valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,106 Commits 20 Branches 25 Tags 21 MiB
2bad4bb60d
Commit Graph

2119 Commits

Author SHA1 Message Date
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth
b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth
ba682c5de6
Merge pull request #863 from qwerty1q2w/feature 
add win_not_allowed_rdp_access.yml rule
 2020-06-30 10:03:11 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth
2e3669a5a4
Merge pull request #865 from j91321/defender-rules 
Windows Defender logsource and rules
 2020-06-30 10:01:17 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Harish SEGAR
9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR
649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321
24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Pushkarev Dmitry
502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel 
fix: duplicate IDs
 2020-06-24 17:23:13 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69 Fix quoting for AD Object WriteDAC Access 
The AccessMask field needs to be quoted so that it is compared correctly.
 2020-06-22 15:31:03 -04:00
Furkan ÇALIŞKAN
b091e3b1c4
Update for new method 
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 2020-06-22 01:06:34 +03:00
Florian Roth
e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth
62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth
5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth
b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth
da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Florian Roth
b675c4c706 Merge branch 'master' into rule-devel 2020-06-19 09:24:26 +02:00
Florian Roth
4b0c80885f
Merge pull request #810 from EccoTheFlintstone/fp 
add WMI module load false positives
 2020-06-18 12:50:40 +02:00
Florian Roth
32ecb81630
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2 
ATT&CK subtechniques v2
 2020-06-18 09:10:09 +02:00
Ivan Kirillov
b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
ecco
99bfa14ae0 add 1 more FP 2020-06-17 12:49:27 -04:00
Florian Roth
0022705373 fix: filter not functional 
since `UsrLogon.cmd` does appear only in `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
 2020-06-17 16:09:44 +02:00
Ivan Kirillov
5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth
d24ec665fd
Merge pull request #838 from rtkbkish/fix-identifier 
Identifiers shared between global document and rule gets overwritten
 2020-06-15 20:20:23 +02:00
Florian Roth
87053502a3
Merge pull request #839 from rtkbkish/fix-double-backslash 
Fix match for double-backslash
 2020-06-15 20:19:56 +02:00
Florian Roth
869162a5da
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id 
Rule lists extra Sysmon ID (11). Should just match registry events (1…
 2020-06-15 20:19:27 +02:00
Florian Roth
3482e048fb
Merge pull request #841 from rtkbkish/fix-rule-match 
Rule needs endwith, not exact match.
 2020-06-15 20:19:12 +02:00
Florian Roth
46bd56a708
Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation 
Fix logsource field name from service->category
 2020-06-15 20:18:53 +02:00
Brad Kish
dfae2a6df6 Rule needs endwith, not exact match. 
Fix ImageLoaded filter to match with endswith, rather than exact match.
 2020-06-15 13:54:02 -04:00
Brad Kish
a9c6fa904f Rule lists extra Sysmon ID (11). Should just match registry events (12-14) 
Remove extraneous event ID 11. It will never match.
 2020-06-15 13:52:12 -04:00
Brad Kish
f196046b3d Fix match for double-backslash 
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
 2020-06-15 13:39:50 -04:00
Brad Kish
422b2bffd7 Fix rules with incorrect escaping of wildcars 
A backslash before a wildcard needs to be escaped with another backslash.
 2020-06-15 13:38:18 -04:00
Brad Kish
8d58c8f5c8 Fix logsource field name from service->category 
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
 2020-06-15 13:18:05 -04:00
Brad Kish
f5aa871e5d Identifiers shared between global document and rule gets overwritten 
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
 2020-06-15 13:14:31 -04:00
Iveco
40f0fd989d - moved to "process_creation" folder instead of "sysmon" 
- renamed .yml file
 2020-06-11 19:21:17 +02:00
Iveco
34d7ea2974 removed one field 2020-06-11 16:23:15 +02:00
Iveco
2081baafe5 updated to process_creation 2020-06-11 15:58:05 +02:00
Iveco
f56e2599b1 Cmd.exe Path Traversal Detection 2020-06-11 15:48:48 +02:00
Florian Roth
a7136481f1
Update win_pcap_drivers.yml 2020-06-11 11:14:43 +02:00
Florian Roth
97c45f9d46
Merge pull request #812 from tliffick/master 
added new rules for malware
 2020-06-10 17:37:19 +02:00
Cian Heasley
9835c6d67d
add win_pcap_drivers.yml 2020-06-10 15:53:22 +01:00
Florian Roth
96309d247b
fix: cosmetic fault 2020-06-10 16:41:03 +02:00
Florian Roth
6e4aa01baa
Cosmetics 2020-06-10 16:36:17 +02:00
Florian Roth
13c7d40a22
Cosmetics 2020-06-10 16:35:41 +02:00
Florian Roth
f553fb2e33
Cosmetics 2020-06-10 16:35:14 +02:00
Florian Roth
48e4e31713
Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll 
Fax Service DLL search order hijacking detection
 2020-06-10 16:33:12 +02:00
