Commit Graph

3390 Commits

Author SHA1 Message Date
Florian Roth
133b98ffcb
Merge pull request #1262 from invrep-de/oscd
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
2020-12-21 18:30:21 +01:00
Florian Roth
f20f346a6a
Merge pull request #1264 from omkar72/sdev-1
Adding 2 rules - Conhost & office test registry persistence
2020-12-21 18:28:59 +01:00
Florian Roth
e78d7e6aee
Merge pull request #1296 from mat-gas/fix-references
fix "references" field + add test for references in plural form
2020-12-21 18:25:35 +01:00
Florian Roth
377454cb31
Merge pull request #1299 from tjgeorgen/patch-1
ATT&CK subtechnique tag updates
2020-12-21 18:24:00 +01:00
Florian Roth
35ab80b39e
Merge pull request #1306 from d4rk-d4nph3/master
Added rule for Impacket's PsExec execution
2020-12-21 18:23:41 +01:00
Bhabesh Rai
0a7e95954e Fix for fail build 2020-12-14 12:55:08 +05:45
Bhabesh Rai
63fb31882e Added rule for Impacket's PsExec execution 2020-12-14 12:48:26 +05:45
Florian Roth
1b0aaf62c3
Merge pull request #1266 from omkar72/ryuk
modifying a couple of rules
2020-12-13 19:05:54 +01:00
Florian Roth
e2ade077ed
Merge pull request #1275 from bczyz1/patch-3
update win_apt_slingshot.yml
2020-12-13 19:04:47 +01:00
Florian Roth
612008a4d8
fix indentation 2020-12-11 18:40:17 +01:00
Tran Trung Hieu
edc79a8bb6 Detects suspicious shell spawn from MSSQL process; this might be a sign of RCE or SQL injection 2020-12-11 15:17:23 +07:00
Florian Roth
b6d62b7a21
Merge pull request #1302 from Neo23x0/rule-devel
TA505 Dropper, minor fix in PowerShell Rule
2020-12-08 10:40:07 +01:00
Florian Roth
640470cefd TA505 Loader Rule 2020-12-08 10:15:30 +01:00
Florian Roth
540039cbc3 fix: Malicious Nishang PowerShell Commandlets FP with MDATP 2020-12-05 09:33:42 +01:00
tjgeorgen
1c6c3a36fe
include updated RDP att&ck tag 2020-12-04 11:59:23 -05:00
tjgeorgen
0eda1ab462
also update tag for folder variant 2020-12-04 11:42:05 -05:00
tjgeorgen
5208bdd65a
add new version of ATT&CK T1500 tag 2020-12-04 11:19:16 -05:00
yugoslavskiy
a028cdf1ee
Update powershell_shellcode_b64.yml 2020-12-01 02:24:35 +01:00
yugoslavskiy
7309fb7d0e
Update powershell_winlogon_helper_dll.yml 2020-12-01 02:23:02 +01:00
yugoslavskiy
36754ae3d5
Update win_vul_cve_2020_0688.yml 2020-12-01 02:16:22 +01:00
yugoslavskiy
0188e45925
Update win_malware_script_dropper.yml 2020-12-01 02:12:53 +01:00
yugoslavskiy
30ecc8bd26
Update win_malware_script_dropper.yml 2020-12-01 02:08:52 +01:00
yugoslavskiy
6494103839
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:54:51 +01:00
yugoslavskiy
d1b625d080
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:51:47 +01:00
yugoslavskiy
3cbc2f0aec
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:47:23 +01:00
yugoslavskiy
816ce5937c
Update win_susp_crackmapexec_execution.yml 2020-12-01 01:29:35 +01:00
Vasiliy Burov
cf8d195c5c
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-11-30 11:49:42 +03:00
yugoslavskiy
56f94a19f7
Update win_regedit_export_keys.yml 2020-11-30 02:08:54 +01:00
yugoslavskiy
0414d7a498
Merge branch 'oscd' into master 2020-11-30 02:04:03 +01:00
Yugoslavskiy Daniil
d812a3e08e resolve conflict restoring rule win_susp_replace_lolbin.yml 2020-11-30 01:09:24 +01:00
Yugoslavskiy Daniil
98617609d6 Merge branch 'oscd' into HEAD 2020-11-30 01:07:26 +01:00
