Commit Graph

48 Commits

Author SHA1 Message Date
Florian Roth
09d1b00459
Changed level to ciritcal 2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware
Detects registry keys used by Azorult malware
2020-05-08 21:26:24 -04:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Bart
a5b4b276d4
Add scriptlets
Adds .sct and .vbe.
2019-11-14 22:26:22 +01:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
booberry46
cfe7ddbe5b
Update av_exploiting.yml
Not sure if the '' affects.
2019-11-06 16:16:49 +08:00
Florian Roth
d096ab0e21 rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet 2019-10-04 16:17:34 +02:00
Florian Roth
f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
megan201296
eb8a0636c5
Update win_mal_ursnif.yml
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still uniique.
2019-04-14 11:51:13 -05:00
Thomas Patzke
c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Florian Roth
afa18245bf
Merge pull request #254 from darkquasar/master
adding MPreter as McAfee classifies it
2019-02-23 07:34:04 +01:00
Thomas Patzke
02239fa288
Changed registry root key
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
2019-02-22 21:30:30 +01:00
darkquasar
87994ca46b
adding MPreter as McAfee classifies it
McAfee classifies some Meterpreter events with the "Mpreter" keyword
2019-02-22 15:22:10 +11:00
megan201296
34f9d17b26
Create win_mal_ursnif.yml 2019-02-13 15:22:57 -06:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke
96eb460944 Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00
Florian Roth
5645c75576 Rule: updated relevant AV signatures - exploiting
https://twitter.com/haroldogden/status/1085556071891173376
2019-01-16 18:43:28 +01:00
Florian Roth
d4a1fe786a Rule: Dridex pattern 2019-01-12 12:03:36 +01:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Roberto Rodriguez
bff7ec52db Update av_relevant_files.yml
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection

This affetcs Elastalert integration
2018-12-05 07:53:53 +03:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth
13276ecf31 Rule: AV alerts - webshells 2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de Rule: AV alerts - relevant files 2018-09-09 11:04:27 +02:00
Florian Roth
7311d727ba Rule: AV alerts - password dumper 2018-09-09 11:04:27 +02:00
Florian Roth
84b8eb5154 Rule: AV alerts - exploiting frameworks 2018-09-09 11:04:27 +02:00
Florian Roth
4e91462838 fix: Bugfix in Adwind rule 2018-08-15 12:33:03 +02:00
ntim
c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
3a378f08ea Bugfix in Adwind rule - typo in typo 2017-11-10 12:51:54 +01:00
Florian Roth
6e4e857456 Improved Adwind Sigma rule 2017-11-10 12:39:08 +01:00
Florian Roth
57d56dddb7 Improved Adwind RAT rule 2017-11-09 18:53:46 +01:00
Florian Roth
b558f5914e Added reference to Tom Ueltschie's slides 2017-11-09 18:30:50 +01:00
Florian Roth
781db7404e Updated Adwind RAT rule 2017-11-09 18:28:27 +01:00
Florian Roth
970f01f9f2 Renamed file for consistency 2017-11-09 15:43:32 +01:00
Florian Roth
a042105aa1 Rule: Adwind RAT / JRAT javaw.exe process starts in AppData folder 2017-11-09 15:43:32 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Florian Roth
950a00f33e Updated Petya rule 2017-06-28 12:52:58 +02:00
Florian Roth
ece1d7e3a8 Added perfc.dat keyword to NotPetya rule 2017-06-28 10:35:42 +02:00
Florian Roth
a3e0e37163 NotPetya Title Fixed 2017-06-28 09:12:39 +02:00
Florian Roth
8c437de970 NotPetya Sigma Rule for Sysmon Events 2017-06-28 09:09:12 +02:00
Florian Roth
8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00