Florian Roth
1a9da23611
Merge pull request #825 from NVISO-BE/sysmon_office_persistence 
Office persistence by addin detection
 2020-06-10 16:32:50 +02:00
Steven Goossens
e5f36dd146 Added rules files split into folders 2020-06-10 16:32:30 +02:00
Remco Hofman
8adaa2d672 Fixed bad indentation 2020-06-10 15:02:41 +02:00
Remco Hofman
83a6e25bcb Fax Service DLL search order hijacking 2020-06-10 15:01:07 +02:00
Remco Hofman
cb8e478ac1 Sigma rule to detect Office persistence via addin. 2020-06-10 14:52:13 +02:00
Florian Roth
5c835cf1f2
Merge pull request #813 from ozirus/patch-1 
Create sysmon_apt_muddywater_dnstunnel.yml
 2020-06-09 18:44:45 +02:00
Florian Roth
7a334a8d8a
fix: missed line 2020-06-09 17:30:54 +02:00
Florian Roth
04913a4b95
Aligned indentation 2020-06-09 17:20:25 +02:00
Florian Roth
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud 
TA410 FlowCloud malware detection
 2020-06-09 17:18:39 +02:00
Remco Hofman
a9bf22750a Fixed bad indentation 2020-06-09 16:30:17 +02:00
Remco Hofman
4ce3ea735e TA410 FlowCloud malware detection 2020-06-09 16:21:46 +02:00
Remco Hofman
d14d391761 Octopus Scanner malware rule 2020-06-09 16:12:05 +02:00
Florian Roth
6e349030d9 rule: suspicious camera and mic access 2020-06-08 10:18:44 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel 
merged Cyb3rWarD0g's rules
 2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel 
Rule devel
 2020-06-06 14:19:37 +02:00
Florian Roth
3697186281 fix: fixed title 2020-06-06 14:04:40 +02:00
Florian Roth
246a95557b fix: description over multiple lines 2020-06-06 13:56:48 +02:00
Florian Roth
d54209dcc5 rule: ETW disabled 2020-06-06 13:56:19 +02:00
Florian Roth
2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN
082696ee84
Added UUID 2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN
e958a6a939
Date added 2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN
5e373153eb
Title fix 2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN
0744107fbb
Deleted EventID part 2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN
1c677aa172
Fix title as in guideline 
Fix title error as in guideline and other cosmetic changes
 2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN
bafd6bde5f
Convert to process_creation 
Convert to process_creation
 2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN
09afae1e66
Create sysmon_apt_muddywater_dnstunnel.yml 
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 2020-06-04 14:27:19 +03:00
Trent Liffick
6c8c0cd85d
Removed incorrect technique 2020-06-03 17:51:57 -04:00
Trent Liffick
3c89f46899
removed unwanted file 2020-06-03 17:43:12 -04:00
Trent Liffick
2af501c9f5
added rule for zLoader & Office 
detects changes to Office macro settings & ZLoader malware
 2020-06-03 17:40:05 -04:00
Trent Liffick
a2ca199e7d
added rules for Lazaurs and hhsgov 2020-06-03 17:38:03 -04:00
William Bruneau
84dd8c39c4 Move null values out from list in rules 2020-06-03 13:57:22 +02:00
Sven Scharmentke
4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'. 
This commit fixes the incorrect spelling.
 2020-06-03 09:00:59 +02:00
ecco
b1c11cc345 add WMI module load false positive 2020-06-01 03:30:27 -04:00
Florian Roth
e20b58c421
Merge pull request #806 from SanWieb/sysmon_creation_system_file 
Fixed wrong field & Improve rule
 2020-05-29 17:32:27 +02:00
Sander Wiebing
a00f7f19a1
Add tagg Endswith 
Prevent the trigger of {}.exe.log
 2020-05-29 16:25:54 +02:00
Sander Wiebing
38afd8b5de
Fixed wrong field 2020-05-28 21:52:17 +02:00
Florian Roth
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel 
ComRAT and KazuarRAT
 2020-05-28 11:16:44 +02:00
Florian Roth
39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth
76dcc1a16f rule: renamed debugview 2020-05-28 09:22:25 +02:00
Florian Roth
ec313b6c8a
Merge pull request #801 from SanWieb/sysmon_creation_system_file 
Rule: sysmon_creation_system_file
 2020-05-27 08:49:20 +02:00
Sander Wiebing
d44fc43c54
Add extension 2020-05-26 19:10:11 +02:00
Sander Wiebing
f6ec724d51
Rule: sysmon_creation_system_file 2020-05-26 18:53:54 +02:00
Florian Roth
5bb6770f53
Merge pull request #800 from SanWieb/win_system_exe_anomaly 
Extended Windows processes: win_system_exe_anomaly
 2020-05-26 14:28:47 +02:00
Florian Roth
4ca81b896d rule: Turla ComRAT report 2020-05-26 14:19:22 +02:00
Sander Wiebing
3681b8cb56
Extended Windows processes 2020-05-26 13:56:51 +02:00
Florian Roth
c1f4787566
Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048 
Changes to sysmon_cve-2020-1048
 2020-05-26 13:21:04 +02:00
Florian Roth
ce1f46346f
Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access 
Add 'Add-Content' to powershell_ntfs_ads_access
 2020-05-26 13:20:40 +02:00
Florian Roth
e131f3476e
Merge pull request #796 from EccoTheFlintstone/fp 
add more false positives
 2020-05-26 13:20:23 +02:00
Sander Wiebing
f9f814f3b3
Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing
a241792e10
Reduce FP of legitime processes 
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

Python 2.7, 3.3 and 3.7 does not have any file characteristics.