Yugoslavskiy Daniil
50623544a2 remove possible duplicate filter 2020-11-29 22:03:19 +01:00
OG
70fb078a56
Update sysmon_office_test_regadd.yml 2020-11-29 18:02:37 +05:30
OG
8e801ede32
Update win_susp_psexec_eula.yml 2020-11-29 17:45:29 +05:30
Jonhnathan
a9fde0117b
Merge branch 'oscd' into oscd_rules_improvement 2020-11-28 14:52:31 -03:00
yugoslavskiy
7dc5233dd9
Update win_susp_commands_recon_activity.yml 2020-11-28 18:43:04 +01:00
yugoslavskiy
5196926d60
Update sysmon_stickykey_like_backdoor.yml 2020-11-28 18:33:21 +01:00
yugoslavskiy
39c2258848
Update sysmon_registry_persistence_search_order.yml 2020-11-28 18:30:41 +01:00
yugoslavskiy
9f8ef95571
Update win_webshell_detection.yml 2020-11-28 18:25:09 +01:00
yugoslavskiy
c761d05a17
Update win_system_exe_anomaly.yml 2020-11-28 18:03:19 +01:00
yugoslavskiy
258334d6d1
Update win_susp_wmi_execution.yml 2020-11-28 18:01:06 +01:00
Jonhnathan
95eb7424aa
Update sysmon_susp_run_key_img_folder.yml 2020-11-28 13:54:59 -03:00
Jonhnathan
f504ccc33f
Update sysmon_susp_reg_persist_explorer_run.yml 2020-11-28 13:52:36 -03:00
Jonhnathan
986800056c
Update sysmon_stickykey_like_backdoor.yml 2020-11-28 13:50:13 -03:00
yugoslavskiy
c0c74a05df
Update win_susp_sysvol_access.yml 2020-11-28 17:49:21 +01:00
Jonhnathan
ef34c94e6a
Update sysmon_registry_persistence_search_order.yml 2020-11-28 13:49:18 -03:00
yugoslavskiy
3c75bc922a
Update win_susp_squirrel_lolbin.yml 2020-11-28 17:47:16 +01:00
Jonhnathan
06cc5049a4
Update sysmon_dns_serverlevelplugindll.yml 2020-11-28 13:46:02 -03:00
yugoslavskiy
42f27a41cb
Update win_susp_rundll32_by_ordinal.yml 2020-11-28 17:44:30 +01:00
yugoslavskiy
ca0a6547fb
Update win_susp_run_locations.yml 2020-11-28 17:42:47 +01:00
Jonhnathan
f1455e0c38
Update win_win10_sched_task_0day.yml 2020-11-28 13:42:30 -03:00
Jonhnathan
fe3ed329ef
Update win_webshell_recon_detection.yml 2020-11-28 13:41:11 -03:00
yugoslavskiy
ea550cf551
Update win_susp_regsvr32_anomalies.yml 2020-11-28 17:40:40 +01:00
Jonhnathan
f0bf3d13b5
Update win_webshell_detection.yml 2020-11-28 13:38:34 -03:00
Jonhnathan
9f4bbb7e65
Update win_webshell_detection.yml 2020-11-28 13:35:50 -03:00
yugoslavskiy
bcf62fba72
Update win_susp_ps_appdata.yml 2020-11-28 17:34:34 +01:00
yugoslavskiy
2ed4b26291
Update win_susp_procdump.yml 2020-11-28 17:33:02 +01:00
Jonhnathan
0d0f58c830
Update win_system_exe_anomaly.yml 2020-11-28 13:32:44 -03:00
yugoslavskiy
a3e436363e
Update win_susp_powershell_parent_combo.yml 2020-11-28 17:31:37 +01:00
Jonhnathan
c9b5ba10f8
Update win_susp_wmi_execution.yml 2020-11-28 13:30:34 -03:00
yugoslavskiy
c01c05b826
Update win_susp_powershell_enc_cmd.yml 2020-11-28 17:29:15 +01:00
Jonhnathan
f6117eebc7
Update win_susp_sysvol_access.yml 2020-11-28 13:27:28 -03:00
Jonhnathan
88b4d4c4e5
Update win_susp_sysvol_access.yml 2020-11-28 13:26:22 -03:00
yugoslavskiy
66a504078b
Update win_susp_ping_hex_ip.yml 2020-11-28 17:25:52 +01:00
Jonhnathan
7aa831eac3
Remove additional backslash 2020-11-28 13:25:28 -03:00
Jonhnathan
0357472635
Update win_susp_squirrel_lolbin.yml 2020-11-28 13:24:38 -03:00
Jonhnathan
f70bd415a3
Update win_susp_run_locations.yml 2020-11-28 13:21:04 -03:00
Jonhnathan
5cbefe3737
Update win_susp_regsvr32_anomalies.yml 2020-11-28 13:18:38 -03:00
