valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,956 Commits 20 Branches 25 Tags 21 MiB
47c22d0443
Commit Graph

1985 Commits

Author SHA1 Message Date
Florian Roth
d12b8347dc fix: bug in cmstp rule 
https://github.com/Neo23x0/sigma/issues/876
 2020-07-03 11:19:11 +02:00
Florian Roth
0bbf40fb14 refactor: include xcopy 2020-07-03 11:03:45 +02:00
Florian Roth
3bea08edfc refactor: copy from/to system32 rule 2020-07-03 10:56:26 +02:00
Florian Roth
02dee36f4c
Merge pull request #880 from Neo23x0/rule-devel 
fix: typo in systemroot
 2020-07-03 10:25:31 +02:00
Florian Roth
34ea706e4f fix: typo in systemroot 2020-07-03 10:24:58 +02:00
Florian Roth
53620a0d2f
Merge pull request #879 from Neo23x0/rule-devel 
fix: missing copy command
 2020-07-03 10:18:21 +02:00
Florian Roth
0fa1c1525b fix: missing copy command 2020-07-03 10:17:34 +02:00
Florian Roth
248506be93
Merge pull request #878 from Neo23x0/rule-devel 
DesktopImgDownLdr Rules and extra rule
 2020-07-03 10:14:58 +02:00
Florian Roth
1f0b1e58a9 fix: bugs in rule and title 2020-07-03 09:54:10 +02:00
Florian Roth
01ed87186f Copy From System Root rule 2020-07-03 09:45:58 +02:00
Florian Roth
33fef8bcf5 DesktopImgDownLdr rules 2020-07-03 09:45:48 +02:00
Thomas Patzke
de0bb36c51 Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785 2020-07-02 23:04:59 +02:00
Florian Roth
4c4ed1a4a2 fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth
154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth
b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth
ba682c5de6
Merge pull request #863 from qwerty1q2w/feature 
add win_not_allowed_rdp_access.yml rule
 2020-06-30 10:03:11 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth
2e3669a5a4
Merge pull request #865 from j91321/defender-rules 
Windows Defender logsource and rules
 2020-06-30 10:01:17 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Harish SEGAR
9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR
649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321
24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Pushkarev Dmitry
502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel 
fix: duplicate IDs
 2020-06-24 17:23:13 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69 Fix quoting for AD Object WriteDAC Access 
The AccessMask field needs to be quoted so that it is compared correctly.
 2020-06-22 15:31:03 -04:00
Furkan ÇALIŞKAN
b091e3b1c4
Update for new method 
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 2020-06-22 01:06:34 +03:00
Florian Roth
e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth
62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth
5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth
b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth
da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Florian Roth
b675c4c706 Merge branch 'master' into rule-devel 2020-06-19 09:24:26 +02:00
Florian Roth
4b0c80885f
Merge pull request #810 from EccoTheFlintstone/fp 
add WMI module load false positives
 2020-06-18 12:50:40 +02:00
Florian Roth
32ecb81630
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2 
ATT&CK subtechniques v2
 2020-06-18 09:10:09 +02:00
Ivan Kirillov
b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
ecco
99bfa14ae0 add 1 more FP 2020-06-17 12:49:27 -04:00
Florian Roth
0022705373 fix: filter not functional 
since `UsrLogon.cmd` does appear only in `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
 2020-06-17 16:09:44 +02:00
Ivan Kirillov
5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth
d24ec665fd
Merge pull request #838 from rtkbkish/fix-identifier 
Identifiers shared between global document and rule gets overwritten
 2020-06-15 20:20:23 +02:00
Florian Roth
87053502a3
Merge pull request #839 from rtkbkish/fix-double-backslash 
Fix match for double-backslash
 2020-06-15 20:19:56 +02:00
Florian Roth
869162a5da
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id 
Rule lists extra Sysmon ID (11). Should just match registry events (1…
 2020-06-15 20:19:27 +02:00
Florian Roth
3482e048fb
Merge pull request #841 from rtkbkish/fix-rule-match 
Rule needs endwith, not exact match.
