Florian Roth
|
8af86fa97e
|
docs: change title and add references
|
2021-04-29 12:33:10 +02:00 |
|
Florian Roth
|
4b86d3f407
|
Merge pull request #1449 from SigmaHQ/rule-devel
Rule devel
|
2021-04-29 12:28:12 +02:00 |
|
Florian Roth
|
3e5f7aeb5e
|
rule: PowerShell Cmdlet Defender Exclusions
|
2021-04-29 09:56:26 +02:00 |
|
Florian Roth
|
161180c357
|
refactor: extended shellshock rule
|
2021-04-28 11:47:24 +02:00 |
|
Florian Roth
|
47504fbd56
|
fix: shellshock expression
|
2021-04-28 11:46:49 +02:00 |
|
BlueTeamOps
|
59d23535ce
|
Update win_lateral_movement.yml
|
2021-04-27 23:03:03 +10:00 |
|
BlueTeamOps
|
793504dd6b
|
Rename win_lateral_movement to win_lateral_movement.yml
|
2021-04-27 22:59:52 +10:00 |
|
BlueTeamOps
|
f75ad98903
|
Create win_lateral_movement
EID 4674 with the proposed attributes is very rare in prod environment.
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
|
2021-04-27 22:55:58 +10:00 |
|
Florian Roth
|
9166167447
|
Merge pull request #1433 from d4rk-d4nph3/master
Added rule for Lazarus activity of Apr 2021
|
2021-04-26 20:34:51 +02:00 |
|
Florian Roth
|
3008e5b9e7
|
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy
Fix typo on CommandLine field
|
2021-04-26 20:33:56 +02:00 |
|
Florian Roth
|
194b0af4d2
|
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas
Fix typo on CommandLine field
|
2021-04-26 20:33:45 +02:00 |
|
Ian Thieves
|
65294d97c4
|
Update win_scm_database_handle_failure.yml
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43
Query should match where SubjectLogonID != "0x3e4"
|
2021-04-26 11:28:16 -07:00 |
|
Ian Thieves
|
8efa10465e
|
Update win_scm_database_privileged_operation.yml
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43
Query should match where SubjectLogonID != "0x3e4"
|
2021-04-26 11:25:16 -07:00 |
|
Florian Roth
|
d24f0b8988
|
feat: generic registry events compatible with native audit logging
|
2021-04-26 09:31:36 +02:00 |
|
Cedric Hien
|
748005fc14
|
Fix typo on CommandLine field
|
2021-04-25 15:52:59 +02:00 |
|
Cedric Hien
|
c580db166c
|
Fix typo on CommandLine field
|
2021-04-25 15:50:44 +02:00 |
|
Florian Roth
|
1ff5e226ad
|
Merge pull request #1436 from SigmaHQ/rule-devel
Rule devel
|
2021-04-23 17:33:07 +02:00 |
|
Florian Roth
|
f2fa8dd956
|
rules: CobaltStrike named pipes
|
2021-04-23 17:16:09 +02:00 |
|
Florian Roth
|
c7ce9154d1
|
Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
|
2021-04-23 16:52:25 +02:00 |
|
Florian Roth
|
a29ac79a3f
|
refactor: extended comsvcs.dll MiniDump rule
|
2021-04-23 16:46:04 +02:00 |
|
Florian Roth
|
6f12a1b099
|
docs: FPs and changed level
|
2021-04-23 16:45:52 +02:00 |
|
Florian Roth
|
1333a95c51
|
rule: get-process lsass
|
2021-04-23 16:44:53 +02:00 |
|
Florian Roth
|
5aed7c80db
|
Merge pull request #1435 from SigmaHQ/rule-devel
fix: FPs with certutil command and McAfee Chromium Container
|
2021-04-23 14:55:31 +02:00 |
|
Florian Roth
|
85582c540e
|
docs: changed modification date
|
2021-04-23 14:55:04 +02:00 |
|
Florian Roth
|
ce03ca9485
|
fix: Jitter keyword prone to FPs
|
2021-04-23 14:54:32 +02:00 |
|
Florian Roth
|
6256261d0e
|
fix: FPs with Certutil and McAfee Chromium Container
|
2021-04-23 12:49:16 +02:00 |
|
Florian Roth
|
64f5af4c45
|
Merge pull request #1432 from SigmaHQ/rule-devel
fix: splunk windows config, additional rule
|
2021-04-23 10:30:44 +02:00 |
|
Florian Roth
|
d5e88d369c
|
fix: fixed rule title
|
2021-04-23 09:51:31 +02:00 |
|
Florian Roth
|
b447e6338f
|
rule: Export-PfxCertificate
|
2021-04-23 09:01:14 +02:00 |
|
Scoubi
|
23791664eb
|
Rename win_Outlook_C2_Macro_Creation.yml to win_Outlook_C2_Registry_Key.yml
Gave the wrong name to the file, this is the correct one.
|
2021-04-21 08:45:15 -04:00 |
|
Scoubi
|
0b7ed7e690
|
Add a space
There was a missing space in `-attack` changed for `- attack`
|
2021-04-20 20:50:20 -04:00 |
|
Scoubi
|
fadb889116
|
Create win_Outlook_C2_Macro_Creation.yml
BEC is for Business Email Compromise (this can be changed)
|
2021-04-20 20:38:20 -04:00 |
|
Scoubi
|
678ce5d528
|
Create win_Outlook_C2_Macro_Creation.yml
Not 100% if this is the best place to put it.
|
2021-04-20 20:34:19 -04:00 |
|
Bhabesh Rai
|
dd391cd0b9
|
Added rule for Lazarus activity of Apr 2021
|
2021-04-20 20:05:51 +05:45 |
|
Josh Brower
|
dfc1218e6a
|
false positive - added Azure AD Connect
|
2021-04-20 08:24:38 -04:00 |
|
Florian Roth
|
68c59850af
|
Merge pull request #1422 from ZikyHD/fix_lnx_system_info_discovery
Fix invalid logsource on lnx_system_info_discovery rule
|
2021-04-20 09:06:54 +02:00 |
|
Florian Roth
|
20c5356c9e
|
Merge pull request #1424 from ZikyHD/fix_process_creation_dotnet
Fix typo on CommandLine
|
2021-04-20 09:06:38 +02:00 |
|
Josh Brower
|
2486a85a1f
|
Added MS Threat Docs for 4616 to references
|
2021-04-19 08:15:42 -04:00 |
|
Florian Roth
|
7039209a7a
|
Merge pull request #1425 from SigmaHQ/rule-devel
refactor: tightened filter
|
2021-04-19 11:32:02 +02:00 |
|
Florian Roth
|
53c6a7c54e
|
refactor: tightened filter
|
2021-04-19 09:30:32 +02:00 |
|
Cedric Hien
|
1d6aec3c25
|
Fix typo on CommandLine
|
2021-04-19 08:20:44 +02:00 |
|
Cedric Hien
|
bbdbab700d
|
Fix invalid logsource on lnx_system_info_discovery rule
|
2021-04-17 12:57:30 +02:00 |
|
Florian Roth
|
941d47bc28
|
Merge pull request #1416 from sycophantic/master
Remove extra spaces
|
2021-04-15 13:20:49 +02:00 |
|
Steven
|
a8d8165541
|
Yet another syntax fix
|
2021-04-15 09:25:04 +02:00 |
|
Steven
|
8703d9f352
|
Remove another reference to hardcoded event ID
|
2021-04-15 03:07:18 +02:00 |
|
Steven
|
9f5e8a02a4
|
Fix parse errors
|
2021-04-15 02:46:41 +02:00 |
|
Steven
|
8301b9c221
|
Fix selection vs selection_1 in rule files
|
2021-04-15 02:41:04 +02:00 |
|
Steven
|
cce8d945a0
|
Clean rule rules/windows/malware/win_mal_octopus_scanner.yml to use category
|
2021-04-15 02:30:41 +02:00 |
|
Steven
|
a9f2a80b8c
|
- Remove duplicate rule
- Fix linux rule (categories -> category)
|
2021-04-15 02:23:08 +02:00 |
|
Steven
|
f57e1a2231
|
Delete .keep file
|
2021-04-15 02:17:36 +02:00 |
|
Steven
|
70b106ef52
|
Fix syntax error
|
2021-04-15 02:11:13 +02:00 |
|
Steven
|
ecbd730dad
|
Fix syntax errors in some rules
|
2021-04-15 02:07:43 +02:00 |
|
Steven
|
d263b937b4
|
Clean-up service: sysmon as it will be replaced by filling the category
|
2021-04-15 02:02:25 +02:00 |
|
Steven
|
7b679cc1f7
|
- Modified rules to use categories instead of hardcoded event IDs
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
|
2021-04-15 01:40:31 +02:00 |
|
Steven
|
850a002840
|
Merge branch 'master' of https://github.com/SigmaHQ/sigma
|
2021-04-15 01:25:48 +02:00 |
|
Roberto Rodriguez
|
db0e969121
|
HybridConnectionMgr Service Activity
|
2021-04-12 16:26:15 -04:00 |
|
Florian Roth
|
ce0111aa6a
|
fix: FP with Proxy Execution via Wuauclt
|
2021-04-12 08:47:29 +02:00 |
|
Florian Roth
|
4abebd98d9
|
Merge pull request #1418 from SigmaHQ/rule-devel
Fixing false positives with newest OSCD rules
|
2021-04-09 17:26:02 +02:00 |
|
Florian Roth
|
897da252f1
|
fix: missing new line placeholder escape
|
2021-04-09 16:45:07 +02:00 |
|
Florian Roth
|
65a11dde52
|
fix: rules causing too many false positives
|
2021-04-09 15:55:14 +02:00 |
|
Thomas Patzke
|
08ca62cc88
|
Merge branch 'master' of https://github.com/SigmaHQ/sigma
|
2021-04-08 23:27:45 +02:00 |