Jonhnathan
e99f63f811
Update win_susp_ps_appdata.yml 2020-11-28 13:15:24 -03:00
Jonhnathan
fc842c22b2
Update win_susp_prog_location_process_starts.yml 2020-11-28 13:11:15 -03:00
Jonhnathan
a78eb61d92
Remove additional backslash 2020-11-28 13:08:51 -03:00
Jonhnathan
27f47a8ffc
Update win_susp_procdump.yml 2020-11-28 13:08:21 -03:00
Jonhnathan
b61707e7f3
Remove additional backslash 2020-11-28 13:07:06 -03:00
Jonhnathan
c9461506f2
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:06:10 -03:00
Jonhnathan
2364e9870d
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:05:47 -03:00
Jonhnathan
f4f8174199
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:04:36 -03:00
Jonhnathan
53e1201bea
Update win_susp_ping_hex_ip.yml 2020-11-28 13:01:42 -03:00
Jonhnathan
b24945999e
Update win_susp_ping_hex_ip.yml 2020-11-28 13:01:24 -03:00
Jonhnathan
1c56dc463a
Remove additional backslash 2020-11-28 12:38:19 -03:00
Jonhnathan
198bdb9659
Remove Additional backslash 2020-11-28 12:34:06 -03:00
Jonhnathan
63adc6fc09
Update win_susp_direct_asep_reg_keys_modification.yml 2020-11-28 12:32:35 -03:00
Jonhnathan
3481b0dd9e
Update win_susp_curl_start_combo.yml 2020-11-28 12:31:55 -03:00
yugoslavskiy
245a0d3438
Update win_susp_outlook.yml 2020-11-28 13:34:57 +01:00
yugoslavskiy
36299f5139
Update win_susp_net_execution.yml 2020-11-28 13:33:30 +01:00
yugoslavskiy
501791945f
Update win_susp_msiexec_web_install.yml 2020-11-28 13:32:01 +01:00
yugoslavskiy
8293fd8e5b
Update win_susp_iss_module_install.yml 2020-11-28 13:30:27 +01:00
yugoslavskiy
1896a45572
Update win_susp_ntdsutil.yml 2020-11-28 13:28:00 +01:00
Jonhnathan
4411fc5b0e
Update win_susp_commands_recon_activity.yml 2020-11-28 09:14:56 -03:00
Jonhnathan
2bf4644b48
Update win_renamed_paexec.yml 2020-11-28 09:08:48 -03:00
Jonhnathan
4e59fc0dfd
Update win_renamed_binary_highly_relevant.yml 2020-11-28 09:08:09 -03:00
yugoslavskiy
4354303174
Update win_susp_execution_path.yml 2020-11-28 13:07:22 +01:00
yugoslavskiy
77cf5d2563
Update win_susp_exec_folder.yml 2020-11-28 13:04:05 +01:00
yugoslavskiy
201377fa29
Update win_susp_csc_folder.yml 2020-11-28 13:01:03 +01:00
yugoslavskiy
c4a35036a0
Update win_susp_csc.yml 2020-11-28 12:54:18 +01:00
yugoslavskiy
5d7f42a4a6
Update win_susp_crackmapexec_execution.yml 2020-11-28 12:53:00 +01:00
yugoslavskiy
38e7853891
Update win_susp_copy_lateral_movement.yml 2020-11-28 12:44:54 +01:00
yugoslavskiy
34e64a6570
Update win_susp_codepage_switch.yml 2020-11-28 12:42:27 +01:00
yugoslavskiy
5278fcd476
Update win_susp_cmd_http_appdata.yml 2020-11-28 12:34:28 +01:00
yugoslavskiy
fd102c1b5f
Update win_susp_certutil_encode.yml 2020-11-28 12:31:40 +01:00
yugoslavskiy
68365f29c2
Update win_susp_certutil_command.yml 2020-11-28 12:29:30 +01:00
yugoslavskiy
c9596d7e30
Update win_susp_adfind.yml 2020-11-28 12:11:53 +01:00
yugoslavskiy
331a177f69
Update win_proc_wrong_parent.yml 2020-11-28 12:10:37 +01:00
yugoslavskiy
dbb054777a
Update win_plugx_susp_exe_locations.yml 2020-11-28 12:02:16 +01:00
yugoslavskiy
0fdd8e7128
Update win_netsh_port_fwd_3389.yml 2020-11-28 11:32:35 +01:00
yugoslavskiy
5d457f4f79
Update win_netsh_port_fwd.yml 2020-11-28 11:31:27 +01:00
yugoslavskiy
78193d3e3a
Update win_mal_adwind.yml 2020-11-28 11:25:28 +01:00
yugoslavskiy
