Commit Graph

1985 Commits

Author SHA1 Message Date
Furkan ÇALIŞKAN
1c677aa172
Fix title as in guideline
Fix title error as in guideline and other cosmetic changes
2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN
bafd6bde5f
Convert to process_creation
Convert to process_creation
2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN
09afae1e66
Create sysmon_apt_muddywater_dnstunnel.yml
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
2020-06-04 14:27:19 +03:00
Trent Liffick
6c8c0cd85d
Removed incorrect technique 2020-06-03 17:51:57 -04:00
Trent Liffick
3c89f46899
removed unwanted file 2020-06-03 17:43:12 -04:00
Trent Liffick
2af501c9f5
added rule for zLoader & Office
detects changes to Office macro settings & ZLoader malware
2020-06-03 17:40:05 -04:00
Trent Liffick
a2ca199e7d
added rules for Lazaurs and hhsgov 2020-06-03 17:38:03 -04:00
William Bruneau
84dd8c39c4 Move null values out from list in rules 2020-06-03 13:57:22 +02:00
Sven Scharmentke
4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
ecco
b1c11cc345 add WMI module load false positive 2020-06-01 03:30:27 -04:00
Florian Roth
e20b58c421
Merge pull request #806 from SanWieb/sysmon_creation_system_file
Fixed wrong field & Improve rule
2020-05-29 17:32:27 +02:00
Sander Wiebing
a00f7f19a1
Add tagg Endswith
Prevent the trigger of {}.exe.log
2020-05-29 16:25:54 +02:00
Sander Wiebing
38afd8b5de
Fixed wrong field 2020-05-28 21:52:17 +02:00
Florian Roth
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel
ComRAT and KazuarRAT
2020-05-28 11:16:44 +02:00
Florian Roth
39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth
76dcc1a16f rule: renamed debugview 2020-05-28 09:22:25 +02:00
Florian Roth
ec313b6c8a
Merge pull request #801 from SanWieb/sysmon_creation_system_file
Rule: sysmon_creation_system_file
2020-05-27 08:49:20 +02:00
Sander Wiebing
d44fc43c54
Add extension 2020-05-26 19:10:11 +02:00
Sander Wiebing
f6ec724d51
Rule: sysmon_creation_system_file 2020-05-26 18:53:54 +02:00
Florian Roth
5bb6770f53
Merge pull request #800 from SanWieb/win_system_exe_anomaly
Extended Windows processes: win_system_exe_anomaly
2020-05-26 14:28:47 +02:00
Florian Roth
4ca81b896d rule: Turla ComRAT report 2020-05-26 14:19:22 +02:00
Sander Wiebing
3681b8cb56
Extended Windows processes 2020-05-26 13:56:51 +02:00
Florian Roth
c1f4787566
Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048
Changes to sysmon_cve-2020-1048
2020-05-26 13:21:04 +02:00
Florian Roth
ce1f46346f
Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access
Add 'Add-Content' to powershell_ntfs_ads_access
2020-05-26 13:20:40 +02:00
Florian Roth
e131f3476e
Merge pull request #796 from EccoTheFlintstone/fp
add more false positives
2020-05-26 13:20:23 +02:00
Sander Wiebing
f9f814f3b3
Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing
a241792e10
Reduce FP of legitime processes
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

Python 2.7, 3.3 and 3.7 does not have any file characteristics.

So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
2020-05-26 12:58:15 +02:00
Remco Hofman
48c5f2ed09 Update to sysmon_cve-2020-1048
Added .com executables to detection
Second TargetObject should have been Details
2020-05-26 11:20:21 +02:00
ecco
7037e77569 add more FP 2020-05-25 04:50:22 -04:00
Florian Roth
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
Fix 'source' value for win_susp_backup_delete
2020-05-25 10:48:36 +02:00
Florian Roth
0afe0623af
Merge pull request #757 from tliffick/master
added rule for Blue Mockingbird (cryptominer)
2020-05-25 10:47:23 +02:00
Sander Wiebing
6fcf3f9ebf
Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing
28652e4648
Add Windows Server 2008 and Windows Vista support
It did not support the command `netsh advfirewall firewall add`
2020-05-25 10:02:13 +02:00
Sander Wiebing
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. 

