SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00

Author	SHA1	Message	Date
Florian Roth	3697186281	fix: fixed title	2020-06-06 14:04:40 +02:00
Florian Roth	246a95557b	fix: description over multiple lines	2020-06-06 13:56:48 +02:00
Florian Roth	d54209dcc5	rule: ETW disabled	2020-06-06 13:56:19 +02:00
Florian Roth	2e77e65285	rule: Covenant launchers	2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN	082696ee84	Added UUID	2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN	e958a6a939	Date added	2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN	5e373153eb	Title fix	2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN	0744107fbb	Deleted EventID part	2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN	1c677aa172	Fix title as in guideline Fix title error as in guideline and other cosmetic changes	2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN	bafd6bde5f	Convert to process_creation Convert to process_creation	2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN	09afae1e66	Create sysmon_apt_muddywater_dnstunnel.yml Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/	2020-06-04 14:27:19 +03:00
Trent Liffick	6c8c0cd85d	Removed incorrect technique	2020-06-03 17:51:57 -04:00
Trent Liffick	3c89f46899	removed unwanted file	2020-06-03 17:43:12 -04:00
Trent Liffick	2af501c9f5	added rule for zLoader & Office detects changes to Office macro settings & ZLoader malware	2020-06-03 17:40:05 -04:00
Trent Liffick	a2ca199e7d	added rules for Lazaurs and hhsgov	2020-06-03 17:38:03 -04:00
William Bruneau	84dd8c39c4	Move null values out from list in rules	2020-06-03 13:57:22 +02:00
Sven Scharmentke	4ed512011a	All Rules use 'TargetFilename' instead of 'TargetFileName'. This commit fixes the incorrect spelling.	2020-06-03 09:00:59 +02:00
Florian Roth	74e16fdccd	Merge pull request #803 from gamma37/clear_cmd_history Edit Clear Command History	2020-05-29 17:32:43 +02:00
Florian Roth	e20b58c421	Merge pull request #806 from SanWieb/sysmon_creation_system_file Fixed wrong field & Improve rule	2020-05-29 17:32:27 +02:00
Sander Wiebing	a00f7f19a1	Add tagg Endswith Prevent the trigger of {}.exe.log	2020-05-29 16:25:54 +02:00
Sander Wiebing	38afd8b5de	Fixed wrong field	2020-05-28 21:52:17 +02:00
Florian Roth	7f2fa05ed3	Merge pull request #802 from Neo23x0/rule-devel ComRAT and KazuarRAT	2020-05-28 11:16:44 +02:00
gamma37	537bda4417	Update lnx_shell_clear_cmd_history.yml	2020-05-28 10:56:35 +02:00
gamma37	5a48934822	Edit Clear Command History I suggest a new point of view to detect that bash_history has been cleared : Instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.	2020-05-28 10:52:17 +02:00
Florian Roth	39b41b5582	rule: moved DebugView rule to process creation category	2020-05-28 10:13:38 +02:00
Florian Roth	76dcc1a16f	rule: renamed debugview	2020-05-28 09:22:25 +02:00
Florian Roth	ec313b6c8a	Merge pull request #801 from SanWieb/sysmon_creation_system_file Rule: sysmon_creation_system_file	2020-05-27 08:49:20 +02:00
Sander Wiebing	d44fc43c54	Add extension	2020-05-26 19:10:11 +02:00
Sander Wiebing	f6ec724d51	Rule: sysmon_creation_system_file	2020-05-26 18:53:54 +02:00
Florian Roth	5bb6770f53	Merge pull request #800 from SanWieb/win_system_exe_anomaly Extended Windows processes: win_system_exe_anomaly	2020-05-26 14:28:47 +02:00
Florian Roth	4ca81b896d	rule: Turla ComRAT report	2020-05-26 14:19:22 +02:00
Sander Wiebing	3681b8cb56	Extended Windows processes	2020-05-26 13:56:51 +02:00
Florian Roth	0b398c5bf0	Merge pull request #798 from Neo23x0/rule-devel rule: confluence exploit CVE-2019-3398 & Turla ComRAT	2020-05-26 13:31:57 +02:00
Florian Roth	c1f4787566	Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048 Changes to sysmon_cve-2020-1048	2020-05-26 13:21:04 +02:00