de41e34d53
Update win_apt_sofacy.yml 2020-11-28 11:21:23 +01:00
yugoslavskiy
fe499d8838
Update win_apt_judgement_panda_gtr19.yml 2020-11-28 11:14:23 +01:00
yugoslavskiy
11c18e14d8
Update win_hack_koadic.yml 2020-11-28 11:12:06 +01:00
yugoslavskiy
eaf2fde6eb
Update win_netsh_fw_add_susp_image.yml 2020-11-28 11:05:04 +01:00
yugoslavskiy
5eec5d485b
Update sysmon_in_memory_assembly_execution.yml 2020-11-28 10:55:18 +01:00
yugoslavskiy
9445d18474
Update win_netsh_wifi_credential_harvesting.yml 2020-11-28 10:39:37 +01:00
yugoslavskiy
687f6d8946
Update win_powershell_download.yml 2020-11-28 10:37:30 +01:00
yugoslavskiy
fe0029e738
Update win_powersploit_empire_schtasks.yml 2020-11-28 10:29:07 +01:00
yugoslavskiy
de5cac99d9
Update win_malware_wannacry.yml 2020-11-28 10:28:04 +01:00
yugoslavskiy
5a4b01662e
Update win_netsh_fw_add.yml 2020-11-28 10:22:24 +01:00
yugoslavskiy
9ae26e2674
Update win_apt_cloudhopper.yml 2020-11-28 10:20:12 +01:00
yugoslavskiy
4a2cce0b40
Update win_apt_chafer_mar18.yml 2020-11-28 10:15:39 +01:00
Florian Roth
1ea4bb0b87
wrong field name 2020-11-28 10:10:00 +01:00
yugoslavskiy
17813c947c
Update win_apt_bluemashroom.yml 2020-11-28 09:48:30 +01:00
yugoslavskiy
26fa500e21
Update win_control_panel_item.yml 2020-11-28 09:38:49 +01:00
yugoslavskiy
2e5e4a20d2
Update powershell_clear_powershell_history.yml 2020-11-28 09:26:18 +01:00
yugoslavskiy
016a89c186
Update win_susp_net_recon_activity.yml 2020-11-28 08:00:07 +01:00
Jonhnathan
702f697168
Update win_powershell_download.yml 2020-11-27 16:10:10 -03:00
Jonhnathan
fb119d6112
Remove additional backslash 2020-11-27 16:06:15 -03:00
Jonhnathan
bf5aa947e3
Update win_office_spawn_exe_from_users_directory.yml 2020-11-27 16:04:55 -03:00
Jonhnathan
f6aaa957ff
Update win_netsh_wifi_credential_harvesting.yml 2020-11-27 16:01:25 -03:00
Jonhnathan
d996e97fdd
Update win_netsh_port_fwd_3389.yml 2020-11-27 16:00:04 -03:00
Jonhnathan
b816754018
Update win_netsh_port_fwd_3389.yml 2020-11-27 15:59:25 -03:00
Jonhnathan
5acd8d622b
Update win_netsh_port_fwd.yml 2020-11-27 15:57:53 -03:00
Jonhnathan
9171d8913c
Remove Additional backslash 2020-11-27 15:45:08 -03:00
Jonhnathan
0bf996d66e
Update win_netsh_fw_add.yml 2020-11-27 15:44:22 -03:00
Jonhnathan
3f5a2af2db
Update win_mshta_spawn_shell.yml 2020-11-27 15:43:29 -03:00
Jonhnathan
345c6627a8
Update win_mmc_spawn_shell.yml 2020-11-27 15:42:22 -03:00
Jonhnathan
3854a0ed8d
Update Logic 2020-11-27 15:38:16 -03:00
Jonhnathan
84b35dd6b8
Update win_malware_script_dropper.yml 2020-11-27 15:30:53 -03:00
Jonhnathan
217dd53c62
Update win_malware_notpetya.yml 2020-11-27 15:29:29 -03:00
Jonhnathan
3410a1eece
Update win_malware_formbook.yml 2020-11-27 15:26:15 -03:00
Jonhnathan
253c0839ec
Update logic 2020-11-27 15:25:38 -03:00
Jonhnathan
5f5af0bd36
Update win_malware_dridex.yml 2020-11-27 15:10:31 -03:00
Jonhnathan
7672db2aeb
Update Logic 2020-11-27 12:37:04 -03:00
Jonhnathan
22ae395e4a
Update win_impacket_lateralization.yml 2020-11-27 12:35:27 -03:00
Jonhnathan
e18829697f
Update Logic 2020-11-27 12:33:31 -03:00
Jonhnathan
9331686368
Update Logic 2020-11-27 12:27:23 -03:00
Jonhnathan
dbd97647f6
Remove Additional backslash and update logic 2020-11-27 12:22:04 -03:00
Jonhnathan
421ab4dc5f