|
Thomas Patzke
|
3fef2a10b8
|
Merge branch 'pr-1158'
|
2021-04-08 23:01:54 +02:00 |
|
sycophantic
|
86b9652086
|
Remove extra spaces
|
2021-04-08 13:57:21 -04:00 |
|
Thomas Patzke
|
a10db2df89
|
Fixes&improvements
|
2021-04-08 01:06:40 +02:00 |
|
Florian Roth
|
00f01ea57f
|
Merge branch 'master' into rule-devel
|
2021-04-07 21:17:51 +02:00 |
|
Vasiliy Burov
|
e73e27e44f
|
Update win_hack_rubeus.yml
Added commandline parameters for constrained delegation abuse and for hashes calculation
|
2021-04-06 20:18:54 +03:00 |
|
Thomas Patzke
|
42cf81478b
|
Merge pull request #1412 from defensivedepth/patch-1
Clean up: Webshell ReGeorg Detection
|
2021-04-06 00:35:35 +02:00 |
|
Thomas Patzke
|
d1de168295
|
Merge branch 'oscd'
|
2021-04-06 00:05:35 +02:00 |
|
Josh Brower
|
af09dd8e3c
|
Clean up: Webshell ReGeorg Detection
|
2021-04-05 13:01:10 -04:00 |
|
Thomas Patzke
|
b1b0240692
|
Fixes
|
2021-04-03 23:21:13 +02:00 |
|
Thomas Patzke
|
90efe974b8
|
Fixes and improvements
|
2021-04-03 00:08:55 +02:00 |
|
phantinuss
|
4934f80601
|
fix: FP tuning for IIS Express and making use of value modifiers
|
2021-04-01 14:37:20 +02:00 |
|
phantinuss
|
8b4234de3b
|
refactor: make use of value modifiers
|
2021-04-01 14:37:17 +02:00 |
|
phantinuss
|
794865c79d
|
fix: adding filter to condition and reintroducing the users folder constraint
|
2021-04-01 14:37:17 +02:00 |
|
phantinuss
|
43be8c8cba
|
refactor: make use of value modifiers
|
2021-04-01 14:37:16 +02:00 |
|
phantinuss
|
bd5ba2ae01
|
fix: adding only as a known false positive as it cannot be filtered out in a generic and public way
|
2021-04-01 14:37:15 +02:00 |
|
phantinuss
|
65bc62d401
|
fix: adding filter out for CamMute.exe
|
2021-04-01 14:37:14 +02:00 |
|
phantinuss
|
2cab121c71
|
refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap
|
2021-04-01 14:37:13 +02:00 |
|
phantinuss
|
109b7890db
|
fix: taking windows security 4688 events into account for filter out
|
2021-04-01 14:36:57 +02:00 |
|
Florian Roth
|
428db0c74a
|
Merge pull request #1382 from d4rk-d4nph3/master
Added rule for CVE-2021-21978 in VMware View Planner
|
2021-03-29 11:22:56 +02:00 |
|
Florian Roth
|
b296c643de
|
Merge pull request #1346 from blueteam0ps/patch-3
Added win_ad_find_discovery.yml
|
2021-03-29 11:20:49 +02:00 |
|
BlueTeamOps
|
6ef5f0a0a2
|
Added detection for Dumpert
-Dumpert based LSASS dump using DLL
-Dumpert.exe detection
|
2021-03-27 07:34:05 +11:00 |
|
BlueTeamOps
|
8916459bab
|
Added additional CS signatures
|
2021-03-25 22:44:24 +11:00 |
|
Florian Roth
|
6b0f66e876
|
refactor: change level
|
2021-03-24 12:38:00 +01:00 |
|
Florian Roth
|
6d9fc65585
|
fix: FPs with www6
|
2021-03-24 12:37:35 +01:00 |
|
Florian Roth
|
a465f2722f
|
refactor: CobaltStrike beacon rule
|
2021-03-24 11:29:05 +01:00 |
|
Florian Roth
|
48265ad71a
|
Merge pull request #1398 from SigmaHQ/rule-devel
MSExchange Management log mapping, some fixes
|
2021-03-20 17:21:31 +01:00 |
|
Florian Roth
|
525f4b6a6b
|
Merge pull request #1388 from Cyb3rPandaH/master
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
|
2021-03-20 08:53:04 +01:00 |
|
Florian Roth
|
e47ee24889
|
Merge branch 'master' into rule-devel
|
2021-03-20 08:52:55 +01:00 |
|
Florian Roth
|
334dd9a058
|
Update win_set_oabvirtualdirectory_externalurl.yml
|
2021-03-20 08:34:02 +01:00 |
|
Florian Roth
|
33af006479
|
Merge pull request #1389 from ZikyHD/patch_win_susp_wuauclt
Fix ProcessCommandLine field
|
2021-03-20 08:29:23 +01:00 |
|
Florian Roth
|
01fcfd4f76
|
Merge pull request #1390 from ZikyHD/patch_win_proc_wrong_parent
Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)
|
2021-03-20 08:29:09 +01:00 |
|
Florian Roth
|
2472926c48
|
Merge pull request #1391 from ZikyHD/patch_win_etw_trace_evasion
Fix win_etw_trace_evasion rule
|
2021-03-20 08:28:51 +01:00 |
|
Florian Roth
|
dd4a1ac393
|
fix: prone to FPs - use is unclear
https://regex101.com/r/tss5TZ/1
|
2021-03-18 16:44:49 +01:00 |
|
Florian Roth
|
6b2bcd3d87
|
Merge pull request #1395 from SigmaHQ/rule-devel
Rule devel
|
2021-03-18 10:52:02 +01:00 |
|
Florian Roth
|
d30e87d543
|
fix: lsass access - FPs with AV / EDR software
|
2021-03-18 09:04:03 +01:00 |
|
Florian Roth
|
92510e2507
|
extended Exchange post-exploitation rule
|
2021-03-17 18:01:45 +01:00 |
|
Florian Roth
|
943f8513e2
|
Merge pull request #1393 from SigmaHQ/rule-devel
Rule devel
|
2021-03-16 16:35:55 +01:00 |
|
Florian Roth
|
bfc99996b5
|
fix: Bug in rule condition
|
2021-03-16 16:35:21 +01:00 |
|
Florian Roth
|
32adf0c3ce
|
fix: prone to FPs
|
2021-03-16 15:52:35 +01:00 |
|
zikyhd
|
e91822e070
|
Fix win_etw_trace_evasion rule
|
2021-03-15 15:02:18 +01:00 |
|
Cedric HIEN
|
864973888e
|
Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)
|
2021-03-15 12:07:05 +01:00 |
|
Cedric HIEN
|
e4f24f4e1f
|
Fix ProcessCommandLine field
|
2021-03-15 11:56:19 +01:00 |
|
Florian Roth
|
310888bae7
|
Merge pull request #1386 from SigmaHQ/rule-devel
Rule devel
|
2021-03-15 10:52:57 +01:00 |
|
Florian Roth
|
70f9480ec5
|
fix: wrong field name
|
2021-03-15 08:14:43 +01:00 |
|
Cyb3rPandaH
|
f138a27426
|
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
|
2021-03-15 00:33:47 -04:00 |
|
Florian Roth
|
a0b034aa2b
|
fix: better exclusion
|
2021-03-13 09:09:43 +01:00 |
|
Florian Roth
|
145c3bc2ca
|
refactor: more hafnium indicators
|
2021-03-13 09:07:58 +01:00 |
|
Florian Roth
|
69ee1cece2
|
fix: FPs
|
2021-03-13 09:07:44 +01:00 |
|
Florian Roth
|
48da4e1314
|
Update win_apt_hafnium.yml
|
2021-03-11 13:55:31 +01:00 |
|
Florian Roth
|
9084fc4fa7
|
Update on HAFNIUM rule
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
|
2021-03-11 13:38:07 +01:00 |
|
Florian Roth
|
27fef60ace
|
Merge pull request #1383 from SigmaHQ/rule-devel
fix: FPs with LSASS Access from Non System Account
|
2021-03-10 18:59:29 +01:00 |
|
Florian Roth
|
78004cc29c
|
fix: condition contains - values without 0x
|
2021-03-10 18:56:05 +01:00 |
|
Florian Roth
|
29dec7dd8b
|
fix: FPs with LSASS Access from Non System Account
|
2021-03-10 18:51:27 +01:00 |
|
Bhabesh Rai
|
a58c5ed7cc
|
Added rule for CVE-2021-21978 in VMware View Planner
|
2021-03-10 18:05:15 +05:45 |
|
concorde18
|
87059fe80b
|
Merge branch 'oscd' into DLL-execution-via-register-cimprovider.exe
|
2021-03-10 11:35:55 +03:00 |
|
concorde18
|
f694de74aa
|
Create win_susp_diskshadow.yml
|
2021-03-10 11:33:12 +03:00 |
|
concorde18
|
b73815e883
|
Update win_susp_Register_cimprovider.yml
|
2021-03-10 11:25:13 +03:00 |
|
Florian Roth
|
f0051ffcf6
|
Merge pull request #1378 from SigmaHQ/rule-devel
HAFNIUM activity
|
2021-03-09 15:42:32 +01:00 |
|
Florian Roth
|
dca5c870d7
|
Merge pull request #1374 from hieuttmmo/master
Detect HAFNIUM operations
|
2021-03-09 09:16:52 +01:00 |
|
Florian Roth
|
ec490b40ec
|
fix: 1 of them condition
|
2021-03-09 09:15:12 +01:00 |
|
Florian Roth
|
563335ec5a
|
rule: suspicious service binary location
|
2021-03-09 09:01:36 +01:00 |
|
Florian Roth
|
2ded9543f3
|
rule: HAFNIUM post-exploitation activity
|
2021-03-09 09:01:24 +01:00 |
|
BlueTeamOps
|
26a5300208
|
added spaces for oudmp and dclist
|
2021-03-09 08:22:36 +11:00 |
|
Anton Kutepov
|
e4a38a8b71
|
Merge branch 'master' into oscd
|
2021-03-07 23:41:11 +03:00 |
|
Anton Kutepov
|
626d7ebd61
|
Applied the fixes made by the participants during the second sprint.
