Rettila
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml
2020-05-05 16:51:35 +02:00
Rettila
f27aa4bfee
Update win_possible_dc_sync.yml
2020-05-05 16:50:13 +02:00
Rettila
db810b342f
Delete win_possible_dc_shadow.yml
2020-05-05 16:48:39 +02:00
Rettila
e3f21805f3
Update win_possible_dc_shadow.yml
2020-05-05 16:43:56 +02:00
Rettila
0f4cc9d365
Create win_possible_dc_shadow.yml
2020-05-05 16:40:52 +02:00
pdr9rc
31ad81874f
capitalized titles
...
corrected capitalization of titles and removed literals from config
2020-05-05 11:32:18 +01:00
neu5ron
a01a85cf9b
CI/CD check fixes (missing ID's)
2020-05-04 15:22:18 -04:00
neu5ron
a61b1da47a
fixed yaml space causing condition to not be found
2020-05-04 15:17:43 -04:00
pdr9rc
b32093e734
Merge remote-tracking branch 'upstream/master'
...
Keeping up with the sigmas.
2020-05-04 17:26:51 +01:00
Florian Roth
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary
...
Add netsh to renamed binary rule
2020-05-02 14:12:34 +02:00
Florian Roth
b4b9b0155f
Merge pull request #716 from Karneades/patch-1
...
Add rule to detect wifi creds harvesting using netsh
2020-05-02 14:12:10 +02:00
neu5ron
d300027848
on behalf of @socprime [SOC Prime Inc.]( https://my.socprime.com/en/tdm/ )
...
add rules for Zeek. This includes Windows Event Channel Security EventID:5145 that have same fields as Zeek SMB
Also, converted some of (MITRE ATT&CK BZAR)[https://github.com/mitre-attack/bzar ] which are Zeek (sensor) scripts.
2020-05-02 07:27:51 -04:00
neu5ron
c66540c029
on behalf of @socprime [SOC Prime Inc.]( https://my.socprime.com/en/tdm/ )
...
create `zeek` folder to store Zeek rules
2020-05-02 07:25:21 -04:00
Tiago Faria
dd85467a27
Update aws_ec2_vm_export_failure.yml
2020-05-02 00:13:55 +01:00
pdr9rc
9ce84a38e5
overrides section support + one example rule + cloudtrail config
...
ditto
2020-04-29 20:36:45 +01:00
Maxime Thiebaut
4600bf73dc
Update rules to follow the Sigma state specification
...
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional ) states the following:
> Declares the status of the rule:
> - stable: the rule is considered as stable and may be used in production systems or dashboards.
> - test: an almost stable rule that possibly could require some fine tuning.
> - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.
However the Sigma Rx YAML specification states the following:
> ```yaml
> status:
> type: //any
> of:
> - type: //str
> value: stable
> - type: //str
> value: testing
> - type: //str
> value: experimental
> ```
The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
- [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49)
)
- [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26)
)
- [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98)
)
Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
2020-04-24 20:50:31 +02:00
Andreas Hunkeler
7d437c2969
Add netsh to renamed binary rule
2020-04-20 17:12:25 +02:00
Andreas Hunkeler
d4e9606266
Improve netsh wifi rule another time due to arg shortcut
2020-04-20 16:40:03 +02:00
Andreas Hunkeler
af498d8a8c
Improve rule to detect argument shortcut in netsh wlan rule
2020-04-20 16:32:25 +02:00
Andreas Hunkeler
ba541c3952
Fix title for new netsh wifi rule
2020-04-20 16:20:45 +02:00
Andreas Hunkeler
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh
2020-04-20 16:14:44 +02:00
Florian Roth
514bd8657b
Merge pull request #704 from Iveco/master
...
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-14 14:11:27 +02:00
Florian Roth
2e0e170058
Merge pull request #708 from teddy-ROxPin/patch-4
...
Create powershell_create_local_user.yml
2020-04-14 14:11:15 +02:00
Florian Roth
3175a48bdc
Casing
2020-04-14 13:40:34 +02:00
Florian Roth
ecdec93800
Casing
2020-04-14 13:39:58 +02:00
Florian Roth
5cbe008350
Casing
2020-04-14 13:39:22 +02:00
Florian Roth
5ee0808619
Merge pull request #706 from vesche/update_win_susp_netsh_dll_persistence
...
