valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,252 Commits 20 Branches 25 Tags 21 MiB
4fa928866f
Commit Graph

1064 Commits

Author SHA1 Message Date
alexpetrov12
8d0c89b598 added new rules 
add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload
 2019-10-23 01:55:03 +03:00
Florian Roth
3d4ce9d175 rule: another reference link for 'execution by ordinal' 2019-10-22 15:18:19 +02:00
zinint
49f9b797a7
Update sysmon_xsl_script_processing.yml 2019-10-22 15:20:15 +03:00
zinint
a8bd2c8e78
Update win_data_compressed.yml 2019-10-22 14:57:53 +03:00
zinint
74d1fef8b8
Update win_data_compressed.yml 2019-10-22 14:53:43 +03:00
zinint
cc6d4b05ac
OSCD Task 7 : ART T1002 Exfiltration With Rar 
OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
 2019-10-22 14:00:52 +03:00
Florian Roth
b3654947bc rule: suspicious call by ordinal (rundll32) 2019-10-22 12:40:26 +02:00
Florian Roth
0f02f2bdfc rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 12:32:37 +02:00
root
00a757959e add rule win_susp_capture_screenshots.yml 2019-10-22 06:06:07 +02:00
root
2bd9d8a9d8 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:56:37 +02:00
root
fb53855ae5 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:50:49 +02:00
zinint
daf1034621
Update win_possible_applocker_bypass.yml 2019-10-22 00:54:29 +03:00
zinint
789782ef59
Update sysmon_xsl_script_processing.yml 2019-10-22 00:08:46 +03:00
zinint
56f807cb44
Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:54 +03:00
zinint
0d8eff0d86
Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:10 +03:00
zinint
a1d72f20c8
Update sysmon_xsl_script_processing.yml 2019-10-21 23:51:39 +03:00
zinint
5248f83fb3
Update sysmon_xsl_script_processing.yml 2019-10-21 23:46:11 +03:00
zinint
a685c9c3be
Update sysmon_xsl_script_processing.yml 2019-10-21 23:39:33 +03:00
zinint
784d7138ca
OSCD Task 7 ART T1220 
OSCD Task 7 ART T1220 rule add
 2019-10-21 22:22:55 +03:00
Florian Roth
deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth
ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth
c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth
5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Florian Roth
d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth
4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth
e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth
52fef7ae10
Merge pull request #468 from 2d4d/lsass_without_exe 
remove .exe from lsass
 2019-10-14 18:03:13 +02:00
Florian Roth
8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth
0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth
312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d
cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth
7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth
5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth
98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth
60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Florian Roth
ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth
14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke
60ef593a6f Fixed wrong backslash escaping of * 
Fixes issue #466
 2019-10-07 22:14:44 +02:00
Florian Roth
d096ab0e21 rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet 2019-10-04 16:17:34 +02:00
Florian Roth
3eaf4d6e94 fix: fixed typo in bluemashroom rule 2019-10-02 15:45:55 +02:00
Florian Roth
6d78a5fede rule: extended the command line in bluemashroom rule 2019-10-02 14:03:34 +02:00
Florian Roth
7423fe2072 fix: fixed typo in APT group name 2019-10-02 14:02:07 +02:00
Florian Roth
e993ef46f0 rule: APT blue mushroom 2019-10-02 13:57:14 +02:00
Florian Roth
4bc7f6ea52 rule: QBot process creation 2019-10-01 17:25:04 +02:00
Florian Roth
e0009bfb4a fix: merged duplicate rules 2019-10-01 16:14:38 +02:00
Florian Roth
d8af435827 rule: RUN key pointing to suspicious folders 2019-10-01 16:08:31 +02:00
Florian Roth
c44f940fb6 rule: suspicious RUN key created by exe in temp/download folders 2019-10-01 16:08:13 +02:00
Florian Roth
52df9e9f44 rule: execution in Outlook temp folder 2019-10-01 16:07:43 +02:00
Florian Roth
9a7ef0e3c2 fix: fixed rule warning 2019-09-30 19:38:40 +02:00
Florian Roth
2fbd35053e rule: improved formbook detection rule 2019-09-30 19:01:40 +02:00
Florian Roth
38831a05ae rule: formbook malware process creation 2019-09-30 18:57:58 +02:00
Florian Roth
05ca684962 rule: improved emotet rule 2019-09-30 17:17:23 +02:00
Florian Roth
66cbdbfff5 rule: emotet process creation 2019-09-30 15:53:29 +02:00