 2020-06-15 20:19:12 +02:00
Florian Roth
46bd56a708
Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation 
Fix logsource field name from service->category
 2020-06-15 20:18:53 +02:00
Brad Kish
dfae2a6df6 Rule needs endwith, not exact match. 
Fix ImageLoaded filter to match with endswith, rather than exact match.
 2020-06-15 13:54:02 -04:00
Brad Kish
a9c6fa904f Rule lists extra Sysmon ID (11). Should just match registry events (12-14) 
Remove extraneous event ID 11. It will never match.
 2020-06-15 13:52:12 -04:00
Brad Kish
f196046b3d Fix match for double-backslash 
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
 2020-06-15 13:39:50 -04:00
Brad Kish
422b2bffd7 Fix rules with incorrect escaping of wildcars 
A backslash before a wildcard needs to be escaped with another backslash.
 2020-06-15 13:38:18 -04:00
Brad Kish
8d58c8f5c8 Fix logsource field name from service->category 
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
 2020-06-15 13:18:05 -04:00
Brad Kish
f5aa871e5d Identifiers shared between global document and rule gets overwritten 
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
 2020-06-15 13:14:31 -04:00
Iveco
40f0fd989d - moved to "process_creation" folder instead of "sysmon" 
- renamed .yml file
 2020-06-11 19:21:17 +02:00
Iveco
34d7ea2974 removed one field 2020-06-11 16:23:15 +02:00
Iveco
2081baafe5 updated to process_creation 2020-06-11 15:58:05 +02:00
Iveco
f56e2599b1 Cmd.exe Path Traversal Detection 2020-06-11 15:48:48 +02:00
Florian Roth
a7136481f1
Update win_pcap_drivers.yml 2020-06-11 11:14:43 +02:00
Florian Roth
97c45f9d46
Merge pull request #812 from tliffick/master 
added new rules for malware
 2020-06-10 17:37:19 +02:00
Cian Heasley
9835c6d67d
add win_pcap_drivers.yml 2020-06-10 15:53:22 +01:00
Florian Roth
96309d247b
fix: cosmetic fault 2020-06-10 16:41:03 +02:00
Florian Roth
6e4aa01baa
Cosmetics 2020-06-10 16:36:17 +02:00
Florian Roth
13c7d40a22
Cosmetics 2020-06-10 16:35:41 +02:00
Florian Roth
f553fb2e33
Cosmetics 2020-06-10 16:35:14 +02:00
Florian Roth
48e4e31713
Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll 
Fax Service DLL search order hijacking detection
 2020-06-10 16:33:12 +02:00
Florian Roth
1a9da23611
Merge pull request #825 from NVISO-BE/sysmon_office_persistence 
Office persistence by addin detection
 2020-06-10 16:32:50 +02:00
Steven Goossens
e5f36dd146 Added rules files split into folders 2020-06-10 16:32:30 +02:00
Remco Hofman
8adaa2d672 Fixed bad indentation 2020-06-10 15:02:41 +02:00
Remco Hofman
83a6e25bcb Fax Service DLL search order hijacking 2020-06-10 15:01:07 +02:00
Remco Hofman
cb8e478ac1 Sigma rule to detect Office persistence via addin. 2020-06-10 14:52:13 +02:00
Florian Roth
5c835cf1f2
Merge pull request #813 from ozirus/patch-1 
Create sysmon_apt_muddywater_dnstunnel.yml
 2020-06-09 18:44:45 +02:00
Florian Roth
7a334a8d8a
fix: missed line 2020-06-09 17:30:54 +02:00
Florian Roth
04913a4b95
Aligned indentation 2020-06-09 17:20:25 +02:00
Florian Roth
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud 
TA410 FlowCloud malware detection
 2020-06-09 17:18:39 +02:00
Remco Hofman
a9bf22750a Fixed bad indentation 2020-06-09 16:30:17 +02:00
Remco Hofman
4ce3ea735e TA410 FlowCloud malware detection 2020-06-09 16:21:46 +02:00
Remco Hofman
d14d391761 Octopus Scanner malware rule 2020-06-09 16:12:05 +02:00
Florian Roth
6e349030d9 rule: suspicious camera and mic access 2020-06-08 10:18:44 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel 
merged Cyb3rWarD0g's rules
 2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel 
Rule devel
 2020-06-06 14:19:37 +02:00