Update win_susp_netsh_dll_persistence.yml
2020-04-14 13:37:53 +02:00
Florian Roth
4f469c0e39
Adjusted level
2020-04-14 13:37:10 +02:00
Florian Roth
8f40c0a1c8
Merge pull request #710 from vesche/update_win_GPO_scheduledtasks
...
Update win_GPO_scheduledtasks.yml
2020-04-14 13:36:17 +02:00
Maxime Thiebaut
86c6891427
Add Windows Registry Persistence COM Search Order Hijacking
2020-04-14 12:59:29 +02:00
vesche
1f918253e8
Add additional reference
2020-04-13 11:09:36 -05:00
vesche
9cdb3a4a64
Fix typo
2020-04-13 11:09:00 -05:00
teddy-ROxPin
1501331f77
Create powershell_create_local_user.yml
...
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
2020-04-11 02:51:05 -06:00
vesche
3889be6255
Replace reference link for win_susp_netsh_dll_persistence
2020-04-10 01:05:10 -05:00
vesche
82db80bee6
Remove wrong mitre technique
2020-04-10 01:02:43 -05:00
vesche
72b821e046
Update win_susp_netsh_dll_persistence.yml
2020-04-09 11:16:18 -05:00
Iveco
61b9234d7f
Update win_user_driver_loaded.yml
...
removed internal field
2020-04-09 11:28:19 +02:00
Thomas Patzke
551a94af04
Merge branch 'master' of https://github.com/tileo/sigma into pr-658
2020-04-08 22:43:48 +02:00
Iveco
e913db0dca
Update win_user_driver_loaded.yml
...
CI
2020-04-08 18:54:59 +02:00
Iveco
c5211eb94a
Update sysmon_susp_service_installed.yml
...
CI
2020-04-08 18:54:46 +02:00
Iveco
4520082ef7
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
CI
2020-04-08 18:54:37 +02:00
Iveco
6d85650390
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
Fixed Author
2020-04-08 18:41:33 +02:00
Iveco
fc1febdebe
Update sysmon_susp_service_installed.yml
...
Fixed Author
2020-04-08 18:41:25 +02:00
Iveco
d0746b50f4
Update win_user_driver_loaded.yml
...
Fixed author
2020-04-08 18:41:16 +02:00
Iveco
3280a1dfb0
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
Fixed CI
2020-04-08 18:23:29 +02:00
Iveco
5e724a0a54
Update sysmon_susp_service_installed.yml
...
Fixed CI
2020-04-08 18:22:51 +02:00
Iveco
d1b9c0c34a
Update win_user_driver_loaded.yml
...
Fixed CI
2020-04-08 18:21:59 +02:00
iveco
e87f2705a7
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-08 18:01:04 +02:00
Maxime Thiebaut
73a6428345
Update the NTLM downgrade registry paths
...
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package ). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml
2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223
...
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
Florian Roth
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master
...
New sigma rules to detect new MITRE technique in last update (T1502)
2020-04-03 09:59:36 +02:00
Florian Roth
f4928e95bc
Update powershell_suspicious_profile_create.yml
2020-04-03 09:36:17 +02:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
...
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Florian Roth
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1
...
Typo fix for powershell_suspicious_invocation_generic.yml
2020-04-03 09:30:32 +02:00
Florian Roth
dec0c108f9
Merge pull request #683 from NVISO-BE/powershell_wmimplant
...
WMImplant detection rule
2020-04-02 11:54:09 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo.
2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped.
2020-04-01 18:18:13 +02:00
Clément Notin
18cdddb09e
Small typo
2020-03-31 15:22:00 +02:00
Maxime Thiebaut
8dcbfd9aca
Add AD User Enumeration
...
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.
This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.
Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.
False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
Remco Hofman
b791d599ee
Disabled keywords that could cause FPs
2020-03-30 08:53:52 +02:00
teddy-ROxPin
1a3731f7ae
Typo fix for powershell_suspicious_invocation_generic.yml
...
