Commit Graph

930 Commits

Author SHA1 Message Date
Unknown
4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown
54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
Unknown
a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1
04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown
22b67a67ac Initial Commit Cobalt Malleable for OneDrive 2019-02-06 10:59:02 +01:00
Unknown
353f66dd7c CobaltStrike Malleable (OCSP) Profile with Typo (OSCP) in URL 2019-02-06 10:58:48 +01:00
t0x1c-1
150499d151 Detects Executables without FileVersion,Description,Product,Company likely created with py2exe 2019-02-06 10:58:37 +01:00
Unknown
c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
t0x1c-1
21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00
neu5ron
35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron
65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
keepwatch
bad80ffa78 Update sysmon_ssp_added_lsa_config.yml
Syntax fix
2019-02-05 16:28:06 -05:00
Florian Roth
5092b1e603 Rule: removed overlapping strings in Linux rule 2019-02-05 16:12:07 +01:00
Florian Roth
32c098294f Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00
Florian Roth
8f684ddd06 Rule: FP in WMI persistence with SCCM 2019-02-05 15:57:54 +01:00
Florian Roth
dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Florian Roth
5b92790e3f Rule: WMI Persistence - FPs 2019-02-05 14:35:23 +01:00
Florian Roth
abf5a5088e Rule: more malicious UAs 2019-02-05 14:35:23 +01:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke
6440bc962b CACTUSTORCH detection 2019-02-01 23:27:53 +01:00
Thomas Patzke
6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth
27c2684a0f Rule: Chafer malware proxy pattern 2019-01-31 12:31:48 +01:00
Florian Roth
a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00
Florian Roth
6c8d08942e Rule: Fixed field in RDP rule 2019-01-29 15:17:29 +01:00
Florian Roth
f61b44efa8 Rule: Netsh port forwarding 2019-01-29 14:04:48 +01:00
Florian Roth
086e62a495 Rule: Netsh RDP port forwarding rule 2019-01-29 14:04:28 +01:00
Florian Roth
a2eac623a6 Rule: Adjusted RDP login from localhost rule level 2019-01-29 14:04:10 +01:00
Florian Roth
c9ec469180 style: cosmetics - removed empty lines at file end 2019-01-29 12:54:07 +01:00
Thomas Patzke
516bfc88ff Added rule: RDP login from localhost 2019-01-28 22:43:22 +01:00
Tareq AlKhatib
7e4bb1d21a Removed duplicate filters 2019-01-25 12:21:57 +03:00
Thomas Patzke
9ce7d18712
Merge pull request #231 from TareqAlKhatib/rule_testing_framework
Rule testing framework
2019-01-23 23:16:46 +01:00
Tareq AlKhatib
ecffe28933 Correct MITRE tag 2019-01-22 21:26:07 +03:00
Florian Roth
90e8eba530 rule: false positive reduction in PowerShell rules 2019-01-22 16:37:36 +01:00
Florian Roth
cc6e0baef1 rule: extended certutil rule to include verifyctl and allows renamed certutil
https://twitter.com/egre55/status/1087685529016193025
2019-01-22 16:20:06 +01:00
Florian Roth
b1ea976f66 fix: fixed bug in ntdsutil rule that included a white space 2019-01-22 16:18:43 +01:00
Florian Roth
8c4b21f063 Rule: Apache threading errors 2019-01-22 08:49:10 +01:00
keepwatch
f99df33b01 SSP added to LSA configuration 2019-01-18 14:05:21 -05:00
Thomas Patzke
96eb460944 Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00
Florian Roth
5645c75576 Rule: updated relevant AV signatures - exploiting
https://twitter.com/haroldogden/status/1085556071891173376
2019-01-16 18:43:28 +01:00
Florian Roth
f759e8b07c Rule: Suspicious Program Location Process Starts 2019-01-15 15:40:51 +01:00
Thomas Patzke
7622b17415 Moved test rule to final location/naming scheme 2019-01-14 23:58:25 +01:00
Thomas Patzke
a9cf14438c Merge branch 'master' into project-1 2019-01-14 22:36:15 +01:00
Thomas Patzke
ed1ee80f2d
Merge pull request #221 from adrienverge/fix/yamllint
Fix yamllint config
2019-01-13 23:55:14 +01:00
Florian Roth
9a6b3b5389 Rule: PowerShell script run in AppData folders 2019-01-12 12:03:36 +01:00
Florian Roth
