Florian Roth
e9fcfcba7f
Improved NetNTLM downgrade rule
2018-03-20 15:03:55 +01:00
Florian Roth
a7eb4d3e34
Renamed rule
2018-03-20 11:12:35 +01:00
Florian Roth
b84bbd327b
Rule: NetNTLM Downgrade Attack
...
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
2018-03-20 11:07:21 +01:00
Florian Roth
a6d293e31d
Improved tscon rule
2018-03-20 10:54:04 +01:00
Florian Roth
8fb6bc7a8a
Rule: Suspicious taskmgr as LOCAL_SYSTEM
2018-03-19 16:36:39 +01:00
Florian Roth
af8be8f064
Several rule updates
2018-03-19 16:36:15 +01:00
Florian Roth
648ac5a52e
Rules: tscon.exe anomalies
...
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
2018-03-17 19:14:13 +01:00
Karneades
49c12f1df8
Add missing binaries
2018-03-16 10:52:43 +01:00
Florian Roth
a257b7d9d7
Rule: Stickykey improved
2018-03-16 09:10:07 +01:00
Florian Roth
0460e7f18a
Rule: Suspicious process started from taskmgr
2018-03-15 19:54:03 +01:00
Florian Roth
f5494c6f5f
Rule: StickyKey-ike backdoor usage
2018-03-15 19:53:34 +01:00
Florian Roth
5ae5c9de19
Rule: Outlook spawning shells to detect Turla like C&C via Outlook
2018-03-10 09:04:11 +01:00
jmallette
aff46be8a3
Create cmdkey recon rule
2018-03-08 13:25:05 -05:00
Thomas Patzke
8ee24bf150
WMI persistence rules derived from blog article
...
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
2018-03-07 23:05:10 +01:00
Thomas Patzke
8041f77abd
Merged similar rules
2018-03-06 23:19:11 +01:00
Thomas Patzke
84645f4e59
Simplified rule conditions with new condition constructs
2018-03-06 23:14:43 +01:00
Florian Roth
1001afb038
Rule: CVE-2015-1641
2018-02-22 16:59:40 +01:00
Florian Roth
25dc3e78be
Lowered severity of rule - prone to false positives
2018-02-22 16:59:11 +01:00
Florian Roth
9020a9aa32
Fixed file names "vuln" > "exploit"
2018-02-22 13:29:19 +01:00
Florian Roth
5d763581fa
Adding status "experimental" to that rule
2018-02-22 13:28:01 +01:00
Florian Roth
0be687d245
Rule: Detect CVE-2017-0261 exploitation
2018-02-22 13:27:20 +01:00
Florian Roth
fa4dbc0f2e
Rule: QuarksPwDump temp dump file
2018-02-10 15:25:36 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Florian Roth
aca70e57ec
Massive Title Cleanup
2018-01-27 10:57:30 +01:00
Florian Roth
285f5bab4f
Removed duplicate string
2017-12-11 09:31:54 +01:00
Florian Roth
78854b79c4
Rule: System File Execution Location Anomaly
2017-11-27 14:09:22 +01:00
Florian Roth
93fbc63691
Rule to detect droppers exploiting CVE-2017-11882
2017-11-23 00:58:31 +01:00
Florian Roth
59e5b3b999
Sysmon: Named Pipe detection for APT malware
2017-11-06 14:24:42 +01:00
Florian Roth
37cea85072
Rundll32.exe suspicious network connections
2017-11-04 14:44:30 +01:00
Thomas Patzke
720c992573
Dropped within keyword
...
Covered by timeframe attribute.
Fixes issue #26 .
2017-10-30 00:25:56 +01:00
Thomas Patzke
27227855b5
Merge branch 'devel-sigmac'
2017-10-29 23:59:49 +01:00
Thomas Patzke
012cb6227f
Added proper handling of null/not null values
...