' - windowstyle hidden ' changed to ' -windowstyle hidden '
2020-03-29 04:16:15 -06:00
Florian Roth
8ea6b12eed
Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini
...
Add "Suspicious desktop.ini Action" rule
2020-03-28 13:34:01 +01:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
...
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth
e2b90220a2
Update sysmon_susp_desktop_ini.yml
2020-03-28 13:19:10 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml
2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml
2020-03-28 13:12:07 +01:00
Florian Roth
2426b39d83
Merge pull request #678 from justintime/title_collision
...
Eliminate title collision
2020-03-28 12:57:55 +01:00
Remco Hofman
f52ed4150d
WMImplant parameter detection
2020-03-27 15:08:35 +01:00
Iveco
55258e1799
Title capitalized
2020-03-26 17:04:08 +01:00
Iveco
3f577c98e7
Title capalized
2020-03-26 17:03:33 +01:00
Iveco
68c20dca20
Fixed title length
2020-03-26 16:56:46 +01:00
Iveco
39a3af04ce
Fixed title length
2020-03-26 16:56:06 +01:00
Justin Ellison
dabc759136
Eliminate title collision
...
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
iveco
ddacde9e6b
add LDAPFragger detections
2020-03-26 15:13:36 +01:00
Florian Roth
28953a2942
fix: MITRE tags in rule
2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d
rule: powershell downloadfile
2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7
Merge branch 'master' into devel
2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8
rule: Exploited CVE-2020-10189 Zoho ManageEngine
2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f
rule: extended web shell spawn rule
2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5
Change falsepositives to array
2020-03-24 19:59:54 +01:00
j91321
c784adb10b
Wrong indentation falsepositives
2020-03-24 19:55:41 +01:00
j91321
98a633e54c
Add missing status and falsepositives
2020-03-24 19:53:41 +01:00
j91321
3c74d8b87d
Add correct Source to detection to avoid FP
2020-03-24 19:49:24 +01:00
j91321
bc442d3021
Add path with lowercase system32
2020-03-24 19:48:24 +01:00
j91321
78bfa950d7
Add WinPrvSE.exe to detection
2020-03-24 19:47:10 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
...
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Harish SEGAR
a88b22a1bd
Fix namefield.
2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7
Restructure new improvement to process_creation folder.
2020-03-20 23:29:32 +01:00
Harish SEGAR
b9a916ceb4
Removed useless condition.
2020-03-20 22:50:26 +01:00
Harish SEGAR
30fac9545a
Fixed author field.
2020-03-20 22:49:07 +01:00
Harish SEGAR
1f251cec07
Added missing action field
2020-03-20 22:46:19 +01:00
Harish SEGAR
293018a9e7
Added conditions...
2020-03-20 22:33:14 +01:00
Harish SEGAR
74b81120e4
Usage of value modifiers...
2020-03-20 22:03:48 +01:00
Harish SEGAR
b129f09fee
Improvement detection on downgrade of powershell
2020-03-20 21:48:19 +01:00
Maxime Thiebaut
dce18b23b7
Add "Suspicious desktop.ini Action" rule
2020-03-19 21:43:03 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
...
Devel
2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e
fix: reduced level due to false positives
2020-03-17 20:40:28 +01:00
neu5ron
b575df8cd7
use the taxonomy for http response which is sc-status
2020-03-14 15:02:33 -04:00
neu5ron
4cd99e71bf
use the taxonomy which states to use c-uri
instead of c-uri-path
2020-03-14 15:02:06 -04:00
neu5ron
4c94906d53
rule should be wildcard AND had a prepended ^
in one of the CommandLine conditions that would have caused to not trigger
2020-03-14 15:00:42 -04:00
neu5ron
4b572f3ccb
newline in description - typo
2020-03-14 14:58:58 -04:00
neu5ron
d212d43acf
spelling
2020-03-14 14:58:25 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
...
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues
2020-03-09 17:43:16 +01:00
David Szili
0947538228
MDATP schema changes
...