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
2020-05-25 09:50:47 +02:00
Sander Wiebing
b8ee736f44
Remove AppData folder as suspicious folder
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
2020-05-24 15:16:07 +02:00
Florian Roth
6fbfa9dfdd
Merge pull request #793 from Neo23x0/rule-devel
Esentutl rule and StrongPity Loader UA
2020-05-23 23:47:12 +02:00
ecco
f970d28f10 add more false positives 2020-05-23 15:06:15 -04:00
Florian Roth
3028a27055 fix: buggy rule 2020-05-23 18:32:02 +02:00
Florian Roth
df715386b6 rule: suspicious esentutl use 2020-05-23 18:27:36 +02:00
ecco
67faf4bd41 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml 2020-05-23 10:56:23 -04:00
Florian Roth
9cd9a301c2
Merge pull request #791 from SanWieb/master
added rule for Netsh RDP port opening
2020-05-23 16:50:31 +02:00
ecco
10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
ecco
d9bc09c38c fix test 2020-05-23 10:02:58 -04:00
ecco
78a7852a43 renamed dbghelp rule with new ID and comment and removed a false positive 2020-05-23 09:16:40 -04:00
Sander Wiebing
d310805ed9
rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco
75ba5f989c add 1 more FP to wmi load 2020-05-23 07:44:45 -04:00
ecco
9a7f462d79 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
ecco
cfde0625f5 fix false positive matching on every powershell process not run by SYSTEM account 2020-05-23 07:05:09 -04:00
Florian Roth
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel
refactor: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:54:43 +02:00
Florian Roth
34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth
57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
ecco
ec17c2ab56 filter on createkey only when needed 2020-05-22 10:37:00 -04:00
4A616D6573
879ad6f206
Update win_susp_ntlm_rdp.yml 2020-05-22 13:32:02 +10:00
4A616D6573
daa3c5e053
Update win_susp_ntlm_rdp.yml 2020-05-22 13:28:56 +10:00
4A616D6573
0f8f5fb29c
Create win_susp_ntlm_rdp.yml 2020-05-22 13:24:27 +10:00
Florian Roth
91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth
9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth
344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
ecco
0dd089db47 various rules cleaning 2020-05-18 20:29:53 -04:00
Thomas Patzke
96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth
64e0e7ca72
Merge pull request #784 from Neo23x0/rule-devel
refactor: slightly improved Greenbug rule
2020-05-21 14:19:09 +02:00
Florian Roth
bbf78374b6
Merge pull request #783 from Neo23x0/rule-devel
Greenbug Rule
2020-05-21 09:55:46 +02:00
Florian Roth
e7980bb434
Merge pull request #782 from ZikyHD/patch-1
Remove duplicate 'CommandLine' in fields
2020-05-20 12:55:41 +02:00
ZikyHD
8963c0a65e
Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
Florian Roth
9ab65cd1c7
Update win_alert_ad_user_backdoors.yml 2020-05-19 14:50:22 +02:00
Tatsuya Ito
c815773b1a enhancement rule 2020-05-19 18:05:51 +09:00
Tatsuya Ito
49f68a327a enhancement rule 2020-05-19 18:00:50 +09:00
ecco
1aa97fe577 flake 8 2020-05-18 10:03:18 -04:00
ecco
088800cd18 fix rule due to sigmac bug? 2020-05-18 09:39:48 -04:00
ecco
e89613aee0 add some false positives checks 2020-05-18 07:19:06 -04:00
Florian Roth
8154ca355a
Merge pull request #768 from maximelb/master
Remove "condition" from global rule in CVE-2020-1048.
2020-05-18 12:52:49 +02:00
Maxime Lamothe-Brassard
25d3a5a893
Remove "condition" from global rule.