604d88cf1e Rule: WMI Event Subscription 2019-01-12 12:03:36 +01:00
Florian Roth
63f96d58b4 Rule: Renamed PowerShell.exe 2019-01-12 12:03:36 +01:00
Florian Roth
b7eb79f8da Rule: UserInitMprLogonScript persistence method 2019-01-12 12:03:36 +01:00
Florian Roth
d4a1fe786a Rule: Dridex pattern 2019-01-12 12:03:36 +01:00
Adrien Vergé
44f18db80d Fix YAML errors reported by yamllint
Especially the config for ArcSight, that was invalid:

    tools/config/arcsight.yml
      89:5      error    duplication of key "product" in mapping  (key-duplicates)
      90:5      error    duplication of key "conditions" in mapping  (key-duplicates)

    rules/windows/builtin/win_susp_commands_recon_activity.yml
      10:9      error    too many spaces after colon  (colons)
2019-01-10 09:51:39 +01:00
Tareq AlKhatib
8b94860ee6 Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
Tareq AlKhatib
925ffae9b8 Removed Outlook detection which is a subset of the Office one 2019-01-02 07:47:44 +03:00
Tareq AlKhatib
0a5e79b1e0 Fixed the RC section to use rc.exe instead of oleview.exe 2019-01-01 13:30:26 +03:00
Tareq AlKhatib
f318f328d6 Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
Florian Roth
c8c419f205 Rule: Hacktool Rubeus 2018-12-19 09:31:22 +01:00
Thomas Patzke
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master
Field-Index Mapping File & SIGMA Rules Field names fix
2018-12-19 00:38:06 +01:00
Florian Roth
a7fa20546a Rule: proxy user agents updated with MacControl user agent 2018-12-17 14:18:03 +01:00
Florian Roth
99f773dcf6 Rule: false positive reduction in rule 2018-12-17 10:02:55 +01:00
Florian Roth
172236e130 Rule: updated ATT&CK tags in MavInject rule 2018-12-12 09:17:58 +01:00
Florian Roth
188d3a83b8 Rule: docs: reference update in MavInject rule 2018-12-12 08:37:00 +01:00
Florian Roth
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue
Bugfix: wrong field for 4688 process creation events
2018-12-12 08:24:07 +01:00
Florian Roth
49eb03cda8 Rule: MavInject process injection 2018-12-12 08:18:43 +01:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Florian Roth
b5d78835b6 Removed overlapping rule with sysmon_office_shell.yml 2018-12-11 13:37:47 +01:00
Roberto Rodriguez
a0486edeea Field-Index Mapping File & SIGMA Rules Field names fix
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
2018-12-11 09:27:26 +03:00
Roberto Rodriguez
9567ce588d Merge remote-tracking branch 'upstream/master' 2018-12-09 09:27:43 +03:00
Roberto Rodriguez
8c577a329f Improve Rule & Updated HELK SIGMA Standardization Config
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.

SIGMA HELK standardization config updated to match latest HELK Common Information Model
2018-12-08 11:30:21 +03:00
Roberto Rodriguez
a35f945c71 Update win_disable_event_logging.yml
Description value breaking SIGMA Elastalert Backend
2018-12-06 05:09:41 +03:00
Florian Roth
2e5a739c6c fix: fixed author string (cannot be list according to sigma specs) 2018-12-05 11:59:10 +01:00
Florian Roth
9b15b64a9a fix: fixed author string (cannot be list according to sigma specs) 2018-12-05 11:44:20 +01:00
Roberto Rodriguez
87ce07088f Update sysmon_plugx_susp_exe_locations.yml
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location

This impacts Elastalert integration since you cannot have two rules with the same name
2018-12-05 07:58:13 +03:00
Roberto Rodriguez
bff7ec52db Update av_relevant_files.yml
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection

This affects Elastalert integration
2018-12-05 07:53:53 +03:00
Roberto Rodriguez
104ee6c33b Update win_susp_commands_recon_activity.yml
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
2018-12-05 05:55:36 +03:00
Roberto Rodriguez
328762ed67 Update powershell_xor_commandline.yml
Duplicate names again for https://github.com/Neo23x0/sigma/search?q=Suspicious+Encoded+PowerShell+Command+Line&unscoped_q=Suspicious+Encoded+PowerShell+Command+Line . This breaks elastalert integration since each rule needs to have its own unique name.