|
2021-03-07 23:40:08 +03:00 |
|
Anton Kutepov
|
d7ef865bb9
|
Merge remote-tracking branch 'upstream/master' and fix conflicts
|
2021-03-07 23:36:13 +03:00 |
|
Anton Kutepov
|
ff6f10b484
|
Added the author of the duplicated rule (finger.exe)
|
2021-03-07 23:20:21 +03:00 |
|
Florian Roth
|
2b5f9f994f
|
Merge pull request #1376 from SigmaHQ/rule-devel
UNC2452 rules - GoldMax, GoldFinder, Sibot
|
2021-03-05 18:17:20 +01:00 |
|
Florian Roth
|
a61fbe6bd8
|
fix: duplicate UUID
|
2021-03-05 12:09:43 +01:00 |
|
Florian Roth
|
3a0fc4835a
|
Merge pull request #1363 from markus-nclose/master
Fix CobaltStrike typo
|
2021-03-05 12:06:31 +01:00 |
|
Florian Roth
|
b864768de8
|
fix: wrong conditions
|
2021-03-05 11:55:49 +01:00 |
|
Florian Roth
|
c3b84f2d5b
|
UNC2452 rules - GoldMax, Sibot, GoldFinder
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
|
2021-03-05 11:54:35 +01:00 |
|
Florian Roth
|
bdc35aa3ec
|
Update win_webshell_spawn.yml
|
2021-03-05 11:34:17 +01:00 |
|
Florian Roth
|
62b65a3578
|
Merge pull request #1375 from SigmaHQ/rule-devel
fix: description
|
2021-03-04 17:35:53 +01:00 |
|
Florian Roth
|
bea2f226c6
|
fix: description
|
2021-03-04 17:35:25 +01:00 |
|
Tran Trung Hieu
|
5f74a58081
|
Detect HAFNIUM operations
|
2021-03-04 00:01:54 +07:00 |
|
Florian Roth
|
9e921115bc
|
Merge pull request #1373 from SigmaHQ/rule-devel
HAFNIUM rule
|
2021-03-03 10:34:08 +01:00 |
|
Florian Roth
|
d8ded5ebdc
|
refactor: changed symbols after feedback from Volexity
|
2021-03-03 10:15:45 +01:00 |
|
Florian Roth
|
e17986ebd3
|
rule: HAFNIUM Exchange exploitation
|
2021-03-03 09:58:43 +01:00 |
|
Florian Roth
|
73a3a1e5cd
|
Merge pull request #1360 from d4rk-d4nph3/master
Added sigma rule for vSphere RCE CVE-2021-21972
|
2021-03-03 09:32:05 +01:00 |
|
Florian Roth
|
8c95f90075
|
Update web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
|
2021-03-03 09:08:24 +01:00 |
|
Bhabesh Rai
|
56eed19fba
|
Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge
|
2021-03-03 12:46:50 +05:45 |
|
Florian Roth
|
6d30f87c0c
|
refactor: procdump use
|
2021-03-02 23:36:25 +01:00 |
|
Anton Kutepov
|
f461becc58
|
Added missed changes in win_net_ntlm_downgrade and merged duplicate rules
|
2021-03-02 23:34:34 +03:00 |
|
Anton Kutepov
|
3f45269296
|
Merge branch 'oscd'
B
B
B
B
A
|
2021-03-02 22:58:41 +03:00 |
|
Florian Roth
|
5c1dc30a13
|
Merge pull request #1369 from SigmaHQ/rule-devel
fix: FPs with rule and avast sandbox
|
2021-03-02 15:30:30 +01:00 |
|
Florian Roth
|
c873d878b9
|
fix: FPs with rule and avast sandbox
|
2021-03-02 10:08:30 +01:00 |
|
Florian Roth
|
b65dbee01f
|
Merge pull request #1366 from Neo23x0/rule-devel
rule: SilentProcessExit monitors
|
2021-02-26 18:09:44 +01:00 |
|
Florian Roth
|
ba7c7409a3
|
fix: typo in modified
|
2021-02-26 17:48:50 +01:00 |
|
Florian Roth
|
79acbbef9f
|
rule: SilentProcessExit monitors
|
2021-02-26 17:35:42 +01:00 |
|
Florian Roth
|
40710fe89a
|
Merge pull request #1357 from Neo23x0/rule-devel
Rule FP fixes
|
2021-02-26 11:05:00 +01:00 |
|
Florian Roth
|
274b7b0f2e
|
fix: search for keywords within message
|
2021-02-26 09:42:12 +01:00 |
|
Florian Roth
|
9d937705c0
|
fix: null values in separate filter expression
> null value in lists cause problems in some backends
|
2021-02-25 15:19:26 +01:00 |
|
markus-nclose
|
67d3d5e220
|
Fixed CobaltStrike typo
|
2021-02-25 07:25:20 +02:00 |
|
Anton Kutepov
|
120fd413b8
|
fix author field
|
2021-02-25 02:17:28 +03:00 |
|
Anton Kutepov
|
98cc025208
|
Renamed ProcessName field to Image for the process_creation category.
|
2021-02-25 01:57:26 +03:00 |
|
Anton Kutepov
|
96afd5845a
|
Merged identical rules. Added the author of the deleted rule to another rule.
|
2021-02-25 01:20:09 +03:00 |
|
Bhabesh Rai
|
e1dff01cea
|
Added sigma rule for vSphere RCE CVE-2021-21972
|
2021-02-24 23:48:08 +05:45 |
|
Florian Roth
|
a8912da1a0
|
rule: finger.exe execution
|
2021-02-24 17:47:56 +01:00 |
|
jaegeral
|
e1f43f17c2
|
fixed various spelling errors all over rules and source code
|
2021-02-24 14:43:13 +00:00 |
|
Florian Roth
|
f8b6b9d68e
|
fix: FPs with Suspect Svchost Activity
|
2021-02-24 13:55:40 +01:00 |
|
Florian Roth
|
0489d4bfa4
|
fix: rule
|
2021-02-24 13:44:13 +01:00 |
|
Florian Roth
|
9eb55016bf
|
fix: FPs with WMI Spawning Windows PowerShell
|
2021-02-24 13:32:30 +01:00 |
|
Florian Roth
|
b032bc3328
|
fix: FPs with Wmiprvse Spawning Process
|
2021-02-24 13:27:18 +01:00 |
|
Florian Roth
|
028ce2a548
|
fix: Sysmon NTLM downgrade attack - too many fps
|
2021-02-24 13:22:25 +01:00 |
|
Joshua Roys
|
025a17e44b
|
fix: case in level
Otherwise es-rule ends up with a null risk_score and invalid severity.