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
2020-05-17 12:44:57 -07:00
Florian Roth
a46e357874 Merge branch 'master' into rule-devel 2020-05-16 08:59:34 +02:00
Florian Roth
d5e7d4e302 fix: missing condition in CVE-2020-1048 rule 2020-05-16 08:59:05 +02:00
ecco
fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
ecco
0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth
cc26b26377 Merge branch 'master' into rule-devel
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
2020-05-15 12:09:47 +02:00
Florian Roth
8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel
Rule devel
2020-05-15 12:07:04 +02:00
Florian Roth
beb62dc163
fix: condition location 2020-05-15 12:06:34 +02:00
Florian Roth
5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Florian Roth
2282432b6f
Merge pull request #753 from hieuttmmo/master
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
2020-05-15 11:35:12 +02:00
Florian Roth
28dc2a2267
Minor changes
hints: 
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
2020-05-15 11:33:36 +02:00
ecco
54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Trent Liffick
40ab1b7247
added 'action: global' 2020-05-14 23:33:08 -04:00
Trent Liffick
56a2747a70
Corrected missing condition
learning! fail fast & forward
2020-05-14 23:18:33 -04:00
Trent Liffick
fb1d8d7a76
Corrected typo 2020-05-14 23:04:14 -04:00
Trent Liffick
8aff6b412e
added rule for Blue Mockingbird (cryptominer) 2020-05-14 22:58:23 -04:00
Florian Roth
ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Tran Trung Hieu
e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu
443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu
e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu
97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Florian Roth
7652813c2c
Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives
Widen the search as it gives too many false negatives
2020-05-13 21:02:12 +02:00
Tran Trung Hieu
d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu
3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod
78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth
78a8266a1b
Merge pull request #749 from teddy-ROxPin/patch-6
Create win_advanced_ip_scanner.yml
2020-05-13 14:09:12 +02:00
Florian Roth
220a14f31c
fix: typo in contains 2020-05-13 12:38:54 +02:00
zaphod
1a598282f4 Add 'Add-Content' to powershell_ntfs_ads_access 2020-05-13 11:57:10 +02:00
Florian Roth
a1856c5743
Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
zaphod
a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin
bb17fd74ee
Create win_advanced_ip_scanner.yml
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
2020-05-12 21:43:01 -06:00
zaphod
d510e1aad4 Fix 'source' value for win_susp_backup_delete 2020-05-11 18:31:59 +02:00
Rettila
6ec74364f2
Create win_global_catalog_enumeration.yml 2020-05-11 17:40:47 +02:00
Rettila
ccacedf621
Merge pull request #3 from Neo23x0/master
merge
2020-05-11 17:38:27 +02:00
Florian Roth
1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth
2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth
4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth
f96c3a5fd4 Merge branch 'master' into rule-devel
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
2020-05-11 10:44:19 +02:00
Florian Roth
09d1b00459
Changed level to ciritcal 2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware
Detects registry keys used by Azorult malware
2020-05-08 21:26:24 -04:00
Florian Roth
fd7968d4f8
Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source
New rule: Failed Logon From Public IP
2020-05-08 16:24:12 +02:00
Florian Roth
24c0765694 Merge branch 'master' into devel 2020-05-08 12:17:14 +02:00
Florian Roth
7cc1b300d2 rule: maze ransomware patterns 2020-05-08 11:42:06 +02:00
Rettila
07a50edf89
Update win_metasploit_authentication.yml 2020-05-07 14:42:00 +02:00
Remco Verhoef
2d38cb7b52
fix incorrect use of global 2020-05-06 23:00:45 +02:00
Remco Verhoef
40539a0c0e
fix incorrect use of action global 2020-05-06 22:53:02 +02:00