2018-12-05 05:51:41 +03:00
Roberto Rodriguez
6dc36c8749 Update win_eventlog_cleared.yml
Experimental Rule is a duplicate of bfc7012043/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
2018-12-05 05:40:00 +03:00
Roberto Rodriguez
c8990962d2 Update win_rare_service_installs.yml
same count() by ServiceFileName < 5 added to make sigmac work with elastalert integration
2018-12-05 05:33:56 +03:00
Roberto Rodriguez
f0b23af10d Update win_rare_schtasks_creations.yml
Count(taskName) not being taken by elastalert integration with Sigmac
2018-12-05 05:10:08 +03:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Florian Roth
3861dd5912 Rule: APT29 campaign against US think tanks
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
2018-12-04 17:04:03 +01:00
Florian Roth
a805d18bba
Merge pull request #198 from kpolley/consistent_filetype
changed .yaml files to .yml for consistency
2018-12-03 09:00:14 +01:00
AL
9f1df6164b
adding new rules detecting recently active APTs 2018-12-03 09:42:29 +02:00
Florian Roth
2ebbdebe46 rule: Cobalt Strike beacon detection via Remote Threat Creation
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
2018-11-30 10:25:05 +01:00
Thomas Patzke
f6ad36f530 Fixed rule 2018-11-29 00:00:18 +01:00
Florian Roth
7ba1fe4309 Turla PNG Dropper Service Name 2018-11-23 08:46:20 +01:00
Florian Roth
e7762c71ce Merge remote-tracking branch 'origin/master' 2018-11-22 19:14:12 +01:00
Florian Roth
ec83ab5e13 APT28 Zebrocy rule
https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
2018-11-22 19:14:07 +01:00
Thomas Patzke
a1940c6eaa Simplified rule 2018-11-21 22:34:04 +01:00
Kyle Polley
60538e2e12 changed .yaml files to .yml for consistency 2018-11-20 21:07:36 -08:00
Florian Roth
a31acd6571 fix: fixed procdump rule 2018-11-17 09:10:26 +01:00
Florian Roth
fd06cde641 Rule: Detect base64 encoded PowerShell shellcode
https://twitter.com/cyb3rops/status/1063072865992523776
2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Sherif Eldeeb
cd5950749e revert to upstream 2018-11-15 08:45:25 +03:00
Sherif Eldeeb
742192b452
Merge pull request #4 from Neo23x0/master
fetch updates from upstream
2018-11-15 08:32:33 +03:00
Florian Roth
b92c032c2d Linux JexBoss back connect shell 2018-11-08 23:21:36 +01:00
Nate Guagenti
9bfdcba400
Update win_alert_ad_user_backdoors.yml
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
2018-11-05 21:08:19 -05:00
Florian Roth
37294d023f Suspicious svchost.exe executions 2018-10-30 09:37:40 +01:00
Florian Roth
580692aab4 Improved procdump on lsass rule 2018-10-30 09:37:40 +01:00
Thomas Patzke
ff98991c80 Fixed rule 2018-10-18 16:20:51 +02:00
Thomas Patzke
a2da73053d Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9 2018-10-18 16:16:57 +02:00
Thomas Patzke
732de3458f
Merge pull request #186 from megan201296/patch-15
Update sysmon_cmstp_com_object_access.yml
2018-10-18 15:49:06 +02:00
Thomas Patzke
fdd0823e07
Merge pull request #187 from megan201296/patch-16
Additional MITRE ATT&CK Tagging
2018-10-18 15:38:11 +02:00
Florian Roth
3c3b14a26b rule: new malware UA 2018-10-10 15:27:58 +02:00
Florian Roth
fd34437575 fix: fixed date in rule 2018-10-10 15:27:58 +02:00
megan201296
fdd264d946
Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
megan201296
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml 2018-10-09 19:11:17 -05:00
megan201296