So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
 2020-05-26 12:58:15 +02:00
Remco Hofman
48c5f2ed09 Update to sysmon_cve-2020-1048 
Added .com executables to detection
Second TargetObject should have been Details
 2020-05-26 11:20:21 +02:00
ecco
7037e77569 add more FP 2020-05-25 04:50:22 -04:00
Florian Roth
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source 
Fix 'source' value for win_susp_backup_delete
 2020-05-25 10:48:36 +02:00
Florian Roth
0afe0623af
Merge pull request #757 from tliffick/master 
added rule for Blue Mockingbird (cryptominer)
 2020-05-25 10:47:23 +02:00
Sander Wiebing
6fcf3f9ebf
Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing
28652e4648
Add Windows Server 2008 and Windows Vista support 
It did not support the command `netsh advfirewall firewall add`
 2020-05-25 10:02:13 +02:00
Sander Wiebing
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml 
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. 

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
 2020-05-25 09:50:47 +02:00
Sander Wiebing
b8ee736f44
Remove AppData folder as suspicious folder 
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
 2020-05-24 15:16:07 +02:00
Florian Roth
6fbfa9dfdd
Merge pull request #793 from Neo23x0/rule-devel 
Esentutl rule and StrongPity Loader UA
 2020-05-23 23:47:12 +02:00
ecco
f970d28f10 add more false positives 2020-05-23 15:06:15 -04:00
Florian Roth
3028a27055 fix: buggy rule 2020-05-23 18:32:02 +02:00
Florian Roth
df715386b6 rule: suspicious esentutl use 2020-05-23 18:27:36 +02:00
ecco
67faf4bd41 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml 2020-05-23 10:56:23 -04:00
Florian Roth
9cd9a301c2
Merge pull request #791 from SanWieb/master 
added rule for Netsh RDP port opening
 2020-05-23 16:50:31 +02:00
ecco
10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
ecco
d9bc09c38c fix test 2020-05-23 10:02:58 -04:00
ecco
78a7852a43 renamed dbghelp rule with new ID and comment and removed a false positive 2020-05-23 09:16:40 -04:00
Sander Wiebing
d310805ed9
rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco
75ba5f989c add 1 more FP to wmi load 2020-05-23 07:44:45 -04:00
ecco
9a7f462d79 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
ecco
cfde0625f5 fix false positive matching on every powershell process not run by SYSTEM account 2020-05-23 07:05:09 -04:00
Florian Roth
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel 
refactor: split up rule for CVE-2020-1048 into 2 rules
 2020-05-23 09:54:43 +02:00
Florian Roth
34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth
57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
ecco
ec17c2ab56 filter on createkey only when needed 2020-05-22 10:37:00 -04:00
4A616D6573
879ad6f206
Update win_susp_ntlm_rdp.yml 2020-05-22 13:32:02 +10:00
4A616D6573
daa3c5e053
Update win_susp_ntlm_rdp.yml 2020-05-22 13:28:56 +10:00
4A616D6573
0f8f5fb29c
Create win_susp_ntlm_rdp.yml 2020-05-22 13:24:27 +10:00
Florian Roth
91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth
9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth
344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
ecco
0dd089db47 various rules cleaning 2020-05-18 20:29:53 -04:00
Thomas Patzke
96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth
64e0e7ca72
Merge pull request #784 from Neo23x0/rule-devel 
refactor: slightly improved Greenbug rule
 2020-05-21 14:19:09 +02:00
Florian Roth
bbf78374b6
Merge pull request #783 from Neo23x0/rule-devel 
Greenbug Rule
 2020-05-21 09:55:46 +02:00
Florian Roth
e7980bb434
Merge pull request #782 from ZikyHD/patch-1 
Remove duplicate 'CommandLine' in fields
 2020-05-20 12:55:41 +02:00
ZikyHD
8963c0a65e
Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
Florian Roth
9ab65cd1c7
Update win_alert_ad_user_backdoors.yml 2020-05-19 14:50:22 +02:00
Tatsuya Ito
c815773b1a enhancement rule 2020-05-19 18:05:51 +09:00
Tatsuya Ito
49f68a327a enhancement rule 2020-05-19 18:00:50 +09:00
ecco
1aa97fe577 flake 8 2020-05-18 10:03:18 -04:00
ecco
088800cd18 fix rule due to sigmac bug? 2020-05-18 09:39:48 -04:00
ecco
e89613aee0 add some false positives checks 2020-05-18 07:19:06 -04:00
Florian Roth
8154ca355a
Merge pull request #768 from maximelb/master 
Remove "condition" from global rule in CVE-2020-1048.
