zinint
c243c4e210
T1035
2019-10-29 20:58:52 +03:00
Florian Roth
1a3444d0ef
docs: comment on rule expression
2019-10-28 12:02:46 +01:00
RRRabbit
becfca6b41
Added Atomic Blue Detections Repo
2019-10-28 11:59:49 +01:00
Teimur Kheirkhabarov
32b0a3987e
Several mistakes were fixed
2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov
3125b39239
Change incorrect MITRE Tags for some rules
2019-10-28 07:56:15 +03:00
zinint
87c8326133
T1033
2019-10-27 23:49:07 +03:00
zinint
55eaae1cea
Rename win_app_windows_descovery.yml to win_app_windows_discovery.yml
2019-10-27 23:15:10 +03:00
zinint
93b867024c
T1012
2019-10-27 23:13:03 +03:00
Teimur Kheirkhabarov
fde949174d
OSCD Task 1 - Privilege Escalation
2019-10-27 20:54:07 +03:00
4A616D6573
ca819d8707
Update win_susp_net_execution.yml
...
Updated tags to pass Travis CI checks.
2019-10-27 14:06:52 +11:00
root
717e40e8ed
modified win_susp_dxcap.yml
2019-10-26 20:27:32 +02:00
root
9bf0150100
modified win_susp_dnx.yml
2019-10-26 20:20:21 +02:00
root
3b70f2edd6
modified win_susp_dnx.yml
2019-10-26 20:16:40 +02:00
root
3528afeef7
modified win_susp_dnx.yml
2019-10-26 20:13:53 +02:00
root
1dca0456ee
modified win_susp_dxcap.yml
2019-10-26 20:09:25 +02:00
root
cbe0d73ce8
add win_susp_dxcap.yml
2019-10-26 20:06:02 +02:00
root
aaf63d2238
add win_susp_dxcap.yml
2019-10-26 20:02:25 +02:00
root
0616c2c39d
add win_susp_dnx.yml
2019-10-26 19:58:45 +02:00
root
ee21888e67
add win_susp_cdb.yml
2019-10-26 19:49:45 +02:00
Florian Roth
42808b7eb8
rule: webshell detection improved
2019-10-26 09:14:54 +02:00
root
844d55c781
add win_susp_bginfo.yml
2019-10-26 08:18:37 +02:00
root
5bb5938e86
add win_susp_bginfo.yml
2019-10-26 08:16:08 +02:00
root
01c4c7cdbd
modifed win_susp_msoffice.yml
2019-10-26 08:11:09 +02:00
root
bea2daac45
modifed win_susp_msoffice.yml
2019-10-26 07:55:44 +02:00
root
fc7f8ecea3
add win_susp_msoffice.yml
2019-10-26 07:48:38 +02:00
root
611c193826
modifed win_susp_odbcconf.yml
2019-10-26 07:45:53 +02:00
root
aa9a22e662
add win_susp_odbcconf.yml
2019-10-25 19:02:17 +02:00
alexpetrov12
8c2b7e9f85
fix
2019-10-25 18:30:40 +03:00
alexpetrov12
7aa804fe90
added new rules
...
Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking
2019-10-25 18:01:36 +03:00
zinint
6e94e798be
t1010
2019-10-25 16:12:51 +03:00
stvetro
dcaacd07bf
4 rules to cover ART
2019-10-25 15:38:47 +04:00
yugoslavskiy
5eb484a062
add tieto dns exfiltration rules
2019-10-25 04:30:55 +02:00
4A616D6573
5678357f4e
Update win_susp_net_execution.yml
...
Added tag for:
References:
https://attack.mitre.org/techniques/T1077/
https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
2019-10-25 12:20:47 +11:00
4A616D6573
a7a753862c
Update win_susp_net_execution.yml
...
Added:
1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.
Part of oscd.community effort.