Florian Roth	ce1f46346f	Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access Add 'Add-Content' to powershell_ntfs_ads_access	2020-05-26 13:20:40 +02:00
Florian Roth	e131f3476e	Merge pull request #796 from EccoTheFlintstone/fp add more false positives	2020-05-26 13:20:23 +02:00
Florian Roth	b648998fd0	rule: Turla ComRAT	2020-05-26 13:18:50 +02:00
Sander Wiebing	f9f814f3b3	Shortened title	2020-05-26 13:06:27 +02:00
Sander Wiebing	a241792e10	Reduce FP of legitime processes A lot of Windows apps does not have any file characteristics. Some examples: - Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe - YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company. Python 2.7, 3.3 and 3.7 does not have any file characteristics. So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml	2020-05-26 12:58:15 +02:00
Florian Roth	cdf1ade625	fix: typo in selection	2020-05-26 12:27:16 +02:00
Florian Roth	828484d7c6	rule: confluence exploit CVE-2019-3398	2020-05-26 12:09:41 +02:00
Remco Hofman	48c5f2ed09	Update to sysmon_cve-2020-1048 Added .com executables to detection Second TargetObject should have been Details	2020-05-26 11:20:21 +02:00
ecco	7037e77569	add more FP	2020-05-25 04:50:22 -04:00
Florian Roth	a962bd1bc1	Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source Fix 'source' value for win_susp_backup_delete	2020-05-25 10:48:36 +02:00
Florian Roth	0afe0623af	Merge pull request #757 from tliffick/master added rule for Blue Mockingbird (cryptominer)	2020-05-25 10:47:23 +02:00
Sander Wiebing	6fcf3f9ebf	Update win_netsh_fw_add.yml	2020-05-25 10:13:26 +02:00
Sander Wiebing	28652e4648	Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add`	2020-05-25 10:02:13 +02:00
Sander Wiebing	2678cd1d3e	Create win_netsh_fw_add_susp_image.yml More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. Combined the following rules for the suspicious locations: https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml	2020-05-25 09:50:47 +02:00
Sander Wiebing	b8ee736f44	Remove AppData folder as suspicious folder A lot of software is using the AppData folder for startup keys. Some examples: - Microsoft Teams (\AppData\Local\Microsoft\Teams) - Resilio (\AppData\Roaming\Resilio Sync\) - Discord ( (\AppData\Local\Discord\) - Spotify ( (\AppData\Roaming\Spotify\) Too many to whitelist them all	2020-05-24 15:16:07 +02:00
Florian Roth	6fbfa9dfdd	Merge pull request #793 from Neo23x0/rule-devel Esentutl rule and StrongPity Loader UA	2020-05-23 23:47:12 +02:00
ecco	f970d28f10	add more false positives	2020-05-23 15:06:15 -04:00
Florian Roth	3028a27055	fix: buggy rule	2020-05-23 18:32:02 +02:00
Florian Roth	df715386b6	rule: suspicious esentutl use	2020-05-23 18:27:36 +02:00
Florian Roth	d0da2810c1	Merge pull request #792 from EccoTheFlintstone/fff fix FP + remove powershell rule redundant with sysmon_in_memory_power…	2020-05-23 18:13:16 +02:00
Florian Roth	8321cc7ee1	Merge pull request #772 from gamma37/suspicious_activities Create a rule for "suspicious activities"	2020-05-23 18:11:32 +02:00
Florian Roth	d1a5471d21	rule: Strong Pity loader UA	2020-05-23 17:38:10 +02:00
ecco	67faf4bd41	fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml	2020-05-23 10:56:23 -04:00
Florian Roth	9cd9a301c2	Merge pull request #791 from SanWieb/master added rule for Netsh RDP port opening	2020-05-23 16:50:31 +02:00
Florian Roth	e1a05dfc1c	Update lnx_auditd_susp_C2_commands.yml	2020-05-23 16:49:03 +02:00
Florian Roth	ee1ca77fad	Merge pull request #771 from gamma37/new_rules Create a new rule to detect "Create Account"	2020-05-23 16:47:46 +02:00
ecco	10ca3006f5	move rule where needed	2020-05-23 10:07:55 -04:00
