Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh
2020-04-20 16:14:44 +02:00
vesche
3889be6255
Replace reference link for win_susp_netsh_dll_persistence
2020-04-10 01:05:10 -05:00
vesche
82db80bee6
Remove wrong mitre technique
2020-04-10 01:02:43 -05:00
vesche
72b821e046
Update win_susp_netsh_dll_persistence.yml
2020-04-09 11:16:18 -05:00
Thomas Patzke
551a94af04
Merge branch 'master' of https://github.com/tileo/sigma into pr-658
2020-04-08 22:43:48 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml
2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223
...
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
...
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo.
2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped.
2020-04-01 18:18:13 +02:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
...
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml
2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml
2020-03-28 13:12:07 +01:00
Justin Ellison
dabc759136
Eliminate title collision
...
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
Florian Roth
28953a2942
fix: MITRE tags in rule
2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d
rule: powershell downloadfile
2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7
Merge branch 'master' into devel
2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8
rule: Exploited CVE-2020-10189 Zoho ManageEngine
2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f
rule: extended web shell spawn rule
2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5
Change falsepositives to array
2020-03-24 19:59:54 +01:00
j91321
c784adb10b
Wrong indentation falsepositives
2020-03-24 19:55:41 +01:00
j91321
98a633e54c
Add missing status and falsepositives
2020-03-24 19:53:41 +01:00
j91321
bc442d3021
Add path with lowercase system32
2020-03-24 19:48:24 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
...
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Harish SEGAR
ba3994f319
Fix of '1 of x' condition
2020-03-21 12:19:01 +01:00
Harish SEGAR
81b277ba1a
suspicious powershell parent process...
2020-03-21 00:26:30 +01:00
Harish SEGAR
a88b22a1bd
Fix namefield.
2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7
Restructure new improvement to process_creation folder.
2020-03-20 23:29:32 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
...
Devel
2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e
fix: reduced level due to false positives
2020-03-17 20:40:28 +01:00
neu5ron
4c94906d53
rule should be wildcard AND had a prepended ^
in one of the CommandLine conditions that would have caused to not trigger
2020-03-14 15:00:42 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
...
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues
2020-03-09 17:43:16 +01:00
David Szili
0947538228
MDATP schema changes
...
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
2020-03-09 17:12:41 +01:00
Florian Roth
ddefb3bc58
Merge branch 'master' into devel
2020-03-07 11:06:25 +01:00
ecco
b9e4734087
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d
rule: extended webshell rule with tomcat.exe
2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel
...
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df
fix: wrong identifier
2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8
fix avoiding FPs with MpCmdRun
...
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
2020-03-03 11:16:59 +01:00
Thomas Patzke
b63889af75
Fixed rules that likely will cause false negatives by fix
2020-03-01 23:14:53 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3
...
Rule: restore initial behaviour matching single word with spaces on each side
2020-03-01 22:40:24 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule
...
New Koadic detection rule
2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel
...
Several false positives with new rules
2020-02-26 09:46:02 +01:00
Florian Roth
1c90d6badd
level increased
2020-02-26 09:42:31 +01:00
Florian Roth
c8afd4a16b
Merge pull request #637 from tjgeorgen/patch-1
...
fix missing status & description in status field
2020-02-26 09:40:55 +01:00
Florian Roth
4f3e3166d3
fixing false positives
2020-02-26 09:33:55 +01:00
Tom Georgen
74f3fe70cc
fix missing status & description in status field
2020-02-25 16:30:41 -05:00
ecco
3247d5692a
wmiprvse subprocess: add fallback check on username instead of only logonid
2020-02-24 09:25:20 -05:00
ecco
df7356e829
Rule: restore initial behaviour matching single word with spaces on each side
2020-02-24 08:00:06 -05:00
ecco
aa1eff5419
fix FP on rmdir matching dir
2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix
...
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 09:58:33 +01:00
ecco
f807dae69a
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 03:03:46 -05:00
ecco
1703b725d3
fix non ascii character in rule
2020-02-24 02:58:34 -05:00
Thomas Patzke
48d95f027c
Merge branch 'oscd'
2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145
Rule fixes
...