Update win_exploit_cve_2017_0261.yml 2020-11-27 12:18:06 -03:00
Jonhnathan
3f9edf19a9
Update win_control_panel_item.yml 2020-11-27 12:15:12 -03:00
Jonhnathan
bde2b95cdc
Remove Additional backslash 2020-11-27 12:14:34 -03:00
Jonhnathan
e58333f808
Update win_commandline_path_traversal.yml 2020-11-27 12:13:45 -03:00
mat
b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Jonhnathan
a403082631
Update win_bypass_squiblytwo.yml 2020-11-26 23:33:00 -03:00
Jonhnathan
d5803b89ef
Update win_apt_zxshell.yml 2020-11-26 23:31:10 -03:00
Jonhnathan
89a4aa84bf
Update win_apt_winnti_pipemon.yml 2020-11-26 23:29:10 -03:00
Jonhnathan
df93846117
Update win_apt_unidentified_nov_18.yml 2020-11-26 23:26:18 -03:00
Jonhnathan
b234d577d6
Update win_apt_sofacy.yml 2020-11-26 23:21:53 -03:00
Jonhnathan
77bae30bef
Update win_apt_slingshot.yml 2020-11-26 23:18:32 -03:00
Jonhnathan
f2dd516b7c
Fix logic 2020-11-26 23:16:03 -03:00
Jonhnathan
127607c5e7
Remove Additional backslash 2020-11-26 23:14:51 -03:00
Jonhnathan
bce74198ab
Remove Additional backslash 2020-11-26 23:14:24 -03:00
Jonhnathan
fda266adb6
Update win_apt_hurricane_panda.yml 2020-11-26 23:12:26 -03:00
Jonhnathan
d0b6694767
Update win_apt_greenbug_may20.yml 2020-11-26 23:05:44 -03:00
Jonhnathan
707fbe048e
Update win_apt_evilnum_jul20.yml 2020-11-26 23:05:08 -03:00
Jonhnathan
a113c0f3b4
Remove Additional backslash 2020-11-26 23:00:05 -03:00
Jonhnathan
d57d7c1e5b
Remove Additional backslash 2020-11-26 22:59:35 -03:00
Jonhnathan
f61317b2f9
Update sysmon_in_memory_assembly_execution.yml 2020-11-26 22:50:48 -03:00
Jonhnathan
784cab1dfe
Fix missing logic and Field 2020-11-26 22:46:17 -03:00
Jonhnathan
48f16a0ca8
Update win_susp_net_recon_activity.yml 2020-11-26 22:39:49 -03:00
Florian Roth
c6fc9de144 New Trickbot wermgr rule 2020-11-26 09:54:27 +01:00
Florian Roth
c111ab3141 Improved Trickbot recon rule 2020-11-26 09:54:13 +01:00
Florian Roth
b31ed47ccf Merge branch 'master' into devel 2020-11-26 09:44:56 +01:00
bczyz1
05398ae95e
change field newprocessname -> image 2020-11-23 13:43:19 +01:00
bczyz1
193021eff8
Update win_apt_slingshot.yml
fix condition
2020-11-20 09:19:03 +01:00
Jonhnathan
31e0cfb13f
Update win_susp_covenant.yml 2020-11-20 02:36:20 -03:00
Jonhnathan
ec1944e2d7
Update win_susp_copy_system32.yml 2020-11-20 02:31:26 -03:00
Jonhnathan
5d7131bbf2
Update win_susp_compression_params.yml 2020-11-20 02:29:41 -03:00
Jonhnathan
32ed588adb
Update detection Logic 2020-11-20 02:27:58 -03:00
Jonhnathan
b274be8d4e
Update detection Logic 2020-11-20 02:25:32 -03:00
Jonhnathan
c31c0d981a
Update detection logic 2020-11-20 02:23:18 -03:00
Jonhnathan
23edcc6dc6
Update win_susp_certutil_command.yml 2020-11-20 02:21:55 -03:00
Jonhnathan
8af17dda5b
Update win_spn_enum.yml 2020-11-20 02:17:31 -03:00
Jonhnathan
d5cb4246c2
Remove additional backslash 2020-11-20 02:16:51 -03:00
Jonhnathan
0606cd3dde
Update detection Logic 2020-11-20 02:10:27 -03:00
Jonhnathan
ebb4580378
Remove additional backslash 2020-11-20 02:04:28 -03:00
Jonhnathan
2ba146be07
Remove additional backslash 2020-11-20 02:03:06 -03:00
Jonhnathan
493fa3d5ee
Update sysmon_susp_mic_cam_access.yml 2020-11-20 02:02:26 -03:00
Jonhnathan
9e3a612953
Remove additional backslash 2020-11-20 02:01:43 -03:00
Jonhnathan
6c88dd700e