Remco Hofman
123a23adae win_susp_failed_logon_source rule 2020-05-06 22:24:02 +02:00
Rettila
6aed82a039
Update win_metasploit_authentication.yml 2020-05-06 17:04:47 +02:00
Rettila
2beb65076c
Update win_metasploit_authentication.yml 2020-05-06 16:44:19 +02:00
Rettila
7371ce234b
Create win_metasploit_authentication.yml 2020-05-06 16:42:27 +02:00
Florian Roth
473c31232e
add additional reference 2020-05-05 19:25:33 +02:00
Rettila
0e1fa5c135
Update win_possible_dc_shadow.yml 2020-05-05 18:14:32 +02:00
Rettila
55d018255c
Update win_possible_dc_shadow.yml 2020-05-05 16:52:08 +02:00
Rettila
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml 2020-05-05 16:51:35 +02:00
Rettila
f27aa4bfee
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00
Rettila
db810b342f
Delete win_possible_dc_shadow.yml 2020-05-05 16:48:39 +02:00
Rettila
e3f21805f3
Update win_possible_dc_shadow.yml 2020-05-05 16:43:56 +02:00
Rettila
0f4cc9d365
Create win_possible_dc_shadow.yml 2020-05-05 16:40:52 +02:00
Florian Roth
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary
Add netsh to renamed binary rule
2020-05-02 14:12:34 +02:00
Florian Roth
b4b9b0155f
Merge pull request #716 from Karneades/patch-1
Add rule to detect wifi creds harvesting using netsh
2020-05-02 14:12:10 +02:00
Maxime Thiebaut
4600bf73dc Update rules to follow the Sigma state specification
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49))
 - [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26))
 - [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98))

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
2020-04-24 20:50:31 +02:00
Andreas Hunkeler
7d437c2969
Add netsh to renamed binary rule 2020-04-20 17:12:25 +02:00
Andreas Hunkeler
d4e9606266
Improve netsh wifi rule another time due to arg shortcut 2020-04-20 16:40:03 +02:00
Andreas Hunkeler
af498d8a8c
Improve rule to detect argument shortcut in netsh wlan rule 2020-04-20 16:32:25 +02:00
Andreas Hunkeler
ba541c3952
Fix title for new netsh wifi rule 2020-04-20 16:20:45 +02:00
Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh 2020-04-20 16:14:44 +02:00
Florian Roth
514bd8657b
Merge pull request #704 from Iveco/master
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-14 14:11:27 +02:00
Florian Roth
2e0e170058
Merge pull request #708 from teddy-ROxPin/patch-4
Create powershell_create_local_user.yml
2020-04-14 14:11:15 +02:00
Florian Roth
3175a48bdc
Casing 2020-04-14 13:40:34 +02:00
Florian Roth
ecdec93800
Casing 2020-04-14 13:39:58 +02:00
Florian Roth
5cbe008350
Casing 2020-04-14 13:39:22 +02:00
Florian Roth
5ee0808619
Merge pull request #706 from vesche/update_win_susp_netsh_dll_persistence
Update win_susp_netsh_dll_persistence.yml
2020-04-14 13:37:53 +02:00
Florian Roth
4f469c0e39
Adjusted level 2020-04-14 13:37:10 +02:00
Florian Roth
8f40c0a1c8
Merge pull request #710 from vesche/update_win_GPO_scheduledtasks
Update win_GPO_scheduledtasks.yml
2020-04-14 13:36:17 +02:00
Maxime Thiebaut
86c6891427 Add Windows Registry Persistence COM Search Order Hijacking 2020-04-14 12:59:29 +02:00
vesche
1f918253e8 Add additional reference 2020-04-13 11:09:36 -05:00
vesche
9cdb3a4a64 Fix typo 2020-04-13 11:09:00 -05:00
teddy-ROxPin
1501331f77
Create powershell_create_local_user.yml
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
2020-04-11 02:51:05 -06:00
vesche
3889be6255 Replace reference link for win_susp_netsh_dll_persistence 2020-04-10 01:05:10 -05:00
vesche
82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche
72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Iveco
61b9234d7f
Update win_user_driver_loaded.yml
removed internal field
2020-04-09 11:28:19 +02:00
Thomas Patzke
551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Iveco
e913db0dca
Update win_user_driver_loaded.yml
CI
2020-04-08 18:54:59 +02:00
Iveco
c5211eb94a
Update sysmon_susp_service_installed.yml
CI
2020-04-08 18:54:46 +02:00
Iveco
4520082ef7
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
CI
2020-04-08 18:54:37 +02:00
Iveco
6d85650390
