Commit Graph

662 Commits

Author SHA1 Message Date
Jonhnathan
2e139b4264
Update win_protected_storage_service_access.yml 2021-05-22 00:57:25 -03:00
Jonhnathan
085218b25a
Update Threat Hunter Playbook Reference 2021-05-22 00:57:01 -03:00
Jonhnathan
3fb5f1c47e
Update Threat Hunter Playbook Reference 2021-05-22 00:56:32 -03:00
Jonhnathan
943e2c8c88
Update Threat Hunter Playbook Reference 2021-05-22 00:56:03 -03:00
Jonhnathan
9765fcbd0c
Update Threat Hunter Playbook Reference 2021-05-22 00:55:29 -03:00
Jonhnathan
e23147111b
Update Threat Hunter Playbook Reference 2021-05-22 00:54:57 -03:00
Florian Roth
a0efd7a4dc
Merge pull request #1494 from Karneades/patch-1
Add keyword WinRM to remote powershell rules
2021-05-21 10:35:18 +02:00
Andreas Hunkeler
d8ec5fa6af
Add modified field in WinRM rule 2021-05-21 09:28:45 +02:00
Florian Roth
a30391f3b4
Merge pull request #1495 from SigmaHQ/rule-devel
rule refactoring: Cobalt Strike service start
2021-05-20 17:43:29 +02:00
Andreas Hunkeler
b46f65965d
Add keyword WinRM to remote powershell network rule 2021-05-20 17:02:17 +02:00
Florian Roth
ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
frack113
cccfb3e59e file_event is a category 2021-05-12 09:05:52 +02:00
Florian Roth
7d7f8c90ec
Merge pull request #1443 from icthieves/patch-3
Update win_scm_database_privileged_operation.yml
2021-05-11 15:00:20 +02:00
Florian Roth
980ea97217
Merge pull request #1444 from icthieves/patch-2
Update win_scm_database_handle_failure.yml
2021-05-11 15:00:09 +02:00
Florian Roth
384f40aa5b
Merge pull request #1464 from d4rk-d4nph3/master
Added rule for Moriya rootkit
2021-05-06 18:15:53 +02:00
Florian Roth
453fa0f299
Update win_moriya_rootkit.yml 2021-05-06 15:24:21 +02:00
Florian Roth
79c11a5cba
Update win_moriya_rootkit.yml 2021-05-06 14:59:28 +02:00
Bhabesh Rai
e5f95cac0c Added rule for Moriya rootkit 2021-05-06 17:29:20 +05:45
phantinuss
254a3bb122
new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
Ian Thieves
65294d97c4
Update win_scm_database_handle_failure.yml
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
2021-04-26 11:28:16 -07:00
Ian Thieves
8efa10465e
Update win_scm_database_privileged_operation.yml
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
2021-04-26 11:25:16 -07:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
Josh Brower
dfc1218e6a
false positive - added Azure AD Connect 2021-04-20 08:24:38 -04:00
Josh Brower
2486a85a1f
Added MS Threat Docs for 4616 to references 2021-04-19 08:15:42 -04:00
Florian Roth
7039209a7a
Merge pull request #1425 from SigmaHQ/rule-devel
refactor: tightened filter
2021-04-19 11:32:02 +02:00
Florian Roth
53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00
Florian Roth
941d47bc28
Merge pull request #1416 from sycophantic/master
Remove extra spaces
2021-04-15 13:20:49 +02:00
Steven
a8d8165541 Yet another syntax fix 2021-04-15 09:25:04 +02:00
Steven
9f5e8a02a4 Fix parse errors 2021-04-15 02:46:41 +02:00
Steven
8301b9c221 Fix selection vs selection_1 in rule files 2021-04-15 02:41:04 +02:00
Steven
ecbd730dad Fix syntax errors in some rules 2021-04-15 02:07:43 +02:00
Steven
d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven
850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Roberto Rodriguez
db0e969121 HybridConnectionMgr Service Activity 2021-04-12 16:26:15 -04:00
Florian Roth
4abebd98d9
Merge pull request #1418 from SigmaHQ/rule-devel
Fixing false positives with newest OSCD rules
2021-04-09 17:26:02 +02:00
Florian Roth
65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Thomas Patzke
3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
sycophantic
86b9652086 Remove extra spaces 2021-04-08 13:57:21 -04:00
Thomas Patzke
a10db2df89 Fixes&improvements 2021-04-08 01:06:40 +02:00
Thomas Patzke
d1de168295 Merge branch 'oscd' 2021-04-06 00:05:35 +02:00
Florian Roth
48265ad71a
Merge pull request #1398 from SigmaHQ/rule-devel
MSExchange Management log mapping, some fixes
2021-03-20 17:21:31 +01:00
Florian Roth
525f4b6a6b
Merge pull request #1388 from Cyb3rPandaH/master
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
2021-03-20 08:53:04 +01:00
Florian Roth
334dd9a058
Update win_set_oabvirtualdirectory_externalurl.yml 2021-03-20 08:34:02 +01:00
Florian Roth
dd4a1ac393 fix: prone to FPs - use is unclear
https://regex101.com/r/tss5TZ/1
2021-03-18 16:44:49 +01:00
Florian Roth
d30e87d543 fix: lsass access - FPs with AV / EDR software 2021-03-18 09:04:03 +01:00
Cyb3rPandaH
f138a27426 CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
2021-03-15 00:33:47 -04:00
Florian Roth
78004cc29c fix: condition contains - values without 0x 2021-03-10 18:56:05 +01:00
Florian Roth
29dec7dd8b fix: FPs with LSASS Access from Non System Account 2021-03-10 18:51:27 +01:00
Anton Kutepov
f461becc58 Added missed changes in win_net_ntlm_downgrade and merged duplicate rules 2021-03-02 23:34:34 +03:00
Anton Kutepov
3f45269296 Merge branch 'oscd'
B
B
B
B
A
2021-03-02 22:58:41 +03:00