Florian Roth
437a567e4f
Merge pull request #917 from Neo23x0/rule-devel
...
New Empire Rules and Updates
2020-07-13 16:37:59 +02:00
Florian Roth
557e8b0faf
rule: improved Empire detection
2020-07-13 15:47:53 +02:00
Florian Roth
7e8aa7b12b
Merge pull request #915 from Neo23x0/rule-devel
...
rule: regsvr32 flags anomaly
2020-07-13 12:16:05 +02:00
Florian Roth
7a63fd56da
rule: regsvr32 flags anomaly
2020-07-13 11:59:44 +02:00
Ryan Plas
25d978d9bd
Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values
2020-07-11 22:17:06 -04:00
Florian Roth
3ab5eb97d8
Merge pull request #901 from brachera/master
...
rule: Leviathan registry key
2020-07-10 16:42:02 +02:00
Florian Roth
49aa0b4621
Merge pull request #909 from EccoTheFlintstone/fp2
...
add WMI module load false positive
2020-07-10 15:45:53 +02:00
Florian Roth
5de82628fa
Update sysmon_apt_leviathan.yml
2020-07-10 15:41:55 +02:00
Florian Roth
168952840b
Merge pull request #910 from Neo23x0/rule-devel
...
Rule devel
2020-07-10 14:17:22 +02:00
Florian Roth
268a28daed
rule: Evilnum Golden Chicken rule OCX
2020-07-10 13:02:52 +02:00
ecco
e30eaa0202
be more specific about file location
2020-07-09 13:33:59 -04:00
ecco
94e3bd9e6b
add WMI module load false positive
2020-07-09 13:32:21 -04:00
ecco
905f1b3823
add WMI and powershell false positives
2020-07-09 10:26:54 -04:00
Florian Roth
7949729fa4
rule: PowerShell encoded character syntax
2020-07-09 08:52:32 +02:00
Florian Roth
e3734aaa27
fix: missing upper tick
2020-07-08 15:53:04 +02:00
GelosSnake
efae210556
adding google chrome to FP list
...
legitimate errors generated by Google Chrome are reported often.
Official google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
2020-07-08 16:44:41 +03:00
Thomas Patzke
205b584e80
Merge branch 'pr-829'
2020-07-07 23:42:57 +02:00
Thomas Patzke
3e17cc1900
Merge pull request #894 from caliskanfurkan/master
...
ditsnap, a credential access tool used in ransomware attacks
2020-07-07 23:21:36 +02:00
Thomas Patzke
28013a15e1
Improved rule
2020-07-07 23:18:07 +02:00
Thomas Patzke
90f09f7b12
Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829
2020-07-07 23:15:39 +02:00
Thomas Patzke
3c760fabc1
Merge pull request #745 from Rettila/master
...
Added new rules
2020-07-07 23:14:19 +02:00
Thomas Patzke
7eb499ad85
Added rule id
2020-07-07 22:54:55 +02:00
Thomas Patzke
360b5714a8
Splitted and improved new rule
2020-07-07 22:47:14 +02:00
Thomas Patzke
0ce5f2cc75
Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483
2020-07-07 22:37:11 +02:00
Thomas Patzke
4762a59b89
Merge pull request #891 from rtkbkish/image-load-fixes
...
Fix typo for rule in image_load category
2020-07-07 22:31:32 +02:00
Thomas Patzke
2032a1e7fd
Merge pull request #898 from rtkbkish/fix-uac-registry
...
Proposed fix for sysmon_uac_bypass_eventvwr
2020-07-07 22:29:39 +02:00
Thomas Patzke
9e85731253
Merge pull request #899 from rtkbkish/refix-rules
...
Re-fix sysmon rules that lost changes with category refactoring.