Florian Roth
93227e1eec
Merge pull request #436 from EccoTheFlintstone/master 
rule: impacket framework lateralization detection
 2019-09-28 11:37:07 +02:00
Florian Roth
ad59c90b29
Capitalization in Title 2019-09-28 10:30:16 +02:00
Florian Roth
0eb5fd75e1
Merge pull request #446 from EccoTheFlintstone/eventclear 
move wevtutil / fsutil events from ransomware to dedicated rules
 2019-09-28 10:29:03 +02:00
Florian Roth
de3a843bea
Merge pull request #457 from EccoTheFlintstone/sysmon_eventid3 
sysmon eventid 3: filter on outgoing connections (initiated: true) to…
 2019-09-28 10:16:02 +02:00
Florian Roth
29c5a9dc8e
Merge pull request #458 from EccoTheFlintstone/psexec 
fix: PsExec false positives
 2019-09-28 10:15:23 +02:00
ecco
5a15687c6c fix rule: task manager as parent: task manager can be run with higher privileges (show processes from all users --> UAC) and its parent is still the old taskmgr 2019-09-27 11:06:21 -04:00
ecco
7a1d48cccd fix: PsExec false positives 2019-09-26 04:50:43 -04:00
Florian Roth
36bcd1c54e
Merge pull request #443 from EccoTheFlintstone/aduserbck 
fix FP : field null value can be '-'
 2019-09-25 17:43:22 +02:00
Florian Roth
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin 
rule: user added to local administrator: handle non english systems b…
 2019-09-25 17:29:41 +02:00
Florian Roth
e77657db2f
Merge pull request #451 from EccoTheFlintstone/sysmon_clean 
sysmon rules cleanup and move to process_creation
 2019-09-25 17:28:23 +02:00
Florian Roth
365a46e27e
Merge pull request #454 from EccoTheFlintstone/no_tab 
remove TAB from cli escape as it's currently unsupported in sigmac
 2019-09-25 17:27:56 +02:00
Florian Roth
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix 
Ruler fix
 2019-09-25 17:26:55 +02:00
ecco
4c54e8322a sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives 2019-09-25 11:11:22 -04:00
ecco
a644b938a0 fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0) 2019-09-23 05:44:26 -04:00
ecco
6a7f7e0f76 add microsoft reference for events fields names 2019-09-23 05:21:30 -04:00
ecco
d48b63a235 ruler rule field name fix for eventID 4776 2019-09-23 05:17:35 -04:00
ecco
c2868f6e03 remove TAB from cli escape as it's currently unsupported in sigmac 2019-09-23 04:46:10 -04:00
ecco
0c96777f6a sysmon rules cleanup and move to process_creation 2019-09-11 10:24:43 -04:00
Florian Roth
038900e2fe fix: renamed powershell rule 2019-09-06 17:33:56 +02:00
ecco
b410710338 move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 10:57:03 -04:00
ecco
5ae46ac56d rule: user added to local administrator: handle non english systems by using group sid instead of name 2019-09-06 06:21:42 -04:00
ecco
fe93d84015 fix FP : field null value can be '-' 2019-09-06 05:14:58 -04:00
Florian Roth
7f1b6eb311 fix: duplicate rule 2019-09-06 10:30:47 +02:00
Florian Roth
fcbae16cc8 rule: image debugger 2019-09-06 10:28:20 +02:00
ecco
01956f1312 powershell false positives 2019-09-06 03:54:19 -04:00
Thomas Patzke
afe6668fbd
Merge pull request #438 from duzvik/master 
Escaped '\*' to '\*' where required
 2019-09-05 10:57:25 +02:00
Thomas Patzke
f9f5558ae1
Merge pull request #392 from TareqAlKhatib/shim 
Fixed commandline to detect any shim install from any location
 2019-09-05 10:28:50 +02:00
ecco
bdf8f99fdb fix typo 2019-09-04 11:31:00 -04:00
Florian Roth
7bef822da7 rule: minor improvement to susp ps enc cmd 2019-09-04 16:31:49 +02:00
Denys Iuzvyk
774be4d008 Escaped '\*' to '\*' where required 2019-09-04 14:05:58 +03:00
ecco
fc89804f34 rule: impacket framework lateralization detection 2019-09-03 10:28:59 -04:00
ecco
8cad0c638e add comcvcs.dll memdump method 2019-09-02 07:49:19 -04:00
Florian Roth
dca5a7a248
Merge pull request #432 from EccoTheFlintstone/master 
add/modify powershell Empire rules
 2019-09-02 11:40:36 +02:00
ecco
5f30e52739 add/modify powershell Empire rules 2019-09-02 05:04:44 -04:00
Florian Roth
ace0cc36c6 rule: improved csc rule 2019-08-31 08:44:09 +02:00
Florian Roth
ca2019b57f
fix: typo in MITRE tag 2019-08-27 12:32:56 +02:00
Florian Roth
6b7cd94197
Changes 2019-08-27 12:23:42 +02:00
weev3
d42a51372d
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30
Florian Roth
70a26a6132 fix: fixed MITRE tags 2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680 rule: csc.exe suspicious source folder 2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817 rules: encoded FromBase64String keyword 2019-08-24 13:53:05 +02:00
