Florian Roth
09d1b00459
Changed level to ciritcal
2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml
2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware
...
Detects registry keys used by Azorult malware
2020-05-08 21:26:24 -04:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master
...
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Bart
a5b4b276d4
Add scriptlets
...
Adds .sct and .vbe.
2019-11-14 22:26:22 +01:00
Thomas Patzke
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
booberry46
cfe7ddbe5b
Update av_exploiting.yml
...
Not sure if the '' affects.
2019-11-06 16:16:49 +08:00
Florian Roth
d096ab0e21
rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet
2019-10-04 16:17:34 +02:00
Florian Roth
f6fd1df6f4
Rule: separate Ryuk rule created for VBurovs strings
2019-08-06 10:33:46 +02:00
megan201296
eb8a0636c5
Update win_mal_ursnif.yml
...
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml ). Changed to ignore the key name, confirmed that the key is still uniique.
2019-04-14 11:51:13 -05:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Florian Roth
afa18245bf
Merge pull request #254 from darkquasar/master
...
adding MPreter as McAfee classifies it
2019-02-23 07:34:04 +01:00
Thomas Patzke
02239fa288
Changed registry root key
...
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete ) it is abbreviated to HKU.
2019-02-22 21:30:30 +01:00
darkquasar
87994ca46b
adding MPreter as McAfee classifies it
...
McAfee classifies some Meterpreter events with the "Mpreter" keyword
2019-02-22 15:22:10 +11:00
megan201296
34f9d17b26
Create win_mal_ursnif.yml
2019-02-13 15:22:57 -06:00
Thomas Patzke
3ef930b094
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
Thomas Patzke
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
Florian Roth
5645c75576
Rule: updated relevant AV signatures - exploiting
...
https://twitter.com/haroldogden/status/1085556071891173376
2019-01-16 18:43:28 +01:00
Florian Roth
d4a1fe786a
Rule: Dridex pattern
2019-01-12 12:03:36 +01:00
Florian Roth
b0cb0abc01
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
Roberto Rodriguez
bff7ec52db
Update av_relevant_files.yml
...
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection
This affetcs Elastalert integration
2018-12-05 07:53:53 +03:00
Sherif Eldeeb
23eddafb39
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Florian Roth
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
Florian Roth
7311d727ba
Rule: AV alerts - password dumper
2018-09-09 11:04:27 +02:00
Florian Roth
84b8eb5154
Rule: AV alerts - exploiting frameworks
2018-09-09 11:04:27 +02:00
Florian Roth
4e91462838
fix: Bugfix in Adwind rule
2018-08-15 12:33:03 +02:00
ntim
c99dc9f643
Tagged windows powershell, other and malware rules.
2018-07-24 10:56:41 +02:00
Thomas Patzke
a3e02ea70f
Various rule fixes
...
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
Thomas Patzke
84645f4e59
Simplified rule conditions with new condition constructs
2018-03-06 23:14:43 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Florian Roth
3a378f08ea
Bugfix in Adwind rule - typo in typo
2017-11-10 12:51:54 +01:00
Florian Roth
6e4e857456
Improved Adwind Sigma rule
2017-11-10 12:39:08 +01:00
Florian Roth
57d56dddb7
Improved Adwind RAT rule
2017-11-09 18:53:46 +01:00
Florian Roth
b558f5914e
Added reference to Tom Ueltschie's slides
2017-11-09 18:30:50 +01:00
Florian Roth
781db7404e
Updated Adwind RAT rule
2017-11-09 18:28:27 +01:00
Florian Roth
970f01f9f2
Renamed file for consistency
2017-11-09 15:43:32 +01:00
Florian Roth
a042105aa1
Rule: Adwind RAT / JRAT javaw.exe process starts in AppData folder
2017-11-09 15:43:32 +01:00
Thomas Patzke
5035c9c490
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections
2017-11-01 22:12:14 +01:00
Thomas Patzke
986c9ff9b7
Added field names to first rules
2017-09-12 23:54:04 +02:00
Florian Roth
950a00f33e
Updated Petya rule
2017-06-28 12:52:58 +02:00
Florian Roth
ece1d7e3a8
Added perfc.dat keyword to NotPetya rule
2017-06-28 10:35:42 +02:00
Florian Roth
a3e0e37163
NotPetya Title Fixed
2017-06-28 09:12:39 +02:00
Florian Roth
8c437de970
NotPetya Sigma Rule for Sysmon Events
2017-06-28 09:09:12 +02:00
Florian Roth
8f525d2f01
Wannacry Rules Reorg and Renaming
2017-06-28 09:08:53 +02:00