Fixes issue #25
2017-10-29 23:57:39 +01:00
Florian Roth
b7e8000ccb
Improved Office Shell rule > added 'schtasks.exe'
2017-10-25 23:53:45 +02:00
Thomas Patzke
d7c659128c
Removed unneeded array
2017-10-18 15:12:29 +02:00
Florian Roth
deea224421
Rule: New RUN Key Pointing to Suspicious Folder
2017-10-17 16:19:56 +02:00
Florian Roth
00baa4ed40
Executables Started in Suspicious Folder
2017-10-14 23:23:04 +02:00
Florian Roth
358d1ffba0
Executables Started in Suspicious Folder
2017-10-14 23:22:20 +02:00
Florian Roth
20f9dbb31c
CVE-2017-8759 - Winword.exe > csc.exe
2017-09-15 15:49:56 +02:00
Thomas Patzke
986c9ff9b7
Added field names to first rules
2017-09-12 23:54:04 +02:00
Thomas Patzke
68cb5e8921
Merge pull request #45 from secman-pl/patch-1
...
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
2017-09-10 22:52:37 +02:00
Florian Roth
bfe8378455
Rule: Suspicious svchost.exe process
2017-08-31 11:07:45 +02:00
secman-pl
9768f275d0
Update sysmon_susp_regsvr32_anomalies
...
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe.
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
2017-08-29 12:21:47 +02:00
Florian Roth
f3f2c14b3a
Added reference to regsvr32 rule
2017-08-29 08:45:29 +02:00
Florian Roth
55f4c37e22
Rule: Microsoft Binary Github Communication
2017-08-24 18:27:40 +02:00
Hans-Martin Münch
09e754a8f9
Small Typo fix
2017-08-22 10:56:25 +02:00
Florian Roth
59821d1bcb
Office Shell: Reference added to new entry
2017-08-22 10:04:22 +02:00
Florian Roth
8f4a780c3b
Added regsvr32.exe to suspicious child processes
2017-08-20 23:14:41 +02:00
Thomas Patzke
4578756cfd
Merge remote-tracking branch 'origin/master'
2017-08-05 00:35:24 +02:00
Thomas Patzke
03985288f6
Removed 'last' from timeframe
2017-08-05 00:32:24 +02:00
Florian Roth
edb52e098a
Extended hh.exe in Office Shell detection
...
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
2017-08-04 09:18:55 +02:00
Thomas Patzke
5706361464
Parsing of "near ... within" aggregation operator
...
* Operator is only parsed. No processing or passing of parsed data to
backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
2017-08-03 00:05:48 +02:00
Thomas Patzke
f768bf3d61
Fixed parse errors
2017-08-02 22:49:15 +02:00
Thomas Patzke
84418d2045
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule
2017-08-02 00:04:28 +02:00
Florian Roth
cdf0894e6a
Corrected error in certutil rules (-f means force overwrite, not file)
...
> the -urlcache is the relevant command
2017-07-20 12:54:55 -06:00
Florian Roth
3a55b31da2
certutil file download - more generic approach
2017-07-20 12:48:47 -06:00
Florian Roth
b85d96e458
certutil detections (renamed, extended)
...
see https://twitter.com/subTee/status/888102593838362624
2017-07-20 12:38:10 -06:00
Florian Roth
8f525d2f01
Wannacry Rules Reorg and Renaming
2017-06-28 09:08:53 +02:00
Florian Roth
576981820b
Moved PlugX rule & used builtin ID 4688 for another rule
2017-06-12 11:02:49 +02:00
Florian Roth
371b41acd9
Improved regsvr32.exe whitelisting bypass rule
...
thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
2017-06-07 13:46:36 +02:00
Florian Roth
e5ad1b2f84
Improved regsvr32 whitelisting bypass rule
2017-06-07 12:02:55 +02:00
Florian Roth
1fd7a92e87
Regsvr32.exe anomalies (bugfix and new selection)
2017-06-07 11:43:25 +02:00
Florian Roth
0c222134b9
Extended malware script dropper rule
2017-05-25 14:59:16 +02:00
Florian Roth
0685e297c8
Improved Suspicious Net.exe Execution Rule
2017-05-25 12:44:56 +02:00
Florian Roth
6ad5f82248
Corrected rule
2017-05-25 12:06:23 +02:00
dimi
0b8c82b75b
1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading
...