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
Fixed Author
2020-04-08 18:41:33 +02:00
Iveco
fc1febdebe
Update sysmon_susp_service_installed.yml
Fixed Author
2020-04-08 18:41:25 +02:00
Iveco
d0746b50f4
Update win_user_driver_loaded.yml
Fixed author
2020-04-08 18:41:16 +02:00
Iveco
3280a1dfb0
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
Fixed CI
2020-04-08 18:23:29 +02:00
Iveco
5e724a0a54
Update sysmon_susp_service_installed.yml
Fixed CI
2020-04-08 18:22:51 +02:00
Iveco
d1b9c0c34a
Update win_user_driver_loaded.yml
Fixed CI
2020-04-08 18:21:59 +02:00
iveco
e87f2705a7 Detect Ghost-In-The-Logs (disabling/bypassing ETW) 2020-04-08 18:01:04 +02:00
Maxime Thiebaut
73a6428345 Update the NTLM downgrade registry paths
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
Florian Roth
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master
New sigma rules to detect new MITRE technique in last update (T1502)
2020-04-03 09:59:36 +02:00
Florian Roth
f4928e95bc
Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Florian Roth
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1
Typo fix for powershell_suspicious_invocation_generic.yml
2020-04-03 09:30:32 +02:00
Florian Roth
dec0c108f9
Merge pull request #683 from NVISO-BE/powershell_wmimplant
WMImplant detection rule
2020-04-02 11:54:09 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo. 2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
Clément Notin
18cdddb09e
Small typo 2020-03-31 15:22:00 +02:00
Maxime Thiebaut
8dcbfd9aca Add AD User Enumeration
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.

This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.

Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.

False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
Remco Hofman
b791d599ee Disabled keywords that could cause FPs 2020-03-30 08:53:52 +02:00
teddy-ROxPin
1a3731f7ae
Typo fix for powershell_suspicious_invocation_generic.yml
' - windowstyle hidden ' changed to ' -windowstyle hidden '
2020-03-29 04:16:15 -06:00
Florian Roth
8ea6b12eed
Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini
Add "Suspicious desktop.ini Action" rule
2020-03-28 13:34:01 +01:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth
e2b90220a2
Update sysmon_susp_desktop_ini.yml 2020-03-28 13:19:10 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml 2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Florian Roth
2426b39d83
Merge pull request #678 from justintime/title_collision
Eliminate title collision
2020-03-28 12:57:55 +01:00
Remco Hofman
f52ed4150d WMImplant parameter detection 2020-03-27 15:08:35 +01:00
Iveco
55258e1799
Title capitalized 2020-03-26 17:04:08 +01:00
Iveco
3f577c98e7
Title capalized 2020-03-26 17:03:33 +01:00
Iveco
68c20dca20
Fixed title length 2020-03-26 16:56:46 +01:00
Iveco
39a3af04ce
Fixed title length 2020-03-26 16:56:06 +01:00
Justin Ellison
dabc759136
Eliminate title collision
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
iveco
ddacde9e6b add LDAPFragger detections 2020-03-26 15:13:36 +01:00
Florian Roth
28953a2942 fix: MITRE tags in rule 2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d rule: powershell downloadfile 2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7 Merge branch 'master' into devel 2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8 rule: Exploited CVE-2020-10189 Zoho ManageEngine 2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f rule: extended web shell spawn rule 2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5 Change falsepositives to array 2020-03-24 19:59:54 +01:00
j91321
c784adb10b Wrong indentation falsepositives 2020-03-24 19:55:41 +01:00
j91321
98a633e54c Add missing status and falsepositives 2020-03-24 19:53:41 +01:00
j91321
3c74d8b87d Add correct Source to detection to avoid FP 2020-03-24 19:49:24 +01:00
j91321
bc442d3021 Add path with lowercase system32 2020-03-24 19:48:24 +01:00
j91321
78bfa950d7 Add WinPrvSE.exe to detection 2020-03-24 19:47:10 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Harish SEGAR