 2020-05-18 12:52:49 +02:00
Maxime Lamothe-Brassard
25d3a5a893
Remove "condition" from global rule. 
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
 2020-05-17 12:44:57 -07:00
Florian Roth
a46e357874 Merge branch 'master' into rule-devel 2020-05-16 08:59:34 +02:00
Florian Roth
d5e7d4e302 fix: missing condition in CVE-2020-1048 rule 2020-05-16 08:59:05 +02:00
ecco
fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
ecco
0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth
cc26b26377 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
 2020-05-15 12:09:47 +02:00
Florian Roth
8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel 
Rule devel
 2020-05-15 12:07:04 +02:00
Florian Roth
beb62dc163
fix: condition location 2020-05-15 12:06:34 +02:00
Florian Roth
5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Florian Roth
2282432b6f
Merge pull request #753 from hieuttmmo/master 
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
 2020-05-15 11:35:12 +02:00
Florian Roth
28dc2a2267
Minor changes 
hints: 
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
 2020-05-15 11:33:36 +02:00
ecco
54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Trent Liffick
40ab1b7247
added 'action: global' 2020-05-14 23:33:08 -04:00
Trent Liffick
56a2747a70
Corrected missing condition 
learning! fail fast & forward
 2020-05-14 23:18:33 -04:00
Trent Liffick
fb1d8d7a76
Corrected typo 2020-05-14 23:04:14 -04:00
Trent Liffick
8aff6b412e
added rule for Blue Mockingbird (cryptominer) 2020-05-14 22:58:23 -04:00
Florian Roth
ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Tran Trung Hieu
e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu
443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu
e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu
97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Florian Roth
7652813c2c
Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives 
Widen the search as it gives too many false negatives
 2020-05-13 21:02:12 +02:00
Tran Trung Hieu
d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu
3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod
78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth
78a8266a1b
Merge pull request #749 from teddy-ROxPin/patch-6 
Create win_advanced_ip_scanner.yml
 2020-05-13 14:09:12 +02:00
Florian Roth
220a14f31c
fix: typo in contains 2020-05-13 12:38:54 +02:00
zaphod
1a598282f4 Add 'Add-Content' to powershell_ntfs_ads_access 2020-05-13 11:57:10 +02:00
Florian Roth
a1856c5743
Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
zaphod
a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin
bb17fd74ee
Create win_advanced_ip_scanner.yml 
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 2020-05-12 21:43:01 -06:00
zaphod
d510e1aad4 Fix 'source' value for win_susp_backup_delete 2020-05-11 18:31:59 +02:00
Rettila
6ec74364f2
Create win_global_catalog_enumeration.yml 2020-05-11 17:40:47 +02:00
Rettila
ccacedf621
Merge pull request #3 from Neo23x0/master 
merge
 2020-05-11 17:38:27 +02:00
Florian Roth
1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth
2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth
4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth
f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Florian Roth
09d1b00459
Changed level to ciritcal 2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware 
Detects registry keys used by Azorult malware
 2020-05-08 21:26:24 -04:00
Florian Roth
fd7968d4f8
Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source 
New rule: Failed Logon From Public IP
 2020-05-08 16:24:12 +02:00
Florian Roth
24c0765694 Merge branch 'master' into devel 2020-05-08 12:17:14 +02:00
Florian Roth
7cc1b300d2 rule: maze ransomware patterns 2020-05-08 11:42:06 +02:00
Rettila
07a50edf89
Update win_metasploit_authentication.yml 2020-05-07 14:42:00 +02:00
Remco Verhoef
2d38cb7b52
fix incorrect use of global 2020-05-06 23:00:45 +02:00
Remco Verhoef
40539a0c0e
fix incorrect use of action global 2020-05-06 22:53:02 +02:00
Remco Hofman
123a23adae win_susp_failed_logon_source rule 2020-05-06 22:24:02 +02:00
Rettila
6aed82a039
Update win_metasploit_authentication.yml 2020-05-06 17:04:47 +02:00
Rettila
2beb65076c
Update win_metasploit_authentication.yml 2020-05-06 16:44:19 +02:00
Rettila
7371ce234b
Create win_metasploit_authentication.yml 2020-05-06 16:42:27 +02:00
Florian Roth
473c31232e
add additional reference 2020-05-05 19:25:33 +02:00
Rettila
0e1fa5c135