|
2021-02-22 21:34:06 -05:00 |
|
Florian Roth
|
96803a5a27
|
Merge pull request #1355 from Neo23x0/rule-devel
Rule devel
|
2021-02-22 17:46:21 +01:00 |
|
Florian Roth
|
94035e1e11
|
fix: error in condition
|
2021-02-22 17:30:11 +01:00 |
|
Florian Roth
|
749789c17d
|
fix: condition in eventlog rule
|
2021-02-22 17:24:19 +01:00 |
|
Florian Roth
|
aea03076c2
|
rule: simplified rule
|
2021-02-22 17:19:14 +01:00 |
|
Florian Roth
|
43b2ad580f
|
rule: DEWMODE webshell
|
2021-02-22 17:15:32 +01:00 |
|
Florian Roth
|
f834862833
|
Merge pull request #1107 from vburov/patch-10
Update win_susp_eventlog_cleared.yml
|
2021-02-18 11:19:53 +01:00 |
|
Florian Roth
|
a6684c66d6
|
Merge pull request #1110 from vburov/patch-11
Update win_disable_event_logging.yml
|
2021-02-18 11:18:32 +01:00 |
|
Florian Roth
|
f62fc2e889
|
Merge pull request #1341 from d4rk-d4nph3/master
Added rule for TerraMaster TOS CVE-2020-28188
|
2021-02-18 11:17:48 +01:00 |
|
Florian Roth
|
786a799c3f
|
Merge pull request #1345 from blueteam0ps/patch-2
Created win_sus_auditpol_usage.yml
|
2021-02-18 11:17:04 +01:00 |
|
Florian Roth
|
76e6f38215
|
Merge pull request #1348 from bartlomiej-czyz/patch-1
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml
|
2021-02-18 11:14:40 +01:00 |
|
Florian Roth
|
089a931007
|
rule: ScreenConnect remote access
|
2021-02-11 13:04:16 +01:00 |
|
Florian Roth
|
4c2691d3c3
|
rule: disable windows eventlog
|
2021-02-11 12:28:52 +01:00 |
|
Florian Roth
|
18f2e32774
|
Domestic Kitten Furball malware pattern
|
2021-02-08 17:52:55 +01:00 |
|
bartlomiej-czyz
|
b771fb0c55
|
Change win_metasploit_or_impacket_smb_psexec_service_install.yml severity level
|
2021-02-08 12:45:59 +01:00 |
|
Florian Roth
|
8ae8c213a9
|
Merge pull request #1337 from architect00/master
rule: scheduled task deletion
|
2021-02-07 15:26:13 +01:00 |
|
GlebSukhodolskiy
|
daaba7022b
|
Merge branch 'oscd' into oscd_wmi
|
2021-02-06 00:34:53 +03:00 |
|
yugoslavskiy
|
fb1f04ec8a
|
Merge pull request #1249 from oscd-initiative/oscd_art_linux_task_18_T1083
[OSCD] ART sync, test T1083: File and Directory Discovery (Linux)
|
2021-02-04 22:34:47 +01:00 |
|
bartlomiej-czyz
|
ae15cef5e7
|
Rename .yaml to .yml
|
2021-02-03 22:20:48 +01:00 |
|
bartlomiej-czyz
|
e79168ee56
|
Create win_rundll32_without_parameters.yml
|
2021-02-03 22:18:23 +01:00 |
|
bartlomiej-czyz
|
3e9c177c65
|
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml
|
2021-02-03 22:16:21 +01:00 |
|
BlueTeamOps
|
1a124f9193
|
Added win_ad_find_discovery.yml
Rule to detect the most commons switches used in AdFind tool
|
2021-02-02 23:34:10 +11:00 |
|
BlueTeamOps
|
c3c706503e
|
Update win_sus_auditpol_usage.yml
|
2021-02-02 22:24:54 +11:00 |
|
BlueTeamOps
|
b0d0bb95b0
|
Created win_sus_auditpol_usage.yml
This adds detection for suspicious behaviour of the auditpol binary
|
2021-02-02 19:12:13 +11:00 |
|
Bhabesh Rai
|
a8d33171d7
|
Fixed c-uri
|
2021-02-02 10:23:47 +05:45 |
|
Florian Roth
|
309e15dc5c
|
rule: add call by ordinal
|
2021-02-01 20:16:31 +01:00 |
|
Florian Roth
|
597633c938
|
rule: ShimCache Flush
|
2021-02-01 20:05:28 +01:00 |
|
Florian Roth
|
2c48d2b0bb
|
fix: missing global action and sections
|
2021-02-01 20:00:06 +01:00 |
|
Bhabesh Rai
|
63e2f4bbce
|
Added rule for Sudo CVE-2021-3156 Exploitation Attempt
|
2021-02-01 23:08:45 +05:45 |
|
Florian Roth
|
179db920ec
|
Merge pull request #1343 from Neo23x0/rule-devel
Rule devel
|
2021-02-01 12:28:22 +01:00 |
|
Florian Roth
|
aaeb72a2b6
|
fix: FPs
|
2021-02-01 11:47:23 +01:00 |
|
Florian Roth
|
33fee6af8b
|
rule: security product uninstallation
|
2021-01-30 11:24:08 +01:00 |
|
Florian Roth
|
e533b4effb
|
fix: tags
|
2021-01-28 13:51:51 +01:00 |
|
Florian Roth
|
cd4491cba2
|
rule: disable volume snaptshots
|
2021-01-28 13:48:30 +01:00 |
|
Florian Roth
|
6b9eef58da
|
Merge pull request #1338 from Neo23x0/rule-devel
Improved UNC2452 activity rules
|
2021-01-25 14:36:44 +01:00 |
|
Florian Roth
|
7d99a48bb2
|
rule: new Quakbot pattern
|
2021-01-25 12:03:30 +01:00 |
|
Florian Roth
|
a4bec724a6
|
rule: SonicWall exploitation
|
2021-01-25 11:54:23 +01:00 |
|
Bhabesh Rai
|
465ab713b0
|
Added rule for TerraMaster TOS CVE-2020-28188
|
2021-01-25 13:01:27 +05:45 |
|
Florian Roth
|
b62c705bf0
|
Improved UNC2452 activity rules
|
2021-01-22 09:18:11 +01:00 |
|
k-vdv
|
e4edf7bc1b
|
fix service from system to security for rule win_pcap_drivers.yml
|
2021-01-22 09:10:02 +01:00 |
|
David Straßegger
|
6a6929cfb6
|
implemented rule for scheduled task deletion
|
2021-01-22 08:09:56 +01:00 |
|
Florian Roth
|
efa39eb18d
|
Merge pull request #1336 from Neo23x0/rule-devel
rule: Raccine uninstall
|
2021-01-21 18:17:31 +01:00 |
|
Florian Roth
|
4ad70f0aaa
|
rule: Raccine uninstall
|
2021-01-21 17:59:17 +01:00 |
|
Florian Roth
|
492d931138
|
Merge pull request #1335 from Neo23x0/rule-devel
rule: UNC2452 PowerShell pattern
|
2021-01-21 09:20:22 +01:00 |
|
Florian Roth
|
c5a7558ca0
|
fix: fixed actor name in description
|
2021-01-21 09:19:51 +01:00 |
|
Florian Roth
|
a0b8eeac6f
|
fix: minor issues
|
2021-01-20 18:52:50 +01:00 |
|
Florian Roth
|
8b319e3686
|
rule: UNC2452 PowerShell pattern
|
2021-01-20 18:51:49 +01:00 |
|
Florian Roth
|
cd4fbca66b
|
Merge pull request #1330 from d4rk-d4nph3/master
Added Stealthy Office Persistence via VSTO
|
2021-01-20 11:36:25 +01:00 |
|
Florian Roth
|
c00d3a8fe0
|
Merge pull request #1334 from Neo23x0/rule-devel
rule: plink anomaly rules
|
2021-01-20 11:36:16 +01:00 |
|
Bhabesh Rai
|
dac229a8bb
|
Added rule for Oracle WebLogic Exploit CVE-2021-2109
|
2021-01-20 14:28:18 +05:45 |
|
Florian Roth
|
eedc483be4
|
rework: impossible rule with Sysmon
|
2021-01-19 14:12:40 +01:00 |
|
Florian Roth
|
fdc969385a
|
rule: plink anomaly rules
|
2021-01-19 12:39:40 +01:00 |
|
Florian Roth
|
7162528a1a
|
docs: removed CVE
|
2021-01-15 13:25:10 +01:00 |
|
Florian Roth
|
3d2c6a118d
|
Merge pull request #1332 from 2d4d/master
Add xHunt Campaign: BumbleBee Webshell
|
2021-01-13 18:19:01 +01:00 |
|
Florian Roth
|
d58cdeab3a
|
Merge pull request #1331 from Neo23x0/rule-devel
rule: NTFS vulnerability
|
2021-01-12 09:09:33 +01:00 |
|
Arnim Rupp
|
b2860b870e
|
Update win_webshell_detection.yml
|
2021-01-11 21:08:20 +01:00 |
|
Florian Roth
|
cf37abee4d
|
docs: more details
|
2021-01-11 19:56:36 +01:00 |
|
Arnim Rupp
|
5d80d634c3
|
Add xHunt Campaign: BumbleBee Webshell
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
|
2021-01-11 19:44:07 +01:00 |
|
Florian Roth
|
a0fccf8647
|
rule: NTFS vulnerability
https://twitter.com/jonasLyk/status/1347900440000811010
|
2021-01-11 14:51:26 +01:00 |
|
Bhabesh Rai
|
93c7931037
|
Added Stealthy Office Persistence via VSTO
|
2021-01-10 17:54:17 +05:45 |
|
Florian Roth
|
c571285fd8
|
Merge pull request #1329 from Neo23x0/rule-devel
Rule devel
|
2021-01-09 11:32:36 +01:00 |
|
Florian Roth
|
63cc0d23c6
|
changes provided by FPT.EagleEye Team in
https://github.com/Neo23x0/sigma/pull/1218/files
|
2021-01-09 10:38:20 +01:00 |
|
Florian Roth
|
19171f5bed
|
Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule
Split up cmstp rule into 3 separate rules and remove duplicates
|
2021-01-09 10:30:33 +01:00 |
|
Florian Roth
|
947925d81f
|
Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic
Update the azure image_load rule to be a generic sysmon rule
|
2021-01-09 10:29:52 +01:00 |
|
Florian Roth
|
04f7766d7a
|
Merge pull request #1319 from hieuttmmo/master
Detect Emotet DLL loading by looking rundll32.exe
|
2021-01-09 10:29:24 +01:00 |
|
Florian Roth
|
1a8bb9c991
|
Merge pull request #1327 from 2d4d/master
more AV event and suspicious commands
|
2021-01-09 10:28:30 +01:00 |
|
GlebSukhodolskiy
|
3f519ffa20
|
Just Check
|
2021-01-07 21:31:51 +03:00 |
|
Arnim Rupp
|
d5de3fe5f9
|
more AV event and suspicious commands
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
|
2021-01-07 17:54:19 +01:00 |
|
Florian Roth
|
30dcc28a1f
|
Cisco ASA FTD Exploit CVE-2020-3452
|
2021-01-07 13:17:58 +01:00 |
|
GlebSukhodolskiy
|
da5ec4e952
|
Update win_wmi_persistence.yml
Removed sequence of EIDs in Windows Security section.
