Tareq AlKhatib
45458121c6
Updated to use the new process_creation logsource
2019-03-04 16:13:27 +03:00
Florian Roth
ae1541242c
New custom suspicious TLD in rule ".pw"
2019-03-03 10:58:12 +01:00
Thomas Patzke
17e9729ddd
Merge pull request #273 from TareqAlKhatib/process_create
...
Process create
2019-03-02 21:57:59 +01:00
Tareq AlKhatib
58c61430a2
updated to use process_creation
2019-03-02 21:05:15 +03:00
Tareq AlKhatib
be2ca8dc4d
Added checks for Sysmon 1 or EID 4688 instead of process_creation
2019-03-02 20:51:49 +03:00
Florian Roth
33e490e4fa
Titles in Examples
2019-03-02 12:23:44 +01:00
Florian Roth
7b3d67ae66
fix: bugfix in new proc creation rule
2019-03-02 11:28:13 +01:00
Florian Roth
9a3ceb8421
Sigmac Usage Examples
2019-03-02 10:58:02 +01:00
Florian Roth
1a583c158d
fixed typo as in pull request by @m0jtaba
2019-03-02 08:16:25 +01:00
Florian Roth
2188001f98
Extended filter list provided by @Ov3rflow
2019-03-02 08:13:29 +01:00
Florian Roth
bd4e61acd8
Merge pull request #271 from vburov/patch-4
...
Update win_susp_failed_logon_reasons.yml
2019-03-02 07:21:28 +01:00
Florian Roth
f80cf52982
Expired happens too often
...
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
2019-03-02 07:20:59 +01:00
Thomas Patzke
99b15edf8a
Sigma tools release 0.9
2019-03-02 00:47:03 +01:00
Thomas Patzke
56a1ed1eac
Merge branch 'project-1'
2019-03-02 00:26:10 +01:00
Thomas Patzke
7602309138
Increased indentation to 4
...
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00
Florian Roth
1aac9baaed
Merge pull request #270 from LiamSennitt/master
...
fix bug in chafer activity rule #269
2019-03-01 17:13:04 +01:00
Vasiliy Burov
7bebedbac1
Update win_susp_failed_logon_reasons.yml
...
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
2019-03-01 18:18:39 +03:00
Florian Roth
af6a1ff26a
Extended rule, modified timestamp
2019-03-01 13:36:54 +01:00
Florian Roth
f560e83886
Added modified date
2019-03-01 12:07:31 +01:00
Florian Roth
fc683ac7ee
Added error code for denied logon type
2019-03-01 12:06:54 +01:00
Liam Sennitt
2345cbf7bd
fix bug in chafer activity rule #269
2019-03-01 10:23:02 +00:00
Thomas Patzke
690807c846
Sigma tools release 0.8
2019-02-28 09:08:22 +01:00
Thomas Patzke
6bdb4ab78a
Merge cleanup
2019-02-27 22:05:27 +01:00
Florian Roth
8ce4b1530d
Rule: added SAM export
2019-02-26 09:00:47 +01:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Thomas Patzke
58a32f35d9
Merge pull request #246 from james0d0a/master
...
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
2019-02-24 16:53:49 +01:00
Florian Roth
f278a00174
Rule: certutil encode
2019-02-24 14:10:40 +01:00
Florian Roth
e7f5cbc22a
Rule: BabyShark activity
2019-02-24 14:04:44 +01:00
Florian Roth
a60b53a7df
fix: bugfix in BEAR activity rule
2019-02-24 14:04:44 +01:00
Florian Roth
8b7f0508a7
Merge pull request #262 from TareqAlKhatib/sysinternals
...
Added a detection path through process spawn
2019-02-24 09:19:00 +01:00
Tareq AlKhatib
7d3d819ea5
Added a detection path through process spawn
2019-02-24 10:29:58 +03:00
Florian Roth
bdf0dd8e21
Merge pull request #260 from TareqAlKhatib/malware_backconnect
...
Added private IP filter to reduce FPs
2019-02-23 22:47:14 +01:00
Tareq AlKhatib
a022333382
Added private IP filter to reduce FPs
2019-02-23 21:15:03 +03:00
Florian Roth
f25416bd65
chore: workaround Travis Python 3.5 problems
2019-02-23 07:43:41 +01:00
Florian Roth
afa18245bf
Merge pull request #254 from darkquasar/master
...
adding MPreter as McAfee classifies it
2019-02-23 07:34:04 +01:00
Thomas Patzke
c17f9d172f
Merge pull request #248 from megan201296/patch-17
...
Create win_mal_ursnif.yml
2019-02-22 21:30:49 +01:00
Thomas Patzke
02239fa288
Changed registry root key
...
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete ) it is abbreviated to HKU.
2019-02-22 21:30:30 +01:00
Thomas Patzke
18d012cc2e
Merge pull request #255 from vburov/patch-1
...
Update win_susp_process_creations.yml
2019-02-22 21:15:52 +01:00
Thomas Patzke
5c63ef17d2
Added further NirSoft tool parameters
2019-02-22 21:15:03 +01:00
vburov
bdf44be077
Update win_susp_process_creations.yml
2019-02-22 22:46:57 +03:00
darkquasar
87994ca46b
adding MPreter as McAfee classifies it
...
McAfee classifies some Meterpreter events with the "Mpreter" keyword
2019-02-22 15:22:10 +11:00
Florian Roth
d3b623e92a
Rule: suspicious pipes extended
...
https://github.com/Neo23x0/sigma/issues/253
2019-02-21 13:26:48 +01:00
Florian Roth
343a40ced7
Rule: extended exec location rule to support 4688 events
2019-02-21 13:26:48 +01:00
Florian Roth
c8701ac6e9
Merge pull request #252 from keepwatch/patch-1
...
Fixing yara condition
2019-02-21 10:17:09 +01:00
Florian Roth
8ae37f5d64
BEAR activity - CrowdStrike GTR 2019
...
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
2019-02-21 09:54:01 +01:00
Florian Roth
3a994d0d63
fix: bugfix in Judgement Panda rule
2019-02-21 09:50:49 +01:00
Florian Roth
5935eaa572
fix: added MITRE ATT&CK tags to APT rule
2019-02-21 09:27:59 +01:00
Florian Roth
aca470961a
fix: bugfix in Judgement Panda rule
2019-02-21 09:20:52 +01:00
Florian Roth
c474bfcae5
Judgement Panda - Crowdstrike GTR 2019
...
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
2019-02-21 09:20:52 +01:00
Keep Watcher
07dec06222
Fixing yara condition
2019-02-20 10:57:24 -05:00