Sander Wiebing
a241792e10
Reduce FP of legitime processes
...
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe
All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.
Python 2.7, 3.3 and 3.7 does not have any file characteristics.
So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
2020-05-26 12:58:15 +02:00
Sander Wiebing
6fcf3f9ebf
Update win_netsh_fw_add.yml
2020-05-25 10:13:26 +02:00
Sander Wiebing
28652e4648
Add Windows Server 2008 and Windows Vista support
...
It did not support the command `netsh advfirewall firewall add`
2020-05-25 10:02:13 +02:00
Sander Wiebing
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml
...
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check.
Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
2020-05-25 09:50:47 +02:00
Florian Roth
9cd9a301c2
Merge pull request #791 from SanWieb/master
...
added rule for Netsh RDP port opening
2020-05-23 16:50:31 +02:00
ecco
10ca3006f5
move rule where needed
2020-05-23 10:07:55 -04:00
Sander Wiebing
d310805ed9
rule: Netsh RDP port opening
2020-05-23 14:19:52 +02:00
ecco
9a7f462d79
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
Florian Roth
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel
...
refactor: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:54:43 +02:00
Florian Roth
34006d0794
refactor: simplified and extended expression in CVE-2020-1048 rule
2020-05-23 09:16:19 +02:00
Florian Roth
57c8e63acd
refactore: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:09:58 +02:00
Thomas Patzke
96fae4be68
Added CrachMapExec rules
2020-05-22 00:50:37 +02:00
Florian Roth
64e0e7ca72
Merge pull request #784 from Neo23x0/rule-devel
...
refactor: slightly improved Greenbug rule
2020-05-21 14:19:09 +02:00
Florian Roth
91c4c4ecc5
refactor: slightly improved Greenbug rule
2020-05-21 13:38:11 +02:00
Florian Roth
bbf78374b6
Merge pull request #783 from Neo23x0/rule-devel
...
Greenbug Rule
2020-05-21 09:55:46 +02:00
Florian Roth
9a3b6c1c77
docs: added MITRE ATT&CK group tag
2020-05-21 09:44:11 +02:00
Florian Roth
344eb713c5
rule: Greenbug campaign
2020-05-21 09:39:57 +02:00
ZikyHD
8963c0a65e
Remove duplicate 'CommandLine' in fields
2020-05-20 11:54:47 +02:00
ecco
fd386fe8eb
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
Florian Roth
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel
...
Rule devel
2020-05-15 12:07:04 +02:00
ecco
54cf535dbc
remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)
2020-05-15 04:45:25 -04:00
Florian Roth
ab950fb89d
fix: removed rules missing in master
2020-05-14 15:53:09 +02:00
Florian Roth
7652813c2c
Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives
...
Widen the search as it gives too many false negatives
2020-05-13 21:02:12 +02:00
zaphod
78a5c743f2
Widen the search as it gives too many false negatives
2020-05-13 16:20:23 +02:00
Florian Roth
78a8266a1b
Merge pull request #749 from teddy-ROxPin/patch-6
...
Create win_advanced_ip_scanner.yml
2020-05-13 14:09:12 +02:00
Florian Roth
220a14f31c
fix: typo in contains
2020-05-13 12:38:54 +02:00
Florian Roth
a1856c5743
Update win_advanced_ip_scanner.yml
2020-05-13 11:56:25 +02:00
zaphod
a9ef7ef382
Fix a bad CommandLine search
2020-05-13 11:32:05 +02:00
teddy_ROxPin
bb17fd74ee
Create win_advanced_ip_scanner.yml
...
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
2020-05-12 21:43:01 -06:00
Florian Roth
1104044f53
fix: delete duplicate rules
2020-05-11 10:55:02 +02:00
Florian Roth
2b18b66c16
Merge branch 'master' into rule-devel
2020-05-11 10:50:10 +02:00
Florian Roth
4366a95024
rule: Maze ransomware
2020-05-11 10:46:26 +02:00
Florian Roth
f96c3a5fd4
Merge branch 'master' into rule-devel
...
# Conflicts:
# rules/proxy/proxy_ua_suspicious.yml
# rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
# rules/windows/process_creation/win_susp_csc_folder.yml
2020-05-11 10:44:19 +02:00
Remco Verhoef
2d38cb7b52
fix incorrect use of global
2020-05-06 23:00:45 +02:00
Florian Roth
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary
...
Add netsh to renamed binary rule
2020-05-02 14:12:34 +02:00
Florian Roth
b4b9b0155f
Merge pull request #716 from Karneades/patch-1
...
Add rule to detect wifi creds harvesting using netsh
2020-05-02 14:12:10 +02:00
Maxime Thiebaut
4600bf73dc
Update rules to follow the Sigma state specification
...
