valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,096 Commits 20 Branches 25 Tags 21 MiB
2f533c54b3
Commit Graph

474 Commits

Author SHA1 Message Date
juju4
d2ae98b0de tentative rule to detect admin users interactive login 2017-08-13 16:18:58 -04:00
juju4
21b1c52d1e forfiles, bash detection 2017-08-13 16:18:13 -04:00
Thomas Patzke
4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke
03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Florian Roth
edb52e098a Extended hh.exe in Office Shell detection 
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
 2017-08-04 09:18:55 +02:00
Thomas Patzke
d17604d007 Merge branch 'master' into travis-test 2017-08-03 00:11:08 +02:00
Thomas Patzke
5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
 2017-08-03 00:05:48 +02:00
Thomas Patzke
167b1f0191 Merge branch 'master' into travis-test 2017-08-02 22:53:52 +02:00
Thomas Patzke
f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke
bfcc119a7f Merge branch 'master' into travis-test 2017-08-02 00:37:07 +02:00
Thomas Patzke
b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00
Thomas Patzke
84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Thomas Patzke
c350a90b21 Merge branch 'master' into rules-juju4 2017-08-01 23:55:53 +02:00
juju4
5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4
5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4
31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4
3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4
fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4
83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4
f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth
d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00
Florian Roth
cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth
3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth
b85d96e458 certutil detections (renamed, extended) 
see https://twitter.com/subTee/status/888102593838362624
 2017-07-20 12:38:10 -06:00
Florian Roth
950a00f33e Updated Petya rule 2017-06-28 12:52:58 +02:00
Florian Roth
ece1d7e3a8 Added perfc.dat keyword to NotPetya rule 2017-06-28 10:35:42 +02:00
Florian Roth
a3e0e37163 NotPetya Title Fixed 2017-06-28 09:12:39 +02:00
Florian Roth
8c437de970 NotPetya Sigma Rule for Sysmon Events 2017-06-28 09:09:12 +02:00
Florian Roth
8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00
Florian Roth
3f245d27f8 Eventlog cleared ID 104 2017-06-27 17:29:39 +02:00
Thomas Patzke
7fdc78c8bf Merge pull request #36 from dim0x69/master 
rule to detect mimikatz lsadump::changentlm and lsadump::setntlm
 2017-06-19 15:32:56 +02:00
Florian Roth
d1f1bd59da Changed level of PsExec events to 'low' 2017-06-17 08:50:16 +02:00
Thomas Patzke
a4c9e24380 File renaming while deletion with SDelete 2017-06-14 16:55:32 +02:00
Thomas Patzke
8c06a5d83f Access to wceaux.dll while WCE pass-the-hash login on source host 2017-06-14 15:59:45 +02:00
Thomas Patzke
4fcdcc3967 Added rule for PsExec 2017-06-12 23:57:06 +02:00
Florian Roth
576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Thomas Patzke
91b3c39c0d Amended condition 
Changed condition according to proposed syntax for related event matching (#4)
 2017-06-11 23:54:19 +02:00
dimi
ac95e372e5 clarification: if executed locally there is no connection to the samr pipe on IPC$. So this rule detects remote changes 2017-06-09 14:15:37 +02:00
dimi
a2a2366dfb rule to detect mimikatz lsadump::changentlm and lsadump::setntlm 2017-06-09 14:05:40 +02:00
Florian Roth
371b41acd9 Improved regsvr32.exe whitelisting bypass rule 
thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
 2017-06-07 13:46:36 +02:00
Florian Roth
e5ad1b2f84 Improved regsvr32 whitelisting bypass rule 2017-06-07 12:02:55 +02:00
Florian Roth
1fd7a92e87 Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 11:43:25 +02:00
Florian Roth
5dd3d4dd57 Generic Hacktool Use Rule 2017-05-31 08:42:35 +02:00
Florian Roth
0c222134b9 Extended malware script dropper rule 2017-05-25 14:59:16 +02:00
Florian Roth
0685e297c8 Improved Suspicious Net.exe Execution Rule 2017-05-25 12:44:56 +02:00
Florian Roth
ae4cab6783 Corrected - no lists needed 2017-05-25 12:07:11 +02:00
Florian Roth
6ad5f82248 Corrected rule 2017-05-25 12:06:23 +02:00
dimi
0b8c82b75b 1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading 
2) correct typo in dns server rule
 2017-05-15 20:58:31 +02:00
Florian Roth
01e1d3a3d7 WannaCry Service Install 2017-05-15 16:06:16 +02:00
Florian Roth
75e55d647b Fixed and added strings 2017-05-13 18:33:51 +02:00
Florian Roth
46643324a8 Wannacrypt Update 2017-05-13 10:40:41 +02:00
Florian Roth
c40c592fb5 Changed rule as "m.vbs" isn't stable 2017-05-13 08:32:30 +02:00
Florian Roth
7c56992de5 Reference in WannaCrypt rule 2017-05-12 23:02:13 +02:00
Florian Roth
d35b6c0353 Backup catalog deletion rule 2017-05-12 23:00:56 +02:00
Florian Roth
b7837d4cdb Fixed WannaCrypt rule 2017-05-12 22:32:40 +02:00
Florian Roth
1ab3c746c1 Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-05-12 21:59:43 +02:00
Florian Roth
5cdb2b013b WannaCrypt Ransomware 2017-05-12 21:57:53 +02:00
Florian Roth
0b541b2689 Suspicious Windows Process Creations Update 2017-05-12 21:55:30 +02:00
Thomas Patzke
300dbe8f3e Fixed condition 
AND has higher precedence than OR.