2) correct typo in dns server rule
2017-05-15 20:58:31 +02:00
Florian Roth
75e55d647b
Fixed and added strings
2017-05-13 18:33:51 +02:00
Florian Roth
46643324a8
Wannacrypt Update
2017-05-13 10:40:41 +02:00
Florian Roth
c40c592fb5
Changed rule as "m.vbs" isn't stable
2017-05-13 08:32:30 +02:00
Florian Roth
7c56992de5
Reference in WannaCrypt rule
2017-05-12 23:02:13 +02:00
Florian Roth
b7837d4cdb
Fixed WannaCrypt rule
2017-05-12 22:32:40 +02:00
Florian Roth
5cdb2b013b
WannaCrypt Ransomware
2017-05-12 21:57:53 +02:00
Florian Roth
16ac2337a4
Suspicious DNS Server Config Error - Sysmon Rule
2017-05-08 13:39:50 +02:00
Florian Roth
c7cc2a00d3
WScript/CScript Dropper
2017-05-05 17:30:46 +02:00
Florian Roth
a5c3f424c1
regsvr32 Anomalies
2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b
Minor fix > list to single value
2017-04-16 12:01:03 +02:00
Florian Roth
8363b25888
Suspicious Control Panel DLL Load
2017-04-15 23:32:26 +02:00
Florian Roth
89e43c1059
Improved MSHTA rule
2017-04-13 09:25:34 +02:00
Florian Roth
059cfbf15a
Removed duplicate
2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df
MSHTA Rule v1
2017-04-13 01:08:37 +02:00
Florian Roth
92b4a7ad93
Added reference
2017-04-07 15:42:08 +02:00
Florian Roth
0650aa3cbe
Rule: Suspicious cmd.exe combo with http and AppData
2017-04-03 10:41:10 +02:00
Florian Roth
fa90fb2fed
Improved WMIC process call create rule
2017-03-29 22:11:05 +02:00
Florian Roth
e6a81623a8
PowerShell Combo - False Positive with MOM
2017-03-29 22:10:28 +02:00
Florian Roth
f91f813b3f
Improved certutil.exe rules
2017-03-27 22:30:26 +02:00
Florian Roth
b0c8ffb051
Combined vssadmin rule
2017-03-26 01:27:26 +01:00
Florian Roth
800262a738
Renamed and double removed
2017-03-26 01:27:08 +01:00
Michael Haag
5ea6fad999
net.exe and wmic.exe
...
Suspicious execution of net and wmic
2017-03-25 06:48:23 -07:00
Florian Roth
10ee36f26c
Updated Eventvwr UAC evasion
2017-03-22 14:40:55 +01:00
Florian Roth
3bfa9ed121
Bugfix: Minor fix cause Sysmon uses SID as Software key
2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32
Bugfix: Fixed UAC bypass rules
2017-03-21 10:42:22 +01:00
Florian Roth
f9be5b99ad
Rule: Suspicious task creation description changed
2017-03-21 10:23:53 +01:00
Florian Roth
6f38a44ec1
Broader definition certutil.exe rule
2017-03-20 22:07:04 +01:00
Florian Roth
2817ea2605
Bugfix in UAC Rule
2017-03-19 19:46:19 +01:00
Florian Roth
b2c15c2cf7
Rule: UAC bypass via eventvwr, minor changes
2017-03-19 19:34:06 +01:00
Florian Roth
c82da0dc5c
Rules: Suspicious locations and back connect ports
2017-03-19 15:22:27 +01:00
Thomas Patzke
56f415e42c
Fixed rule
2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb
Create sysmon_sdclt_uac_bypass.yml
...