Update win_possible_dc_shadow.yml 2020-05-05 18:14:32 +02:00
Rettila
55d018255c
Update win_possible_dc_shadow.yml 2020-05-05 16:52:08 +02:00
Rettila
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml 2020-05-05 16:51:35 +02:00
Rettila
f27aa4bfee
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00
Rettila
db810b342f
Delete win_possible_dc_shadow.yml 2020-05-05 16:48:39 +02:00
Rettila
e3f21805f3
Update win_possible_dc_shadow.yml 2020-05-05 16:43:56 +02:00
Rettila
0f4cc9d365
Create win_possible_dc_shadow.yml 2020-05-05 16:40:52 +02:00
Florian Roth
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary 
Add netsh to renamed binary rule
 2020-05-02 14:12:34 +02:00
Florian Roth
b4b9b0155f
Merge pull request #716 from Karneades/patch-1 
Add rule to detect wifi creds harvesting using netsh
 2020-05-02 14:12:10 +02:00
Maxime Thiebaut
4600bf73dc Update rules to follow the Sigma state specification 
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49))
 - [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26))
 - [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98))

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
 2020-04-24 20:50:31 +02:00
Andreas Hunkeler
7d437c2969
Add netsh to renamed binary rule 2020-04-20 17:12:25 +02:00
Andreas Hunkeler
d4e9606266
Improve netsh wifi rule another time due to arg shortcut 2020-04-20 16:40:03 +02:00
Andreas Hunkeler
af498d8a8c
Improve rule to detect argument shortcut in netsh wlan rule 2020-04-20 16:32:25 +02:00
Andreas Hunkeler
ba541c3952
Fix title for new netsh wifi rule 2020-04-20 16:20:45 +02:00
Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh 2020-04-20 16:14:44 +02:00
Florian Roth
514bd8657b
Merge pull request #704 from Iveco/master 
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
 2020-04-14 14:11:27 +02:00
Florian Roth
2e0e170058
Merge pull request #708 from teddy-ROxPin/patch-4 
Create powershell_create_local_user.yml
 2020-04-14 14:11:15 +02:00
Florian Roth
3175a48bdc
Casing 2020-04-14 13:40:34 +02:00
Florian Roth
ecdec93800
Casing 2020-04-14 13:39:58 +02:00
Florian Roth
5cbe008350
Casing 2020-04-14 13:39:22 +02:00
Florian Roth
5ee0808619
Merge pull request #706 from vesche/update_win_susp_netsh_dll_persistence 
Update win_susp_netsh_dll_persistence.yml
 2020-04-14 13:37:53 +02:00
Florian Roth
4f469c0e39
Adjusted level 2020-04-14 13:37:10 +02:00
Florian Roth
8f40c0a1c8
Merge pull request #710 from vesche/update_win_GPO_scheduledtasks 
Update win_GPO_scheduledtasks.yml
 2020-04-14 13:36:17 +02:00
Maxime Thiebaut
86c6891427 Add Windows Registry Persistence COM Search Order Hijacking 2020-04-14 12:59:29 +02:00
vesche
1f918253e8 Add additional reference 2020-04-13 11:09:36 -05:00
vesche
9cdb3a4a64 Fix typo 2020-04-13 11:09:00 -05:00
teddy-ROxPin
1501331f77
Create powershell_create_local_user.yml 
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
 2020-04-11 02:51:05 -06:00
vesche
3889be6255 Replace reference link for win_susp_netsh_dll_persistence 2020-04-10 01:05:10 -05:00
vesche
82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche
72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Iveco
61b9234d7f
Update win_user_driver_loaded.yml 
removed internal field
 2020-04-09 11:28:19 +02:00
Thomas Patzke
551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Iveco
e913db0dca
Update win_user_driver_loaded.yml 
CI
 2020-04-08 18:54:59 +02:00
Iveco
c5211eb94a
Update sysmon_susp_service_installed.yml 
CI
 2020-04-08 18:54:46 +02:00
Iveco
4520082ef7
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
CI
 2020-04-08 18:54:37 +02:00
Iveco
6d85650390
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed Author
 2020-04-08 18:41:33 +02:00
Iveco
fc1febdebe
Update sysmon_susp_service_installed.yml 
Fixed Author
 2020-04-08 18:41:25 +02:00
Iveco
d0746b50f4
Update win_user_driver_loaded.yml 
Fixed author
 2020-04-08 18:41:16 +02:00
Iveco
3280a1dfb0
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed CI
 2020-04-08 18:23:29 +02:00
Iveco
5e724a0a54
Update sysmon_susp_service_installed.yml 
Fixed CI
 2020-04-08 18:22:51 +02:00
Iveco
d1b9c0c34a
Update win_user_driver_loaded.yml 
Fixed CI
 2020-04-08 18:21:59 +02:00
iveco
e87f2705a7 Detect Ghost-In-The-Logs (disabling/bypassing ETW) 2020-04-08 18:01:04 +02:00
Maxime Thiebaut
73a6428345 Update the NTLM downgrade registry paths 
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
 2020-04-07 17:14:45 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223 
