Commit Graph

292 Commits

Author SHA1 Message Date
Florian Roth
970f01f9f2 Renamed file for consistency 2017-11-09 15:43:32 +01:00
Florian Roth
a042105aa1 Rule: Adwind RAT / JRAT javaw.exe process starts in AppData folder 2017-11-09 15:43:32 +01:00
Florian Roth
a0ac61229c Rule: Detect plugged USB devices 2017-11-09 08:40:46 +01:00
Florian Roth
fd801a61a5 Bronze Butler Daserf malware User Agents in Proxy Logs 2017-11-08 12:52:11 +01:00
Florian Roth
e5383be163 Rule: Proxy suspicious downloads from Dyndns hosts 2017-11-08 11:32:30 +01:00
Florian Roth
4540088aa9 Rule: Extended proxy suspicious TLD white list rule 2017-11-08 00:38:26 +01:00
Florian Roth
ad53cc7cc2 Rule: Sysmon Turla Commands 2017-11-08 00:33:17 +01:00
Florian Roth
acc430c4b6 Rule: Proxy download from blacklisted TLDs 2017-11-07 14:03:16 +01:00
Florian Roth
58f20d3cfb Rule: Proxy download whitelist bugfix and improvements 2017-11-07 14:02:56 +01:00
Florian Roth
59e5b3b999 Sysmon: Named Pipe detection for APT malware 2017-11-06 14:24:42 +01:00
Florian Roth
ea840632f3 Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 14:22:09 +01:00
Florian Roth
37cea85072 Rundll32.exe suspicious network connections 2017-11-04 14:44:30 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke
f3a809eb00 Improved admin logon rules and removed duplicates 2017-11-01 21:33:01 +01:00
Thomas Patzke
0055eedb83
Merge pull request #54 from juju4/CAR-2016-04-005b
Admin user remote login
2017-11-01 21:22:09 +01:00
Thomas Patzke
613f922976
Merge pull request #43 from juju4/master
New rules
2017-11-01 21:21:30 +01:00
Thomas Patzke
118e8af738 Simplified rule collection 2017-11-01 10:00:35 +01:00
Thomas Patzke
732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Thomas Patzke
d0b2bd9875 Multiple rules per file
* New wrapper class SigmaCollectionParser parses all YAML documents
  contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
2017-10-31 23:06:18 +01:00
Thomas Patzke
9d96a998d7
Merge pull request #56 from juju4/CAR-2013-05-002b
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
2017-10-30 00:27:56 +01:00
Thomas Patzke
720c992573 Dropped within keyword
Covered by timeframe attribute.

Fixes issue #26.
2017-10-30 00:25:56 +01:00
Thomas Patzke
c865b0e9a8 Removed within keyword in rule 2017-10-30 00:15:01 +01:00
Thomas Patzke
0df60fe004 Merge branch 'CAR-2013-04-002b' of https://github.com/juju4/sigma into juju4-CAR-2013-04-002b 2017-10-30 00:13:21 +01:00
Thomas Patzke
27227855b5 Merge branch 'devel-sigmac' 2017-10-29 23:59:49 +01:00
Thomas Patzke
012cb6227f Added proper handling of null/not null values
Fixes issue #25
2017-10-29 23:57:39 +01:00
juju4
4b64fc1704 double quotes = escape 2017-10-29 14:42:40 -04:00
juju4
07185247cb double quotes = escape 2017-10-29 14:32:52 -04:00
juju4
f5f20c3f75 Admin user remote login 2017-10-29 14:30:11 -04:00
juju4
19dd69140b Detects Suspicious Run Locations - MITRE CAR-2013-05-002 2017-10-29 14:27:01 -04:00
juju4
ad27a0a117 Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002 2017-10-29 14:24:53 -04:00
juju4
9d968de337 Merge remote-tracking branch 'upstream/master' 2017-10-29 14:14:47 -04:00
Florian Roth
b7e8000ccb Improved Office Shell rule > added 'schtasks.exe' 2017-10-25 23:53:45 +02:00
Florian Roth
e680da1b50 Suspicious flash player download location / BadRabbit 2017-10-25 08:40:30 +02:00
Florian Roth
801d739a3b US CERT TA17-293A report - renamed PsExec execution 2017-10-22 12:55:26 +02:00
Florian Roth
d9f933fec9 Fixed the fixed PSAttack rule 2017-10-19 09:52:40 +02:00
Florian Roth
0b0435bf7a Fixed PSAttack rule 2017-10-18 21:49:38 +02:00
Thomas Patzke
d7c659128c Removed unneeded array 2017-10-18 15:12:29 +02:00
Florian Roth
deea224421 Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 16:19:56 +02:00
juju4
e6661059c2 Merge remote-tracking branch 'upstream/master' 2017-10-15 11:58:01 -04:00
Florian Roth
00baa4ed40 Executables Started in Suspicious Folder 2017-10-14 23:23:04 +02:00
Florian Roth
358d1ffba0 Executables Started in Suspicious Folder 2017-10-14 23:22:20 +02:00
juju4
45aea1cc8a Merge remote-tracking branch 'upstream/master' 2017-10-07 15:00:23 -04:00
Florian Roth
f4720d5149 APT17 malware UA
https://twitter.com/cyb3rops/status/915135877709549568
2017-10-03 12:47:53 +02:00
Thomas Patzke
8ea18af5f9 Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-09-17 00:33:47 +02:00
Thomas Patzke
9b65f250a8 Renamed rule file (typo) 2017-09-17 00:32:57 +02:00
Thomas Patzke
6b8a5aea4a Added vhost field to web rules 2017-09-17 00:20:17 +02:00
juju4
cbde0ee5e5 Merge remote-tracking branch 'upstream/master' 2017-09-16 10:03:18 -04:00
Florian Roth
20f9dbb31c CVE-2017-8759 - Winword.exe > csc.exe 2017-09-15 15:49:56 +02:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke
5c465129bd Fixed rules
* Replaced unspecified logsource attribute 'type' with 'category'
* Usage of service 'auth' for linux logs
2017-09-11 00:35:52 +02:00