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional ) states the following:
> Declares the status of the rule:
> - stable: the rule is considered as stable and may be used in production systems or dashboards.
> - test: an almost stable rule that possibly could require some fine tuning.
> - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.
However the Sigma Rx YAML specification states the following:
> ```yaml
> status:
> type: //any
> of:
> - type: //str
> value: stable
> - type: //str
> value: testing
> - type: //str
> value: experimental
> ```
The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
- [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49)
)
- [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26)
)
- [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98)
)
Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
2020-04-24 20:50:31 +02:00
Andreas Hunkeler
7d437c2969
Add netsh to renamed binary rule
2020-04-20 17:12:25 +02:00
Andreas Hunkeler
d4e9606266
Improve netsh wifi rule another time due to arg shortcut
2020-04-20 16:40:03 +02:00
Andreas Hunkeler
af498d8a8c
Improve rule to detect argument shortcut in netsh wlan rule
2020-04-20 16:32:25 +02:00
Andreas Hunkeler
ba541c3952
Fix title for new netsh wifi rule
2020-04-20 16:20:45 +02:00
Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh
2020-04-20 16:14:44 +02:00
vesche
3889be6255
Replace reference link for win_susp_netsh_dll_persistence
2020-04-10 01:05:10 -05:00
vesche
82db80bee6
Remove wrong mitre technique
2020-04-10 01:02:43 -05:00
vesche
72b821e046
Update win_susp_netsh_dll_persistence.yml
2020-04-09 11:16:18 -05:00
Thomas Patzke
551a94af04
Merge branch 'master' of https://github.com/tileo/sigma into pr-658
2020-04-08 22:43:48 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml
2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223
...
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
...
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo.
2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped.
2020-04-01 18:18:13 +02:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
...
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml
2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml
2020-03-28 13:12:07 +01:00
Justin Ellison
dabc759136
Eliminate title collision
...
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
Florian Roth
28953a2942
fix: MITRE tags in rule
2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d
rule: powershell downloadfile
2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7
Merge branch 'master' into devel
2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8
rule: Exploited CVE-2020-10189 Zoho ManageEngine
2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f
rule: extended web shell spawn rule
2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5
Change falsepositives to array
2020-03-24 19:59:54 +01:00
j91321
c784adb10b
Wrong indentation falsepositives
2020-03-24 19:55:41 +01:00
j91321
98a633e54c
Add missing status and falsepositives
2020-03-24 19:53:41 +01:00
j91321
bc442d3021
Add path with lowercase system32
2020-03-24 19:48:24 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
...
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Harish SEGAR
ba3994f319
Fix of '1 of x' condition
2020-03-21 12:19:01 +01:00
Harish SEGAR
81b277ba1a
suspicious powershell parent process...
2020-03-21 00:26:30 +01:00
Harish SEGAR
a88b22a1bd
Fix namefield.
2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7
Restructure new improvement to process_creation folder.
2020-03-20 23:29:32 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
...
Devel
2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e
fix: reduced level due to false positives
2020-03-17 20:40:28 +01:00
neu5ron
4c94906d53
rule should be wildcard AND had a prepended ^
in one of the CommandLine conditions that would have caused to not trigger
2020-03-14 15:00:42 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
...
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues
2020-03-09 17:43:16 +01:00
David Szili
0947538228
MDATP schema changes
...
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
2020-03-09 17:12:41 +01:00
Florian Roth
ddefb3bc58
Merge branch 'master' into devel
2020-03-07 11:06:25 +01:00
ecco
b9e4734087
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d
rule: extended webshell rule with tomcat.exe
2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel
...
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df
fix: wrong identifier
2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8
fix avoiding FPs with MpCmdRun
...
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
2020-03-03 11:16:59 +01:00
Thomas Patzke
b63889af75
Fixed rules that likely will cause false negatives by fix
2020-03-01 23:14:53 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3
...
Rule: restore initial behaviour matching single word with spaces on each side
2020-03-01 22:40:24 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule
...
New Koadic detection rule
2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel
...
Several false positives with new rules
2020-02-26 09:46:02 +01:00
Florian Roth
1c90d6badd
level increased
2020-02-26 09:42:31 +01:00
Florian Roth
c8afd4a16b
Merge pull request #637 from tjgeorgen/patch-1
...
fix missing status & description in status field
2020-02-26 09:40:55 +01:00
Florian Roth
4f3e3166d3
fixing false positives
2020-02-26 09:33:55 +01:00
Tom Georgen
74f3fe70cc
fix missing status & description in status field
2020-02-25 16:30:41 -05:00
ecco
3247d5692a
wmiprvse subprocess: add fallback check on username instead of only logonid
2020-02-24 09:25:20 -05:00
ecco
df7356e829
Rule: restore initial behaviour matching single word with spaces on each side
2020-02-24 08:00:06 -05:00
ecco
aa1eff5419
fix FP on rmdir matching dir
2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix
...