Update sysmon_stickykey_like_backdoor.yml 2020-11-20 02:00:53 -03:00
Jonhnathan
1e640b50f9
Remove additional backslash 2020-11-20 01:58:20 -03:00
Jonhnathan
acff5ef4f9
Update sysmon_registry_persistence_key_linking.yml 2020-11-20 01:57:34 -03:00
Jonhnathan
e35b09e1a6
Remove out of context falsepositive 2020-11-20 01:55:48 -03:00
Jonhnathan
d595df2879
Fix 2020-11-20 01:53:15 -03:00
Jonhnathan
6f3daad053
Update sysmon_apt_oceanlotus_registry.yml 2020-11-20 01:51:53 -03:00
Jonhnathan
9967bd1fe5
Update sysmon_apt_oceanlotus_registry.yml 2020-11-20 01:51:01 -03:00
Jonhnathan
1af9e9ed48
Update sysmon_win_reg_persistence.yml 2020-11-20 01:47:19 -03:00
Jonhnathan
8d8c29e0fe
Update sysmon_uac_bypass_sdclt.yml 2020-11-20 01:42:17 -03:00
Jonhnathan
372f000b7f
Update sysmon_uac_bypass_eventvwr.yml 2020-11-20 01:41:20 -03:00
Jonhnathan
e8aa9a854a
Update sysmon_uac_bypass_eventvwr.yml 2020-11-20 01:40:29 -03:00
Jonhnathan
57e98e3957
Remove additional backslash 2020-11-20 01:38:57 -03:00
Jonhnathan
9cf2ea5862
Update sysmon_susp_service_installed.yml 2020-11-20 01:38:17 -03:00
Jonhnathan
1acc19a8d5
Remove additional backslash 2020-11-20 01:37:24 -03:00
Jonhnathan
ab2edd1ff0
Update sysmon_malware_verclsid_shellcode.yml 2020-11-20 01:34:43 -03:00
Jonhnathan
240a8b9aa0
Update sysmon_lazagne_cred_dump_lsass_access.yml 2020-11-20 01:33:04 -03:00
Jonhnathan
ebd9973dcb
Update sysmon_lazagne_cred_dump_lsass_access.yml 2020-11-20 01:32:41 -03:00
Jonhnathan
2194744803
Update sysmon_invoke_phantom.yml 2020-11-20 01:30:58 -03:00
Jonhnathan
4af7f00f4a
Improve logic 2020-11-20 01:30:01 -03:00
Jonhnathan
728276ef13
Improve Logic 2020-11-20 01:22:20 -03:00
Jonhnathan
ee43919eec
Change detection logic 2020-11-20 01:05:06 -03:00
Jonhnathan
c42911cb47
Update win_wmi_persistence.yml 2020-11-20 00:58:49 -03:00
Jonhnathan
718792e0ba
Update win_tool_psexec.yml 2020-11-20 00:57:16 -03:00
Jonhnathan
b3e0b55250
Remove additional backslash 2020-11-20 00:53:13 -03:00
Jonhnathan
813afd4f4c
Remove additional backslash 2020-11-20 00:52:54 -03:00
Jonhnathan
f6a89e9707
Fix Detection Logic 2020-11-20 00:51:22 -03:00
Jonhnathan
0ffd1ef47f
Remove additional backslash 2020-11-19 23:15:38 -03:00
Jonhnathan
351a9920ed
Update win_mal_flowcloud.yml 2020-11-19 23:14:44 -03:00
Jonhnathan
43ffb80d94
Remove additional backslash 2020-11-19 23:09:50 -03:00
Jonhnathan
44652c4ffd
Remove additional backslash 2020-11-19 23:08:40 -03:00
Jonhnathan
9a5b17f2bb
Remove additional backslash 2020-11-19 23:04:26 -03:00
Jonhnathan
f79caba72a
Remove additional backslash 2020-11-19 22:58:50 -03:00
Jonhnathan
6ecafac619
Update sysmon_susp_driver_load.yml 2020-11-19 22:56:34 -03:00
Jonhnathan
f42ef96140
Fix Reference 2020-11-19 22:50:27 -03:00
Jonhnathan
fdd28556cf
Fix ref 2020-11-19 22:48:20 -03:00
Jonhnathan
4f4fcbc576
Update win_susp_wmi_login.yml 2020-11-19 22:47:20 -03:00
Jonhnathan
ea385767b9
Update win_susp_ntlm_auth.yml 2020-11-19 22:40:43 -03:00
Jonhnathan
5d85bbba56
Improve detection logic 2020-11-19 22:37:13 -03:00
Jonhnathan
c20bce4a77
Update win_susp_msmpeng_crash.yml 2020-11-19 22:30:48 -03:00
Jonhnathan
7fe2c00ac1
Update win_net_ntlm_downgrade.yml 2020-11-19 22:14:37 -03:00
Jonhnathan
371c112143
Fix the detection logic
ObjectName = admin was included in the query using AND, not OR.