Suspicious Compiled HTML File
 2020-04-03 16:56:26 +03:00
Florian Roth
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master 
New sigma rules to detect new MITRE technique in last update (T1502)
 2020-04-03 09:59:36 +02:00
Florian Roth
f4928e95bc
Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack 
Powershell downgrade attack (small improvements)
 2020-04-03 09:31:33 +02:00
Florian Roth
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1 
Typo fix for powershell_suspicious_invocation_generic.yml
 2020-04-03 09:30:32 +02:00
Florian Roth
dec0c108f9
Merge pull request #683 from NVISO-BE/powershell_wmimplant 
WMImplant detection rule
 2020-04-02 11:54:09 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo. 2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
Clément Notin
18cdddb09e
Small typo 2020-03-31 15:22:00 +02:00
Maxime Thiebaut
8dcbfd9aca Add AD User Enumeration 
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.

This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.

Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.

False positives may include administrators performing the initial
configuration of new users.
 2020-03-31 09:40:07 +02:00
Remco Hofman
b791d599ee Disabled keywords that could cause FPs 2020-03-30 08:53:52 +02:00
teddy-ROxPin
1a3731f7ae
Typo fix for powershell_suspicious_invocation_generic.yml 
' - windowstyle hidden ' changed to ' -windowstyle hidden '
 2020-03-29 04:16:15 -06:00
Florian Roth
8ea6b12eed
Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini 
Add "Suspicious desktop.ini Action" rule
 2020-03-28 13:34:01 +01:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes 
Minor fixes to several rules
 2020-03-28 13:27:05 +01:00
Florian Roth
e2b90220a2
Update sysmon_susp_desktop_ini.yml 2020-03-28 13:19:10 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml 2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Florian Roth
2426b39d83
Merge pull request #678 from justintime/title_collision 
Eliminate title collision
 2020-03-28 12:57:55 +01:00
Remco Hofman
f52ed4150d WMImplant parameter detection 2020-03-27 15:08:35 +01:00
Iveco
55258e1799
Title capitalized 2020-03-26 17:04:08 +01:00
Iveco
3f577c98e7
Title capalized 2020-03-26 17:03:33 +01:00
Iveco
68c20dca20
Fixed title length 2020-03-26 16:56:46 +01:00
Iveco
39a3af04ce
Fixed title length 2020-03-26 16:56:06 +01:00
Justin Ellison
dabc759136
Eliminate title collision 
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
 2020-03-26 09:13:52 -05:00
iveco
ddacde9e6b add LDAPFragger detections 2020-03-26 15:13:36 +01:00
Florian Roth
28953a2942 fix: MITRE tags in rule 2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d rule: powershell downloadfile 2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7 Merge branch 'master' into devel 2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8 rule: Exploited CVE-2020-10189 Zoho ManageEngine 2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f rule: extended web shell spawn rule 2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5 Change falsepositives to array 2020-03-24 19:59:54 +01:00
j91321
c784adb10b Wrong indentation falsepositives 2020-03-24 19:55:41 +01:00
j91321
98a633e54c Add missing status and falsepositives 2020-03-24 19:53:41 +01:00
j91321
3c74d8b87d Add correct Source to detection to avoid FP 2020-03-24 19:49:24 +01:00
j91321
bc442d3021 Add path with lowercase system32 2020-03-24 19:48:24 +01:00
j91321
78bfa950d7 Add WinPrvSE.exe to detection 2020-03-24 19:47:10 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules 
Updates sigmac and rules
 2020-03-22 00:22:31 +01:00
Harish SEGAR
ba3994f319 Fix of '1 of x' condition 2020-03-21 12:19:01 +01:00
Harish SEGAR
81b277ba1a suspicious powershell parent process... 2020-03-21 00:26:30 +01:00
Harish SEGAR
a88b22a1bd Fix namefield. 2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7 Restructure new improvement to process_creation folder. 2020-03-20 23:29:32 +01:00
Harish SEGAR
b9a916ceb4 Removed useless condition. 2020-03-20 22:50:26 +01:00
Harish SEGAR
30fac9545a Fixed author field. 2020-03-20 22:49:07 +01:00
Harish SEGAR
1f251cec07 Added missing action field 2020-03-20 22:46:19 +01:00
Harish SEGAR
293018a9e7 Added conditions... 2020-03-20 22:33:14 +01:00
Harish SEGAR
74b81120e4 Usage of value modifiers... 2020-03-20 22:03:48 +01:00
Harish SEGAR
b129f09fee Improvement detection on downgrade of powershell 2020-03-20 21:48:19 +01:00