2019-10-25 12:06:32 +11:00
Florian Roth
a5ec6722a1
rule: the actual changes to hwp rule
2019-10-24 15:35:13 +02:00
zinint
7c5dc0ca01
Update win_data_compressed.yml
2019-10-24 15:34:13 +03:00
Florian Roth
86c1b4ae4b
rule: hwp exploits
2019-10-24 11:46:56 +02:00
alexpetrov12
cc998aa667
fix
2019-10-24 00:48:43 +03:00
mrblacyk
499627edf3
File permissions modification (T1222)
2019-10-23 11:24:13 -07:00
mrblacyk
4979b56296
Domain Trust Discovery rule (T1482)
2019-10-23 11:23:12 -07:00
mrblacyk
262514c782
Windows Service stop rule (T1489)
2019-10-23 11:22:09 -07:00
alexpetrov12
4c84412944
added new rule
...
silenttrinity_stage_ use, sysmon_mimikatz_сreds_dump, sysmon_registry_persistence_key_linking, sysmon_сreds_dump
2019-10-23 18:08:30 +03:00
alexpetrov12
bc943343df
update win_sysmon_driver_unload
2019-10-23 15:41:14 +03:00
alexpetrov12
215e500894
fix
2019-10-23 14:43:01 +03:00
alexpetrov12
193c95a11a
add new rule1
2019-10-23 14:27:52 +03:00
root
edcbc49ce8
add rule win_susp_open with_execution.yml win_susp_devt oolslauncher_execution.yml
2019-10-23 13:00:21 +02:00
alexpetrov12
043e3f7ca6
fix
2019-10-23 13:48:44 +03:00
alexpetrov12
e38540a37f
fix
2019-10-23 13:28:04 +03:00
alexpetrov12
c1cfbacd24
fix
2019-10-23 13:18:57 +03:00
alexpetrov12
ad9b98541c
fix
2019-10-23 13:05:38 +03:00
alexpetrov12
fa4a8c974d
fix
2019-10-23 12:45:06 +03:00
alexpetrov12
f4ea01217e
fix
2019-10-23 02:47:04 +03:00
alexpetrov12
ebe4fe0377
fix
2019-10-23 02:42:37 +03:00
alexpetrov12
29cd7fed3e
fix
2019-10-23 02:39:40 +03:00
alexpetrov12
5a260db459
fix
2019-10-23 02:27:14 +03:00
alexpetrov12
6c4f4ce309
fix
2019-10-23 02:25:04 +03:00
alexpetrov12
8d0c89b598
added new rules
...
add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload
2019-10-23 01:55:03 +03:00
Florian Roth
3d4ce9d175
rule: another reference link for 'execution by ordinal'
2019-10-22 15:18:19 +02:00
zinint
a8bd2c8e78
Update win_data_compressed.yml
2019-10-22 14:57:53 +03:00
zinint
74d1fef8b8
Update win_data_compressed.yml
2019-10-22 14:53:43 +03:00
zinint
cc6d4b05ac
OSCD Task 7 : ART T1002 Exfiltration With Rar
...
OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
2019-10-22 14:00:52 +03:00
Florian Roth
b3654947bc
rule: suspicious call by ordinal (rundll32)
2019-10-22 12:40:26 +02:00
Florian Roth
0f02f2bdfc
rule: adjusted very noisy rule on AppLocker whitelist bypass
2019-10-22 12:32:37 +02:00
root
00a757959e
add rule win_susp_capture_screenshots.yml
2019-10-22 06:06:07 +02:00
zinint
daf1034621
Update win_possible_applocker_bypass.yml
2019-10-22 00:54:29 +03:00
Florian Roth
ab292a4029
rule: simplified Emotet rule
2019-10-16 15:29:42 +02:00
Florian Roth
5d143f4f22
rule: emotet rule references extended
2019-10-16 13:18:44 +02:00
Florian Roth
d46154da5c
rule: extending Emotet rule
2019-10-16 10:22:48 +02:00
Florian Roth
4ea469d138
rule: suspicious compression tool parameters
2019-10-15 16:38:53 +02:00
Florian Roth
52fef7ae10
Merge pull request #468 from 2d4d/lsass_without_exe
...
remove .exe from lsass
2019-10-14 18:03:13 +02:00
Florian Roth
8db1cac910
fix: made rule compatible with event id 4688
2019-10-14 18:01:24 +02:00
Florian Roth
0e2284a176
rule: modified the default
2019-10-14 17:50:48 +02:00
Florian Roth
312311494d
rule: suspicious code page switch using chcp
2019-10-14 17:45:25 +02:00
2d4d
cf5d7f11ad
remove .exe from lsass
2019-10-14 17:26:33 +02:00
Florian Roth
5583684efd
rule: extended suspicious procdump rule
2019-10-14 16:21:37 +02:00
Florian Roth
60af1f5a4b
rule: WMI Backdoor Exchange Transport Agent
2019-10-11 12:12:44 +02:00
Thomas Patzke
60ef593a6f
Fixed wrong backslash escaping of *
...