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Florian Roth
6413730810
fix: fixing too restrictive rule
...
https://twitter.com/Hexacorn/status/1229702521679118336
2020-02-18 10:43:22 +01:00
Florian Roth
04b97bd84c
fix: character in filename
2020-02-18 10:19:48 +01:00
Florian Roth
cd607d4fed
rule: process dump via rundll32 and comsvcs.dll's MiniDumpW
2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc
rule: changed lsass process dump to level high
2020-02-18 10:03:25 +01:00
Wagga
b9c745a1b2
New Koadic detection rule
2020-02-16 16:48:49 +01:00
yugoslavskiy
d0e284ae18
fix typo (duplicates)
2020-02-16 18:19:25 +03:00
Thomas Patzke
f118839664
Further fixes and deduplications
...
From suggestions of @yugoslavskiy in issue #554 .
2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14
Revert "Moved rules with enrichments into unsupported"
...
This reverts commit ba83b8862a
.
2020-02-15 22:52:06 +01:00
Florian Roth
080532d20c
logsource change
...
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524
additional gallium ttp
...
sha1 process creation only makes sense for sysmon
2020-02-07 14:08:40 +00:00
Thomas Patzke
7fdd6f7bce
Swapped accidental deletion of older rule duplicate
2020-02-06 23:41:05 +01:00
Thomas Patzke
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0
Deduplication
2020-02-03 22:41:55 +01:00
Thomas Patzke
815c562a17
Merge branch 'master' into oscd
2020-02-02 13:40:08 +01:00
Thomas Patzke
ba83b8862a
Moved rules with enrichments into unsupported
2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c
additional execution observed
2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel
...
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel
...
Winnti rule and helpful message in test script
2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f
rule: winnti group campaign against HK universities
2020-02-01 15:43:30 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master
2020-01-31 14:45:29 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel
...
New tests, colorized test output and rule cleanup
2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872
rule: wsreset.exe UAC bypass
2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master
...
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Florian Roth
d2122b6b83
Merge pull request #594 from sreemanshanker/master
...
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
2020-01-30 09:14:58 +01:00
Florian Roth
a01773681a
fix: filename
2020-01-30 08:18:29 +01:00
Florian Roth
529e95e3a5
Fixed everything
...
This rule had a lot of errors and problems.
- title
- file name
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
2020-01-30 08:17:46 +01:00
Florian Roth
4c90e636b1
changed file name
2020-01-30 08:07:56 +01:00
Florian Roth
a935cea665
fix: condition
2020-01-30 08:06:53 +01:00
sreemanshanker
d5c7b4795d
Add files via upload
2020-01-30 11:29:01 +08:00
Florian Roth
a816f4775f
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29
rule: dctask64.exe evasion techniques
...
https://twitter.com/gN3mes1s/status/1222088214581825540
2020-01-28 11:29:24 +01:00
Florian Roth
5f0589b787
rule: mstsc shadowing
2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3
rule: split up renamed binary rule
2020-01-24 15:31:07 +01:00
GelosSnake
8fbe08d5fa
Update win_system_exe_anomaly.yml
...
fixing to much original fork.
2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0
Update win_system_exe_anomaly.yml
...
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170
Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml
Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166
Added new sticky key attack binary
2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68
svchost spawned without cli
2020-01-24 15:31:06 +01:00
david-burkett
032c382184
corrected logic
2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51
Trickbot behavioral recon activity
2020-01-24 15:31:06 +01:00
Thomas Patzke
9bb50f3d60
OSCD QA wave 2
...
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
Florian Roth
ba7c634f1a
More changes
2020-01-13 09:59:14 +01:00
Florian Roth
7bd820c151
Changes
2020-01-13 09:56:49 +01:00
sreemanshanker
ffcfcb70ad
Add files via upload
2020-01-13 13:21:06 +08:00
Thomas Patzke
ae6fcefbcd
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4
OSCD QA wave 1
...
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Florian Roth
48f5f480fd
fix: SCCM false positives with whoami.exe rule
2020-01-07 12:13:47 +01:00
Florian Roth
c007ecf90c
Merge pull request #585 from Neo23x0/devel
...
Devel
2019-12-30 15:08:43 +01:00
Florian Roth
5980cb8d0c
rule: copy from admin share - lateral movement
2019-12-30 14:25:43 +01:00
Florian Roth
86e6b92903
rule: SecurityXploded tool
2019-12-30 14:25:29 +01:00
Florian Roth
5ad793e04a
Merge pull request #582 from tvjust/patch-1
...