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
2020-03-09 17:12:41 +01:00
ecco
2489b8534c
sysmon registry events fix
2020-03-09 12:02:04 -04:00
Florian Roth
ddefb3bc58
Merge branch 'master' into devel
2020-03-07 11:06:25 +01:00
Florian Roth
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1
...
MMC Lateral Movement Rule 1
2020-03-07 11:02:16 +01:00
Florian Roth
2e184382f5
fix: eventid in process_creation rules
2020-03-07 10:43:47 +01:00
Florian Roth
60279c7501
Merge pull request #610 from axi0m/patch-1
...
Update proxy_raw_paste_service_access.yml
2020-03-07 10:39:56 +01:00
Florian Roth
7e8b59abe6
Merge pull request #643 from grumo35/patch-2
...
Update sysmon_cred_dump_tools_dropped_files.yml
2020-03-07 10:39:35 +01:00
Florian Roth
c609de4f27
Merge pull request #648 from NVISO-BE/patch-azure-ad-replication
...
Exclude Azure AD sync accounts from AD Replication rule
2020-03-07 10:39:04 +01:00
Florian Roth
b040c129be
fix: author field starting with an '@' symbol
2020-03-07 10:38:02 +01:00
2XXE (SRA)
ae56db97ff
mmc lateral movement detection 1
...
see https://github.com/Neo23x0/sigma/issues/576
2020-03-04 14:57:41 -05:00
ecco
b9e4734087
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d
rule: extended webshell rule with tomcat.exe
2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel
...
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df
fix: wrong identifier
2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8
fix avoiding FPs with MpCmdRun
...
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
2020-03-03 11:16:59 +01:00
Florian Roth
7139bfb0cb
fix: avoiding FPs with Citrix software
...
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
2020-03-03 11:01:42 +01:00
Remco Hofman
d4b5dd5749
Exclude Azure AD sync accounts from AD Replication rule
2020-03-02 16:43:20 +01:00
Thomas Patzke
b63889af75
Fixed rules that likely will cause false negatives by fix
2020-03-01 23:14:53 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3
...
Rule: restore initial behaviour matching single word with spaces on each side
2020-03-01 22:40:24 +01:00
Florian Roth
19d383989c
fix: keyword expression in rule
2020-02-29 16:03:31 +01:00
Florian Roth
15a400ac51
fix: fixing bug in rule
2020-02-29 15:51:00 +01:00
Florian Roth
fa6458b70f
rule: two rules to detect CVE-2020-0688 exploitation
2020-02-29 15:45:45 +01:00
Florian Roth
fdcba84fc8
fix: escaped backslash
2020-02-29 10:12:59 +01:00
grumo35
0d932810b5
Update sysmon_cred_dump_tools_dropped_files.yml
...
Adding sysinternal's procdump utility more about this on : https://en.hackndo.com/remote-lsass-dump-passwords/
2020-02-28 15:16:18 +01:00
Remco Hofman
4f45e14a56
Match on c-uri instead of c-uri-path
2020-02-27 13:23:25 +01:00
Remco Hofman
ff35eb0052
Title capitalization
2020-02-27 12:56:56 +01:00
Remco Hofman
72e34d2aa5
CVE 2020-0688 Exploit attempt rule
2020-02-27 12:51:10 +01:00
Florian Roth
f88225dd2a
Merge pull request #640 from Neo23x0/devel
...
fix: broader exclusion for rule - OneDrive false positives
2020-02-26 18:41:52 +01:00
Florian Roth
6bbd80a8ee
fix: broader exclusion for rule - OneDrive false positives
2020-02-26 18:31:58 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule
...
New Koadic detection rule
2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel
...
Several false positives with new rules
2020-02-26 09:46:02 +01:00
Florian Roth
ca2cc87f0c
fixed regex syntax to wildcard syntax
2020-02-26 09:43:29 +01:00
Florian Roth
1c90d6badd
level increased
2020-02-26 09:42:31 +01:00
Florian Roth
c8afd4a16b
Merge pull request #637 from tjgeorgen/patch-1
...
fix missing status & description in status field
2020-02-26 09:40:55 +01:00
Florian Roth
031e6d3ee6
Merge pull request #635 from EccoTheFlintstone/fix_fp4
...
wmiprvse subprocess: add fallback check on username instead of only l…
2020-02-26 09:40:34 +01:00
Florian Roth
4f3e3166d3
fixing false positives
2020-02-26 09:33:55 +01:00
Florian Roth
82d2b1e6f0
Merge branch 'master' into devel
...