ba3994f319 Fix of '1 of x' condition 2020-03-21 12:19:01 +01:00
Harish SEGAR
81b277ba1a suspicious powershell parent process... 2020-03-21 00:26:30 +01:00
Harish SEGAR
a88b22a1bd Fix namefield. 2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7 Restructure new improvement to process_creation folder. 2020-03-20 23:29:32 +01:00
Harish SEGAR
b9a916ceb4 Removed useless condition. 2020-03-20 22:50:26 +01:00
Harish SEGAR
30fac9545a Fixed author field. 2020-03-20 22:49:07 +01:00
Harish SEGAR
1f251cec07 Added missing action field 2020-03-20 22:46:19 +01:00
Harish SEGAR
293018a9e7 Added conditions... 2020-03-20 22:33:14 +01:00
Harish SEGAR
74b81120e4 Usage of value modifiers... 2020-03-20 22:03:48 +01:00
Harish SEGAR
b129f09fee Improvement detection on downgrade of powershell 2020-03-20 21:48:19 +01:00
Maxime Thiebaut
dce18b23b7 Add "Suspicious desktop.ini Action" rule 2020-03-19 21:43:03 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
Devel
2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e fix: reduced level due to false positives 2020-03-17 20:40:28 +01:00
neu5ron
4c94906d53 rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger 2020-03-14 15:00:42 -04:00
neu5ron
4b572f3ccb newline in description - typo 2020-03-14 14:58:58 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues 2020-03-09 17:43:16 +01:00
David Szili
0947538228 MDATP schema changes
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
2020-03-09 17:12:41 +01:00
ecco
2489b8534c sysmon registry events fix 2020-03-09 12:02:04 -04:00
Florian Roth
ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
Florian Roth
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1
MMC Lateral Movement Rule 1
2020-03-07 11:02:16 +01:00
Florian Roth
2e184382f5
fix: eventid in process_creation rules 2020-03-07 10:43:47 +01:00
Florian Roth
7e8b59abe6
Merge pull request #643 from grumo35/patch-2
Update sysmon_cred_dump_tools_dropped_files.yml
2020-03-07 10:39:35 +01:00
Florian Roth
c609de4f27
Merge pull request #648 from NVISO-BE/patch-azure-ad-replication
Exclude Azure AD sync accounts from AD Replication rule
2020-03-07 10:39:04 +01:00
Florian Roth
b040c129be
fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA)
ae56db97ff
mmc lateral movement detection 1
see https://github.com/Neo23x0/sigma/issues/576
2020-03-04 14:57:41 -05:00
ecco
b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8 fix avoiding FPs with MpCmdRun
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
2020-03-03 11:16:59 +01:00
Florian Roth
7139bfb0cb fix: avoiding FPs with Citrix software
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
2020-03-03 11:01:42 +01:00
Remco Hofman
d4b5dd5749 Exclude Azure AD sync accounts from AD Replication rule 2020-03-02 16:43:20 +01:00
Thomas Patzke
b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3
Rule: restore initial behaviour matching single word with spaces on each side
2020-03-01 22:40:24 +01:00
Florian Roth
19d383989c fix: keyword expression in rule 2020-02-29 16:03:31 +01:00
Florian Roth
fa6458b70f rule: two rules to detect CVE-2020-0688 exploitation 2020-02-29 15:45:45 +01:00
Florian Roth
fdcba84fc8 fix: escaped backslash 2020-02-29 10:12:59 +01:00
grumo35
0d932810b5
Update sysmon_cred_dump_tools_dropped_files.yml
Adding sysinternal's procdump utility more about this on : https://en.hackndo.com/remote-lsass-dump-passwords/
2020-02-28 15:16:18 +01:00
Florian Roth
f88225dd2a
Merge pull request #640 from Neo23x0/devel
fix: broader exclusion for rule - OneDrive false positives
2020-02-26 18:41:52 +01:00
Florian Roth
6bbd80a8ee fix: broader exclusion for rule - OneDrive false positives 2020-02-26 18:31:58 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule
New Koadic detection rule
2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel
Several false positives with new rules
2020-02-26 09:46:02 +01:00
Florian Roth
1c90d6badd
level increased 2020-02-26 09:42:31 +01:00
Florian Roth
c8afd4a16b