Fixes issue #466
2019-10-07 22:14:44 +02:00
Florian Roth
3eaf4d6e94
fix: fixed typo in bluemashroom rule
2019-10-02 15:45:55 +02:00
Florian Roth
6d78a5fede
rule: extended the command line in bluemashroom rule
2019-10-02 14:03:34 +02:00
Florian Roth
7423fe2072
fix: fixed typo in APT group name
2019-10-02 14:02:07 +02:00
Florian Roth
e993ef46f0
rule: APT blue mushroom
2019-10-02 13:57:14 +02:00
Florian Roth
4bc7f6ea52
rule: QBot process creation
2019-10-01 17:25:04 +02:00
Florian Roth
52df9e9f44
rule: execution in Outlook temp folder
2019-10-01 16:07:43 +02:00
Florian Roth
9a7ef0e3c2
fix: fixed rule warning
2019-09-30 19:38:40 +02:00
Florian Roth
2fbd35053e
rule: improved formbook detection rule
2019-09-30 19:01:40 +02:00
Florian Roth
38831a05ae
rule: formbook malware process creation
2019-09-30 18:57:58 +02:00
Florian Roth
05ca684962
rule: improved emotet rule
2019-09-30 17:17:23 +02:00
Florian Roth
66cbdbfff5
rule: emotet process creation
2019-09-30 15:53:29 +02:00
Florian Roth
93227e1eec
Merge pull request #436 from EccoTheFlintstone/master
...
rule: impacket framework lateralization detection
2019-09-28 11:37:07 +02:00
Florian Roth
ad59c90b29
Capitalization in Title
2019-09-28 10:30:16 +02:00
Florian Roth
0eb5fd75e1
Merge pull request #446 from EccoTheFlintstone/eventclear
...
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-28 10:29:03 +02:00
Florian Roth
29c5a9dc8e
Merge pull request #458 from EccoTheFlintstone/psexec
...
fix: PsExec false positives
2019-09-28 10:15:23 +02:00
ecco
5a15687c6c
fix rule: task manager as parent: task manager can be run with higher privileges (show processes from all users --> UAC) and its parent is still the old taskmgr
2019-09-27 11:06:21 -04:00
ecco
7a1d48cccd
fix: PsExec false positives
2019-09-26 04:50:43 -04:00
Florian Roth
e77657db2f
Merge pull request #451 from EccoTheFlintstone/sysmon_clean
...
sysmon rules cleanup and move to process_creation
2019-09-25 17:28:23 +02:00
ecco
c2868f6e03
remove TAB from cli escape as it's currently unsupported in sigmac
2019-09-23 04:46:10 -04:00
ecco
0c96777f6a
sysmon rules cleanup and move to process_creation
2019-09-11 10:24:43 -04:00
ecco
b410710338
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-06 10:57:03 -04:00
Florian Roth
fcbae16cc8
rule: image debugger
2019-09-06 10:28:20 +02:00
Florian Roth
afcbf4226d
fix: duplicate rule - issue #441
2019-09-06 10:22:27 +02:00
Florian Roth
e85c204404
fix: removed event id
2019-09-06 10:20:36 +02:00
Florian Roth
01d5e3882f
fix: log source category
2019-09-06 10:17:32 +02:00
Florian Roth
e9fc8d3d09
rule: split up registry debugger registration rule into two
2019-09-06 10:13:21 +02:00
Thomas Patzke
afe6668fbd
Merge pull request #438 from duzvik/master
...
Escaped '\*' to '\*' where required
2019-09-05 10:57:25 +02:00
Thomas Patzke
f9f5558ae1
Merge pull request #392 from TareqAlKhatib/shim
...
Fixed commandline to detect any shim install from any location
2019-09-05 10:28:50 +02:00
ecco
bdf8f99fdb
fix typo
2019-09-04 11:31:00 -04:00
Florian Roth
7bef822da7
rule: minor improvement to susp ps enc cmd
2019-09-04 16:31:49 +02:00
Denys Iuzvyk
774be4d008
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
ecco
fc89804f34
rule: impacket framework lateralization detection
2019-09-03 10:28:59 -04:00
ecco
8cad0c638e
add comcvcs.dll memdump method
2019-09-02 07:49:19 -04:00
Florian Roth
dca5a7a248
Merge pull request #432 from EccoTheFlintstone/master
...
add/modify powershell Empire rules
2019-09-02 11:40:36 +02:00
ecco
5f30e52739
add/modify powershell Empire rules
2019-09-02 05:04:44 -04:00
Florian Roth
ace0cc36c6
rule: improved csc rule
2019-08-31 08:44:09 +02:00
Florian Roth
f2c44c80b6
Merge branch 'master' into rule-devel
...