Added new sticky key attack binary
2019-12-30 14:14:20 +01:00
GelosSnake
f574c20432
Update win_system_exe_anomaly.yml
...
fixing to much original fork.
2019-12-29 18:02:49 +02:00
GelosSnake
7e7f6d1182
Update win_system_exe_anomaly.yml
...
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170
Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml
Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2019-12-29 18:01:19 +02:00
Justin Schoenfeld
a1f07cdb4b
Added new sticky key attack binary
2019-12-29 08:32:23 -05:00
david-burkett
4a65a25070
svchost spawned without cli
2019-12-28 10:28:08 -05:00
david-burkett
35b4806104
corrected logic
2019-12-28 09:55:39 -05:00
David Burkett
474a8617e5
Trickbot behavioral recon activity
2019-12-27 21:25:53 -05:00
Florian Roth
fc8607bbea
rule: whoami as local system
2019-12-22 18:50:26 +01:00
Florian Roth
fb76f2b9ac
rule: CreateMiniDump
2019-12-22 08:29:12 +01:00
Florian Roth
511229c0b6
rule: modified Bloodhound rule
2019-12-21 21:22:13 +01:00
Florian Roth
1fd4c26005
Merge pull request #569 from Neo23x0/devel
...
rule: improved bloodhound rule
2019-12-20 17:32:21 +01:00
Florian Roth
0fa5ba925e
rule :improved bloodhound rule
2019-12-20 17:23:40 +01:00
Florian Roth
cbebaf637f
Merge pull request #568 from Neo23x0/devel
...
Devel
2019-12-20 16:22:29 +01:00
Florian Roth
0e82dce2a0
fix: fixed wrong condition
2019-12-20 16:11:39 +01:00
Florian Roth
0000257371
rule: improved bloodhound rule
2019-12-20 16:08:26 +01:00
Florian Roth
3a933c38f2
rule: changed level of BloodHound rule
2019-12-20 15:37:58 +01:00
Florian Roth
68efeb909d
rule: false positive condition for BloodHound rule
2019-12-20 15:35:13 +01:00
Florian Roth
825b1edb0f
Merge pull request #567 from Neo23x0/devel
...
Devel
2019-12-20 15:32:56 +01:00
Florian Roth
708c17e2bc
rule: Bloodhound
2019-12-20 14:59:36 +01:00
Florian Roth
ab038d1ac7
style: minor changes
2019-12-20 14:59:26 +01:00
Thomas Patzke
924e1feb54
UUIDs + moved unsupported logic
...
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
testing.
2019-12-19 23:56:36 +01:00
Thomas Patzke
694d666539
Merge branch 'master' into oscd
2019-12-19 23:15:15 +01:00
Florian Roth
0a26184286
Merge pull request #563 from Neo23x0/devel
...
Devel
2019-12-17 14:48:07 +01:00
Florian Roth
c8b6b5c556
rule: updating csc.exe rule
2019-12-17 13:45:40 +01:00
Florian Roth
7a3041c593
rule: improved csc.exe rule
2019-12-17 11:05:43 +01:00
Florian Roth
e8d92fab0c
rule: ryuk ransomware
2019-12-16 20:33:12 +01:00
Florian Roth
da06e5bc1c
Merge pull request #562 from Neo23x0/devel
...
Improved PowerShell Encoded Command Rule
2019-12-16 19:31:15 +01:00
Florian Roth
bbaa9df217
rule: better JAB rule
2019-12-16 19:08:51 +01:00
Florian Roth
f83eb2268e
rule: improved JAB expression
2019-12-16 19:04:05 +01:00
Florian Roth
bd7c996588
rule: suspicious PS rule modified to cover newest malware campaigns
2019-12-16 19:02:57 +01:00
Thomas Patzke
ef63a65efe
Converted to Unix line end
2019-12-15 23:30:42 +01:00
Yugoslavskiy Daniil
d19df2e4f7
fix issues with wrong tagging
2019-12-15 00:17:22 +01:00
Thomas Patzke
1369b3a2dc
Merge pull request #537 from webhead404/webhead404-contrib-sigma
...
