant with  ./rules/windows/process_creation/win_data_compressed_with_rar.yml
authorship was updated
2019-11-11 01:58:22 +03:00
yugoslavskiy
afb17d0e0e
Update win_bootconf_mod.yml 2019-11-11 01:53:46 +03:00
yugoslavskiy
fc8901fa1a
Update win_soundrec_audio_capture.yml 2019-11-11 01:45:39 +03:00
yugoslavskiy
570f5b238e
Update win_soundrec_audio_capture.yml 2019-11-11 01:40:45 +03:00
yugoslavskiy
37098be291
Update win_net_user_add.yml 2019-11-11 01:35:51 +03:00
yugoslavskiy
385ebac502
Merge pull request #497 from Heirhabarov/master
OSCD Task 1 - Privilege Escalation
2019-11-11 01:33:28 +03:00
yugoslavskiy
20c87ae83c
Update win_whoami_as_system.yml 2019-11-11 01:18:45 +03:00
yugoslavskiy
0e6d4f7d76
Update win_using_sc_to_change_sevice_image_path_by_non_admin.yml 2019-11-11 01:17:47 +03:00
yugoslavskiy
454701cbee
Update win_possible_privilege_escalation_using_rotten_potato.yml 2019-11-11 01:10:18 +03:00
yugoslavskiy
24e17a9c50
Update win_meterpreter_or_cobaltstrike_getsystem_service_start.yml 2019-11-11 01:08:35 +03:00
yugoslavskiy
1f5a31f0e7 fix logsource for remote_powershell_session_process.yml 2019-11-10 23:10:24 +03:00
yugoslavskiy
86d315598b Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd 2019-11-10 21:40:15 +03:00
yugoslavskiy
6f2243efc4 fix reg rule 2019-11-10 21:40:08 +03:00
yugoslavskiy
e5e44e2ade
Merge pull request #488 from stvetro/oscd
[OSCD][ART] Task 7: T1060, T1031
2019-11-10 21:39:32 +03:00
yugoslavskiy
0d00b643cd
Update win_susp_service_path_modification.yml 2019-11-10 21:25:26 +03:00
yugoslavskiy
b9991bb2ec
Update win_susp_netsh_dll_persistence.yml 2019-11-10 21:21:42 +03:00
yugoslavskiy
b665b1b990
Update and rename win_susp_direct_run_key_modification.yml to win_susp_direct_asep_reg_keys_modification.yml 2019-11-10 21:19:06 +03:00
yugoslavskiy
0db5436778 add tieto dns exfil rules 2019-11-10 20:27:21 +03:00
yugoslavskiy
bdac415fea
Merge pull request #486 from yugoslavskiy/tieto_oscd
[OSCD] Tieto DNS exfiltration rules
2019-11-10 19:36:02 +03:00
yugoslavskiy
4fa928866f oscd task #6 done.
add 25 new rules:

- win_ad_replication_non_machine_account.yml
- win_dpapi_domain_backupkey_extraction.yml
- win_protected_storage_service_access.yml
- win_dpapi_domain_masterkey_backup_attempt.yml
- win_sam_registry_hive_handle_request.yml
- win_sam_registry_hive_dump_via_reg_utility.yml
- win_lsass_access_non_system_account.yml
- win_ad_object_writedac_access.yml
- powershell_alternate_powershell_hosts.yml
- sysmon_remote_powershell_session_network.yml
- win_remote_powershell_session.yml
- win_scm_database_handle_failure.yml
- win_scm_database_privileged_operation.yml
- sysmon_wmi_module_load.yml
- sysmon_remote_powershell_session_process.yml
- sysmon_rdp_registry_modification.yml
- sysmon_powershell_execution_pipe.yml
- sysmon_alternate_powershell_hosts_pipe.yml
- sysmon_powershell_execution_moduleload.yml
- sysmon_createremotethread_loadlibrary.yml
- sysmon_alternate_powershell_hosts_moduleload.yml
- powershell_remote_powershell_session.yml
- win_non_interactive_powershell.yml
- win_syskey_registry_access.yml
- win_wmiprvse_spawning_process.yml

improve 1 rule:

- rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
2019-11-10 18:43:41 +03:00
yugoslavskiy
c0ac9b8fb9 fix conflict 2019-11-10 17:31:33 +03:00
yugoslavskiy
a59d4fdd33 Merge branch 'master' of https://github.com/Neo23x0/sigma into oscd 2019-11-10 14:47:27 +03:00
Florian Roth
8cc16d252a fix: more FP reductions 2019-11-09 23:36:29 +01:00
Florian Roth
be62fad5cc fix: fixed false positive in suspicious shell spawn rule 2019-11-09 10:45:46 +01:00
Thomas Patzke
8ae824f09f Improved rules
Reduced false positives
2019-11-08 23:56:14 +01:00
Thomas Patzke
6e2fe09d24 Removed invalid tags 2019-11-08 22:02:12 +01:00
yugoslavskiy
5861664d0f
Update win_dsquery_domain_trust_discovery.yml 2019-11-08 02:58:32 +03:00
yugoslavskiy
3624a7d5da
Update win_file_permission_modifications.yml 2019-11-08 02:51:42 +03:00
yugoslavskiy
7d3c9e129d
Update win_service_stop.yml 2019-11-08 02:40:37 +03:00
yugoslavskiy
b176339da8
Merge pull request #479 from alexpetrov12/master
add rule
2019-11-08 02:16:22 +03:00
yugoslavskiy
00fc6c62b4
Delete renamed_binary_description.yml
agreed on improvements. will be added later
2019-11-08 02:16:01 +03:00
yugoslavskiy
4443870577
Delete win_odbcconf_execution.yml
merged with rules/windows/process_creation/win_odbcconf_execution.yml
2019-11-08 01:36:03 +03:00
yugoslavskiy
3b34ed6150 add modifiers 2019-11-08 01:34:30 +03:00
yugoslavskiy
82b185db6a
Update win_sysmon_driver_unload.yml 2019-11-07 04:11:26 +03:00
yugoslavskiy
404a6d9915
Update win_netsh_packet_capture.yml 2019-11-07 03:37:41 +03:00
yugoslavskiy
ddf24819ed
Update silenttrinity_stage_use.yml 2019-11-07 03:33:12 +03:00
yugoslavskiy
0d8c64da86
duplicate rule deleted
this rule already present in Sigma repo — [./rules/windows/process_creation/win_susp_comsvcs_procdump.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_comsvcs_procdump.yml)
2019-11-07 03:21:09 +03:00
yugoslavskiy
5513687e63 Merge branch 'master' of https://github.com/Neo23x0/sigma into oscd 2019-11-07 03:03:35 +03:00
webhead404
f7a968e3d2
Update and add another selection for regsvr32
Added cmd.exe to the detection after observing Atomic Red Team test 

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution
2019-11-06 15:49:53 -06:00
Florian Roth
c60563e546 rule: add modified rule date 2019-11-05 11:24:52 +01:00
yugoslavskiy
82f23c5f63
Merge pull request #477 from zinint/oscd
add 13 new rules:

- rules/linux/auditd/lnx_auditd_masquerading_crond.yml 
- rules/linux/auditd/lnx_auditd_user_discovery.yml 
- rules/linux/auditd/lnx_data_compressed.yml 
- rules/linux/auditd/lnx_network_sniffing.yml 
- rules/windows/powershell/powershell_data_compressed.yml 
- rules/windows/powershell/powershell_winlogon_helper_dll.yml 
- rules/windows/process_creation/win_change_default_file_association.yml 
- rules/windows/process_creation/win_data_compressed_with_rar.yml 
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml 
- rules/windows/process_creation/win_network_sniffing.yml 
- rules/windows/process_creation/win_query_registry.yml 
- rules/windows/process_creation/win_service_execution.yml 
- rules/windows/process_creation/win_xsl_script_processing.yml 

modify 1 rule:

- rules/windows/process_creation/win_possible_applocker_bypass.yml
2019-11-05 04:55:29 +03:00
yugoslavskiy
cc7aebe9b6
Update win_service_execution.yml 2019-11-05 04:42:53 +03:00
yugoslavskiy
479aafe466
Update win_service_execution.yml 2019-11-05 04:26:19 +03:00