Merge pull request #637 from tjgeorgen/patch-1
fix missing status & description in status field
2020-02-26 09:40:55 +01:00
Florian Roth
031e6d3ee6
Merge pull request #635 from EccoTheFlintstone/fix_fp4
wmiprvse subprocess: add fallback check on username instead of only l…
2020-02-26 09:40:34 +01:00
Florian Roth
4f3e3166d3 fixing false positives 2020-02-26 09:33:55 +01:00
Florian Roth
82d2b1e6f0 Merge branch 'master' into devel
# Conflicts:
#	rules/windows/process_creation/win_susp_squirrel_lolbin.yml
2020-02-26 09:27:48 +01:00
Florian Roth
e7aff17e72 FP: OneDrive setup 2020-02-26 09:26:19 +01:00
Tom Georgen
74f3fe70cc
fix missing status & description in status field 2020-02-25 16:30:41 -05:00
Florian Roth
a152853ac3
Merge pull request #624 from Antonlovesdnb/master
New rules for Macro Detections
2020-02-25 15:44:31 +01:00
Antonlovesdnb
e8b861bff4
Update sysmon_susp_winword_vbadll_load.yml 2020-02-25 09:24:29 -05:00
Antonlovesdnb
4c5d489428
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-25 09:23:52 -05:00
Antonlovesdnb
f92e2f2b18
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:23:22 -05:00
Antonlovesdnb
8141b1ae90
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-25 09:22:56 -05:00
Antonlovesdnb
45e4a585bf
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-25 09:22:37 -05:00
Antonlovesdnb
c5b42aeaed
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-25 09:19:03 -05:00
Antonlovesdnb
bb1eecfe14
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:17:33 -05:00
Florian Roth
dd1a0e764c docs: more false positive conditions 2020-02-25 11:13:58 +01:00
Florian Roth
950fa18418 fix: changed titles to avoid duplicates 2020-02-25 11:12:47 +01:00
Florian Roth
5d96f81a84 fix: lowered level due to false positives 2020-02-25 11:12:11 +01:00
ecco
3247d5692a wmiprvse subprocess: add fallback check on username instead of only logonid 2020-02-24 09:25:20 -05:00
ecco
df7356e829 Rule: restore initial behaviour matching single word with spaces on each side 2020-02-24 08:00:06 -05:00
ecco
aa1eff5419 fix FP on rmdir matching dir 2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 09:58:33 +01:00
ecco
f807dae69a fix false positive on taskkill.exe not related to service stop at all 2020-02-24 03:03:46 -05:00
ecco
1703b725d3 fix non ascii character in rule 2020-02-24 02:58:34 -05:00
Florian Roth
ab1dda7685 fix: non-ascii rule 2020-02-21 16:21:39 +01:00
Thomas Patzke
61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Antonlovesdnb
9625a94d0b
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-19 14:52:31 -05:00
Antonlovesdnb
6234f72a6c
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-19 14:52:09 -05:00
Antonlovesdnb
328858279f
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-19 14:51:50 -05:00
Antonlovesdnb
1f01fe446f
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-19 14:51:22 -05:00
Antonlovesdnb
6d0805ac13
Update sysmon_susp_winword_vbadll_load.yml 2020-02-19 14:51:00 -05:00
Antonlovesdnb
1e461cb2d1
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-19 14:50:31 -05:00
Antonlovesdnb
56ffa9ec0e
Update sysmon_registry_trust_record_modification.yml 2020-02-19 14:50:09 -05:00
Antonlovesdnb
397cdecb94
5 Rules covering various macro techniques
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product
2020-02-19 14:43:13 -05:00
Antonlovesdnb
f8be92dae0
Add files via upload 2020-02-19 10:13:44 -05:00
Florian Roth
6413730810 fix: fixing too restrictive rule
https://twitter.com/Hexacorn/status/1229702521679118336
2020-02-18 10:43:22 +01:00
Florian Roth
04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth
cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
yugoslavskiy
7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Thomas Patzke
01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
Wagga
b9c745a1b2 New Koadic detection rule 2020-02-16 16:48:49 +01:00
yugoslavskiy
d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
Thomas Patzke
f118839664 Further fixes and deduplications
From suggestions of @yugoslavskiy in issue #554.