Added sigma rule to detect external devices or USB drive
2019-12-13 21:50:01 +01:00
Thomas Patzke
7a280ae092
Merge pull request #557 from robrankin/fix_dupe_rule_name
...
Elastalert error, duplicate rule titles
2019-12-13 21:46:58 +01:00
Florian Roth
9c59e3cf13
Merge branch 'master' into devel
2019-12-12 09:40:02 +01:00
Florian Roth
c25b902add
Merge pull request #558 from vburov/patch-7
...
Added svchost.exe as a parent image
2019-12-10 20:17:22 +01:00
Vasiliy Burov
977551c69d
Added some suspicious locations
...
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
2019-12-10 20:17:40 +03:00
Vasiliy Burov
0dd4324aba
Added svchost.exe as a parent image
...
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/ ) and my investigations.
2019-12-10 19:31:12 +03:00
Rob Rankin
e251568760
Data Compressed duplciate titles
2019-12-09 16:24:10 +00:00
Yugoslavskiy Daniil
185a634bd9
update authors for 2 rules
2019-12-07 02:10:06 +01:00
Yugoslavskiy Daniil
4789b15fd5
add rules by Sergey Soldatov, Kaspersky Lab
2019-12-07 01:45:55 +01:00
Florian Roth
e1244acf49
rule: fixed and extended bitsadmin rule
2019-12-06 13:39:04 +01:00
Florian Roth
c1647ca4b7
Merge branch 'master' into devel
2019-12-06 13:38:29 +01:00
Florian Roth
c8e29da7ec
fix: simplified rule with RE
2019-12-03 11:24:06 +01:00
Florian Roth
fc09533f56
style: fixed title
2019-12-03 11:24:06 +01:00
yugoslavskiy
edad1695f6
Merge branch 'oscd' of https://github.com/mrblacyk/sigma into mrblacyk-oscd
2019-12-02 02:56:53 +01:00
yugoslavskiy
1273a10dcb
add win_new_service_creation.yml
2019-12-02 01:19:54 +01:00
booberry46
df162b232f
Update win_malware_emotet.yml
2019-11-30 13:17:44 +08:00
yugoslavskiy
d5722979ea
add rules by Daniel Bohannon
2019-11-27 00:02:45 +01:00
yugoslavskiy
41a09cde34
updated filenames
2019-11-26 23:31:18 +01:00
Florian Roth
39293d5f2b
rule: another reference for CVE-2019-1388 rule
2019-11-20 15:09:30 +01:00
Florian Roth
f9e6a929ba
rule: made it more specific - command line must contain URL
2019-11-20 09:23:04 +01:00
Florian Roth
55e66b1843
rule: added status
2019-11-20 09:21:42 +01:00
Florian Roth
4022e3251b
rule: changed title
2019-11-20 09:16:00 +01:00
Florian Roth
158f6b3065
rule: exploitation of CVE-2019-1388
2019-11-20 09:12:02 +01:00
yugoslavskiy
efc404fbae
resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml
2019-11-19 02:11:19 +01:00
Florian Roth
da05c9bb82
fix: line break in description
2019-11-18 15:26:55 +01:00
Florian Roth
ff3ed04405
rule: Exploiting SetupComplete.cmd CVE-2019-1378
2019-11-15 00:26:18 +01:00
Florian Roth
2b7699cc15
fix: fixed broken condition
2019-11-14 10:15:18 +01:00
Florian Roth
95a8563606
Rule: suspicious msiexec directory
2019-11-14 09:51:55 +01:00
yugoslavskiy
ac21810d7a
Merge pull request #516 from yugoslavskiy/oscd_task_#2_credentials_dumping
...