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 09:58:33 +01:00
ecco
f807dae69a
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 03:03:46 -05:00
ecco
1703b725d3
fix non ascii character in rule
2020-02-24 02:58:34 -05:00
Thomas Patzke
48d95f027c
Merge branch 'oscd'
2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145
Rule fixes
...
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Florian Roth
6413730810
fix: fixing too restrictive rule
...
https://twitter.com/Hexacorn/status/1229702521679118336
2020-02-18 10:43:22 +01:00
Florian Roth
04b97bd84c
fix: character in filename
2020-02-18 10:19:48 +01:00
Florian Roth
cd607d4fed
rule: process dump via rundll32 and comsvcs.dll's MiniDumpW
2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc
rule: changed lsass process dump to level high
2020-02-18 10:03:25 +01:00
Wagga
b9c745a1b2
New Koadic detection rule
2020-02-16 16:48:49 +01:00
yugoslavskiy
d0e284ae18
fix typo (duplicates)
2020-02-16 18:19:25 +03:00
Thomas Patzke
f118839664
Further fixes and deduplications
...
From suggestions of @yugoslavskiy in issue #554 .
2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14
Revert "Moved rules with enrichments into unsupported"
...
This reverts commit ba83b8862a
.
2020-02-15 22:52:06 +01:00
Florian Roth
080532d20c
logsource change
...
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524
additional gallium ttp
...
sha1 process creation only makes sense for sysmon
2020-02-07 14:08:40 +00:00
Thomas Patzke
7fdd6f7bce
Swapped accidental deletion of older rule duplicate
2020-02-06 23:41:05 +01:00
Thomas Patzke
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0
Deduplication
2020-02-03 22:41:55 +01:00
Thomas Patzke
815c562a17
Merge branch 'master' into oscd
2020-02-02 13:40:08 +01:00
Thomas Patzke
ba83b8862a
Moved rules with enrichments into unsupported
2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c
additional execution observed
2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel
...
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel
...
Winnti rule and helpful message in test script
2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f
rule: winnti group campaign against HK universities
2020-02-01 15:43:30 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master
2020-01-31 14:45:29 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel
...
New tests, colorized test output and rule cleanup
2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872
rule: wsreset.exe UAC bypass
2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master
...
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Florian Roth
d2122b6b83
Merge pull request #594 from sreemanshanker/master
...
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
2020-01-30 09:14:58 +01:00
Florian Roth
a01773681a
fix: filename
2020-01-30 08:18:29 +01:00
Florian Roth
529e95e3a5
Fixed everything
...
This rule had a lot of errors and problems.
- title
- file name
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
2020-01-30 08:17:46 +01:00
Florian Roth
4c90e636b1
changed file name
2020-01-30 08:07:56 +01:00
Florian Roth
a935cea665
fix: condition
2020-01-30 08:06:53 +01:00
sreemanshanker
d5c7b4795d
Add files via upload
2020-01-30 11:29:01 +08:00
Florian Roth
a816f4775f
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29
rule: dctask64.exe evasion techniques
...
https://twitter.com/gN3mes1s/status/1222088214581825540
2020-01-28 11:29:24 +01:00
Florian Roth
5f0589b787
rule: mstsc shadowing
2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3
rule: split up renamed binary rule
2020-01-24 15:31:07 +01:00
GelosSnake
8fbe08d5fa
Update win_system_exe_anomaly.yml
...
fixing to much original fork.
2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0
Update win_system_exe_anomaly.yml
...
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170
Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml
Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166
Added new sticky key attack binary
2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68
svchost spawned without cli
2020-01-24 15:31:06 +01:00
david-burkett
032c382184
corrected logic
2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51
Trickbot behavioral recon activity
2020-01-24 15:31:06 +01:00
Thomas Patzke
9bb50f3d60
OSCD QA wave 2
...
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
Florian Roth
ba7c634f1a
More changes
2020-01-13 09:59:14 +01:00
Florian Roth
7bd820c151
Changes
2020-01-13 09:56:49 +01:00
sreemanshanker
ffcfcb70ad
Add files via upload
2020-01-13 13:21:06 +08:00
Thomas Patzke
ae6fcefbcd
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4
OSCD QA wave 1
...
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Florian Roth
48f5f480fd
fix: SCCM false positives with whoami.exe rule
2020-01-07 12:13:47 +01:00
Florian Roth
c007ecf90c
Merge pull request #585 from Neo23x0/devel
...
Devel
2019-12-30 15:08:43 +01:00