Florian Roth
3697186281 fix: fixed title 2020-06-06 14:04:40 +02:00
Florian Roth
246a95557b fix: description over multiple lines 2020-06-06 13:56:48 +02:00
Florian Roth
d54209dcc5 rule: ETW disabled 2020-06-06 13:56:19 +02:00
Florian Roth
2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN
082696ee84
Added UUID 2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN
e958a6a939
Date added 2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN
5e373153eb
Title fix 2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN
0744107fbb
Deleted EventID part 2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN
1c677aa172
Fix title as in guideline 
Fix title error as in guideline and other cosmetic changes
 2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN
bafd6bde5f
Convert to process_creation 
Convert to process_creation
 2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN
09afae1e66
Create sysmon_apt_muddywater_dnstunnel.yml 
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 2020-06-04 14:27:19 +03:00
Trent Liffick
6c8c0cd85d
Removed incorrect technique 2020-06-03 17:51:57 -04:00
Trent Liffick
3c89f46899
removed unwanted file 2020-06-03 17:43:12 -04:00
Trent Liffick
2af501c9f5
added rule for zLoader & Office 
detects changes to Office macro settings & ZLoader malware
 2020-06-03 17:40:05 -04:00
Trent Liffick
a2ca199e7d
added rules for Lazaurs and hhsgov 2020-06-03 17:38:03 -04:00
William Bruneau
84dd8c39c4 Move null values out from list in rules 2020-06-03 13:57:22 +02:00
Sven Scharmentke
4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'. 
This commit fixes the incorrect spelling.
 2020-06-03 09:00:59 +02:00
ecco
b1c11cc345 add WMI module load false positive 2020-06-01 03:30:27 -04:00
Florian Roth
e20b58c421
Merge pull request #806 from SanWieb/sysmon_creation_system_file 
Fixed wrong field & Improve rule
 2020-05-29 17:32:27 +02:00
Sander Wiebing
a00f7f19a1
Add tagg Endswith 
Prevent the trigger of {}.exe.log
 2020-05-29 16:25:54 +02:00
Sander Wiebing
38afd8b5de
Fixed wrong field 2020-05-28 21:52:17 +02:00
Florian Roth
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel 
ComRAT and KazuarRAT
 2020-05-28 11:16:44 +02:00
Florian Roth
39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth
76dcc1a16f rule: renamed debugview 2020-05-28 09:22:25 +02:00
Florian Roth
ec313b6c8a
Merge pull request #801 from SanWieb/sysmon_creation_system_file 
Rule: sysmon_creation_system_file
 2020-05-27 08:49:20 +02:00
Sander Wiebing
d44fc43c54
Add extension 2020-05-26 19:10:11 +02:00
Sander Wiebing
f6ec724d51
Rule: sysmon_creation_system_file 2020-05-26 18:53:54 +02:00
Florian Roth
5bb6770f53
Merge pull request #800 from SanWieb/win_system_exe_anomaly 
Extended Windows processes: win_system_exe_anomaly
 2020-05-26 14:28:47 +02:00
Florian Roth
4ca81b896d rule: Turla ComRAT report 2020-05-26 14:19:22 +02:00
Sander Wiebing
3681b8cb56
Extended Windows processes 2020-05-26 13:56:51 +02:00
Florian Roth
c1f4787566
Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048 
Changes to sysmon_cve-2020-1048
 2020-05-26 13:21:04 +02:00
Florian Roth
ce1f46346f
Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access 
Add 'Add-Content' to powershell_ntfs_ads_access
 2020-05-26 13:20:40 +02:00
Florian Roth
e131f3476e
Merge pull request #796 from EccoTheFlintstone/fp 
add more false positives
 2020-05-26 13:20:23 +02:00
Sander Wiebing
f9f814f3b3
Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing
a241792e10
Reduce FP of legitime processes 
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

Python 2.7, 3.3 and 3.7 does not have any file characteristics.