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ . Sorry in advance for not being 100% about the sysmon event ids / fields
2017-03-17 14:31:26 -04:00
Florian Roth
3a7652fff9
Added references to rule
2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc
Rule: Vssadmin / NTDS.dit activity
2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5
Rule: Windows recon activity
2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2
Rule: Suspicious PowerShell parent image combination
2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7
Renamed and removed double space
2017-03-16 18:58:32 +01:00
Florian Roth
cb683a6b56
Rule: Suspicious executions in web folders / non-exe folders
2017-03-13 23:56:06 +01:00
Florian Roth
c571848e9b
Rule: Scheduled task creation
2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0
Reduced to user accounts
2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8
Restrict rule to non-private IP ranges only
2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5
Rule: Suspicious PowerShell Parameter Substring
2017-03-13 17:23:25 +01:00
Florian Roth
85c298c43c
Bugfix in rule
2017-03-13 15:09:48 +01:00
Florian Roth
606d74546a
Rule: PowerShell with network connections
2017-03-13 13:57:41 +01:00
Florian Roth
a0047f7c67
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
Florian Roth
4470c2f893
PowerShell Suspicious Invocation > Sysmon
2017-03-12 17:11:05 +01:00
Florian Roth
d6957f1c2e
Merge pull request #10 from MHaggis/master
...
Sysmon
2017-03-09 08:05:22 +01:00
Michael Haag
c5f05dd829
bitsadmin & VSSAdmin
...
+Bitsadmin download
+VSSAdmin delete
2017-03-08 22:49:35 -08:00
Florian Roth
7b815ef3e5
Sysmon PowerShell - Suspicious Param Combination
2017-03-05 23:51:39 +01:00
Florian Roth
12535417d9
Typo
2017-03-05 01:47:37 +01:00
Michael Haag
a3cd7123a8
wscript/cscript
...
WSF, JSE, JS, VBA and VBE file execution
2017-03-04 14:40:34 -08:00
Michael Haag
4ac5d86479
mshta shells
...
🐚 for all!
2017-03-04 14:33:09 -08:00
Michael Haag
1317fe9df2
Modifications
...
+ Added Sysmon detection of Office binaries spawning Windows shells
+ Additional web servers added for webshell detection
2017-03-04 14:22:44 -08:00
Florian Roth
a9d6295791
Rule: Sysmon Malware Shellcode in Verclsid Process
2017-03-04 10:38:23 +01:00
Florian Roth
15e61a9681
Rule: Certutil Decode in AppData
2017-03-02 11:28:34 +01:00
Florian Roth
b6459a00ab
Two new Sysmon rules for Office Macro/PS detection
2017-03-02 11:06:53 +01:00
Florian Roth
8559837aab
Removed Sysmon EventLog from selection > via 'logsource'
2017-03-02 11:06:20 +01:00
Florian Roth
b4f2a74371
Proposed changes to mimimkatz-inmemory aggregation
2017-03-01 10:16:43 +01:00
Thomas Patzke
15c6f9411b
Rule review
...
* Typos
* Added false positive descriptions
2017-02-24 23:44:42 +01:00
Florian Roth
52d04e52ac
Removed lists from log source section
2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0
Sysmon rules 'logsource' change
2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff
Added "logsource" sections and new rule
2017-02-19 00:31:59 +01:00
Florian Roth
18fd63f6b7
Levels to low, medium, high, critical
2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d
Rule review and cleanup
...
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
OR linkage would cause wrong result.
2017-02-15 23:53:08 +01:00
Florian Roth
a6173df0b9
LSASS Remote Thread Update
2017-02-12 16:33:09 +01:00
Florian Roth
04ea201817
New rules and cleanup
2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5
Renamed rule files, new rules
2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5
Moved rules to a separate directory
2017-02-07 00:44:40 +01:00