b0983047eb
Update sysmon_powersploit_schtasks.yml 2018-10-09 19:10:37 -05:00
megan201296
2f533c54b3
Update sysmon_powershell_network_connection.yml 2018-10-09 19:10:17 -05:00
megan201296
1b92a158b5
Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
megan201296
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml
Edit rule logic for `and` instead of `or`
2018-10-09 19:03:30 -05:00
megan201296
7997cb3001
Remove duplicate value 2018-10-08 13:00:59 -05:00
Florian Roth
54678fcb36 Rule: CertUtil UA
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00
Florian Roth
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml 2018-10-02 08:56:09 +02:00
Florian Roth
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml 2018-10-02 08:55:48 +02:00
Florian Roth
aafe9c6dae
Delete sysmon_lethalHTA.yml 2018-10-02 08:55:19 +02:00
Ensar Şamil
dec7568d4c
Rule simplification
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
Florian Roth
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
Florian Roth
a2c6f344ba
Lower case T 2018-09-26 11:44:12 +02:00
Braz
f35308a4d3
Missing Character
Parsed the MITRE ATT&CK information from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
Florian Roth
edf8dde958
Include cases in which certutil.exe is used 2018-09-23 20:57:34 +02:00
Karneades
c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
Karneades
cc82207882 Add group by to win multiple suspicious cli rule
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth
13276ecf31 Rule: AV alerts - webshells 2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de Rule: AV alerts - relevant files 2018-09-09 11:04:27 +02:00
Florian Roth
7311d727ba Rule: AV alerts - password dumper 2018-09-09 11:04:27 +02:00
Florian Roth
84b8eb5154 Rule: AV alerts - exploiting frameworks 2018-09-09 11:04:27 +02:00
Florian Roth
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel
Suspicious SYSVOL Domain Group Policy Access
2018-09-08 15:56:54 +02:00
Florian Roth
6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
Florian Roth
68896d9294 style: renamed rule files to all lower case 2018-09-08 10:25:20 +02:00
Florian Roth
788678feb8
Merge pull request #165 from JohnLaTwC/patch-1
Create win_susp_powershell_hidden_b64_cmd.yml
2018-09-08 10:23:05 +02:00
Florian Roth
5d714ab44e Rule: Added malware UA 2018-09-08 10:22:26 +02:00
Florian Roth
d0f2fbb6d6
Merge pull request #161 from megan201296/patch-12
Fix typo
2018-09-08 10:21:20 +02:00
Florian Roth
3f444b5fc2
Merge pull request #162 from megan201296/patch-13
Added .yml extension and fix typo
2018-09-08 10:21:00 +02:00
Unknown
863736587c Adding ATTCK 2018-09-08 09:34:27 +02:00
John Lambert
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
2018-09-07 20:23:11 -07:00
Unknown
d866097c07 CobaltStrike Malleable Amazon browsing traffic profile 2018-09-07 19:52:35 +02:00
Unknown
cf48a77d5a Adding CMStar user-agent "O/9.27 (W; U; Z)" 2018-09-07 09:07:24 +02:00
megan201296
3154be82f3
Added .yml extension and fix typo 2018-09-06 20:28:22 -05:00
megan201296
525326d15f
Fix typo 2018-09-06 20:20:11 -05:00
Florian Roth
ec1bd77f2e Rule: Proxy UA rule update - from Kaspersky report
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
2018-09-05 20:39:19 +02:00
Lurkkeli
30fc4bd030
powershell xor commandline
New rule to detect -bxor usage in a powershell commandline.