2020-07-07 22:28:37 +02:00
Aidan Bracher
90983dcc4b
add level field to rule
2020-07-07 14:28:18 +01:00
Aidan Bracher
f549a14d9a
rule: Leviathan registry key
2020-07-07 13:27:57 +01:00
Florian Roth
99ac4f1f3d
fix: FPs with RedMimicry rule
2020-07-07 10:11:58 +02:00
Brad Kish
c758ca0eb9
Re-fix sysmon rules that are lost changes with category refactoring.
...
Several fixes for sysmon rules got lost when the rules were refactored to use
categories.
Re-add the fixes.
38afd8b5de
422b2bffd7
dfae2a6df6
2020-07-06 10:55:42 -04:00
Brad Kish
7e06fd80fd
Proposed fix for sysmon_uac_bypass_eventvwr
...
Issue: https://github.com/Neo23x0/sigma/issues/888
The rules were not merged correctly with the transition to sysmon categories.
Split the rule into separate documents: one for the registry_event and one for
the process_creation
2020-07-06 09:20:34 -04:00
Thomas Patzke
939156fa6d
Introduced dns_query log source category
2020-07-05 23:29:51 +02:00
Thomas Patzke
0df21289a0
Merge branch 'dns-fixes' of https://github.com/rtkbkish/sigma into pr-893
2020-07-05 23:24:56 +02:00
Florian Roth
c51b4d0524
Merge pull request #890 from rtkbkish/file-event-fixes
...
Fixes for rules in the sysmon file_event category
2020-07-05 13:13:24 +02:00
Florian Roth
4a810dd136
Merge pull request #886 from Neo23x0/rule-devel
...
Windows Curl Rules
2020-07-05 13:12:41 +02:00
Furkan CALISKAN
8ef82e48eb
ditsnap
2020-07-04 23:21:52 +03:00
Brad Kish
8b3b312c4e
Proposed fix for https://github.com/Neo23x0/sigma/issues/889
...
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
2020-07-03 16:28:19 -04:00
Brad Kish
7031d9e2b8
Fix typo for rule in image_load category
...
image_load not image_loaded.
2020-07-03 16:23:17 -04:00
Brad Kish
1e9d0e9653
Fixes for rules in the sysmon file_event category
...
Fix a couple of typos
For sysmon_hack_dumpert:
Make sure the logsource is category file_event and not sysmon. Don't set
the category at the global level. Instead set in the individual document.
2020-07-03 16:22:29 -04:00
Brad Kish
4b31633355
Fixes for rules in new sysmon registry_event category
...
To be consistent with the behaviour of the other rules, the eventID should not
be specified as part of the rule. The category defines the eventID.
2020-07-03 16:20:37 -04:00
Florian Roth
11517edbd7
rule: suspicious curl usage
2020-07-03 18:55:44 +02:00
Florian Roth
c4267a4614
rule: suspicious curl file upload
2020-07-03 18:20:44 +02:00
Florian Roth
80f15a1e50
Merge pull request #885 from Neo23x0/rule-devel
...
fix: trailing whitespace
2020-07-03 18:00:19 +02:00
Florian Roth
4d9e2e8c16
fix: trailing white space
2020-07-03 17:59:50 +02:00
Florian Roth
26d8810efb
Merge pull request #882 from Neo23x0/rule-devel
...
Rule devel
2020-07-03 15:33:55 +02:00
Florian Roth
4dc818aafd
fix: rar flags rule caused too many FPs
2020-07-03 13:20:24 +02:00
Florian Roth
abf5f799d6
docs: more references
2020-07-03 13:19:44 +02:00
Florian Roth
5f04fcccf5
fix: broken links
2020-07-03 11:22:06 +02:00
Florian Roth
3111ab8396
refactor: new way to write that rule
2020-07-03 11:20:36 +02:00
Florian Roth
d12b8347dc
fix: bug in cmstp rule
...
https://github.com/Neo23x0/sigma/issues/876
2020-07-03 11:19:11 +02:00
Florian Roth
0bbf40fb14
refactor: include xcopy
2020-07-03 11:03:45 +02:00
Florian Roth
3bea08edfc
refactor: copy from/to system32 rule
2020-07-03 10:56:26 +02:00
Florian Roth
02dee36f4c
Merge pull request #880 from Neo23x0/rule-devel
...
