yugoslavskiy
5827165c2d
event id deleted
2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720
changed to process_creation category
2019-06-03 15:47:24 +02:00
yugoslavskiy
6a39b4fb41
date added
2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596
rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing
2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e
Rule: renamed file - name was too generic
2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master
...
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Thomas Patzke
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
Lionel PRAT
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
Florian Roth
7b63c92fc0
Rule: applying recommendation
...
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
Olaf Hartong
b60cfbe244
Added password flag
2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule
2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b
Rule: Terminal Service Process Spawn
2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88
Rule: Renamed PsExec
2019-05-21 09:49:40 +02:00
Thomas Patzke
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
Florian Roth
694fa567b6
Reformatted
2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline
2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax
2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes
2019-05-15 14:46:45 +02:00
Unknown
13522b97a7
Adjusting Newline
2019-05-15 12:15:41 +02:00
Unknown
275896dbe6
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 11:47:12 +02:00
Codehardt
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
Codehardt
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
Thomas Patzke
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
Thomas Patzke
15a4c7e477
Fixed rule
2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14
Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3
2019-05-10 00:00:14 +02:00
Thomas Patzke
f01fbd6b79
Merge branch
2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d
Changed rule
...
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e
Converted to generic process creation rule
...
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d
Update win_proc_wrong_parent.yml
...
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00
Florian Roth
378ba5b38f
Transformed rule
...
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs
Fixed Typo
Changes to title and description
2019-05-09 23:48:36 +02:00
Vasiliy Burov
8e6295e402
Windows processes with wrong parent
...
Detect scenarios when malicious program is disguised as legitimate process
2019-05-09 23:48:36 +02:00
Thomas Patzke
121e21960e
Rule changes
...
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799
Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2
2019-05-09 22:55:07 +02:00
Thomas Patzke
f0b0f54500
Merge improved pull request #322
2019-04-21 23:56:36 +02:00
Thomas Patzke
765fe9dcd9
Further improved Windows user creation rule
...
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
Karneades
b47900fbee
Add default path to filter for explorer in exe anomaly rule
2019-04-21 17:42:47 +02:00
Florian Roth
dd9648b31e
Revert "New Sigma rule detecting local user creation"
2019-04-21 09:09:25 +02:00
Thomas Patzke
49beb5d1a8
Integrated PR from @P4T12ICK in existing rule
...
PR #321
2019-04-21 00:28:40 +02:00
Thomas Patzke
bdd184a24c
Merge pull request #322 from P4T12ICK/feature/win_user_creation
...
New Sigma rule detecting local user creation
2019-04-21 00:20:15 +02:00
Thomas Patzke
80f45349ed
Modified rule
...
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00