# Conflicts:
# rules/windows/process_creation/win_encoded_frombase64string.yml
# rules/windows/process_creation/win_susp_csc_folder.yml
2019-08-28 09:21:25 +02:00
Florian Roth
f71dc41531
rule: extended csc rule
2019-08-28 09:00:43 +02:00
Florian Roth
406b40af11
rule: suspicious msbuild folder
2019-08-28 09:00:35 +02:00
Florian Roth
70a26a6132
fix: fixed MITRE tags
2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680
rule: csc.exe suspicious source folder
2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817
rules: encoded FromBase64String keyword
2019-08-24 13:53:05 +02:00
Florian Roth
1dfd560299
rule: csc.exe suspicious source folder
2019-08-24 13:49:40 +02:00
Florian Roth
a137a1380b
rules: encoded FromBase64String keyword
2019-08-24 12:38:51 +02:00
Florian Roth
c9a4e6fe8a
rule: process creations in env var folders
2019-08-24 08:26:37 +02:00
Florian Roth
87ce52f6fe
fix: fixed wrong MITRE tag
2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21
rule: encoded IEX
2019-08-23 23:13:36 +02:00
Florian Roth
cc01f76e99
docs: minor changes
2019-08-22 14:22:55 +02:00
ecco
d0a24f4409
filter NULL values to remove false positives
2019-08-20 05:10:41 -04:00
Florian Roth
4fcb52d098
fix: removed mmc susp rule due to many FPs
2019-08-07 14:26:15 +02:00
Florian Roth
f6fd1df6f4
Rule: separate Ryuk rule created for VBurovs strings
2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5
...
Ryuk Ransomware commands from real case
2019-08-06 10:29:00 +02:00
Karneades
42e6c9149b
Remove unneeded event code
2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule
2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell
...
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml . And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml .
2019-08-05 18:42:31 +02:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what title says
...
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac
rule: reworked vssadmin rule
2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf
fix: fixing rule win_cmstp_com_object_access
...
https://github.com/Neo23x0/sigma/issues/408
2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99
Rule: reworked win_susp_powershell_enc_cmd
2019-07-30 14:36:30 +02:00
Tareq AlKhatib
d08a993159
Fixed commandline to detect any shim install from any location
2019-07-08 12:31:18 +03:00
Florian Roth
0b883a90b6
fix: null value in separate expression
2019-07-02 20:14:45 +02:00
Florian Roth
ce43d600e3
fix: added null value / application to 4688 problem
2019-07-02 10:51:48 +02:00
Vasiliy Burov
2f123f64a7
Added command that stops services.
2019-06-28 19:46:34 +03:00
Vasiliy Burov
3813d277a6
Ryuk Ransomware commands from real case
2019-06-28 19:26:05 +03:00
Florian Roth
ad386474bf
fix: removed unusable extensions in proc exec context
2019-06-26 17:03:01 +02:00
Florian Roth
708f3ef002
fix: fixed duplicate element in new double extension rule
2019-06-26 16:00:58 +02:00
Florian Roth
41dc076959
Rule: suspicious double extension
2019-06-26 15:57:25 +02:00
Florian Roth
39b5eddfc7
Rule: Suspicious userinit.exe child process
2019-06-23 13:27:06 +02:00
Florian Roth
26036e0d35
fix: fixed image in taskmgr rule
2019-06-21 17:15:53 +02:00
Thomas Patzke
ff7128209e
Adjusted level
2019-06-20 00:03:48 +02:00
Thomas Patzke
0f8849a652
Rule fixes
...
* tagging
* removed spaces
* converted to generic log source
* typos/case
2019-06-20 00:01:56 +02:00
Thomas Patzke
429c29ed5a
Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing
...
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
2019-06-19 23:43:10 +02:00
Thomas Patzke
dbbc1751ef
Converted rule to generic log source
2019-06-19 23:25:25 +02:00
Michael Wade
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
Thomas Patzke
a23f15d42b
Converted rule to generic log source
2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9
Usage of Channel field name in ELK Windows config
2019-06-11 13:15:43 +02:00
yugoslavskiy
5827165c2d
event id deleted
2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720
changed to process_creation category
2019-06-03 15:47:24 +02:00
Florian Roth
a0c9f1594e
Rule: renamed file - name was too generic
2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
Florian Roth
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
Thomas Patzke
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
Alec Costello
886de39814
Small edits
...
