Commit Graph

667 Commits

Author SHA1 Message Date
Florian Roth
99ac4f1f3d fix: FPs with RedMimicry rule 2020-07-07 10:11:58 +02:00
Florian Roth
5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth
154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Florian Roth
b675c4c706 Merge branch 'master' into rule-devel 2020-06-19 09:24:26 +02:00
Florian Roth
4b0c80885f
Merge pull request #810 from EccoTheFlintstone/fp
add WMI module load false positives
2020-06-18 12:50:40 +02:00
Florian Roth
32ecb81630
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2
ATT&CK subtechniques v2
2020-06-18 09:10:09 +02:00
Ivan Kirillov
b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
ecco
99bfa14ae0 add 1 more FP 2020-06-17 12:49:27 -04:00
Florian Roth
0022705373 fix: filter not functional
since `UsrLogon.cmd` does appear only in `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
2020-06-17 16:09:44 +02:00
Ivan Kirillov
5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth
869162a5da
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id
Rule lists extra Sysmon ID (11). Should just match registry events (1…
2020-06-15 20:19:27 +02:00
Florian Roth
3482e048fb
Merge pull request #841 from rtkbkish/fix-rule-match
Rule needs endwith, not exact match.
2020-06-15 20:19:12 +02:00
Brad Kish
dfae2a6df6 Rule needs endwith, not exact match.
Fix ImageLoaded filter to match with endswith, rather than exact match.
2020-06-15 13:54:02 -04:00
Brad Kish
a9c6fa904f Rule lists extra Sysmon ID (11). Should just match registry events (12-14)
Remove extraneous event ID 11. It will never match.
2020-06-15 13:52:12 -04:00
Brad Kish
422b2bffd7 Fix rules with incorrect escaping of wildcars
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
Florian Roth
97c45f9d46
Merge pull request #812 from tliffick/master
added new rules for malware
2020-06-10 17:37:19 +02:00
Florian Roth
f553fb2e33
Cosmetics 2020-06-10 16:35:14 +02:00
Florian Roth
48e4e31713
Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll
Fax Service DLL search order hijacking detection
2020-06-10 16:33:12 +02:00
Florian Roth
1a9da23611
Merge pull request #825 from NVISO-BE/sysmon_office_persistence
Office persistence by addin detection
2020-06-10 16:32:50 +02:00
Remco Hofman
8adaa2d672 Fixed bad indentation 2020-06-10 15:02:41 +02:00
Remco Hofman
83a6e25bcb Fax Service DLL search order hijacking 2020-06-10 15:01:07 +02:00
Remco Hofman
cb8e478ac1 Sigma rule to detect Office persistence via addin. 2020-06-10 14:52:13 +02:00
Florian Roth
5c835cf1f2
Merge pull request #813 from ozirus/patch-1
Create sysmon_apt_muddywater_dnstunnel.yml
2020-06-09 18:44:45 +02:00
Florian Roth
7a334a8d8a
fix: missed line 2020-06-09 17:30:54 +02:00
Florian Roth
04913a4b95
Aligned indentation 2020-06-09 17:20:25 +02:00
Florian Roth
6e349030d9 rule: suspicious camera and mic access 2020-06-08 10:18:44 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel
Rule devel
2020-06-06 14:19:37 +02:00
Florian Roth
3697186281 fix: fixed title 2020-06-06 14:04:40 +02:00
Florian Roth
246a95557b fix: description over multiple lines 2020-06-06 13:56:48 +02:00
Florian Roth
d54209dcc5 rule: ETW disabled 2020-06-06 13:56:19 +02:00
Furkan ÇALIŞKAN
082696ee84
Added UUID 2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN
e958a6a939
Date added 2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN
5e373153eb
Title fix 2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN
0744107fbb
Deleted EventID part 2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN
1c677aa172
Fix title as in guideline
Fix title error as in guideline and other cosmetic changes
2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN
bafd6bde5f
Convert to process_creation
Convert to process_creation
2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN
09afae1e66
Create sysmon_apt_muddywater_dnstunnel.yml
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
2020-06-04 14:27:19 +03:00
Trent Liffick
3c89f46899
removed unwanted file 2020-06-03 17:43:12 -04:00
Trent Liffick
2af501c9f5
added rule for zLoader & Office
detects changes to Office macro settings & ZLoader malware
2020-06-03 17:40:05 -04:00
William Bruneau
84dd8c39c4 Move null values out from list in rules 2020-06-03 13:57:22 +02:00
Sven Scharmentke
4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
ecco
b1c11cc345 add WMI module load false positive 2020-06-01 03:30:27 -04:00
Florian Roth
e20b58c421
Merge pull request #806 from SanWieb/sysmon_creation_system_file
Fixed wrong field & Improve rule
2020-05-29 17:32:27 +02:00