fix: typo in systemroot
2020-07-03 10:25:31 +02:00
Florian Roth
34ea706e4f
fix: typo in systemroot
2020-07-03 10:24:58 +02:00
Florian Roth
53620a0d2f
Merge pull request #879 from Neo23x0/rule-devel
...
fix: missing copy command
2020-07-03 10:18:21 +02:00
Florian Roth
0fa1c1525b
fix: missing copy command
2020-07-03 10:17:34 +02:00
Florian Roth
248506be93
Merge pull request #878 from Neo23x0/rule-devel
...
DesktopImgDownLdr Rules and extra rule
2020-07-03 10:14:58 +02:00
Florian Roth
1f0b1e58a9
fix: bugs in rule and title
2020-07-03 09:54:10 +02:00
Florian Roth
01ed87186f
Copy From System Root rule
2020-07-03 09:45:58 +02:00
Florian Roth
33fef8bcf5
DesktopImgDownLdr rules
2020-07-03 09:45:48 +02:00
Thomas Patzke
de0bb36c51
Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785
2020-07-02 23:04:59 +02:00
Florian Roth
4c4ed1a4a2
fix: duplicate IDs and rule titles
2020-07-01 16:37:27 +02:00
Florian Roth
9c0f9f398f
refactor: sysmon rule cleanup > generlization
2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc
fix: remove duplicate rules in sysmon (generic rule cleanup)
2020-07-01 10:23:30 +02:00
Florian Roth
154181c6c8
fix: renamed files and lien break change
2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c
rule: RedMimicry rules (modified)
2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97
style: removed new lines
2020-07-01 09:11:00 +02:00
Florian Roth
b7ac36e6ab
Merge branch 'master' into rule-devel
2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2
rule: suspicious rar flags
2020-07-01 09:04:26 +02:00
Florian Roth
ba682c5de6
Merge pull request #863 from qwerty1q2w/feature
...
add win_not_allowed_rdp_access.yml rule
2020-06-30 10:03:11 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml
2020-06-30 10:03:00 +02:00
Florian Roth
2e3669a5a4
Merge pull request #865 from j91321/defender-rules
...
Windows Defender logsource and rules
2020-06-30 10:01:17 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process
...
New Rule: Suspicious powershell parent process
2020-06-30 10:00:28 +02:00
Harish SEGAR
9c74018e12
Added new rule for pwsh_xor_cmd (sysmon)
2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2
Added new rule for pwsh_xor_cmd (sysmon)
2020-06-29 22:13:49 +02:00
Harish SEGAR
649e4eaa63
Added new rule for pwsh_xor_cmd
2020-06-29 22:09:58 +02:00
Florian Roth
5a11ef90d0
rule reorganized
2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9
Fix rules.
2020-06-29 20:42:35 +02:00
Florian Roth
bb214f5832
rule: Explorer Root Flag Process Tree Break
2020-06-29 12:07:15 +02:00
j91321
24029d998a
FIX: lint error for title
2020-06-28 11:05:19 +02:00
j91321
ae842a65cb
Windows Defender rules and logsource
2020-06-28 10:55:32 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master
...
Split rules based on Sysmon event ID
2020-06-28 00:00:32 +02:00
Pushkarev Dmitry
502ec4b417
add win_not_allowed_rdp_access.yml rule
2020-06-26 22:15:53 +00:00
Florian Roth
3decee07ba
fix: bugfix and cosmetics
2020-06-24 18:10:58 +02:00
Florian Roth
f3fedef8f5
Changed category names and remove sysmon log source
2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel
...
fix: duplicate IDs
2020-06-24 17:23:13 +02:00
Florian Roth
c3ffa0b9d3
fix: duplicate IDs
2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69
Fix quoting for AD Object WriteDAC Access
...
The AccessMask field needs to be quoted so that it is compared correctly.