# Conflicts:
# rules/windows/process_creation/win_susp_squirrel_lolbin.yml
2020-02-26 09:27:48 +01:00
Florian Roth
e7aff17e72
FP: OneDrive setup
2020-02-26 09:26:19 +01:00
Tom Georgen
74f3fe70cc
fix missing status & description in status field
2020-02-25 16:30:41 -05:00
Florian Roth
a152853ac3
Merge pull request #624 from Antonlovesdnb/master
...
New rules for Macro Detections
2020-02-25 15:44:31 +01:00
Antonlovesdnb
e8b861bff4
Update sysmon_susp_winword_vbadll_load.yml
2020-02-25 09:24:29 -05:00
Antonlovesdnb
4c5d489428
Update sysmon_susp_office_kerberos_dll_load.yml
2020-02-25 09:23:52 -05:00
Antonlovesdnb
f92e2f2b18
Update sysmon_susp_office_dotnet_assembly_dll_load.yml
2020-02-25 09:23:22 -05:00
Antonlovesdnb
8141b1ae90
Update sysmon_susp_office_dsparse_dll_load.yml
2020-02-25 09:22:56 -05:00
Antonlovesdnb
45e4a585bf
Update sysmon_susp_office_dotnet_gac_dll_load.yml
2020-02-25 09:22:37 -05:00
Antonlovesdnb
c5b42aeaed
Update sysmon_susp_office_dotnet_clr_dll_load.yml
2020-02-25 09:19:03 -05:00
Antonlovesdnb
bb1eecfe14
Update sysmon_susp_office_dotnet_assembly_dll_load.yml
2020-02-25 09:17:33 -05:00
Florian Roth
dd1a0e764c
docs: more false positive conditions
2020-02-25 11:13:58 +01:00
Florian Roth
950fa18418
fix: changed titles to avoid duplicates
2020-02-25 11:12:47 +01:00
Florian Roth
5d96f81a84
fix: lowered level due to false positives
2020-02-25 11:12:11 +01:00
ecco
3247d5692a
wmiprvse subprocess: add fallback check on username instead of only logonid
2020-02-24 09:25:20 -05:00
ecco
df7356e829
Rule: restore initial behaviour matching single word with spaces on each side
2020-02-24 08:00:06 -05:00
ecco
aa1eff5419
fix FP on rmdir matching dir
2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix
...
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 09:58:33 +01:00
ecco
f807dae69a
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 03:03:46 -05:00
ecco
1703b725d3
fix non ascii character in rule
2020-02-24 02:58:34 -05:00
Florian Roth
ab1dda7685
fix: non-ascii rule
2020-02-21 16:21:39 +01:00
Thomas Patzke
61d31c3f3a
Fixed tagging
2020-02-20 23:51:12 +01:00
Thomas Patzke
48d95f027c
Merge branch 'oscd'
2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145
Rule fixes
...
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Antonlovesdnb
9625a94d0b
Update sysmon_susp_office_dotnet_assembly_dll_load.yml
2020-02-19 14:52:31 -05:00
Antonlovesdnb
6234f72a6c
Update sysmon_susp_office_dotnet_clr_dll_load.yml
2020-02-19 14:52:09 -05:00
Antonlovesdnb
328858279f
Update sysmon_susp_office_kerberos_dll_load.yml
2020-02-19 14:51:50 -05:00
Antonlovesdnb
1f01fe446f
Update sysmon_susp_office_dsparse_dll_load.yml
2020-02-19 14:51:22 -05:00
Antonlovesdnb
6d0805ac13
Update sysmon_susp_winword_vbadll_load.yml
2020-02-19 14:51:00 -05:00
Antonlovesdnb
1e461cb2d1
Update sysmon_susp_office_dotnet_gac_dll_load.yml
2020-02-19 14:50:31 -05:00
Antonlovesdnb
56ffa9ec0e
Update sysmon_registry_trust_record_modification.yml
2020-02-19 14:50:09 -05:00
Antonlovesdnb
397cdecb94
5 Rules covering various macro techniques
...