So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
 2020-05-26 12:58:15 +02:00
Remco Hofman
48c5f2ed09 Update to sysmon_cve-2020-1048 
Added .com executables to detection
Second TargetObject should have been Details
 2020-05-26 11:20:21 +02:00
ecco
7037e77569 add more FP 2020-05-25 04:50:22 -04:00
Florian Roth
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source 
Fix 'source' value for win_susp_backup_delete
 2020-05-25 10:48:36 +02:00
Florian Roth
0afe0623af
Merge pull request #757 from tliffick/master 
added rule for Blue Mockingbird (cryptominer)
 2020-05-25 10:47:23 +02:00
Sander Wiebing
6fcf3f9ebf
Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing
28652e4648
Add Windows Server 2008 and Windows Vista support 
It did not support the command `netsh advfirewall firewall add`
 2020-05-25 10:02:13 +02:00
Sander Wiebing
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml 
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. 

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
 2020-05-25 09:50:47 +02:00
Sander Wiebing
b8ee736f44
Remove AppData folder as suspicious folder 
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
 2020-05-24 15:16:07 +02:00
Florian Roth
6fbfa9dfdd
Merge pull request #793 from Neo23x0/rule-devel 
Esentutl rule and StrongPity Loader UA
 2020-05-23 23:47:12 +02:00
ecco
f970d28f10 add more false positives 2020-05-23 15:06:15 -04:00
Florian Roth
3028a27055 fix: buggy rule 2020-05-23 18:32:02 +02:00
Florian Roth
df715386b6 rule: suspicious esentutl use 2020-05-23 18:27:36 +02:00
ecco
67faf4bd41 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml 2020-05-23 10:56:23 -04:00
Florian Roth
9cd9a301c2
Merge pull request #791 from SanWieb/master 
added rule for Netsh RDP port opening
 2020-05-23 16:50:31 +02:00
ecco
10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
ecco
d9bc09c38c fix test 2020-05-23 10:02:58 -04:00
ecco
78a7852a43 renamed dbghelp rule with new ID and comment and removed a false positive 2020-05-23 09:16:40 -04:00
Sander Wiebing
d310805ed9
rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco
75ba5f989c add 1 more FP to wmi load 2020-05-23 07:44:45 -04:00
ecco
9a7f462d79 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
ecco
cfde0625f5 fix false positive matching on every powershell process not run by SYSTEM account 2020-05-23 07:05:09 -04:00
Florian Roth
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel 
refactor: split up rule for CVE-2020-1048 into 2 rules
 2020-05-23 09:54:43 +02:00
Florian Roth
34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth
57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
ecco
ec17c2ab56 filter on createkey only when needed 2020-05-22 10:37:00 -04:00
4A616D6573
879ad6f206
Update win_susp_ntlm_rdp.yml 2020-05-22 13:32:02 +10:00
4A616D6573
daa3c5e053
Update win_susp_ntlm_rdp.yml 2020-05-22 13:28:56 +10:00
4A616D6573
0f8f5fb29c
Create win_susp_ntlm_rdp.yml 2020-05-22 13:24:27 +10:00
Florian Roth
91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth
9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth
344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
ecco
0dd089db47 various rules cleaning 2020-05-18 20:29:53 -04:00
Thomas Patzke
96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth
64e0e7ca72
Merge pull request #784 from Neo23x0/rule-devel 
refactor: slightly improved Greenbug rule
 2020-05-21 14:19:09 +02:00
Florian Roth
bbf78374b6
Merge pull request #783 from Neo23x0/rule-devel 
Greenbug Rule
 2020-05-21 09:55:46 +02:00
Florian Roth
e7980bb434
Merge pull request #782 from ZikyHD/patch-1 
Remove duplicate 'CommandLine' in fields
 2020-05-20 12:55:41 +02:00
ZikyHD
8963c0a65e
Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
Florian Roth
9ab65cd1c7
Update win_alert_ad_user_backdoors.yml 2020-05-19 14:50:22 +02:00
Tatsuya Ito
c815773b1a enhancement rule 2020-05-19 18:05:51 +09:00
Tatsuya Ito
49f68a327a enhancement rule 2020-05-19 18:00:50 +09:00
ecco
1aa97fe577 flake 8 2020-05-18 10:03:18 -04:00
ecco
088800cd18 fix rule due to sigmac bug? 2020-05-18 09:39:48 -04:00
ecco
e89613aee0 add some false positives checks 2020-05-18 07:19:06 -04:00
Florian Roth
8154ca355a
Merge pull request #768 from maximelb/master 
Remove "condition" from global rule in CVE-2020-1048.
