Rettila
6ec74364f2
Create win_global_catalog_enumeration.yml
2020-05-11 17:40:47 +02:00
Rettila
ccacedf621
Merge pull request #3 from Neo23x0/master
...
merge
2020-05-11 17:38:27 +02:00
Florian Roth
37c33cb6d9
Merge pull request #743 from tliffick/master
...
Registry entry for Azorult malware
2020-05-11 16:37:15 +02:00
Florian Roth
09d1b00459
Changed level to ciritcal
2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml
2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware
...
Detects registry keys used by Azorult malware
2020-05-08 21:26:24 -04:00
Florian Roth
fd7968d4f8
Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source
...
New rule: Failed Logon From Public IP
2020-05-08 16:24:12 +02:00
Florian Roth
64a5ad0d07
Merge pull request #735 from nl5887/master
...
fix incorrect use of action global
2020-05-08 12:20:33 +02:00
Rettila
07a50edf89
Update win_metasploit_authentication.yml
2020-05-07 14:42:00 +02:00
Thomas Patzke
3b96b5e497
Merge pull request #723 from neu5ron/socprime_add_zeek_and_corelight
...
sigmacs for Zeek and Corelight(Zeek)
2020-05-06 23:22:14 +02:00
Remco Verhoef
2d38cb7b52
fix incorrect use of global
2020-05-06 23:00:45 +02:00
Remco Verhoef
40539a0c0e
fix incorrect use of action global
2020-05-06 22:53:02 +02:00
Remco Hofman
123a23adae
win_susp_failed_logon_source rule
2020-05-06 22:24:02 +02:00
Thomas Patzke
1797a1e56b
Merge pull request #733 from NVISO-BE/fix-732
...
Fix for broken endswith modifier
2020-05-06 22:17:08 +02:00
Remco Hofman
24029a8f27
Fix for broken endswith modifier
2020-05-06 17:10:54 +02:00
Rettila
6aed82a039
Update win_metasploit_authentication.yml
2020-05-06 17:04:47 +02:00
Rettila
2beb65076c
Update win_metasploit_authentication.yml
2020-05-06 16:44:19 +02:00
Rettila
7371ce234b
Create win_metasploit_authentication.yml
2020-05-06 16:42:27 +02:00
Rettila
ddb02c6820
Merge pull request #1 from Neo23x0/master
2020-05-06 11:24:26 +02:00
Florian Roth
1ce527c9be
Merge pull request #729 from Rettila/master
...
Rule correction and enhancement
2020-05-05 19:25:49 +02:00
Florian Roth
473c31232e
add additional reference
2020-05-05 19:25:33 +02:00
Rettila
0e1fa5c135
Update win_possible_dc_shadow.yml
2020-05-05 18:14:32 +02:00
Rettila
55d018255c
Update win_possible_dc_shadow.yml
2020-05-05 16:52:08 +02:00
Rettila
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml
2020-05-05 16:51:35 +02:00
Rettila
f27aa4bfee
Update win_possible_dc_sync.yml
2020-05-05 16:50:13 +02:00
Rettila
db810b342f
Delete win_possible_dc_shadow.yml
2020-05-05 16:48:39 +02:00
Rettila
e3f21805f3
Update win_possible_dc_shadow.yml
2020-05-05 16:43:56 +02:00
Rettila
0f4cc9d365
Create win_possible_dc_shadow.yml
2020-05-05 16:40:52 +02:00
neu5ron
a01a85cf9b
CI/CD check fixes (missing ID's)
2020-05-04 15:22:18 -04:00
neu5ron
90730508f0
Merge remote-tracking branch 'neu5ron-sigma/socprime_add_zeek_and_corelight' into socprime_add_zeek_and_corelight
2020-05-04 15:17:54 -04:00
neu5ron
a61b1da47a
fixed yaml space causing condition to not be found
2020-05-04 15:17:43 -04:00
neu5ron
98f163e752
fixed yaml space causing condition to not be found
2020-05-04 15:10:48 -04:00
Florian Roth
d298bb5714
Merge pull request #480 from hillu/override-coverage
...
Make coverage binary overridable
2020-05-02 18:50:58 +02:00
Florian Roth
030898ba9c
Merge branch 'master' into override-coverage
2020-05-02 14:22:03 +02:00
Florian Roth
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary
...
Add netsh to renamed binary rule
2020-05-02 14:12:34 +02:00
Florian Roth
b4b9b0155f
Merge pull request #716 from Karneades/patch-1
...
Add rule to detect wifi creds harvesting using netsh
2020-05-02 14:12:10 +02:00
Florian Roth
7f8baee10d
Merge pull request #720 from 0xThiebaut/specification
...
Update rules to follow the Sigma state specification
2020-05-02 14:11:45 +02:00
neu5ron
d300027848
on behalf of @socprime [SOC Prime Inc.]( https://my.socprime.com/en/tdm/ )
...
add rules for Zeek. This includes Windows Event Channel Security EventID:5145 that have same fields as Zeek SMB
Also, converted some of (MITRE ATT&CK BZAR)[https://github.com/mitre-attack/bzar ] which are Zeek (sensor) scripts.
2020-05-02 07:27:51 -04:00
neu5ron
c66540c029
on behalf of @socprime [SOC Prime Inc.]( https://my.socprime.com/en/tdm/ )
...
create `zeek` folder to store Zeek rules
2020-05-02 07:25:21 -04:00
neu5ron
cbe5af01a1
on behalf of @socprime [SOC Prime Inc.]( https://my.socprime.com/en/tdm/ )
...
add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR.
2020-05-02 07:23:11 -04:00
Thomas Patzke
2fafff3278
Fixed: escaping of backslashes before added *
...
Fixes issue #722 .
2020-05-02 00:13:15 +02:00
Maxime Thiebaut
4600bf73dc
Update rules to follow the Sigma state specification
...
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional ) states the following:
> Declares the status of the rule:
> - stable: the rule is considered as stable and may be used in production systems or dashboards.
> - test: an almost stable rule that possibly could require some fine tuning.
> - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.
However the Sigma Rx YAML specification states the following:
> ```yaml
> status:
> type: //any
> of:
> - type: //str
> value: stable
> - type: //str
> value: testing
> - type: //str
> value: experimental
> ```
The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
- [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49)
)
- [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26)
)
- [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98)
)
Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
2020-04-24 20:50:31 +02:00
Andreas Hunkeler
7d437c2969
Add netsh to renamed binary rule
2020-04-20 17:12:25 +02:00
Andreas Hunkeler
d4e9606266
Improve netsh wifi rule another time due to arg shortcut
2020-04-20 16:40:03 +02:00
Andreas Hunkeler
af498d8a8c
Improve rule to detect argument shortcut in netsh wlan rule
2020-04-20 16:32:25 +02:00
Andreas Hunkeler
ba541c3952
Fix title for new netsh wifi rule
2020-04-20 16:20:45 +02:00
Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh
2020-04-20 16:14:44 +02:00
Florian Roth
514bd8657b
Merge pull request #704 from Iveco/master
...
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-14 14:11:27 +02:00
Florian Roth
2e0e170058
Merge pull request #708 from teddy-ROxPin/patch-4
...
Create powershell_create_local_user.yml
2020-04-14 14:11:15 +02:00
Florian Roth
3175a48bdc
Casing
2020-04-14 13:40:34 +02:00