2018-09-05 09:21:15 +02:00
Florian Roth
49f7da6412 style: changed title casing and minor fixes 2018-09-04 16:15:41 +02:00
Florian Roth
3c240be8a8 fix: more duplicate 'tag' keys in rules 2018-09-04 16:15:02 +02:00
Florian Roth
9c878bef79 fix: duplicate 'tag' key in rule 2018-09-04 16:05:21 +02:00
t0x1c-1
afadda8c04 Suspicious SYSVOL Domain Group Policy Access 2018-09-04 15:52:25 +02:00
Florian Roth
d94c1d2046 fix: duplicate 'tag' key in rule 2018-09-04 14:56:55 +02:00
Florian Roth
1c87f77223 Rule: Fixed false positive in suspicious UA rule 2018-09-04 11:33:05 +02:00
Florian Roth
9cb78558d3 Rule: excluded false positives in rule 2018-09-03 12:02:42 +02:00
Florian Roth
b57f3ded64 Rule: GRR false positives 2018-09-03 11:50:34 +02:00
Florian Roth
2a0fcf6bea Rule: PowerShell encoded command JAB 2018-09-03 10:08:29 +02:00
Florian Roth
7a3890ad76 Rule: SysInternals EULA accept improved and renamed 2018-08-30 13:16:28 +02:00
Florian Roth
d83f124f5f Rule: Suspicious communication endpoints 2018-08-30 10:12:12 +02:00
Florian Roth
e70395744b Rule: Improved Github communication rule 2018-08-30 10:12:12 +02:00
Thomas Patzke
d17cc5c07d
Merge pull request #157 from yt0ng/development
Added Detection of Sysinternals Tools via eulaaccepted registry key
2018-08-28 22:37:00 +02:00
Unknown
75d72344ca Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 17:36:22 +02:00
Thomas Patzke
a722fcd2b0
Merge pull request #156 from yt0ng/yt0ng-devel
Adding LSASS Access Detected via Attack Surface Reduction
2018-08-27 23:50:42 +02:00
Thomas Patzke
ee15b451b4
Fixed log source name 2018-08-27 23:45:30 +02:00
Thomas Patzke
f2fd3b9443 Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-08-27 23:41:41 +02:00
Thomas Patzke
6e7208553a Revert "removing for new pull request"
This reverts commit ca7e8d6468.
2018-08-27 23:39:29 +02:00
Unknown
2f256aa1ef Adding LSASS Access Detected via Attack Surface Reduction 2018-08-27 10:38:45 +02:00
Thomas Patzke
8308cd6c1a
Rule fix 2018-08-26 22:35:35 +02:00
Thomas Patzke
87e39b8768 Fixed rules 2018-08-26 22:30:47 +02:00
Thomas Patzke
60a5922582 Merge branch 'master' of https://github.com/yt0ng/sigma into yt0ng-master 2018-08-26 22:12:19 +02:00
Florian Roth
5b3175d1d6 Rule: Suspicious procdump use on lsass process 2018-08-26 19:53:57 +02:00
yt0ng
df9f6688eb
Added Desktop Location, RunOnce and ATTCK
Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7
2018-08-25 17:32:34 +02:00
yt0ng
eda6f3b9ca rules/windows/sysmon/sysmon_powershell_DLL_execution.yml 2018-08-25 16:33:54 +02:00
Florian Roth
6bde2cd08f
Update lnx_buffer_overflows.yml 2018-08-25 00:20:34 +02:00
Florian Roth
234a48af19 rule: Linux SSHD exploit CVE-2018-15473
https://github.com/Rhynorater/CVE-2018-15473-Exploit
2018-08-24 16:40:41 +02:00
yt0ng
c7d4b4853d removing sysmon_powershell_AMSI_bypass.yml 2018-08-23 10:17:19 +02:00
Florian Roth
f47a5c2206 fix: Author list to string 2018-08-23 09:40:28 +02:00
Thomas Patzke
49af499353
Merge pull request #151 from nikseetharaman/workflow_compiler
Add Microsoft Workflow Compiler Sysmon Detection
2018-08-23 08:24:35 +02:00
Thomas Patzke
9235175e26
Fixed rule
* Added condition
* Replaced Description with Image attribute and improved search pattern
2018-08-23 08:20:28 +02:00
Thomas Patzke
73535e58a5
Merge pull request #153 from megan201296/patch-10
Add ATT&CK Matrix tags
2018-08-23 08:06:58 +02:00
Thomas Patzke
d647a7de07
Merge pull request #154 from megan201296/patch-11
Add MITRE ATT&CK tagging
2018-08-23 08:06:39 +02:00
Florian Roth
5de3cd71a4
Merge pull request #149 from yt0ng/development
Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