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product
2020-02-19 14:43:13 -05:00
Antonlovesdnb
f8be92dae0
Add files via upload
2020-02-19 10:13:44 -05:00
Florian Roth
a9403b70d5
Merge pull request #623 from Neo23x0/devel
...
fix: fixing too restrictive rule
2020-02-18 11:14:51 +01:00
Florian Roth
6413730810
fix: fixing too restrictive rule
...
https://twitter.com/Hexacorn/status/1229702521679118336
2020-02-18 10:43:22 +01:00
Florian Roth
f7a6ffa121
Merge pull request #622 from Neo23x0/devel
...
Minor changes, process dump via rundll32 comsvcs.dll
2020-02-18 10:26:28 +01:00
Florian Roth
04b97bd84c
fix: character in filename
2020-02-18 10:19:48 +01:00
Florian Roth
cd607d4fed
rule: process dump via rundll32 and comsvcs.dll's MiniDumpW
2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc
rule: changed lsass process dump to level high
2020-02-18 10:03:25 +01:00
yugoslavskiy
7f3f1944d9
fix redundancy
2020-02-18 01:10:56 +03:00
Thomas Patzke
01d6c3b58d
Fixes
2020-02-16 23:24:00 +01:00
Wagga
b9c745a1b2
New Koadic detection rule
2020-02-16 16:48:49 +01:00
yugoslavskiy
d0e284ae18
fix typo (duplicates)
2020-02-16 18:19:25 +03:00
Thomas Patzke
f118839664
Further fixes and deduplications
...
From suggestions of @yugoslavskiy in issue #554 .
2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14
Revert "Moved rules with enrichments into unsupported"
...
This reverts commit ba83b8862a
.
2020-02-15 22:52:06 +01:00
Florian Roth
eb36150e6b
rule: UserAgent used by PowerTon malware
2020-02-15 19:06:49 +01:00
Florian Roth
d909fefa82
Merge pull request #620 from james0d0a/master
...
rule: Zeek Suspicious kerberos network traffic RC4
2020-02-13 09:34:06 +01:00
Florian Roth
94bb7dd77f
fix: issues
2020-02-13 09:17:21 +01:00
james dickenson
21e4aa33dc
rule modification: fixed filter condition on zeek suspicious rc4 traffic
2020-02-12 21:27:36 -08:00
james dickenson
93367d725d
rule: zeek suspicious kerberos RC4 traffic
2020-02-12 21:21:46 -08:00
faloker
6d9c8e44d7
Update rules titles
2020-02-12 23:09:16 +02:00
faloker
1b15dba712
Correct the indentation
2020-02-12 22:48:46 +02:00
faloker
f387cf0c37
Add the rule to detect changes to startup scripts
2020-02-12 22:23:18 +02:00
faloker
01d2f9f99d
Add the rule to detect backdooring of users keys
2020-02-12 22:22:38 +02:00
faloker
b26c5d8c51
Add rules to detect AWS RDS exfiltration
2020-02-12 22:21:52 +02:00
faloker
ddf5f8ec23
Update conditions
2020-02-12 22:20:15 +02:00
faloker
aacab37f84
Add a rule for guardduty trusted IPs manipulation
2020-02-11 23:28:23 +02:00
faloker
b6c834195e
Add a rule for ec2 userdata exfil
2020-02-11 23:25:54 +02:00
Florian Roth
a4c210ed16
rule: remove keywords in powershell rule prone to FPs
2020-02-11 16:26:17 +01:00
Florian Roth
bf98d286f9
Merge pull request #615 from Neo23x0/devel
...
fix: dumpert rule with wrong sysmon event id
2020-02-08 20:03:28 +01:00
Florian Roth
d9645af840
rule: added Emotet UA
...
https://twitter.com/webbthewombat/status/1225827092132179968
2020-02-08 10:37:56 +01:00
Florian Roth
080532d20c
logsource change
...