 2017-05-09 23:12:02 +02:00
Florian Roth
565c51e5be Removed "1 of" expression (no bug, but cleaner) 2017-05-09 22:58:42 +02:00
Florian Roth
a6678e199b Microsoft Malware Protection Engine Crash - ref CVE-2017-0290 2017-05-09 22:46:57 +02:00
Florian Roth
96deef7d34 Updated sigma signature 2017-05-08 21:25:07 +02:00
Florian Roth
16ac2337a4 Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 13:39:50 +02:00
Florian Roth
75e58b8142 Bugfix and date 2017-05-08 13:10:40 +02:00
Florian Roth
263c98a2c8 Suspicious DNS Server Config Error - ServerLevelPluginDLL issue 2017-05-08 13:09:50 +02:00
Florian Roth
c7cc2a00d3 WScript/CScript Dropper 2017-05-05 17:30:46 +02:00
Florian Roth
dc4ae35be1 Schtasks frequency - minute 2017-04-28 17:03:35 +02:00
Florian Roth
a5c3f424c1 regsvr32 Anomalies 2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b Minor fix > list to single value 2017-04-16 12:01:03 +02:00
Florian Roth
8363b25888 Suspicious Control Panel DLL Load 2017-04-15 23:32:26 +02:00
Florian Roth
89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth
d66c97921f Bugfix in rule 2017-04-13 01:22:03 +02:00
Florian Roth
059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth
64caa8aedc Merge pull request #31 from neu5ron/patch-4 
Create win_alert_ad_user_backdoors.yml
 2017-04-13 01:07:41 +02:00
Florian Roth
1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving 
improved win_pass_the_hash.yml rule
 2017-04-13 01:05:09 +02:00
Nate Guagenti
53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth
abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth
92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
yugoslavskiy
f83d0e36b8 improved win_pass_the_hash.yml rule 
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
 2017-04-04 02:57:58 +03:00
Nate Guagenti
2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Nate Guagenti
85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti
bd63d74776 Create win_alert_enable_weak_encryption.yml 
kerberoast and enabling weak encryption for password/hash cracking
 2017-04-03 09:12:58 -04:00
Florian Roth
0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth
fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth
e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth
f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth
078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth
707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth
125bf4f3f2 Rule adjustment 
Added wilcards cause the field can contain a full path
 2017-03-26 23:41:38 +02:00
Florian Roth
53cc80c8f4 Windows Supicious Process Creation 
- Bugfix in selection name
- New keyword expressions
 2017-03-26 23:25:47 +02:00
Florian Roth
b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth
800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Florian Roth
c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Michael Haag
5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Florian Roth
699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth
d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth
10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth
fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Florian Roth
3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth
7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Florian Roth
f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth
055992eb05 Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00
Florian Roth
6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Florian Roth
2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth
b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth
c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke
889315c960 Changed values with placeholders to quoted strings 
Values beginning with % cause YAML parse error
 2017-03-18 23:05:16 +01:00
Thomas Patzke
56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00
Florian Roth
59499f926e Bugfix: Taskscheduler log source definition 2017-03-17 16:09:31 +01:00
Florian Roth
dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth
bcc250e1c7 Added missing description 2017-03-17 08:43:21 +01:00
Florian Roth
e46ecd2aff Rule: Rare scheduled task installs 2017-03-17 08:41:27 +01:00
Florian Roth
3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth
dd558e941c Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth
2e32e1bb43 Rule: User account added to local Administrators 2017-03-14 12:51:50 +01:00
Florian Roth
cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00
Florian Roth
c571848e9b Rule: Scheduled task creation 2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0 Reduced to user accounts 2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8 Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5 Rule: Suspicious PowerShell Parameter Substring 2017-03-13 17:23:25 +01:00
Florian Roth
ff8e3fe584 Merge pull request #9 from iliaselmatani/patch-1 
Create win_pass_the_hash.yml
 2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
IeM
9f5e5a2366 Update win_pass_the_hash.yml 
Added placeholders for WorkstationName to detect network logons between Workstations.