 2020-05-18 12:52:49 +02:00
Maxime Lamothe-Brassard
25d3a5a893
Remove "condition" from global rule. 
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
 2020-05-17 12:44:57 -07:00
Florian Roth
a46e357874 Merge branch 'master' into rule-devel 2020-05-16 08:59:34 +02:00
Florian Roth
d5e7d4e302 fix: missing condition in CVE-2020-1048 rule 2020-05-16 08:59:05 +02:00
ecco
fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
ecco
0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth
cc26b26377 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
 2020-05-15 12:09:47 +02:00
Florian Roth
8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel 
Rule devel
 2020-05-15 12:07:04 +02:00
Florian Roth
beb62dc163
fix: condition location 2020-05-15 12:06:34 +02:00
Florian Roth
5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Florian Roth
2282432b6f
Merge pull request #753 from hieuttmmo/master 
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
 2020-05-15 11:35:12 +02:00
Florian Roth
28dc2a2267
Minor changes 
hints: 
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
 2020-05-15 11:33:36 +02:00
ecco
54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Trent Liffick
40ab1b7247
added 'action: global' 2020-05-14 23:33:08 -04:00
Trent Liffick
56a2747a70
Corrected missing condition 
learning! fail fast & forward
 2020-05-14 23:18:33 -04:00
Trent Liffick
fb1d8d7a76
Corrected typo 2020-05-14 23:04:14 -04:00
Trent Liffick
8aff6b412e
added rule for Blue Mockingbird (cryptominer) 2020-05-14 22:58:23 -04:00
Florian Roth
ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Tran Trung Hieu
e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu
443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu
e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu
97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Florian Roth
7652813c2c
Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives 
Widen the search as it gives too many false negatives
 2020-05-13 21:02:12 +02:00
Tran Trung Hieu
d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu
3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod
78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth
78a8266a1b
Merge pull request #749 from teddy-ROxPin/patch-6 
Create win_advanced_ip_scanner.yml
 2020-05-13 14:09:12 +02:00
Florian Roth
220a14f31c
fix: typo in contains 2020-05-13 12:38:54 +02:00
zaphod
1a598282f4 Add 'Add-Content' to powershell_ntfs_ads_access 2020-05-13 11:57:10 +02:00
Florian Roth
a1856c5743
Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
zaphod
a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin
bb17fd74ee
Create win_advanced_ip_scanner.yml 
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 2020-05-12 21:43:01 -06:00
zaphod
d510e1aad4 Fix 'source' value for win_susp_backup_delete 2020-05-11 18:31:59 +02:00
Rettila
6ec74364f2
Create win_global_catalog_enumeration.yml 2020-05-11 17:40:47 +02:00
Rettila
ccacedf621
Merge pull request #3 from Neo23x0/master 
merge
 2020-05-11 17:38:27 +02:00
Florian Roth
1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth
2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth
4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth
f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Florian Roth
09d1b00459
Changed level to ciritcal 2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware 
Detects registry keys used by Azorult malware
 2020-05-08 21:26:24 -04:00
Florian Roth
fd7968d4f8
Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source 
New rule: Failed Logon From Public IP
 2020-05-08 16:24:12 +02:00
Florian Roth