2020-06-22 15:31:03 -04:00
Furkan ÇALIŞKAN
b091e3b1c4
Update for new method
...
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
2020-06-22 01:06:34 +03:00
Florian Roth
e1225784f7
fix: fixed indentation
2020-06-19 09:54:08 +02:00
Florian Roth
62632db818
refactor: added variant to IE rule
2020-06-19 09:53:35 +02:00
Florian Roth
5cb6f5da9d
fix: title adjusted
2020-06-19 09:39:11 +02:00
Florian Roth
b8a5cd4787
Disabled IE Security Features
2020-06-19 09:37:10 +02:00
Florian Roth
da060bfb90
Ke3chang rule
2020-06-19 09:36:54 +02:00
Florian Roth
b675c4c706
Merge branch 'master' into rule-devel
2020-06-19 09:24:26 +02:00
Florian Roth
4b0c80885f
Merge pull request #810 from EccoTheFlintstone/fp
...
add WMI module load false positives
2020-06-18 12:50:40 +02:00
Florian Roth
32ecb81630
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2
...
ATT&CK subtechniques v2
2020-06-18 09:10:09 +02:00
Ivan Kirillov
b343df2225
Further subtechnique updates
2020-06-17 11:31:40 -06:00
ecco
99bfa14ae0
add 1 more FP
2020-06-17 12:49:27 -04:00
Florian Roth
0022705373
fix: filter not functional
...
since `UsrLogon.cmd` does appear only in `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
2020-06-17 16:09:44 +02:00
Ivan Kirillov
5c0bb0e94f
Fixed indentation
2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
Florian Roth
d24ec665fd
Merge pull request #838 from rtkbkish/fix-identifier
...
Identifiers shared between global document and rule gets overwritten
2020-06-15 20:20:23 +02:00
Florian Roth
87053502a3
Merge pull request #839 from rtkbkish/fix-double-backslash
...
Fix match for double-backslash
2020-06-15 20:19:56 +02:00
Florian Roth
869162a5da
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id
...
Rule lists extra Sysmon ID (11). Should just match registry events (1…
2020-06-15 20:19:27 +02:00
Florian Roth
3482e048fb
Merge pull request #841 from rtkbkish/fix-rule-match
...
Rule needs endwith, not exact match.
2020-06-15 20:19:12 +02:00
Florian Roth
46bd56a708
Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation
...
Fix logsource field name from service->category
2020-06-15 20:18:53 +02:00
Brad Kish
dfae2a6df6
Rule needs endwith, not exact match.
...
Fix ImageLoaded filter to match with endswith, rather than exact match.
2020-06-15 13:54:02 -04:00
Brad Kish
a9c6fa904f
Rule lists extra Sysmon ID (11). Should just match registry events (12-14)
...
Remove extraneous event ID 11. It will never match.
2020-06-15 13:52:12 -04:00
Brad Kish
f196046b3d
Fix match for double-backslash
...
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
2020-06-15 13:39:50 -04:00
Brad Kish
422b2bffd7
Fix rules with incorrect escaping of wildcars
...
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
Brad Kish
8d58c8f5c8
Fix logsource field name from service->category
...
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
2020-06-15 13:18:05 -04:00
Brad Kish
f5aa871e5d
Identifiers shared between global document and rule gets overwritten
...
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
2020-06-15 13:14:31 -04:00
Iveco
40f0fd989d
- moved to "process_creation" folder instead of "sysmon"
...