oscd task #2 completed
2019-11-14 01:03:27 +03:00
yugoslavskiy
9b9f37715f
Update process_creation_shadow_copies_deletion.yml
2019-11-14 00:50:10 +03:00
yugoslavskiy
a1831bb503
Update process_creation_shadow_copies_creation.yml
2019-11-14 00:48:50 +03:00
yugoslavskiy
1445589839
Update process_creation_copying_sensitive_files_with_credential_data.yml
2019-11-14 00:47:14 +03:00
yugoslavskiy
f2caf366cb
moved net_possible_dns_rebinding.yml to unsupported logic directory; renamed win_powershell_bitsjob.yaml -> win_powershell_bitsjob.yml
2019-11-14 00:24:53 +03:00
yugoslavskiy
94caaff4fa
Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd
2019-11-14 00:23:22 +03:00
yugoslavskiy
cb29628ceb
modify rules based on BSI contribution
2019-11-14 00:23:16 +03:00
Thomas Patzke
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
Thomas Patzke
0065e2420f
Merge branch 'oscd-qa'
2019-11-12 20:54:11 +01:00
Florian Roth
b7c3f8da91
refactor: cleanup, single element lists, renamed files, level adjustments
2019-11-12 12:55:05 +01:00
yugoslavskiy
a4331b0eec
Merge pull request #498 from theRabbitCode/oscd
...
[OSCD] Added Atomic Blue Detections Repo
2019-11-11 23:22:57 +03:00
yugoslavskiy
1f142f6613
Delete win_reg_sam_dumping.yml
...
redundant with https://github.com/Neo23x0/sigma/pull/516/files#diff-2f8d87b345d7d8c228d22b7a3b83c6ee
authorship has been updated
2019-11-11 23:22:47 +03:00
yugoslavskiy
cad0e30933
Update process_creation_grabbing_sensitive_hives_via_reg.yml
2019-11-11 23:22:25 +03:00
yugoslavskiy
38d0f832a4
Update win_uac_wsreset.yml
2019-11-11 23:13:28 +03:00
yugoslavskiy
49fb6bdf8f
Update win_uac_fodhelper.yml
2019-11-11 23:10:49 +03:00
yugoslavskiy
f991bf20b0
Update win_uac_cmstp.yml
2019-11-11 23:05:43 +03:00
yugoslavskiy
7f975f5878
Update win_trust_discovery.yml
2019-11-11 23:02:13 +03:00
yugoslavskiy
4c10a36e94
Update win_remote_time_discovery.yml
2019-11-11 22:51:35 +03:00
yugoslavskiy
ef55a580cf
Update win_net_enum.yml
2019-11-11 22:36:00 +03:00
yugoslavskiy
4635c5b1f9
Update win_net_user_add.yml
2019-11-11 22:35:43 +03:00
yugoslavskiy
bf4c2a508d
Update win_powershell_bitsjob.yaml
2019-11-11 22:06:57 +03:00
yugoslavskiy
90bf1c4187
Update win_powershell_audio_capture.yml
2019-11-11 22:03:49 +03:00
yugoslavskiy
8d9e293143
Update win_net_user_add.yml
2019-11-11 22:00:46 +03:00
yugoslavskiy
81b373cea7
Update win_net_enum.yml
2019-11-11 21:54:23 +03:00
yugoslavskiy
b181f09339
Update win_net_enum.yml
2019-11-11 21:53:18 +03:00
yugoslavskiy
f169163d3e
Update win_mshta_javascript.yml
2019-11-11 21:49:46 +03:00
yugoslavskiy
20a116cde5
Update win_lsass_dump.yml
2019-11-11 21:46:54 +03:00
yugoslavskiy
119a3417c6
Update win_interactive_at.yml
2019-11-11 04:06:37 +03:00
yugoslavskiy
e18ff0b9f9
Update win_interactive_at.yml
2019-11-11 04:05:21 +03:00
yugoslavskiy
c584b67095
Update win_indirect_cmd.yml
2019-11-11 03:20:09 +03:00
yugoslavskiy
f585c556a4
Update win_hh_chm.yml
2019-11-11 03:04:54 +03:00
yugoslavskiy
7e170900ba
Merge pull request #485 from 4A616D6573/patch-1
...