24c0765694 Merge branch 'master' into devel 2020-05-08 12:17:14 +02:00
Florian Roth
7cc1b300d2 rule: maze ransomware patterns 2020-05-08 11:42:06 +02:00
Rettila
07a50edf89
Update win_metasploit_authentication.yml 2020-05-07 14:42:00 +02:00
Remco Verhoef
2d38cb7b52
fix incorrect use of global 2020-05-06 23:00:45 +02:00
Remco Verhoef
40539a0c0e
fix incorrect use of action global 2020-05-06 22:53:02 +02:00
Remco Hofman
123a23adae win_susp_failed_logon_source rule 2020-05-06 22:24:02 +02:00
Rettila
6aed82a039
Update win_metasploit_authentication.yml 2020-05-06 17:04:47 +02:00
Rettila
2beb65076c
Update win_metasploit_authentication.yml 2020-05-06 16:44:19 +02:00
Rettila
7371ce234b
Create win_metasploit_authentication.yml 2020-05-06 16:42:27 +02:00
Florian Roth
473c31232e
add additional reference 2020-05-05 19:25:33 +02:00
Rettila
0e1fa5c135
Update win_possible_dc_shadow.yml 2020-05-05 18:14:32 +02:00
Rettila
55d018255c
Update win_possible_dc_shadow.yml 2020-05-05 16:52:08 +02:00
Rettila
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml 2020-05-05 16:51:35 +02:00
Rettila
f27aa4bfee
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00
Rettila
db810b342f
Delete win_possible_dc_shadow.yml 2020-05-05 16:48:39 +02:00
Rettila
e3f21805f3
Update win_possible_dc_shadow.yml 2020-05-05 16:43:56 +02:00
Rettila
0f4cc9d365
Create win_possible_dc_shadow.yml 2020-05-05 16:40:52 +02:00
Florian Roth
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary 
Add netsh to renamed binary rule
 2020-05-02 14:12:34 +02:00
Florian Roth
b4b9b0155f
Merge pull request #716 from Karneades/patch-1 
Add rule to detect wifi creds harvesting using netsh
 2020-05-02 14:12:10 +02:00
Maxime Thiebaut
4600bf73dc Update rules to follow the Sigma state specification 
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49))
 - [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26))
 - [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98))

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
 2020-04-24 20:50:31 +02:00
Andreas Hunkeler
7d437c2969
Add netsh to renamed binary rule 2020-04-20 17:12:25 +02:00
Andreas Hunkeler
d4e9606266
Improve netsh wifi rule another time due to arg shortcut 2020-04-20 16:40:03 +02:00
Andreas Hunkeler
af498d8a8c
Improve rule to detect argument shortcut in netsh wlan rule 2020-04-20 16:32:25 +02:00
Andreas Hunkeler
ba541c3952
Fix title for new netsh wifi rule 2020-04-20 16:20:45 +02:00
Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh 2020-04-20 16:14:44 +02:00
Florian Roth
514bd8657b
Merge pull request #704 from Iveco/master 
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
 2020-04-14 14:11:27 +02:00
Florian Roth
2e0e170058
Merge pull request #708 from teddy-ROxPin/patch-4 
Create powershell_create_local_user.yml
 2020-04-14 14:11:15 +02:00
Florian Roth
3175a48bdc
Casing 2020-04-14 13:40:34 +02:00
Florian Roth
ecdec93800
Casing 2020-04-14 13:39:58 +02:00
Florian Roth
5cbe008350
Casing 2020-04-14 13:39:22 +02:00
Florian Roth
5ee0808619
Merge pull request #706 from vesche/update_win_susp_netsh_dll_persistence 
Update win_susp_netsh_dll_persistence.yml
 2020-04-14 13:37:53 +02:00
Florian Roth
4f469c0e39
Adjusted level 2020-04-14 13:37:10 +02:00
Florian Roth
8f40c0a1c8
Merge pull request #710 from vesche/update_win_GPO_scheduledtasks 
Update win_GPO_scheduledtasks.yml
 2020-04-14 13:36:17 +02:00
Maxime Thiebaut
86c6891427 Add Windows Registry Persistence COM Search Order Hijacking 2020-04-14 12:59:29 +02:00
vesche
1f918253e8 Add additional reference 2020-04-13 11:09:36 -05:00
vesche
9cdb3a4a64 Fix typo 2020-04-13 11:09:00 -05:00