- renamed .yml file
2020-06-11 19:21:17 +02:00
Iveco
34d7ea2974
removed one field
2020-06-11 16:23:15 +02:00
Iveco
2081baafe5
updated to process_creation
2020-06-11 15:58:05 +02:00
Iveco
f56e2599b1
Cmd.exe Path Traversal Detection
2020-06-11 15:48:48 +02:00
Florian Roth
a7136481f1
Update win_pcap_drivers.yml
2020-06-11 11:14:43 +02:00
Florian Roth
97c45f9d46
Merge pull request #812 from tliffick/master
...
added new rules for malware
2020-06-10 17:37:19 +02:00
Cian Heasley
9835c6d67d
add win_pcap_drivers.yml
2020-06-10 15:53:22 +01:00
Florian Roth
96309d247b
fix: cosmetic fault
2020-06-10 16:41:03 +02:00
Florian Roth
6e4aa01baa
Cosmetics
2020-06-10 16:36:17 +02:00
Florian Roth
13c7d40a22
Cosmetics
2020-06-10 16:35:41 +02:00
Florian Roth
f553fb2e33
Cosmetics
2020-06-10 16:35:14 +02:00
Florian Roth
48e4e31713
Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll
...
Fax Service DLL search order hijacking detection
2020-06-10 16:33:12 +02:00
Florian Roth
1a9da23611
Merge pull request #825 from NVISO-BE/sysmon_office_persistence
...
Office persistence by addin detection
2020-06-10 16:32:50 +02:00
Steven Goossens
e5f36dd146
Added rules files split into folders
2020-06-10 16:32:30 +02:00
Remco Hofman
8adaa2d672
Fixed bad indentation
2020-06-10 15:02:41 +02:00
Remco Hofman
83a6e25bcb
Fax Service DLL search order hijacking
2020-06-10 15:01:07 +02:00
Remco Hofman
cb8e478ac1
Sigma rule to detect Office persistence via addin.
2020-06-10 14:52:13 +02:00
Florian Roth
5c835cf1f2
Merge pull request #813 from ozirus/patch-1
...
Create sysmon_apt_muddywater_dnstunnel.yml
2020-06-09 18:44:45 +02:00
Florian Roth
7a334a8d8a
fix: missed line
2020-06-09 17:30:54 +02:00
Florian Roth
04913a4b95
Aligned indentation
2020-06-09 17:20:25 +02:00
Florian Roth
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud
...
TA410 FlowCloud malware detection
2020-06-09 17:18:39 +02:00
Remco Hofman
a9bf22750a
Fixed bad indentation
2020-06-09 16:30:17 +02:00
Remco Hofman
4ce3ea735e
TA410 FlowCloud malware detection
2020-06-09 16:21:46 +02:00
Remco Hofman
d14d391761
Octopus Scanner malware rule
2020-06-09 16:12:05 +02:00
Florian Roth
6e349030d9
rule: suspicious camera and mic access
2020-06-08 10:18:44 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel
...
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel
...
Rule devel
2020-06-06 14:19:37 +02:00
Florian Roth
3697186281
fix: fixed title
2020-06-06 14:04:40 +02:00
Florian Roth
246a95557b
fix: description over multiple lines
2020-06-06 13:56:48 +02:00
Florian Roth
d54209dcc5
rule: ETW disabled
2020-06-06 13:56:19 +02:00
Florian Roth
2e77e65285
rule: Covenant launchers
2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN
082696ee84
Added UUID
2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN
e958a6a939
Date added
2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN
5e373153eb
Title fix
2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN
0744107fbb
Deleted EventID part
2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN
1c677aa172
Fix title as in guideline
...
Fix title error as in guideline and other cosmetic changes
2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN
bafd6bde5f
Convert to process_creation
...
Convert to process_creation
2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN
09afae1e66
Create sysmon_apt_muddywater_dnstunnel.yml
...
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
2020-06-04 14:27:19 +03:00
Trent Liffick
6c8c0cd85d
Removed incorrect technique
2020-06-03 17:51:57 -04:00
Trent Liffick
3c89f46899
removed unwanted file
2020-06-03 17:43:12 -04:00
Trent Liffick
2af501c9f5
added rule for zLoader & Office
...
detects changes to Office macro settings & ZLoader malware
2020-06-03 17:40:05 -04:00
Trent Liffick
a2ca199e7d
added rules for Lazaurs and hhsgov
2020-06-03 17:38:03 -04:00
William Bruneau
84dd8c39c4
Move null values out from list in rules
2020-06-03 13:57:22 +02:00
Sven Scharmentke
4ed512011a
All Rules use 'TargetFilename' instead of 'TargetFileName'.