Update win_susp_net_execution.yml
2019-11-11 02:58:31 +03:00
yugoslavskiy
24ea49a2a1
Update win_susp_net_execution.yml
2019-11-11 02:57:59 +03:00
yugoslavskiy
03d08067b5
Delete win_fsutil_usn_delete.yml
...
redundant with ./rules/windows/process_creation/win_susp_fsutil_usage.yml.
authorship has been updated
2019-11-11 02:11:28 +03:00
yugoslavskiy
e7e9185f99
Delete win_eventlog_cleared.yml
...
redundant with ./rules/windows/process_creation/win_susp_eventlog_clear.yml
2019-11-11 01:59:29 +03:00
yugoslavskiy
521d9311c7
Delete win_cmd_rar.yml
...
redundant with ./rules/windows/process_creation/win_data_compressed_with_rar.yml
authorship was updated
2019-11-11 01:58:22 +03:00
yugoslavskiy
afb17d0e0e
Update win_bootconf_mod.yml
2019-11-11 01:53:46 +03:00
yugoslavskiy
fc8901fa1a
Update win_soundrec_audio_capture.yml
2019-11-11 01:45:39 +03:00
yugoslavskiy
570f5b238e
Update win_soundrec_audio_capture.yml
2019-11-11 01:40:45 +03:00
yugoslavskiy
37098be291
Update win_net_user_add.yml
2019-11-11 01:35:51 +03:00
yugoslavskiy
385ebac502
Merge pull request #497 from Heirhabarov/master
...
OSCD Task 1 - Privilege Escalation
2019-11-11 01:33:28 +03:00
yugoslavskiy
20c87ae83c
Update win_whoami_as_system.yml
2019-11-11 01:18:45 +03:00
yugoslavskiy
0e6d4f7d76
Update win_using_sc_to_change_sevice_image_path_by_non_admin.yml
2019-11-11 01:17:47 +03:00
yugoslavskiy
454701cbee
Update win_possible_privilege_escalation_using_rotten_potato.yml
2019-11-11 01:10:18 +03:00
yugoslavskiy
24e17a9c50
Update win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
2019-11-11 01:08:35 +03:00
yugoslavskiy
1f5a31f0e7
fix logsource for remote_powershell_session_process.yml
2019-11-10 23:10:24 +03:00
yugoslavskiy
86d315598b
Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd
2019-11-10 21:40:15 +03:00
yugoslavskiy
6f2243efc4
fix reg rule
2019-11-10 21:40:08 +03:00
yugoslavskiy
e5e44e2ade
Merge pull request #488 from stvetro/oscd
...
[OSCD][ART] Task 7: T1060, T1031
2019-11-10 21:39:32 +03:00
yugoslavskiy
0d00b643cd
Update win_susp_service_path_modification.yml
2019-11-10 21:25:26 +03:00
yugoslavskiy
b9991bb2ec
Update win_susp_netsh_dll_persistence.yml
2019-11-10 21:21:42 +03:00
yugoslavskiy
b665b1b990
Update and rename win_susp_direct_run_key_modification.yml to win_susp_direct_asep_reg_keys_modification.yml
2019-11-10 21:19:06 +03:00
yugoslavskiy
0db5436778
add tieto dns exfil rules
2019-11-10 20:27:21 +03:00
yugoslavskiy
bdac415fea
Merge pull request #486 from yugoslavskiy/tieto_oscd
...
[OSCD] Tieto DNS exfiltration rules
2019-11-10 19:36:02 +03:00
yugoslavskiy
4fa928866f
oscd task #6 done.
...
add 25 new rules:
- win_ad_replication_non_machine_account.yml
- win_dpapi_domain_backupkey_extraction.yml
- win_protected_storage_service_access.yml
- win_dpapi_domain_masterkey_backup_attempt.yml
- win_sam_registry_hive_handle_request.yml
- win_sam_registry_hive_dump_via_reg_utility.yml
- win_lsass_access_non_system_account.yml
- win_ad_object_writedac_access.yml
- powershell_alternate_powershell_hosts.yml
- sysmon_remote_powershell_session_network.yml
- win_remote_powershell_session.yml
- win_scm_database_handle_failure.yml
- win_scm_database_privileged_operation.yml
- sysmon_wmi_module_load.yml
- sysmon_remote_powershell_session_process.yml
- sysmon_rdp_registry_modification.yml
- sysmon_powershell_execution_pipe.yml
- sysmon_alternate_powershell_hosts_pipe.yml
- sysmon_powershell_execution_moduleload.yml
- sysmon_createremotethread_loadlibrary.yml
- sysmon_alternate_powershell_hosts_moduleload.yml
- powershell_remote_powershell_session.yml
- win_non_interactive_powershell.yml
- win_syskey_registry_access.yml
- win_wmiprvse_spawning_process.yml
improve 1 rule:
- rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
2019-11-10 18:43:41 +03:00
yugoslavskiy
c0ac9b8fb9
fix conflict
2019-11-10 17:31:33 +03:00
yugoslavskiy
a59d4fdd33
Merge branch 'master' of https://github.com/Neo23x0/sigma into oscd
2019-11-10 14:47:27 +03:00
Florian Roth
8cc16d252a
fix: more FP reductions
2019-11-09 23:36:29 +01:00
Florian Roth
be62fad5cc
fix: fixed false positive in suspicious shell spawn rule
2019-11-09 10:45:46 +01:00
Thomas Patzke
8ae824f09f
Improved rules
...