ecco	d9bc09c38c	fix test	2020-05-23 10:02:58 -04:00
ecco	78a7852a43	renamed dbghelp rule with new ID and comment and removed a false positive	2020-05-23 09:16:40 -04:00
Sander Wiebing	d310805ed9	rule: Netsh RDP port opening	2020-05-23 14:19:52 +02:00
ecco	75ba5f989c	add 1 more FP to wmi load	2020-05-23 07:44:45 -04:00
ecco	9a7f462d79	move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)	2020-05-23 07:17:56 -04:00
ecco	cfde0625f5	fix false positive matching on every powershell process not run by SYSTEM account	2020-05-23 07:05:09 -04:00
Florian Roth	12e1aeaf9f	Merge pull request #788 from Neo23x0/rule-devel refactor: split up rule for CVE-2020-1048 into 2 rules	2020-05-23 09:54:43 +02:00
Florian Roth	34006d0794	refactor: simplified and extended expression in CVE-2020-1048 rule	2020-05-23 09:16:19 +02:00
Florian Roth	57c8e63acd	refactore: split up rule for CVE-2020-1048 into 2 rules	2020-05-23 09:09:58 +02:00
ecco	ec17c2ab56	filter on createkey only when needed	2020-05-22 10:37:00 -04:00
Florian Roth	91c4c4ecc5	refactor: slightly improved Greenbug rule	2020-05-21 13:38:11 +02:00
Florian Roth	9a3b6c1c77	docs: added MITRE ATT&CK group tag	2020-05-21 09:44:11 +02:00
Florian Roth	344eb713c5	rule: Greenbug campaign	2020-05-21 09:39:57 +02:00
ecco	0dd089db47	various rules cleaning	2020-05-18 20:29:53 -04:00
Thomas Patzke	96fae4be68	Added CrachMapExec rules	2020-05-22 00:50:37 +02:00
Florian Roth	64e0e7ca72	Merge pull request #784 from Neo23x0/rule-devel refactor: slightly improved Greenbug rule	2020-05-21 14:19:09 +02:00
Florian Roth	bbf78374b6	Merge pull request #783 from Neo23x0/rule-devel Greenbug Rule	2020-05-21 09:55:46 +02:00
Thomas Patzke	8d9b706d6a	Merge pull request #727 from 3CORESec/master Override Features	2020-05-20 19:11:56 +02:00
Florian Roth	e7980bb434	Merge pull request #782 from ZikyHD/patch-1 Remove duplicate 'CommandLine' in fields	2020-05-20 12:55:41 +02:00
Florian Roth	af92a5bd2c	Merge pull request #780 from tatsu-i/master Null field check to eliminate false positives	2020-05-20 12:55:29 +02:00
ZikyHD	8963c0a65e	Remove duplicate 'CommandLine' in fields	2020-05-20 11:54:47 +02:00
Florian Roth	9ab65cd1c7	Update win_alert_ad_user_backdoors.yml	2020-05-19 14:50:22 +02:00
neu5ron	7c3dea22b8	small T, big T	2020-05-19 05:13:48 -04:00
neu5ron	602c8917ef	domain user enumeration via zeek rpc (dce_rpc) log.	2020-05-19 05:08:26 -04:00
Tatsuya Ito	c815773b1a	enhancement rule	2020-05-19 18:05:51 +09:00
Tatsuya Ito	49f68a327a	enhancement rule	2020-05-19 18:00:50 +09:00
neu5ron	effb2a8337	add exe webdav download	2020-05-19 04:41:00 -04:00
neu5ron	858ebcd3d3	author typo update	2020-05-19 04:35:47 -04:00
neu5ron	2fc8d513d6	zeek, swap `path` and `name`	2020-05-19 04:35:30 -04:00
ecco	1aa97fe577	flake 8	2020-05-18 10:03:18 -04:00
ecco	088800cd18	fix rule due to sigmac bug?	2020-05-18 09:39:48 -04:00
ecco	e89613aee0	add some false positives checks	2020-05-18 07:19:06 -04:00
Florian Roth	8154ca355a	Merge pull request #768 from maximelb/master Remove "condition" from global rule in CVE-2020-1048.	2020-05-18 12:52:49 +02:00
gamma37	71c507d8a9	remove space bedore colon	2020-05-18 11:34:53 +02:00
gamma37	55eec46932	Create a rule for "suspicious activities"	2020-05-18 11:25:18 +02:00
gamma37	cbf06b1e43	lowercased tag	2020-05-18 10:11:32 +02:00
gamma37	904716771a	Create a new rule to detect "Create Account"	2020-05-18 10:03:34 +02:00
Maxime Lamothe-Brassard	25d3a5a893	Remove "condition" from global rule. The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".	2020-05-17 12:44:57 -07:00
Florian Roth	a46e357874	Merge branch 'master' into rule-devel	2020-05-16 08:59:34 +02:00

1 2 3 4 5 ...

2179 Commits