|
2021-01-06 16:50:28 +03:00 |
|
yugoslavskiy
|
05c91cd12f
|
Merge pull request #1238 from alx1m1k/oscd-3
[OSCD] T1030: Split A File Into Pieces - Lin/macOS
|
2021-01-06 00:33:12 +03:00 |
|
yugoslavskiy
|
057c33354a
|
Merge pull request #1237 from alx1m1k/oscd-2
[OSCD] T1027.001: Binary Padding - Lin/macOS
|
2021-01-06 00:33:05 +03:00 |
|
yugoslavskiy
|
befcad2df7
|
Merge pull request #1234 from w0rk3r/oscd1
[OSCD] Update win_susp_replace_lolbin.yml
|
2021-01-06 00:32:55 +03:00 |
|
yugoslavskiy
|
6ebcb10abd
|
Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution
[OSCD] Added a rule to detect execution of runonce with suspicious parameters
|
2021-01-06 00:32:44 +03:00 |
|
yugoslavskiy
|
3bf1663503
|
Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker
[OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
|
2021-01-06 00:32:35 +03:00 |
|
yugoslavskiy
|
e4c302bf6f
|
Merge pull request #1231 from vburov/patch-16
[OSCD] Detects LockerGoga Ransomware command line.
|
2021-01-06 00:30:08 +03:00 |
|
yugoslavskiy
|
2985836e36
|
Merge pull request #1140 from omkar72/oscd-5
[OSCD] adding shortened commands for Netsh in the existing rule
|
2021-01-06 00:24:43 +03:00 |
|
yugoslavskiy
|
d25ca9b280
|
Merge pull request #1229 from zinint/1009-19-1
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
|
2021-01-06 00:24:08 +03:00 |
|
yugoslavskiy
|
7889df6644
|
Merge pull request #1227 from stvetro/oscd-runscripthelper
[OSCD] - Runscripthelper.exe runs script (LoLBin)
|
2021-01-06 00:24:00 +03:00 |
|
yugoslavskiy
|
0ed153237e
|
Merge pull request #1226 from stvetro/oscd-winword
[OSCD] - Force winword.exe to load DLL (LoLBin)
|
2021-01-06 00:23:52 +03:00 |
|
yugoslavskiy
|
1d2f027035
|
Merge pull request #1224 from stvetro/oscd
[OSCD] Verclsid.exe Runs COM Object (LOLBin)
|
2021-01-06 00:23:45 +03:00 |
|
yugoslavskiy
|
f4578b0698
|
Merge pull request #1223 from zinint/1009-23-1
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
|
2021-01-06 00:23:33 +03:00 |
|
yugoslavskiy
|
23519e47cd
|
Merge pull request #1222 from feedb/oscd
[OSCD] zer0w
|
2021-01-06 00:23:25 +03:00 |
|
yugoslavskiy
|
93718975fb
|
Merge pull request #1221 from grikos/OSCD_117_128
[OSCD] suspicious csi.exe (rcsi.exe) LOLBAS detection rule
|
2021-01-06 00:23:13 +03:00 |
|
yugoslavskiy
|
cd62929bb0
|
Merge pull request #1220 from aw350m33d/PS_exec_via_redirected_input_stream
[OSCD] LOLBIN 5 PowerShell with redirection of the input stream.
|
2021-01-06 00:23:06 +03:00 |
|
yugoslavskiy
|
70eff4b1fc
|
Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37
[OSCD] Add Files Dropped to Program Files by Non-Priviledged Process Rule
|
2021-01-06 00:22:57 +03:00 |
|
yugoslavskiy
|
a5bbccf16c
|
Merge pull request #1214 from tas-kmanager/mt-oscd-sigma547-48-alternative
[OSCD] Always Install Elevated Alternative
|
2021-01-06 00:22:37 +03:00 |
|
yugoslavskiy
|
a217a3cfc7
|
Merge pull request #1213 from alx1m1k/oscd
[OSCD] T1552.003: Suspicious history file operations - Linux/macOS
|
2021-01-06 00:21:19 +03:00 |
|
yugoslavskiy
|
066be03c19
|
Merge pull request #1212 from aleqs4ndr/oscd-2020
[OSCD] Added a rule to detect possible Zerologon exploitation
|
2021-01-06 00:21:12 +03:00 |
|
yugoslavskiy
|
29fe6e46d8
|
Merge pull request #1211 from zipa-original/win_persistence_telemetry
[OSCD] Added a rule to detect abusing windows telemetry for persistence
|
2021-01-06 00:20:51 +03:00 |
|
yugoslavskiy
|
c71e0ae0ea
|
Merge pull request #1209 from vburov/patch-15
[OSCD] Create win_susp_multiple_files_renamed_or_deleted.yml
|
2021-01-06 00:19:41 +03:00 |
|
yugoslavskiy
|
38661bbc10
|
Merge pull request #1208 from NikitaStormwind/RTT(17)
[OSCD] Atomic Red Team: Detected Windows Software Discovery (T1518)
|
2021-01-06 00:19:20 +03:00 |
|
yugoslavskiy
|
2cf1994763
|
Merge pull request #1206 from w0rk3r/oscd5
[OSCD] Windows - Suspicious Service DACL Modification
|
2021-01-06 00:18:53 +03:00 |
|
yugoslavskiy
|
aad2838f58
|
Merge pull request #1198 from tas-kmanager/mt-oscd-sigma547-50-rule2
[OSCD] Always Install Elevated - Slide 50 - Rule 2
|
2021-01-06 00:18:44 +03:00 |
|
yugoslavskiy
|
e0286abb62
|
Merge pull request #1197 from w0rk3r/oscd_rules_improvement2
[OSCD] Small improvements on others rules
|
2021-01-06 00:18:36 +03:00 |
|
yugoslavskiy
|
0b7babaa84
|
Merge pull request #1196 from tas-kmanager/mt-oscd-sigma547-50-rule1
[OSCD] Always Install Elevated - Slide 50 - Rule 1
|
2021-01-06 00:18:26 +03:00 |
|
yugoslavskiy
|
fc1fa23440
|
Merge pull request #1191 from vburov/patch-14
[OSCD] Create powershell_cmdline_special_characters.yml
|
2021-01-06 00:18:12 +03:00 |
|
yugoslavskiy
|
8e50eeb4a9
|
Merge pull request #1187 from nsaddler/lolbas108
[OSCD] LOLBAS Manage-bde.yml
|
2021-01-06 00:18:02 +03:00 |
|
yugoslavskiy
|
cfbd10ab8b
|
Merge pull request #1186 from nsaddler/lolbas107_2
[OSCD] LOLBAS CL_Mutexverifiers - powershell
|
2021-01-06 00:17:54 +03:00 |
|
yugoslavskiy
|
e91d48cc93
|
Merge pull request #1185 from nsaddler/lolbas107_1
[OSCD] LOLBAS CL_Mutexverifiers - process_creation
|
2021-01-06 00:17:46 +03:00 |
|
yugoslavskiy
|
9d1c695204
|
Merge pull request #1184 from nsaddler/lolbas106_1
[OSCD] LOLBAS CL_Invocation - powershell
|
2021-01-06 00:17:10 +03:00 |
|
yugoslavskiy
|
def4a7dbb9
|
Merge pull request #1183 from nsaddler/lolbas106
[OSCD] LOLBAS CL_Invocation - process_creation
|
2021-01-06 00:17:01 +03:00 |
|
yugoslavskiy
|
6f2e8c56b2
|
Merge pull request #1182 from nsaddler/lolbas80
[OSCD] LOLBAS wab.yml
|
2021-01-06 00:16:53 +03:00 |
|
yugoslavskiy
|
e1fd69f548
|
Merge pull request #1179 from SanWieb/OSCD_regedit_3
[OSCD] regedit.exe LOLbas 72 [3]
|
2021-01-06 00:16:45 +03:00 |
|
yugoslavskiy
|
8e6b77fc4f
|
Merge pull request #1177 from OpalSec/oscd
[OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers
|
2021-01-06 00:16:34 +03:00 |
|
yugoslavskiy
|
95d8a9daf0
|
Merge pull request #1174 from uncleAntik/update
[OSCD] LOLBin vsjitdebugger.exe #136
|
2021-01-06 00:16:20 +03:00 |
|
yugoslavskiy
|
252345ca00
|
Merge pull request #1173 from uncleAntik/fix
[OSCD] LOLBin te.exe #133
|
2021-01-06 00:16:12 +03:00 |
|
yugoslavskiy
|
aeb448cd4d
|
Merge pull request #1171 from alejandroortuno/network-sniffing
[OSCD] MacOS Network Sniffing
|
2021-01-06 00:15:52 +03:00 |