2018-08-22 17:19:10 +02:00
Florian Roth
040ba0338d
fix: Added Event ID in second selection 2018-08-22 17:03:13 +02:00
Florian Roth
0c729d1eea
Already used in different rule 2018-08-22 17:02:03 +02:00
Florian Roth
6ee31f6cd1
Update win_susp_commands_recon_activity.yml
Merged recon commands from @yt0ng's rule
2018-08-22 17:00:00 +02:00
megan201296
3f5c32c6da
Add MITRE ATT&CK tagging 2018-08-22 09:35:06 -05:00
megan201296
76aabe7e05
Add ATT&CK Matrix tags 2018-08-22 09:30:55 -05:00
Nik Seetharaman
e371d945ed Add Microsoft Workflow Compiler Sysmon Detection 2018-08-18 00:53:28 -05:00
yt0ng
ca7e8d6468
removing for new pull request 2018-08-17 18:42:10 +02:00
yt0ng
5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng
8ecf167e85
Powershell AMSI Bypass via .NET Reflection
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
2018-08-17 18:26:04 +02:00
yt0ng
07e411fe6b
Oilrig Information gathering
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
2018-08-15 14:29:59 +02:00
Florian Roth
4e91462838 fix: Bugfix in Adwind rule 2018-08-15 12:33:03 +02:00
Florian Roth
92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth
7c05b85bcd rule: Added malware UA 2018-08-15 12:33:03 +02:00
Thomas Patzke
2715c44173 Converted first Sysmon rule to generic process_execution rule 2018-08-14 21:34:54 +02:00
Thomas Patzke
2c0e76be3d
Escaped * where required 2018-08-10 13:53:08 +02:00
Lurkkeli
7cdc13ef11
Update 2018-08-08 17:05:51 +02:00
Lurkkeli
392351af25
Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli
4d721f1803
Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli
b9f433414d
hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke
01215a645e
Merge pull request #145 from yt0ng/master
DNS TXT Answer with possible execution strings
2018-08-08 15:58:34 +02:00
Thomas Patzke
58afccb2f3
Fixed ATT&CK tagging 2018-08-08 15:58:19 +02:00
yt0ng
e44b4f450e
DNS TXT Answer with possible execution strings
https://twitter.com/stvemillertime/status/1024707932447854592
2018-08-08 15:51:56 +02:00
Thomas Patzke
92c0e0321a
Merge pull request #144 from samsson/patch-7
Added att&ck tags
2018-08-07 11:19:36 +02:00
Lurkkeli
a245820519
added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli
294677a2cc
added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli
a57e87b345
added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli
99253763af
added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli
0bff27ec21
added att&ck tactic
added att&ck tactic, no specific techniques applicable
2018-08-07 08:37:51 +02:00
Lurkkeli
198cb63182
added att&ck tactic
added att&ck tactic, no specific techniques applicable
2018-08-07 08:36:53 +02:00
Thomas Patzke
518e21fcd2
Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access
Add CMSTP UAC Bypass via COM Object Access
2018-08-07 08:33:33 +02:00
Thomas Patzke
b9fdf07926
Extended tagging 2018-08-07 08:33:18 +02:00
Lurkkeli
b50c13dd1f
Update att&ck tag 2018-08-07 08:27:24 +02:00
Thomas Patzke
5d5d42eb9b
Merge pull request #140 from yt0ng/master
Possible Shim Database Persistence via sdbinst.exe
2018-08-07 08:22:32 +02:00
Thomas Patzke
80eaedab8b
Fixed tag and date 2018-08-07 08:22:11 +02:00
Thomas Patzke
3509fbd201
Merge pull request #142 from samsson/patch-5
Added ATT&CK tag
2018-08-07 08:20:22 +02:00
Thomas Patzke
b049210641
Fixed tags 2018-08-07 08:20:09 +02:00
Lurkkeli
3456f9a74d
Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
Thomas Patzke
64fa3b162d
Tag fixes 2018-08-07 08:18:16 +02:00
Lurkkeli
6472be5e19
Update sysmon_uac_bypass_sdclt.yml 2018-08-07 08:08:53 +02:00
Lurkkeli
21bee17ffd
Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
yt0ng
fc091fe3d7
Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng
b65cb5eaca
Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Thomas Patzke
0e986cae4d Fixed log source and field names 2018-08-04 22:58:19 +02:00
Florian Roth
acfdb591d0 fix: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth
1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Nik Seetharaman
b938fdb0a3 Add CMSTP UAC Bypass via COM Object Access 2018-07-27 02:28:28 -05:00
James Dickenson
5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Florian Roth
a9fcecab88
Merge pull request #130 from samsson/patch-4
Fixed typo / Created a rule
2018-07-26 22:34:46 +02:00
Florian Roth
016b15a2a9
Added quotation marks
I've added quotation marks to make it clearer (leading dash looks weird)
2018-07-26 18:10:21 +02:00
Lurkkeli
7796492c2b
Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00
Thomas Patzke
5e3211928f
Merge pull request #132 from dspautz/master
Add tags to APT rules
2018-07-25 09:57:35 +02:00
David Spautz
f039f95f4d Add tags to APT rules 2018-07-25 09:50:01 +02:00
Florian Roth
089498b0b3
Merge pull request #131 from yt0ng/master
Possible SafetyKatz Dump of debug.bin
2018-07-25 07:41:38 +02:00
Florian Roth
dd857c4470
Cosmetics
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
2018-07-25 07:37:17 +02:00
Florian Roth
cf7f5c7473
Changes
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? 
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
2018-07-25 07:35:59 +02:00
yt0ng
b415fc8d42
Possible SafetyKatz Dump of debug.bin
https://github.com/GhostPack/SafetyKatz
2018-07-24 23:51:46 +02:00
Lurkkeli
db82322d17
Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00
Lurkkeli
0e9c5bb14a
Update sysmon_rundll32_net_connections.yml 2018-07-24 20:01:47 +02:00
Lurkkeli
fd8c5c5bf6
Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:00:21 +02:00
Lurkkeli
ad580635ea
Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00
ntim
c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Thomas Patzke
0d8bc922a3
Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
Thomas Patzke
1601b00862
Merge pull request #125 from james0d0a/attack_tags
windows builtin mitre attack tags
2018-07-24 08:18:47 +02:00
Thomas Patzke
01e7675e24
Merge pull request #124 from samsson/patch-1
ATT&CK tagging
2018-07-24 07:58:50 +02:00
Thomas Patzke
30d255ab6f
Fixed tag 2018-07-24 07:58:25 +02:00
Thomas Patzke
baaf8006bc
Merge pull request #123 from yt0ng/sysmon
added additional binaries and attack tactics/techniques
2018-07-24 07:57:30 +02:00
David Spautz
e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson
c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
Lurkkeli
1898157df5
ATT&CK tagging
Added tag for technique t1015
2018-07-23 23:57:15 +02:00
yt0ng
16160dfc80 added additional binaries and attack tactics/techniques 2018-07-23 15:47:56 +02:00
Florian Roth
1134051fba
Update web_cve_2018_2894_weblogic_exploit.yml
Ah, we could do it this way *.js*
2018-07-23 06:19:25 -06:00
Florian Roth
03a64cca74
Update web_cve_2018_2894_weblogic_exploit.yml
We try to avoid false positives
2018-07-23 06:18:38 -06:00
MATTHEW CARR
dfb77e936d
Update web_cve_2018_2894_weblogic_exploit.yml
To detect all possible extensions .jspx, .jsw, .jsv, and .jspf
2018-07-23 07:41:47 +02:00
Florian Roth
0f1b440b91 Rule: widened the CVE-2018-2894 WebLogic rule
https://twitter.com/lo_security/status/1021148314308358144
2018-07-22 20:36:10 -06:00
Florian Roth
ffb0cf5ed5 Rule: CVE-2018-2894 Oracle WebLogic exploit and webshell drop 2018-07-22 15:09:45 -06:00