Reduced false positives
2019-11-08 23:56:14 +01:00
Thomas Patzke
6e2fe09d24
Removed invalid tags
2019-11-08 22:02:12 +01:00
yugoslavskiy
5861664d0f
Update win_dsquery_domain_trust_discovery.yml
2019-11-08 02:58:32 +03:00
yugoslavskiy
3624a7d5da
Update win_file_permission_modifications.yml
2019-11-08 02:51:42 +03:00
yugoslavskiy
7d3c9e129d
Update win_service_stop.yml
2019-11-08 02:40:37 +03:00
yugoslavskiy
b176339da8
Merge pull request #479 from alexpetrov12/master
...
add rule
2019-11-08 02:16:22 +03:00
yugoslavskiy
00fc6c62b4
Delete renamed_binary_description.yml
...
agreed on improvements. will be added later
2019-11-08 02:16:01 +03:00
yugoslavskiy
4443870577
Delete win_odbcconf_execution.yml
...
merged with rules/windows/process_creation/win_odbcconf_execution.yml
2019-11-08 01:36:03 +03:00
yugoslavskiy
3b34ed6150
add modifiers
2019-11-08 01:34:30 +03:00
yugoslavskiy
82b185db6a
Update win_sysmon_driver_unload.yml
2019-11-07 04:11:26 +03:00
yugoslavskiy
404a6d9915
Update win_netsh_packet_capture.yml
2019-11-07 03:37:41 +03:00
yugoslavskiy
ddf24819ed
Update silenttrinity_stage_use.yml
2019-11-07 03:33:12 +03:00
yugoslavskiy
0d8c64da86
duplicate rule deleted
...
this rule already present in Sigma repo — [./rules/windows/process_creation/win_susp_comsvcs_procdump.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_comsvcs_procdump.yml )
2019-11-07 03:21:09 +03:00
yugoslavskiy
5513687e63
Merge branch 'master' of https://github.com/Neo23x0/sigma into oscd
2019-11-07 03:03:35 +03:00
webhead404
f7a968e3d2
Update and add another selection for regsvr32
...
Added cmd.exe to the detection after observing Atomic Red Team test
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution
2019-11-06 15:49:53 -06:00
Florian Roth
c60563e546
rule: add modified rule date
2019-11-05 11:24:52 +01:00
yugoslavskiy
82f23c5f63
Merge pull request #477 from zinint/oscd
...
add 13 new rules:
- rules/linux/auditd/lnx_auditd_masquerading_crond.yml
- rules/linux/auditd/lnx_auditd_user_discovery.yml
- rules/linux/auditd/lnx_data_compressed.yml
- rules/linux/auditd/lnx_network_sniffing.yml
- rules/windows/powershell/powershell_data_compressed.yml
- rules/windows/powershell/powershell_winlogon_helper_dll.yml
- rules/windows/process_creation/win_change_default_file_association.yml
- rules/windows/process_creation/win_data_compressed_with_rar.yml
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml
- rules/windows/process_creation/win_network_sniffing.yml
- rules/windows/process_creation/win_query_registry.yml
- rules/windows/process_creation/win_service_execution.yml
- rules/windows/process_creation/win_xsl_script_processing.yml
modify 1 rule:
- rules/windows/process_creation/win_possible_applocker_bypass.yml
2019-11-05 04:55:29 +03:00
yugoslavskiy
cc7aebe9b6
Update win_service_execution.yml
2019-11-05 04:42:53 +03:00
yugoslavskiy
479aafe466
Update win_service_execution.yml
2019-11-05 04:26:19 +03:00