|
yugoslavskiy
|
ebc6451b86
|
Merge pull request #1170 from alejandroortuno/startup-items
[OSCD] MacOS Startup Items
|
2021-01-06 00:15:45 +03:00 |
|
yugoslavskiy
|
ad739f7f29
|
Merge pull request #1169 from remotephone/oscd_t1113
[OSCD] - T1113 - macOS Screencapture via builtin screencapture utility
|
2021-01-06 00:15:37 +03:00 |
|
yugoslavskiy
|
d50c081f3f
|
Merge pull request #1168 from remotephone/oscd_t1056_002
[OSCD] macOS - T1056.002 - GUI Input capture
|
2021-01-06 00:15:30 +03:00 |
|
yugoslavskiy
|
1fd0afc58e
|
Merge pull request #1167 from tas-kmanager/mt-oscd-sigma547-43
[OSCD] Add Accesschk tool usage rule
|
2021-01-06 00:14:08 +03:00 |
|
yugoslavskiy
|
5ade9208d5
|
Merge pull request #1166 from drdoc/oscd
[OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools
|
2021-01-06 00:12:34 +03:00 |
|
yugoslavskiy
|
5ec4e42569
|
Merge pull request #1165 from w0rk3r/oscd3
[OSCD] Updated win_etw_trace_evasion - Added new detections, Removed reference to deprecated rule and changed selections
|
2021-01-06 00:12:22 +03:00 |
|
yugoslavskiy
|
46eb01f3c5
|
Merge pull request #1164 from GlebSukhodolskiy/oscd_reg
[OSCD] Modified Rule "Autorun Keys Modification"
|
2021-01-06 00:11:58 +03:00 |
|
yugoslavskiy
|
4c8e0b201d
|
Merge pull request #1162 from uncleAntik/131
[OSCD] LOLBin sqltoolsps.exe #131
|
2021-01-06 00:11:33 +03:00 |
|
yugoslavskiy
|
b56a7181ce
|
Merge pull request #1157 from invrep-de/oscd
[OSCD] Bad Opsec Powershell Artifacts
|
2021-01-06 00:11:24 +03:00 |
|
yugoslavskiy
|
319ebd158c
|
Merge pull request #1155 from sn0w0tter/oscd2
[OSCD] LOLBAS atbroker suspicious creation of ATs
|
2021-01-06 00:11:13 +03:00 |
|
yugoslavskiy
|
d2087c276c
|
Merge pull request #1151 from zinint/1009-27-2
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (Services)
|
2021-01-06 00:10:55 +03:00 |
|
yugoslavskiy
|
0bd955f097
|
Merge branch 'oscd' into oscd-5
|
2021-01-06 00:09:47 +03:00 |
|
yugoslavskiy
|
1f0d081c01
|
Merge pull request #1144 from NikitaStormwind/regular28(3)
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (Services)
|
2021-01-05 23:23:00 +03:00 |
|
yugoslavskiy
|
1cfc0d17ef
|
Merge pull request #1141 from omkar72/oscd-6
[OSCD] suspicious clr logs creation
|
2021-01-05 23:22:36 +03:00 |
|
yugoslavskiy
|
82e5d031b0
|
Merge pull request #1139 from omkar72/oscd-4
[OSCD] script applications loading .net dll
|
2021-01-05 23:17:25 +03:00 |
|
yugoslavskiy
|
635ac44949
|
Merge pull request #1132 from remotephone/oscd_t1070_002
[OSCD] Adding t1070_002 - Clear mac system logs
|
2021-01-05 23:16:57 +03:00 |
|
yugoslavskiy
|
793d271d37
|
Merge pull request #1131 from oscd-initiative/oscd_sigma_art_macos_task_63
[OSCD] macOS hidden user creation
|
2021-01-05 23:16:36 +03:00 |
|
yugoslavskiy
|
a82c559816
|
Merge pull request #1130 from vburov/patch-13
[OSCD] Create powershell_cmdline_specific_encoded_methods.yml
|
2021-01-05 23:16:24 +03:00 |
|
yugoslavskiy
|
dd7a95ac74
|
Merge pull request #1081 from cy1337/patch-1
[OSCD] Added nltest LOLBIN
|
2021-01-05 23:16:14 +03:00 |
|
yugoslavskiy
|
a4101a6808
|
Merge pull request #1128 from alejandroortuno/local-group
[OSCD] Local System Groups Discovery
|
2021-01-05 23:14:47 +03:00 |
|
yugoslavskiy
|
db66f8365e
|
Merge pull request #1127 from alejandroortuno/account-creation
[OSCD] MacOS local account creation
|
2021-01-05 23:14:28 +03:00 |
|
yugoslavskiy
|
f2c6011c6b
|
Merge pull request #1126 from skirankumar/master
[OSCD]Sysmon_silenttrinity_stager_msbuild_activity.yml
|
2021-01-05 23:14:20 +03:00 |
|
yugoslavskiy
|
1c1c38e091
|
Merge pull request #1119 from uncleAntik/oscd
[OSCD] sqlps.exe LOLbin
|
2021-01-05 23:14:02 +03:00 |
|
yugoslavskiy
|
07ac09f9aa
|
Merge pull request #1114 from NikitaStormwind/regular29(3)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (Services)
|
2021-01-05 23:13:48 +03:00 |
|
yugoslavskiy
|
220a4873c7
|
Merge pull request #1109 from NikitaStormwind/regular31(3)
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (Services)
|
2021-01-05 23:13:38 +03:00 |
|
yugoslavskiy
|
9803dc8baa
|
Merge pull request #1108 from NikitaStormwind/regular30(3)
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (Services)
|
2021-01-05 23:13:27 +03:00 |
|
yugoslavskiy
|
39991a8ab6
|
Merge pull request #1106 from stvetro/2020
[OSCD] Suspicious ftp.exe usage (LOLBin)
|
2021-01-05 23:13:03 +03:00 |
|
yugoslavskiy
|
804db42b7a
|
Merge pull request #1105 from Vasilisa-L/OSCD_rasautou
[OSCD] Rasautou.exe LOLbin
|
2021-01-05 23:12:48 +03:00 |
|
yugoslavskiy
|
794cd7aaeb
|
Merge pull request #1104 from Vasilisa-L/OSCD_rpcping
[OSCD] rpcping lolbin
|
2021-01-05 23:12:35 +03:00 |
|
yugoslavskiy
|
05b03afddb
|
Merge pull request #1103 from concorde18/oscd_win_susp_diskshadow
[OSCD] win_susp_diskshadow
|
2021-01-05 23:10:55 +03:00 |
|
yugoslavskiy
|
d48bac226f
|
Merge pull request #1099 from NikitaStormwind/regular31(2)
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (process_creation)
|
2021-01-05 23:10:46 +03:00 |
|
yugoslavskiy
|
32aea9ad2b
|
Merge pull request #1098 from NikitaStormwind/regular31
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (4104, 4103)
|
2021-01-05 23:10:28 +03:00 |
|
yugoslavskiy
|
ae3c0d0801
|
Merge pull request #1095 from esebese/task136
[OSCD]win_pe_exec_vsjitdebugger.yml added
|
2021-01-05 23:10:18 +03:00 |
|
yugoslavskiy
|
e492263a31
|
Merge pull request #1091 from alejandroortuno/sigma-local-account-rule
[OSCD] Local System Accounts Discovery
|
2021-01-05 23:10:09 +03:00 |
|
yugoslavskiy
|
d9a0f6c41a
|
Merge pull request #1090 from alejandroortuno/sigma-cron-rule
[OSCD] Scheduled Task/Job: Cron
|
2021-01-05 23:09:59 +03:00 |
|
yugoslavskiy
|
aa9182593a
|
Merge pull request #1087 from Vasilisa-L/OSCD_pester.bat
[OSCD] 109: Pester.bat
|
2021-01-05 23:09:47 +03:00 |
|
yugoslavskiy
|
c8da05fa5d
|
Merge pull request #1086 from remotephone/oscd
[OSCD] T1016 - linux/macOS firewall enumeration
|
2021-01-05 23:09:15 +03:00 |
|
yugoslavskiy
|
caf01c57bf
|
Merge pull request #1083 from omergunal/patch-8
[OSCD] T1082: System Information Discovery - Linux
|
2021-01-05 23:08:19 +03:00 |
|
yugoslavskiy
|
1992b1ac9f
|
Merge pull request #1074 from semanurguneysu/oscd
[OSCD] Create sysmon_abusing_debug_privilege.yml