Maxime Thiebaut
dce18b23b7 Add "Suspicious desktop.ini Action" rule 2020-03-19 21:43:03 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel 
Devel
 2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e fix: reduced level due to false positives 2020-03-17 20:40:28 +01:00
neu5ron
4c94906d53 rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger 2020-03-14 15:00:42 -04:00
neu5ron
4b572f3ccb newline in description - typo 2020-03-14 14:58:58 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1 
add rule for suspicious use of csharp console by scripting utility
 2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues 2020-03-09 17:43:16 +01:00
David Szili
0947538228 MDATP schema changes 
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
 2020-03-09 17:12:41 +01:00
ecco
2489b8534c sysmon registry events fix 2020-03-09 12:02:04 -04:00
Florian Roth
ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
Florian Roth
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1 
MMC Lateral Movement Rule 1
 2020-03-07 11:02:16 +01:00
Florian Roth
2e184382f5
fix: eventid in process_creation rules 2020-03-07 10:43:47 +01:00
Florian Roth
7e8b59abe6
Merge pull request #643 from grumo35/patch-2 
Update sysmon_cred_dump_tools_dropped_files.yml
 2020-03-07 10:39:35 +01:00
Florian Roth
c609de4f27
Merge pull request #648 from NVISO-BE/patch-azure-ad-replication 
Exclude Azure AD sync accounts from AD Replication rule
 2020-03-07 10:39:04 +01:00
Florian Roth
b040c129be
fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA)
ae56db97ff
mmc lateral movement detection 1 
see https://github.com/Neo23x0/sigma/issues/576
 2020-03-04 14:57:41 -05:00
ecco
b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel 
fix: avoiding FPs with Citrix software
 2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8 fix avoiding FPs with MpCmdRun 
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
 2020-03-03 11:16:59 +01:00
Florian Roth
7139bfb0cb fix: avoiding FPs with Citrix software 
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
 2020-03-03 11:01:42 +01:00
Remco Hofman
d4b5dd5749 Exclude Azure AD sync accounts from AD Replication rule 2020-03-02 16:43:20 +01:00
Thomas Patzke
b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3 
Rule: restore initial behaviour matching single word with spaces on each side
 2020-03-01 22:40:24 +01:00
Florian Roth
19d383989c fix: keyword expression in rule 2020-02-29 16:03:31 +01:00
Florian Roth
fa6458b70f rule: two rules to detect CVE-2020-0688 exploitation 2020-02-29 15:45:45 +01:00
Florian Roth
fdcba84fc8 fix: escaped backslash 2020-02-29 10:12:59 +01:00
grumo35
0d932810b5
Update sysmon_cred_dump_tools_dropped_files.yml 
Adding sysinternal's procdump utility more about this on : https://en.hackndo.com/remote-lsass-dump-passwords/
 2020-02-28 15:16:18 +01:00
Florian Roth
f88225dd2a
Merge pull request #640 from Neo23x0/devel 
fix: broader exclusion for rule - OneDrive false positives
 2020-02-26 18:41:52 +01:00
Florian Roth
6bbd80a8ee fix: broader exclusion for rule - OneDrive false positives 2020-02-26 18:31:58 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule 
New Koadic detection rule
 2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel 
Several false positives with new rules
 2020-02-26 09:46:02 +01:00
Florian Roth
1c90d6badd
level increased 2020-02-26 09:42:31 +01:00
Florian Roth
c8afd4a16b
Merge pull request #637 from tjgeorgen/patch-1 
fix missing status & description in status field
 2020-02-26 09:40:55 +01:00
Florian Roth
031e6d3ee6
Merge pull request #635 from EccoTheFlintstone/fix_fp4 
wmiprvse subprocess: add fallback check on username instead of only l…
 2020-02-26 09:40:34 +01:00
Florian Roth
4f3e3166d3 fixing false positives 2020-02-26 09:33:55 +01:00
Florian Roth
82d2b1e6f0 Merge branch 'master' into devel 
# Conflicts:
#	rules/windows/process_creation/win_susp_squirrel_lolbin.yml
 2020-02-26 09:27:48 +01:00
Florian Roth
e7aff17e72 FP: OneDrive setup 2020-02-26 09:26:19 +01:00
Tom Georgen
74f3fe70cc
fix missing status & description in status field 2020-02-25 16:30:41 -05:00
Florian Roth
a152853ac3
Merge pull request #624 from Antonlovesdnb/master 
New rules for Macro Detections
 2020-02-25 15:44:31 +01:00
Antonlovesdnb
e8b861bff4
Update sysmon_susp_winword_vbadll_load.yml 2020-02-25 09:24:29 -05:00
Antonlovesdnb
4c5d489428
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-25 09:23:52 -05:00
Antonlovesdnb
f92e2f2b18