2020-11-19 21:45:19 -03:00
v3t0
3d206b08d8 [OSCD] Added a rule to detect potential persistence using registry keys 2020-11-15 19:04:12 -05:00
stvetro
19eb8306d3 Removed unnecessary anti-false-positive condition 2020-11-14 09:50:29 +04:00
Ryan Plas
d4d694b4da Logic fix for sysmon_non_priv_program_files_move 2020-11-10 10:01:47 -05:00
Florian Roth
af4d546408
Merge pull request #1282 from Neo23x0/rule-devel
fix: FPs with notepad++ GUP rule
2020-11-10 13:39:28 +01:00
Florian Roth
2e9d7951a6
Merge pull request #1272 from bczyz1/patch-2
Fix typo in win_apt_lazarus_session_hijack.yml
2020-11-10 13:35:08 +01:00
Florian Roth
f6c0fb2d33 fix: FPs with notepad++ GUP rule 2020-11-09 16:34:12 +01:00
Florian Roth
c3785d6dc7 rule: FPs with WmiPrvSE rule 2020-11-05 16:44:33 +01:00
bczyz1
c554aaea8f
update win_apt_slingshot.yml
- optimized rule
- added detection of task modification (flag /change + /disable as described here https://stackoverflow.com/questions/26169582/does-anyone-know-of-a-way-to-turn-off-windows-defragmenters-default-schedule-us)
2020-11-05 15:51:22 +01:00
yugoslavskiy
efc3f298b8
simplify syntax 2020-11-04 23:03:34 +01:00
yugoslavskiy
2f789c45dc
change a syntax a bit to re-run the tests 2020-11-04 22:30:27 +01:00
bczyz1
4a5b2d642e
Fix typo in win_apt_lazarus_session_hijack.yml 2020-11-03 14:46:29 +01:00
GlebSukhodolskiy
8068487340
test trigger 2020-11-03 12:04:03 +03:00
GlebSukhodolskiy
544876951f
fixed duplication v2 2020-11-03 02:34:34 +03:00
GlebSukhodolskiy
48e46c279a
fixed duplication 2020-11-03 02:25:22 +03:00
GlebSukhodolskiy
cf8c721662
fixed optimization and references 2020-11-03 02:16:13 +03:00
GlebSukhodolskiy
e2c4af012b
Changed to Placeholders Usage
A query was too big to pass a test, so I changed the logic to use placeholders.
2020-11-03 00:56:42 +03:00
feedb
e93dd7fe61 fix 2020-11-01 15:25:12 +03:00
Vasiliy Burov
903ce08277
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-11-01 14:21:27 +03:00
yugoslavskiy
ea71828d34
change syntax a bit to re-run the test 2020-10-31 23:57:13 +01:00
stvetro
8dc8fdc44b Added anti-false-positive condition
4688 always has a non-empty cmd
2020-10-31 12:46:30 +04:00
omkargudhate22
f1bb9726ca
updated mitre tag 2020-10-30 13:35:40 +05:30
omkar72
86a849728d ryuk changes 2020-10-30 13:15:11 +05:30
Roberto Rodriguez
972326f761 A few more - 7 Rules 2020-10-29 21:11:41 -04:00
Roberto Rodriguez
25b92d4a2e Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-10-29 21:04:45 -04:00
Vasiliy Burov
ab60fdcef4
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 23:38:22 +03:00
Vasiliy Burov
683824ee46
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 11:44:45 +03:00
Vasiliy Burov
d743cbbe4b
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 11:14:43 +03:00
Semanur Guneysu
46c52b4347 Update sysmon_abusing_debug_privilege.yml 2020-10-28 20:11:29 +03:00
nsaddler
07f777d1b5
Update powershell_CL_Mutexverifiers_LOLScript_v2.yml 2020-10-28 19:32:18 +03:00
nsaddler
7ee644eac0
Update powershell_CL_Invocation_LOLScript_v2.yml 2020-10-28 19:30:21 +03:00
nsaddler
d0a796439b
Update powershell_CL_Invocation_LOLScript.yml 2020-10-28 19:25:43 +03:00
Наталья Шорникова
a4a3e01f25 Splitting into two rules 2020-10-28 19:13:29 +03:00
Наталья Шорникова
55a7fe6b9d Splitting into two rules 2020-10-28 19:08:23 +03:00
Vasiliy Burov
d90ec67cce
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-28 11:44:21 +03:00
Vasiliy Burov
744c637125
Delete win_rdp_session_hijacking.yml 2020-10-28 11:38:39 +03:00
Vasiliy Burov
931ccde3e6 Merge branch 'patch-15' of https://github.com/vburov/sigma into patch-15 2020-10-28 11:27:48 +03:00
Vasiliy Burov
eec398ea0e Merge branch 'master' into patch-15 2020-10-28 11:27:28 +03:00
Vasiliy Burov
2d2464ba22
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-28 11:20:26 +03:00
Vasiliy Burov
fdbd8de219 Revert "Update win_susp_multiple_files_renamed_or_deleted.yml"
This reverts commit eb166222bd.