|
2021-01-05 23:06:57 +03:00 |
|
yugoslavskiy
|
b5c78212ad
|
Merge pull request #1076 from nsaddler/oscd5
[OSCD] Powershell without powershell.exe Rule Added
|
2021-01-05 23:06:37 +03:00 |
|
yugoslavskiy
|
c7e9522f29
|
Merge pull request #1077 from uchakin/oscd
[OSCD] UAC bypass added
|
2021-01-05 23:06:24 +03:00 |
|
yugoslavskiy
|
e002ffa404
|
Merge pull request #1079 from omergunal/patch-6
[OSCD] T1070.004: File Deletion - Linux
|
2021-01-05 23:06:12 +03:00 |
|
yugoslavskiy
|
1939b815d6
|
Merge pull request #1078 from omergunal/patch-5
[OSCD] T1070.002: Clear Linux or Mac System Logs - Linux
|
2021-01-05 23:06:02 +03:00 |
|
yugoslavskiy
|
ff373b0f33
|
Update win_nltest_query.yml
|
2021-01-05 23:03:41 +03:00 |
|
yugoslavskiy
|
75feffb016
|
Merge pull request #1082 from omergunal/patch-7
[OSCD] T1201: Password Policy Discovery - Linux
|
2021-01-05 23:02:06 +03:00 |
|
yugoslavskiy
|
bceb3c8af0
|
Merge pull request #1047 from grikos/sigma/oscd
[OSCD] Registry modify via VBoxDrvInst
|
2021-01-05 23:00:20 +03:00 |
|
yugoslavskiy
|
3ef76437e4
|
Merge pull request #1055 from omergunal/patch-2
[OSCD] Scheduled Task/Job: At
|
2021-01-05 22:59:09 +03:00 |
|
yugoslavskiy
|
f65e7100ec
|
Merge pull request #1057 from omergunal/patch-4
[OSCD] T1057: Process Discovery
|
2021-01-05 22:58:35 +03:00 |
|
yugoslavskiy
|
87e5e5a7fc
|
Merge pull request #1069 from nsaddler/oscd3
[OSCD] Powershell Script Installed as a Service Rule added
|
2021-01-05 22:58:21 +03:00 |
|
yugoslavskiy
|
57947fbd39
|
Merge pull request #1044 from omergunal/patch-1
[OSCD] Linux - Install Root Certificate
|
2021-01-05 22:56:18 +03:00 |
|
yugoslavskiy
|
733277d490
|
Merge pull request #1248 from oscd-initiative/oscd_art_macos_task_28_T1083
[OSCD] ART sync, test T1083: File and Directory Discovery (macOS)
|
2021-01-05 22:55:40 +03:00 |
|
yugoslavskiy
|
f825003690
|
Merge pull request #1239 from alx1m1k/oscd-4
[OSCD] T1529: System Shutdown/Reboot - Lin/macOS
|
2021-01-05 22:55:14 +03:00 |
|
Florian Roth
|
40e0e3bc99
|
Merge pull request #1193 from w0rk3r/oscd_rules_improvement
[OSCD] Windows Rules - Review for improvements on selections and logic
|
2020-12-31 12:10:15 +01:00 |
|
Thomas Patzke
|
9b4c1662b0
|
Merge pull request #1240 from alx1m1k/oscd-5
[OSCD] T1070.006: File Time Attribute Change - Lin/macOS
|
2020-12-30 23:00:54 +01:00 |
|
Thomas Patzke
|
1dcc56a0b0
|
Merge pull request #1241 from alx1m1k/oscd-6
[OSCD] T1552.001: Credentials In Files - Lin/macOS
|
2020-12-30 22:59:49 +01:00 |
|
Thomas Patzke
|
e0f7dc125c
|
Merge pull request #1244 from oscd-initiative/oscd_art_macos_task_3_T1027
[OSCD] ART sync, test T1027: Obfuscated Files or Information (macOS)
|
2020-12-30 22:58:26 +01:00 |
|
Thomas Patzke
|
810485993a
|
Merge pull request #1245 from oscd-initiative/oscd_art_linux_task_4_T1027
[OSCD] ART sync, test T1027: Obfuscated Files or Information (Linux)
|
2020-12-30 22:57:59 +01:00 |
|
Thomas Patzke
|
aa5396cb9f
|
Merge pull request #1246 from oscd-initiative/oscd_art_macos_task_14_T1049
[OSCD] ART sync, test T1049: System Network Connections Discovery (macOS)
|
2020-12-30 22:57:29 +01:00 |
|
Thomas Patzke
|
fb9698345b
|
Merge pull request #1247 from oscd-initiative/oscd_art_linux_task_8__T1049
[OSCD] ART sync, test T1049: System Network Connections Discovery (Linux)
|
2020-12-30 22:57:11 +01:00 |
|
Thomas Patzke
|
6a7991ee96
|
Merge pull request #1250 from oscd-initiative/oscd_art_macos_task_41_T1518.001
[OSCD] ART sync, test T1518.001: Security Software Discovery (macOS)
|
2020-12-30 22:41:18 +01:00 |
|
Thomas Patzke
|
a88c853237
|
Merge pull request #1251 from oscd-initiative/oscd_art_linux_task_26_T1518.001
[OSCD] ART sync, test T1518.001: Security Software Discovery (Linux)
|
2020-12-30 22:40:32 +01:00 |
|
Thomas Patzke
|
436fd37655
|
Merge pull request #1252 from oscd-initiative/oscd_art_macos_task_55_T1553.001
[OSCD] ART sync, test T1553.001: Gatekeeper Bypass (macOS)
|
2020-12-30 22:39:36 +01:00 |
|
Thomas Patzke
|
5de952d488
|
Merge pull request #1253 from oscd-initiative/oscd_art_macos_task_60_T1562.001
[OSCD] ART sync, test T1562.001: Disable or Modify Tools (macOS)
|
2020-12-30 22:39:15 +01:00 |
|
Thomas Patzke
|
e223d34a6e
|
Merge pull request #1257 from alejandroortuno/service-scanning
[OSCD] Network Service Scanning
|
2020-12-30 22:35:47 +01:00 |
|
Thomas Patzke
|
5c03c4d4ec
|
Merge pull request #1258 from alejandroortuno/applescript
[OSCD] MacOS Applescript
|
2020-12-30 22:31:30 +01:00 |
|
Thomas Patzke
|
06c168d9b2
|
Merge pull request #1259 from alejandroortuno/firewall
[OSCD] Firewall Disable (Linux)
|
2020-12-30 22:30:41 +01:00 |
|
Florian Roth
|
ab408750ac
|
Merge pull request #1314 from Neo23x0/rule-devel
rule: Lazarus activity
|
2020-12-30 13:27:38 +01:00 |
|
Florian Roth
|
9ecaeb715f
|
Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock
Fix missing product mouse lock
|
2020-12-30 13:27:20 +01:00 |
|
ZikyHD
|
8a6b182fee
|
Update win_susp_adfind.yml
|
2020-12-29 14:41:46 +01:00 |
|
ZikyHD
|
ece829bb25
|
Update win_susp_adfind.yml
Typo on field name
|
2020-12-29 14:40:36 +01:00 |
|
Florian Roth
|
0a83f91386
|
Merge pull request #1321 from d4rk-d4nph3/master
Fixed typo in file format
|
2020-12-28 09:13:48 +01:00 |
|
Bhabesh Rai
|
bf77c8266a
|
Fixed typo in file format
|
2020-12-28 11:46:02 +05:45 |
|
Florian Roth
|
896fc21911
|
Merge pull request #1320 from d4rk-d4nph3/master
Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass
|
2020-12-27 20:37:36 +01:00 |
|
Florian Roth
|
a6212a4490
|
style: some minor style changes
|
2020-12-27 20:06:19 +01:00 |
|
Bhabesh Rai
|
1cfad987b0
|
Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass
|
2020-12-27 17:34:49 +05:45 |
|
Florian Roth
|
43033ab874
|
Update win_susp_emotet_rudll32_execution.yml
|
2020-12-25 09:05:55 +01:00 |
|
Tran Trung Hieu
|
d551b88d5c
|
Edit title convention
|
2020-12-25 14:21:26 +07:00 |
|
Tran Trung Hieu
|
4297e68704
|
Detect Emotet DLL loading by looking rundll32.exe
|
2020-12-25 14:09:40 +07:00 |
|
Daniel Masse
|
fedda17231
|
Update the azure image_load rule to be a generic sysmon rule
|
2020-12-23 16:29:49 -05:00 |
|
Daniel Masse
|
bf539fd1fe
|
Revert "Fix bug changing the logsource service to category"
This reverts commit 0f51e53d0e.