Florian Roth
87ce52f6fe fix: fixed wrong MITRE tag 2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21 rule: encoded IEX 2019-08-23 23:13:36 +02:00
Thomas Patzke
68fb56f503
Merge pull request #345 from ki11oFF/patch-1 
Detection of usage mimikatz trough WinRM
 2019-08-23 23:04:07 +02:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement 
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
 2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement 
Win susp add sid history improvement
 2019-08-23 22:58:46 +02:00
Florian Roth
cc01f76e99 docs: minor changes 2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00
ecco
d0a24f4409 filter NULL values to remove false positives 2019-08-20 05:10:41 -04:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match 
Add default task name and powershell task command to match what the rule name says: detects default config.
 2019-08-09 11:58:43 +02:00
Florian Roth
4fcb52d098 fix: removed mmc susp rule due to many FPs 2019-08-07 14:26:15 +02:00
Florian Roth
f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5 
Ryuk Ransomware commands from real case
 2019-08-06 10:29:00 +02:00
Karneades
42e6c9149b
Remove unneeded event code 2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule 2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell 
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml. And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml.
 2019-08-05 18:42:31 +02:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what title says 
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
 2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac rule: reworked vssadmin rule 2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf fix: fixing rule win_cmstp_com_object_access 
https://github.com/Neo23x0/sigma/issues/408
 2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99 Rule: reworked win_susp_powershell_enc_cmd 2019-07-30 14:36:30 +02:00
Florian Roth
9143e89f3e Rule: renamed and reworked hacktool Ruler rule 2019-07-26 14:49:09 +02:00
Florian Roth
f3fb2b41b2 Rule: FP filters extended 2019-07-23 14:58:36 +02:00
Florian Roth
2c57b443e4 docs: modification date in rule 2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix 
Win susp dhcp config failed fix
 2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e author string modified 2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved 2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074 changed logic to detect events related to sid history adding 2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44 rules/windows/builtin/win_susp_add_sid_history.yml improved 2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp 
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
 2019-07-16 15:30:52 -04:00
Tareq AlKhatib
d08a993159 Fixed commandline to detect any shim install from any location 2019-07-08 12:31:18 +03:00
Christophe Tafani-Dereeper
5bc10a4855
Include Github raw URLs in suspicious downloads detection rule 2019-07-05 09:01:35 +00:00
Florian Roth
0b883a90b6 fix: null value in separate expression 2019-07-02 20:14:45 +02:00
Florian Roth
ce43d600e3 fix: added null value / application to 4688 problem 2019-07-02 10:51:48 +02:00
Tareq AlKhatib
15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Vasiliy Burov
2f123f64a7
Added command that stops services. 2019-06-28 19:46:34 +03:00
Vasiliy Burov
3813d277a6
Ryuk Ransomware commands from real case 2019-06-28 19:26:05 +03:00
Florian Roth
ad386474bf fix: removed unusable extensions in proc exec context 2019-06-26 17:03:01 +02:00
Florian Roth
708f3ef002 fix: fixed duplicate element in new double extension rule 2019-06-26 16:00:58 +02:00
Florian Roth
41dc076959 Rule: suspicious double extension 2019-06-26 15:57:25 +02:00
Florian Roth
39b5eddfc7 Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00
Florian Roth
26036e0d35 fix: fixed image in taskmgr rule 2019-06-21 17:15:53 +02:00
Thomas Patzke
ff7128209e Adjusted level 2019-06-20 00:03:48 +02:00
Thomas Patzke
0f8849a652 Rule fixes 
* tagging
* removed spaces
* converted to generic log source
* typos/case
 2019-06-20 00:01:56 +02:00
Thomas Patzke
f4c86f15b8 Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master 2019-06-19 23:49:20 +02:00
Thomas Patzke
429c29ed5a
Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing 
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
 2019-06-19 23:43:10 +02:00
Thomas Patzke