Got trigger happy, first time doing this, please dont cruicify me.
2019-05-17 17:40:32 +03:00
Alec Costello
34d9b4b365
Update win_susp_process_creations.yml
...
Tested the type method redirecting to a file and dumping the hashes out with pwdump.
Used the wmic method to create the shadow copy.
2019-05-17 16:10:43 +03:00
Alec Costello
3c8be3d48b
Update win_susp_vssadmin_ntds_activity.yml
2019-05-17 15:19:03 +03:00
Alec Costello
8b14a5673d
Update win_susp_vssadmin_ntds_activity.yml
...
Updated with SAM and SYSTEM for esentutl
2019-05-17 15:18:01 +03:00
Codehardt
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
Codehardt
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
Thomas Patzke
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
Thomas Patzke
15a4c7e477
Fixed rule
2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14
Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3
2019-05-10 00:00:14 +02:00
Thomas Patzke
f01fbd6b79
Merge branch
2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d
Changed rule
...
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
Thomas Patzke
121e21960e
Rule changes
...
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799
Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2
2019-05-09 22:55:07 +02:00
Karneades
b47900fbee
Add default path to filter for explorer in exe anomaly rule
2019-04-21 17:42:47 +02:00
Thomas Patzke
49beb5d1a8
Integrated PR from @P4T12ICK in existing rule
...
PR #321
2019-04-21 00:28:40 +02:00
Florian Roth
aab3dbee4f
Rule: Detect Empire PowerShell Default Cmdline Params
2019-04-20 09:38:41 +02:00
Florian Roth
03d8184990
Rule: Extended PowerShell Susp Cmdline Enc Commands
2019-04-20 09:38:41 +02:00
Florian Roth
d5fa51eab9
Merge pull request #305 from Karneades/patch-3
...
Remove too loose filter in notepad++ updater rule
2019-04-19 12:40:24 +02:00
Florian Roth
e32708154f
Merge pull request #304 from Karneades/patch-2
...
Remove too loose filter in mshta rule
2019-04-19 09:51:45 +02:00
Florian Roth
74dd008b10
FP note for HP software
2019-04-19 09:51:32 +02:00
Karneades
d75ea35295
Restrict whitelist filter in system exe anomaly rule
2019-04-18 22:06:12 +02:00
Florian Roth
f78413deab
Merge pull request #309 from jmlynch/master
...
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
Florian Roth
4808f49e0d
More exact path
2019-04-17 23:45:15 +02:00
Florian Roth
1a4a74b64b
fix: dot mustn't be escaped
2019-04-17 23:44:36 +02:00
Florian Roth
76780ccce2
Too many different trusted cscript imphashes
2019-04-17 23:33:56 +02:00
Florian Roth
7c5f985f6f
Modifications
2019-04-17 23:30:49 +02:00
Florian Roth
4298abffb7
Modifications
2019-04-17 23:29:29 +02:00
Florian Roth
615a802a8e
Modifications
2019-04-17 23:26:20 +02:00
Sam0x90
0e8a46aaf7
Update win_subp_svchost rule
...
Adding rpcnet.exe as ParentImage
2019-04-16 15:00:06 +02:00
Florian Roth
17470d1545
Rule: extended parent list for legitimate svchost starts
...
https://twitter.com/Sam0x90/status/1117768799816753153
2019-04-15 14:54:35 +02:00
Florian Roth
612a7642d2
Added Local directory
2019-04-15 08:47:53 +02:00
Florian Roth
1d3159bef0
Rule: Extended Office Shell rule
2019-04-15 08:13:35 +02:00
Karneades
d872c52a43
Add restricted filters to notepad++ gup.exe rule
2019-04-15 08:12:12 +02:00
Florian Roth
1e262f5055
Merge pull request #303 from Karneades/patch-1
...
Remove too loose filter in wmi spwns powershell rule
2019-04-14 23:11:57 +02:00
Karneades
75d36165fc
Remove non-generic falsepositives
...