2020-10-28 10:51:18 +03:00
Vasiliy Burov
00f1326ae6 Revert "Update win_susp_multiple_files_renamed_or_deleted.yml"
This reverts commit 64e48ed94d.
2020-10-28 10:50:53 +03:00
Jonhnathan
28febe5dd2
Update win_apt_chafer_mar18.yml 2020-10-27 23:28:04 -03:00
Jonhnathan
0860978412
Update win_apt_bear_activity_gtr19.yml 2020-10-27 23:26:34 -03:00
Jonhnathan
e24e6da3b5
Update win_apt_apt29_thinktanks.yml 2020-10-27 23:24:04 -03:00
Jonhnathan
467af2ebb5
Update sysmon_susp_prog_location_network_connection.yml 2020-10-27 22:56:32 -03:00
Jonhnathan
266109f3d8
Update win_mal_ryuk.yml 2020-10-27 22:47:41 -03:00
Jonhnathan
514f9ccd28
Update win_mal_ryuk.yml 2020-10-27 22:42:15 -03:00
Jonhnathan
187d1d3e3b
Update win_user_driver_loaded.yml 2020-10-27 22:37:50 -03:00
Jonhnathan
dbad6c637f
Update av_webshell.yml 2020-10-27 22:35:45 -03:00
Jonhnathan
0afe48a0a0
Update av_relevant_files.yml 2020-10-27 22:34:57 -03:00
Jonhnathan
95da1ec500
Update av_relevant_files.yml 2020-10-27 22:32:16 -03:00
Jonhnathan
d3c6d9df31
Update win_mal_ryuk.yml 2020-10-27 22:21:16 -03:00
Jonhnathan
98c7639db7
Update mal_azorult_reg.yml 2020-10-27 22:19:04 -03:00
Jonhnathan
8f4d6f802b
Update mal_azorult_reg.yml 2020-10-27 22:18:41 -03:00
Jonhnathan
bfb50a3d42
Update sysmon_susp_office_dsparse_dll_load.yml 2020-10-27 22:13:02 -03:00
Jonhnathan
3477866451
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 2020-10-27 22:10:17 -03:00
Jonhnathan
9fd203e2a3
Update mal_azorult_reg.yml 2020-10-27 22:07:45 -03:00
Jonhnathan
ebb84486f5
Update sysmon_susp_adsi_cache_usage.yml 2020-10-27 22:04:31 -03:00
Jonhnathan
182b12614b
Update sysmon_quarkspw_filedump.yml 2020-10-27 22:02:47 -03:00
Jonhnathan
dde5b46726
Update win_susp_sam_dump.yml 2020-10-27 22:01:31 -03:00
Jonhnathan
61ccdc598d
Update win_susp_local_anon_logon_created.yml 2020-10-27 22:00:42 -03:00
Jonhnathan
3eea825898
Update win_net_ntlm_downgrade.yml 2020-10-27 21:59:49 -03:00
Jonhnathan
53ff19f167
Update win_mmc20_lateral_movement.yml 2020-10-27 21:55:17 -03:00
Vasiliy Burov
64e48ed94d
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-27 23:33:56 +03:00
Vasiliy Burov
eb166222bd
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-27 23:15:28 +03:00
Vasiliy Burov
172c619719
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-27 22:50:09 +03:00
Vasiliy Burov
edede617cf
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-27 22:36:12 +03:00
Vasiliy Burov
515c4dd9cd
Added some false positives issues 2020-10-27 20:35:22 +03:00
Vasiliy Burov
66965cec33
Added some false positives issues 2020-10-27 17:31:46 +03:00
Semanur Guneysu
1e32391e59 Merge branch 'master' of https://github.com/semanurguneysu/sigma into oscd 2020-10-26 19:49:56 +03:00
Semanur Guneysu
27dbf73c0d Update sysmon_abusing_debug_privilege.yml
comment added
2020-10-26 19:25:36 +03:00
invrep-de
8a9db12d30
Enhanced to improve specificity
Enhanced to improve specificity per feedback received;
2020-10-26 12:05:16 -04:00
invrep-de
dc41f64023
[OSCD] Bad Opsec Defaults Sacrificial Processes
Incorporate feedback from @yugoslavskiy;
2020-10-26 11:52:16 -04:00
Semanur Guneysu
1b3cb8a64b
Delete .DS_Store 2020-10-26 18:15:57 +03:00