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:23:22 -05:00
Antonlovesdnb
8141b1ae90
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-25 09:22:56 -05:00
Antonlovesdnb
45e4a585bf
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-25 09:22:37 -05:00
Antonlovesdnb
c5b42aeaed
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-25 09:19:03 -05:00
Antonlovesdnb
bb1eecfe14
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:17:33 -05:00
Florian Roth
dd1a0e764c docs: more false positive conditions 2020-02-25 11:13:58 +01:00
Florian Roth
950fa18418 fix: changed titles to avoid duplicates 2020-02-25 11:12:47 +01:00
Florian Roth
5d96f81a84 fix: lowered level due to false positives 2020-02-25 11:12:11 +01:00
ecco
3247d5692a wmiprvse subprocess: add fallback check on username instead of only logonid 2020-02-24 09:25:20 -05:00
ecco
df7356e829 Rule: restore initial behaviour matching single word with spaces on each side 2020-02-24 08:00:06 -05:00
ecco
aa1eff5419 fix FP on rmdir matching dir 2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix 
fix false positive on taskkill.exe not related to service stop at all
 2020-02-24 09:58:33 +01:00
ecco
f807dae69a fix false positive on taskkill.exe not related to service stop at all 2020-02-24 03:03:46 -05:00
ecco
1703b725d3 fix non ascii character in rule 2020-02-24 02:58:34 -05:00
Florian Roth
ab1dda7685 fix: non-ascii rule 2020-02-21 16:21:39 +01:00
Thomas Patzke
61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Antonlovesdnb
9625a94d0b
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-19 14:52:31 -05:00
Antonlovesdnb
6234f72a6c
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-19 14:52:09 -05:00
Antonlovesdnb
328858279f
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-19 14:51:50 -05:00
Antonlovesdnb
1f01fe446f
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-19 14:51:22 -05:00
Antonlovesdnb
6d0805ac13
Update sysmon_susp_winword_vbadll_load.yml 2020-02-19 14:51:00 -05:00
Antonlovesdnb
1e461cb2d1
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-19 14:50:31 -05:00
Antonlovesdnb
56ffa9ec0e
Update sysmon_registry_trust_record_modification.yml 2020-02-19 14:50:09 -05:00
Antonlovesdnb
397cdecb94
5 Rules covering various macro techniques 
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product
 2020-02-19 14:43:13 -05:00
Antonlovesdnb
f8be92dae0
Add files via upload 2020-02-19 10:13:44 -05:00
Florian Roth
6413730810 fix: fixing too restrictive rule 
https://twitter.com/Hexacorn/status/1229702521679118336
 2020-02-18 10:43:22 +01:00
Florian Roth
04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth
cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
yugoslavskiy
7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Thomas Patzke
01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
Wagga
b9c745a1b2 New Koadic detection rule 2020-02-16 16:48:49 +01:00
yugoslavskiy
d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
Thomas Patzke
f118839664 Further fixes and deduplications 
From suggestions of @yugoslavskiy in issue #554.
 2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14 Revert "Moved rules with enrichments into unsupported" 
This reverts commit ba83b8862a.
 2020-02-15 22:52:06 +01:00
Florian Roth
a4c210ed16 rule: remove keywords in powershell rule prone to FPs 2020-02-11 16:26:17 +01:00
Florian Roth
bf98d286f9
Merge pull request #615 from Neo23x0/devel 
fix: dumpert rule with wrong sysmon event id
 2020-02-08 20:03:28 +01:00
Florian Roth
080532d20c
logsource change 
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
 2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524 additional gallium ttp 
sha1 process creation only makes sense for sysmon
 2020-02-07 14:08:40 +00:00
Florian Roth
be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Thomas Patzke
7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
Florian Roth
1a80b180fd
Merge pull request #613 from Neo23x0/devel 
rule: dumpert process dump tool
 2020-02-04 23:07:07 +01:00
Florian Roth
10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth
1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth
535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth
8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke
f59b36d891 Fixed rule 2020-02-02 12:54:56 +01:00
Thomas Patzke
ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c additional execution observed 2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00