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
Karneades
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-11 12:53:12 +02:00
Jason Lynch
89fb726875
added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7
2019-04-09 09:45:07 -04:00
Jason Lynch
f0c8c428bb
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 08:07:30 -04:00
Karneades
97376c00de
Fix condition
2019-04-04 22:33:32 +02:00
Karneades
766b8b8d18
Fix condition
2019-04-04 22:32:47 +02:00
Karneades
788e75ef1b
Fix condition
2019-04-04 22:32:21 +02:00
Karneades
840eb2f519
Remove too loose filter in notepad updater rule
2019-04-04 22:25:05 +02:00
Karneades
eb690d8902
Remove too loose filter in mshta rule
2019-04-04 22:16:24 +02:00
Karneades
1915561351
Remove to loose wildcard from wmi spwns powershell rule
2019-04-04 22:12:28 +02:00
yt0ng
e0459cec1c
renamed file
2019-04-03 17:39:17 +02:00
t0x1c-1
7e058e611c
WMI spawning PowerShell seen in various attacks
2019-04-03 16:56:45 +02:00
Unknown
9ada22b8e0
adjusted link
2019-04-03 16:40:18 +02:00
Unknown
d2e605fc5c
Auto stash before rebase of "Neo23x0/master"
2019-04-03 16:25:18 +02:00
Florian Roth
e473efb7c3
Trying to fix ATT&CK framework tag
2019-04-01 10:36:35 +02:00
Florian Roth
3f2ce4b71f
Lowered level to medium
2019-04-01 09:47:14 +02:00
t0x1c-1
51c42a15a7
Allow Incoming Connections by Port or Application on Windows Firewall
2019-04-01 08:16:56 +02:00
Nate Guagenti
60c4fed2e0
Create win_etw_trace_evasion.yml
...
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `
Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.
example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
2019-03-22 11:36:55 -04:00
Florian Roth
ffac77fb37
Rule: extended LockerGoga description
2019-03-22 11:03:48 +01:00
Florian Roth
1adb040e0b
Rule: LockerGoga
2019-03-22 10:59:31 +01:00
Florian Roth
2ad2ba9589
fix: rule field fix in proc_creation rule
2019-03-22 10:59:18 +01:00
Thomas Patzke
be25aa2c37
Added CAR tags
2019-03-16 00:37:09 +01:00
Thomas Patzke
8512417de0
Incorporated MITRE CAR mapping from #55
2019-03-16 00:03:27 +01:00
Yugoslavskiy Daniil
5d54e9c8a1
nbstat.exe -> nbtstat.exe
2019-03-11 19:28:29 +01:00
Thomas Patzke
3c1948f089
Merge pull request #277 from megan201296/patch-18
...
Remove invalid link
2019-03-07 23:49:13 +01:00
Yugoslavskiy Daniil
475113b1c1
fixed incorrect date format
2019-03-07 22:52:11 +01:00
megan201296
c2a16591af
Remove invalid link
...
Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement but went better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
2019-03-07 14:22:29 -06:00
Yugoslavskiy Daniil
cb7243de5d
fixed wrong tags
2019-03-06 06:18:38 +01:00
Yugoslavskiy Daniil
8bec627ff1
fixed multiple tags issue
2019-03-06 06:09:37 +01:00
Yugoslavskiy Daniil
5154460726
changed service to product
2019-03-06 05:57:01 +01:00
Yugoslavskiy Daniil
05cc7e455d
atc review
2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master
...
Fix rules
2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35
Merge branch 'master' of https://github.com/krakow2600/sigma
2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745
rules update
2019-03-06 00:43:42 +01:00
mrblacyk
6232362f04
Missing tags
2019-03-06 00:16:40 +01:00
mrblacyk
07807837ee
Missing tags
2019-03-06 00:02:37 +01:00
mikhail
be108d95cc
Merge branch 'master' of https://github.com/AverageS/sigma
2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf
Fix 4 rules
2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
Florian Roth
7b3d67ae66
fix: bugfix in new proc creation rule
2019-03-02 11:28:13 +01:00
Florian Roth
1a583c158d
fixed typo as in pull request by @m0jtaba
2019-03-02 08:16:25 +01:00
Florian Roth
2188001f98
Extended filter list provided by @Ov3rflow
2019-03-02 08:13:29 +01:00
Thomas Patzke
56a1ed1eac
Merge branch 'project-1'
2019-03-02 00:26:10 +01:00
Thomas Patzke
7602309138
Increased indentation to 4
...
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00
Thomas Patzke
6bdb4ab78a
Merge cleanup
2019-02-27 22:05:27 +01:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Thomas Patzke
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
Thomas Patzke
7622b17415
Moved test rule to final location/naming scheme
2019-01-14 23:58:25 +01:00