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524
additional gallium ttp
...
sha1 process creation only makes sense for sysmon
2020-02-07 14:08:40 +00:00
Florian Roth
be9b80d6ab
fix: dumpert rule with wrong sysmon event id
2020-02-07 13:14:18 +01:00
Thomas Patzke
7fdd6f7bce
Swapped accidental deletion of older rule duplicate
2020-02-06 23:41:05 +01:00
Florian Roth
1a80b180fd
Merge pull request #613 from Neo23x0/devel
...
rule: dumpert process dump tool
2020-02-04 23:07:07 +01:00
Florian Roth
10490a6cee
rule: reworked dumpert rule
2020-02-04 22:56:04 +01:00
Florian Roth
1f44969afd
rule: avoiding build issues with sysmon event id 1
2020-02-04 22:50:46 +01:00
Florian Roth
535e2d149b
rule: improved dumpert rule
2020-02-04 22:46:16 +01:00
Florian Roth
8f8b977c85
rule: dumpert process dump tool
2020-02-04 22:38:06 +01:00
Thomas Patzke
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0
Deduplication
2020-02-03 22:41:55 +01:00
Kevin Dienst
98471bc53c
Update proxy_raw_paste_service_access.yml
...
Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw `
Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
2020-02-03 07:29:42 -06:00
Thomas Patzke
815c562a17
Merge branch 'master' into oscd
2020-02-02 13:40:08 +01:00
Thomas Patzke
f59b36d891
Fixed rule
2020-02-02 12:54:56 +01:00
Thomas Patzke
ba83b8862a
Moved rules with enrichments into unsupported
2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c
additional execution observed
2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel
...
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel
...
Winnti rule and helpful message in test script
2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f
rule: winnti group campaign against HK universities
2020-02-01 15:43:30 +01:00
Florian Roth
7a222920df
added 'date'
2020-01-31 15:27:30 +01:00
Florian Roth
913c839780
added 'id'
2020-01-31 15:26:43 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master
2020-01-31 14:45:29 +01:00
Florian Roth
1213712978
Merge branch 'master' into patch-1
2020-01-31 14:32:27 +01:00
Florian Roth
afecca3c13
Merge pull request #511 from 4A616D6573/patch-3
...
Created win_susp_local_anon_logon_created.yml
2020-01-31 14:30:54 +01:00
Florian Roth
8c4aadb423
Merge branch 'master' into Renamed_Files
2020-01-31 08:49:10 +01:00
Florian Roth
190afcac88
Missing ID, wrong tag
2020-01-31 07:32:28 +01:00
Florian Roth
e3d61d5579
Missing ID
2020-01-31 07:31:56 +01:00
Florian Roth
033ab26d5e
Added date
2020-01-31 07:21:02 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel
...
New tests, colorized test output and rule cleanup
2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872
rule: wsreset.exe UAC bypass
2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
Florian Roth
efd3af0812
fix: fixed missing date fields in other files
2020-01-30 15:32:39 +01:00
Florian Roth
617ece1aa2
fix: fixed missing date fields in proxy rules
2020-01-30 15:20:52 +01:00
Florian Roth
4ad71c44bc
chore: moved network device rules to the 'network' folder
2020-01-30 14:30:26 +01:00
Florian Roth
5130072b04
Merge pull request #529 from c2defense/master
...
Network Device Analytics
2020-01-30 14:28:44 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master
...
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Florian Roth
598b750f48
Minor change
2020-01-30 10:31:16 +01:00
Florian Roth
8cef4b2941
fix: missing id
2020-01-30 10:14:18 +01:00
Florian Roth
bf81ff90a8
fix: using a specific field
2020-01-30 10:13:33 +01:00
Florian Roth
0207eeece4
fix: hyphen
2020-01-30 10:10:03 +01:00
Florian Roth
2f1890b5e8
Update win_rdp_reverse_tunnel.yml
2020-01-30 10:09:41 +01:00
Florian Roth
8ec0060938
fix: fixing bug
2020-01-30 10:09:22 +01:00
Florian Roth
6ca100cabf
reverted changes
2020-01-30 10:08:25 +01:00