2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14 Revert "Moved rules with enrichments into unsupported"
This reverts commit ba83b8862a.
2020-02-15 22:52:06 +01:00
Florian Roth
a4c210ed16 rule: remove keywords in powershell rule prone to FPs 2020-02-11 16:26:17 +01:00
Florian Roth
bf98d286f9
Merge pull request #615 from Neo23x0/devel
fix: dumpert rule with wrong sysmon event id
2020-02-08 20:03:28 +01:00
Florian Roth
080532d20c
logsource change
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524 additional gallium ttp
sha1 process creation only makes sense for sysmon
2020-02-07 14:08:40 +00:00
Florian Roth
be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Thomas Patzke
7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
Florian Roth
1a80b180fd
Merge pull request #613 from Neo23x0/devel
rule: dumpert process dump tool
2020-02-04 23:07:07 +01:00
Florian Roth
10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth
1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth
535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth
8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke
f59b36d891 Fixed rule 2020-02-02 12:54:56 +01:00
Thomas Patzke
ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c additional execution observed 2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel
Winnti rule and helpful message in test script
2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f rule: winnti group campaign against HK universities 2020-02-01 15:43:30 +01:00
Florian Roth
7a222920df
added 'date' 2020-01-31 15:27:30 +01:00
Florian Roth
913c839780
added 'id' 2020-01-31 15:26:43 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master 2020-01-31 14:45:29 +01:00
Florian Roth
1213712978
Merge branch 'master' into patch-1 2020-01-31 14:32:27 +01:00
Florian Roth
afecca3c13
Merge pull request #511 from 4A616D6573/patch-3
Created win_susp_local_anon_logon_created.yml
2020-01-31 14:30:54 +01:00
Florian Roth
8c4aadb423
Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth
190afcac88
Missing ID, wrong tag 2020-01-31 07:32:28 +01:00
Florian Roth
e3d61d5579
Missing ID 2020-01-31 07:31:56 +01:00
Florian Roth
033ab26d5e
Added date 2020-01-31 07:21:02 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel
New tests, colorized test output and rule cleanup
2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872 rule: wsreset.exe UAC bypass 2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Florian Roth
8cef4b2941
fix: missing id 2020-01-30 10:14:18 +01:00
Florian Roth
bf81ff90a8
fix: using a specific field 2020-01-30 10:13:33 +01:00
Florian Roth
0207eeece4
fix: hyphen 2020-01-30 10:10:03 +01:00
Florian Roth
2f1890b5e8
Update win_rdp_reverse_tunnel.yml 2020-01-30 10:09:41 +01:00
Florian Roth
8ec0060938
fix: fixing bug 2020-01-30 10:09:22 +01:00
Florian Roth
6ca100cabf
reverted changes 2020-01-30 10:08:25 +01:00
Florian Roth
0a4d32c7c7
fix: fixing issues 2020-01-30 10:07:24 +01:00
Florian Roth
9828d7f81d
re-added old reference 2020-01-30 10:03:09 +01:00
Florian Roth
d90ea6d267
improved rule 2020-01-30 09:58:32 +01:00
Florian Roth
d2122b6b83
Merge pull request #594 from sreemanshanker/master
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
2020-01-30 09:14:58 +01:00
Florian Roth
a01773681a
fix: filename 2020-01-30 08:18:29 +01:00
Florian Roth
529e95e3a5
Fixed everything
This rule had a lot of errors and problems. 
- title
- file name 
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
2020-01-30 08:17:46 +01:00
Florian Roth
4c90e636b1
changed file name 2020-01-30 08:07:56 +01:00
Florian Roth
a935cea665
fix: condition 2020-01-30 08:06:53 +01:00
sreemanshanker
d5c7b4795d
Add files via upload 2020-01-30 11:29:01 +08:00
Florian Roth
376092cfd3
Merge pull request #565 from RiccardoAncarani/master
Add Covenant default named pipe
2020-01-29 20:28:00 +01:00
Florian Roth
a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00