 2017-03-13 16:09:32 +01:00
Florian Roth
85c298c43c Bugfix in rule 2017-03-13 15:09:48 +01:00
Florian Roth
606d74546a Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00
Florian Roth
a0047f7c67 Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
Florian Roth
4470c2f893 PowerShell Suspicious Invocation > Sysmon 2017-03-12 17:11:05 +01:00
Florian Roth
de689c32b5 Suspicious PowerShell Invocation 2017-03-12 17:06:53 +01:00
Florian Roth
d6957f1c2e Merge pull request #10 from MHaggis/master 
Sysmon
 2017-03-09 08:05:22 +01:00
Michael Haag
c5f05dd829 bitsadmin & VSSAdmin 
+Bitsadmin download
+VSSAdmin delete
 2017-03-08 22:49:35 -08:00
IeM
4d5ded46e6 Update win_pass_the_hash.yml 2017-03-08 20:35:26 +01:00
Florian Roth
3507a5e644 Rule: Rare Windows Service Installs 2017-03-08 19:09:34 +01:00
IeM
381b85fd94 Update win_pass_the_hash.yml 
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
 2017-03-08 18:48:06 +01:00
IeM
e4d764ceba Create win_pass_the_hash.yml 
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
 2017-03-08 18:04:31 +01:00
Florian Roth
5484886932 Rule: Windows - Recon Activity (improved) 2017-03-07 13:06:38 +01:00
Florian Roth
fa6f76f276 Rule: Windows - Recon Activity 2017-03-07 12:01:39 +01:00
Florian Roth
aad892c834 Windows Built-In rules > LogSource definition 2017-03-05 23:55:52 +01:00
Florian Roth
16c5192ee9 Windows Malicious Password Dumper Service Installs 2017-03-05 23:52:02 +01:00
Florian Roth
7b815ef3e5 Sysmon PowerShell - Suspicious Param Combination 2017-03-05 23:51:39 +01:00
Florian Roth
294df21c56 Added expression 2017-03-05 22:45:54 +01:00
Florian Roth
7fae49b183 More PowerShell rules 2017-03-05 15:01:51 +01:00
Florian Roth
1e1cf9cb9e PowerShell Rules Revision 2017-03-05 14:14:31 +01:00
Omer Yampel
97b4078d01 Update powershell_malicious_commandlets.yml 
Added https://github.com/putterpanda/mimikittenz reference
 2017-03-04 20:26:39 -05:00
Florian Roth
12535417d9 Typo 2017-03-05 01:47:37 +01:00
Florian Roth
d397ee9f68 First PowerShell Ruleset 2017-03-05 01:47:25 +01:00
Michael Haag
a3cd7123a8 wscript/cscript 
WSF, JSE, JS, VBA and VBE file execution
 2017-03-04 14:40:34 -08:00
Michael Haag
4ac5d86479 mshta shells 
🐚 for all!
 2017-03-04 14:33:09 -08:00
Michael Haag
1317fe9df2 Modifications 
+ Added Sysmon detection of Office binaries spawning Windows shells
+ Additional web servers added for webshell detection
 2017-03-04 14:22:44 -08:00
Florian Roth
a9d6295791 Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00
Florian Roth
15e61a9681 Rule: Certutil Decode in AppData 2017-03-02 11:28:34 +01:00
Florian Roth
b6459a00ab Two new Sysmon rules for Office Macro/PS detection 2017-03-02 11:06:53 +01:00
Florian Roth
8559837aab Removed Sysmon EventLog from selection > via 'logsource' 2017-03-02 11:06:20 +01:00
Florian Roth
b4f2a74371 Proposed changes to mimimkatz-inmemory aggregation 2017-03-01 10:16:43 +01:00
Florian Roth
b1446f9b87 Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00
Thomas Patzke
15c6f9411b Rule review 
* Typos
* Added false positive descriptions
 2017-02-24 23:44:42 +01:00
Thomas Patzke
a4611d6dc6 Added new rules 
From adsecurity.org:

* https://adsecurity.org/?p=1772
* https://adsecurity.org/?p=1714
 2017-02-19 22:43:27 +01:00
Florian Roth
52d04e52ac Removed lists from log source section 2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0 Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00
Thomas Patzke
9a38d6543f Fixed type of condition 2017-02-16 23:49:34 +01:00
Florian Roth
18fd63f6b7 Levels to low, medium, high, critical 2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d Rule review and cleanup 
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
  OR linkage would cause wrong result.
 2017-02-15 23:53:08 +01:00
Florian Roth
a6173df0b9 LSASS Remote Thread Update 2017-02-12 16:33:09 +01:00
Florian Roth
04ea201817 New rules and cleanup 2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5 Renamed rule files, new rules 2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5 Moved rules to a separate directory 2017-02-07 00:44:40 +01:00