|
2020-12-23 15:50:49 -05:00 |
|
Daniel Masse
|
71ea5c7437
|
Add missing product in logsource
|
2020-12-23 15:45:00 -05:00 |
|
Daniel Masse
|
0f51e53d0e
|
Fix bug changing the logsource service to category
|
2020-12-23 15:12:31 -05:00 |
|
Daniel Masse
|
e4c052154d
|
Remove unneeded file
|
2020-12-23 14:30:24 -05:00 |
|
Daniel Masse
|
d2edf715f2
|
Split up cmstp rule into 3 separate rules and remove duplicates
|
2020-12-23 12:17:39 -05:00 |
|
Florian Roth
|
dedc34e91a
|
fix: typos and description
|
2020-12-23 14:46:08 +01:00 |
|
Florian Roth
|
cdc29dfbe8
|
rule: Lazarus activity
|
2020-12-23 14:43:32 +01:00 |
|
Florian Roth
|
821af35557
|
Merge pull request #1313 from Neo23x0/rule-devel
Rule devel
|
2020-12-23 13:57:11 +01:00 |
|
Florian Roth
|
7286d01f78
|
fix: typo in rule
|
2020-12-23 13:26:44 +01:00 |
|
Florian Roth
|
80aa398392
|
rule: Lazarus group loaders
|
2020-12-23 13:25:16 +01:00 |
|
Florian Roth
|
e67d17a967
|
rule: improved solarwinds webshell rule
|
2020-12-22 10:36:34 +01:00 |
|
Florian Roth
|
c3f891beab
|
Merge pull request #1286 from V3T0/v3t0_oscd_lolbas_runonce_susp_persistence_
[OSCD] Added a rule to detect potential persistence using registry keys
|
2020-12-21 18:33:17 +01:00 |
|
Florian Roth
|
7954684fbf
|
Merge pull request #1260 from alejandroortuno/remote-system-discovery
[OSCD] Remote System Discovery
|
2020-12-21 18:32:08 +01:00 |
|
Florian Roth
|
64197d0dec
|
Merge pull request #1261 from alejandroortuno/emond
[OSCD] MacOS Emond Launch Daemon
|
2020-12-21 18:30:56 +01:00 |
|
Florian Roth
|
133b98ffcb
|
Merge pull request #1262 from invrep-de/oscd
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
|
2020-12-21 18:30:21 +01:00 |
|
Florian Roth
|
f20f346a6a
|
Merge pull request #1264 from omkar72/sdev-1
Adding 2 rules - Conhost & office test registry persistence
|
2020-12-21 18:28:59 +01:00 |
|
Florian Roth
|
e78d7e6aee
|
Merge pull request #1296 from mat-gas/fix-references
fix "references" field + add test for references in plural form
|
2020-12-21 18:25:35 +01:00 |
|
Florian Roth
|
377454cb31
|
Merge pull request #1299 from tjgeorgen/patch-1
ATT&CK subtechnique tag updates
|
2020-12-21 18:24:00 +01:00 |
|
Florian Roth
|
35ab80b39e
|
Merge pull request #1306 from d4rk-d4nph3/master
Added rule for Impacket's PsExec execution
|
2020-12-21 18:23:41 +01:00 |
|
Florian Roth
|
9c8e1387a9
|
rule: Solarwinds SUPERNOVA web shell access
|
2020-12-17 09:05:08 +01:00 |
|
Bhabesh Rai
|
0a7e95954e
|
Fix for fail build
|
2020-12-14 12:55:08 +05:45 |
|
Bhabesh Rai
|
63fb31882e
|
Added rule for Impacket's PsExec execution
|
2020-12-14 12:48:26 +05:45 |
|
Florian Roth
|
80e1a5e7eb
|
Merge pull request #1292 from toffeebr33k/master
Create 2 new rules on AWS Privilege Escalation and AWS Enumeration
|
2020-12-13 19:06:44 +01:00 |
|
Florian Roth
|
1b0aaf62c3
|
Merge pull request #1266 from omkar72/ryuk
modifying couple of rules
|
2020-12-13 19:05:54 +01:00 |
|
Florian Roth
|
e2ade077ed
|
Merge pull request #1275 from bczyz1/patch-3
update win_apt_slingshot.yml
|
2020-12-13 19:04:47 +01:00 |
|
Florian Roth
|
5197f21ed1
|
fix: duplicate ID
|
2020-12-13 18:59:04 +01:00 |
|
Florian Roth
|
612008a4d8
|
fix identation
|
2020-12-11 18:40:17 +01:00 |
|
Tran Trung Hieu
|
edc79a8bb6
|
Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
|
2020-12-11 15:17:23 +07:00 |
|
Florian Roth
|
cfe60d180b
|
Merge pull request #1301 from d4rk-d4nph3/master
Added rule for Fortinet CVE-2018-13379 preauth file read exploitation.
|
2020-12-08 11:09:51 +01:00 |
|
Florian Roth
|
b6d62b7a21
|
Merge pull request #1302 from Neo23x0/rule-devel
TA505 Dropper, minor fix in PowerShell Rule
|
2020-12-08 10:40:07 +01:00 |
|
Florian Roth
|
2c642c64d2
|
Removed a value
|
2020-12-08 10:38:32 +01:00 |
|
Florian Roth
|
a87a81d8cc
|
Update web_fortinet_cve_2018_13379_preauth_read_exploit.yml
|
2020-12-08 10:33:52 +01:00 |
|
Florian Roth
|
640470cefd
|
TA505 Loader Rule
|
2020-12-08 10:15:30 +01:00 |
|
Bhabesh Rai
|
3ddf940812
|
Added rule for Fortinet CVE-2018-13379 preauth file read exploitation.
|
2020-12-08 14:46:47 +05:45 |
|
Florian Roth
|
540039cbc3
|
fix: Malicious Nishang PowerShell Commandlets FP with MDATP
|
2020-12-05 09:33:42 +01:00 |
|
tjgeorgen
|
1c6c3a36fe
|
include updated RDP att&ck tag
|
2020-12-04 11:59:23 -05:00 |
|
tjgeorgen
|
0eda1ab462
|
also update tag for folder variant
|
2020-12-04 11:42:05 -05:00 |
|
tjgeorgen
|
5208bdd65a
|
add new version of ATT&CK T1500 tag
|
2020-12-04 11:19:16 -05:00 |
|
yugoslavskiy
|
378f663502
|
Update lnx_clear_logs.yml
|
2020-12-02 01:28:29 +01:00 |
|
yugoslavskiy
|
6ce08935bb
|
Update lnx_file_deletion.yml
|
2020-12-02 01:27:35 +01:00 |
|
yugoslavskiy
|
1c4c5af99f
|
Update lnx_clear_logs.yml
|
2020-12-02 01:24:59 +01:00 |
|
Ömer Günal
|
4ab522815b
|
Update lnx_clear_logs.yml
|
2020-12-01 21:28:12 +03:00 |
|
Ömer Günal
|
d0bb6e9e81
|
Update lnx_file_deletion.yml
|
2020-12-01 21:24:57 +03:00 |
|
yugoslavskiy
|
a028cdf1ee
|
Update powershell_shellcode_b64.yml
|
2020-12-01 02:24:35 +01:00 |
|
yugoslavskiy
|
7309fb7d0e
|
Update powershell_winlogon_helper_dll.yml
|
2020-12-01 02:23:02 +01:00 |
|
yugoslavskiy
|
36754ae3d5
|
Update win_vul_cve_2020_0688.yml
|
2020-12-01 02:16:22 +01:00 |
|
yugoslavskiy
|
0188e45925
|
Update win_malware_script_dropper.yml
|
2020-12-01 02:12:53 +01:00 |
|