960cd69d50 Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4 2019-06-19 23:34:25 +02:00
Thomas Patzke
dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke
d14f5c3436
Merge pull request #371 from savvyspoon/issue285 
CAR tagging
 2019-06-19 23:21:43 +02:00
Thomas Patzke
d82df83ef1
Merge pull request #369 from TareqAlKhatib/refactors 
Refactors
 2019-06-19 23:16:19 +02:00
mgreen27
07e2ee474c sigma/Add sysmon_renamed_binary 2019-06-15 20:20:52 +10:00
mgreen27
1d26708887 sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml 
alternative detection methods
 2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb
2d22a3fe02
Add detection for recent Mimikatz versions 
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
 2019-06-12 12:13:31 +03:00
Thomas Patzke
a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib
fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
yugoslavskiy
5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00
yugoslavskiy
6a39b4fb41 date added 2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596 rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing 2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name 
incorrect process name. accidentally had fsutil, should be bcdedit.

thanks to https://twitter.com/INIT_3 for pointing this out
 2019-06-01 09:50:50 -04:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master 
Add rule for CVE-2019-0708
 2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments 
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
 2019-05-27 08:54:18 +02:00
Thomas Patzke
241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00
Lionel PRAT
f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Florian Roth
7b63c92fc0 Rule: applying recommendation 
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
 2019-05-23 09:44:25 +02:00
Olaf Hartong
b60cfbe244
Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88 Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Thomas Patzke
2d0c08cc8b Added wildcards to rule values 
These values appear somewhere in a log message, therefore wildcards are
required.
 2019-05-21 01:03:20 +02:00
Patryk
c163dcbe05
Update sysmon_mimikatz_trough_winrm.yml 
Deleted tab character (\t)
 2019-05-20 13:22:36 +02:00
Patryk
a9faa3dc33
Create sysmon_mimikatz_trough_winrm.yml 
Detects usage of mimikatz through WinRM protocol
 2019-05-20 12:25:58 +02:00
Florian Roth
694fa567b6
Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown
13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown
275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
Codehardt
1ca57719b0 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:37:12 +02:00
Codehardt
6585c83077 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:13:35 +02:00
Thomas Patzke
25c0330dca Added filter 2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9 Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1 2019-05-10 00:15:51 +02:00
Thomas Patzke
15a4c7e477 Fixed rule 2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14 Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3 2019-05-10 00:00:14 +02:00
Thomas Patzke
f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d Changed rule 
* Adapted false positive notice to observation
* Decreased level
 2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e Converted to generic process creation rule 
Previous rule was prone to FPs; more generic form
 2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d Update win_proc_wrong_parent.yml 
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 2019-05-09 23:48:36 +02:00
Florian Roth
378ba5b38f Transformed rule 
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description
 2019-05-09 23:48:36 +02:00
Vasiliy Burov
8e6295e402 Windows processes with wrong parent 
Detect scenarios when malicious program is disguised as legitimate process
 2019-05-09 23:48:36 +02:00
Thomas Patzke
121e21960e Rule changes 
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
 2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Thomas Patzke
f0b0f54500 Merge improved pull request #322 2019-04-21 23:56:36 +02:00
Thomas Patzke
765fe9dcd9 Further improved Windows user creation rule 
* Decreased level
* Fixed field names
* Added false positive possibility
 2019-04-21 23:54:18 +02:00
Karneades
b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Florian Roth
dd9648b31e
Revert "New Sigma rule detecting local user creation" 2019-04-21 09:09:25 +02:00