...
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
ecco
b1c11cc345
add WMI module load false positive
2020-06-01 03:30:27 -04:00
Florian Roth
e20b58c421
Merge pull request #806 from SanWieb/sysmon_creation_system_file
...
Fixed wrong field & Improve rule
2020-05-29 17:32:27 +02:00
Sander Wiebing
a00f7f19a1
Add tagg Endswith
...
Prevent the trigger of {}.exe.log
2020-05-29 16:25:54 +02:00
Sander Wiebing
38afd8b5de
Fixed wrong field
2020-05-28 21:52:17 +02:00
Florian Roth
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel
...
ComRAT and KazuarRAT
2020-05-28 11:16:44 +02:00
Florian Roth
39b41b5582
rule: moved DebugView rule to process creation category
2020-05-28 10:13:38 +02:00
Florian Roth
76dcc1a16f
rule: renamed debugview
2020-05-28 09:22:25 +02:00
Florian Roth
ec313b6c8a
Merge pull request #801 from SanWieb/sysmon_creation_system_file
...
Rule: sysmon_creation_system_file
2020-05-27 08:49:20 +02:00
Sander Wiebing
d44fc43c54
Add extension
2020-05-26 19:10:11 +02:00
Sander Wiebing
f6ec724d51
Rule: sysmon_creation_system_file
2020-05-26 18:53:54 +02:00
Florian Roth
5bb6770f53
Merge pull request #800 from SanWieb/win_system_exe_anomaly
...
Extended Windows processes: win_system_exe_anomaly
2020-05-26 14:28:47 +02:00
Florian Roth
4ca81b896d
rule: Turla ComRAT report
2020-05-26 14:19:22 +02:00
Sander Wiebing
3681b8cb56
Extended Windows processes
2020-05-26 13:56:51 +02:00
Florian Roth
c1f4787566
Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048
...
Changes to sysmon_cve-2020-1048
2020-05-26 13:21:04 +02:00
Florian Roth
ce1f46346f
Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access
...
Add 'Add-Content' to powershell_ntfs_ads_access
2020-05-26 13:20:40 +02:00
Florian Roth
e131f3476e
Merge pull request #796 from EccoTheFlintstone/fp
...
add more false positives
2020-05-26 13:20:23 +02:00
Sander Wiebing
f9f814f3b3
Shortened title
2020-05-26 13:06:27 +02:00
Sander Wiebing
a241792e10
Reduce FP of legitime processes
...
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe
All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.
Python 2.7, 3.3 and 3.7 does not have any file characteristics.
So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
2020-05-26 12:58:15 +02:00
Remco Hofman
48c5f2ed09
Update to sysmon_cve-2020-1048
...
Added .com executables to detection
Second TargetObject should have been Details
2020-05-26 11:20:21 +02:00
ecco
7037e77569
add more FP
2020-05-25 04:50:22 -04:00
Florian Roth
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
...
Fix 'source' value for win_susp_backup_delete
2020-05-25 10:48:36 +02:00
Florian Roth
0afe0623af
Merge pull request #757 from tliffick/master
...
added rule for Blue Mockingbird (cryptominer)
2020-05-25 10:47:23 +02:00
Sander Wiebing
6fcf3f9ebf
Update win_netsh_fw_add.yml
2020-05-25 10:13:26 +02:00
Sander Wiebing
28652e4648
Add Windows Server 2008 and Windows Vista support
...
It did not support the command `netsh advfirewall firewall add`
2020-05-25 10:02:13 +02:00
Sander Wiebing
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml
...
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check.
Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
2020-05-25 09:50:47 +02:00
Sander Wiebing
b8ee736f44
Remove AppData folder as suspicious folder
...
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)
Too many to whitelist them all
2020-05-24 15:16:07 +02:00
Florian Roth
6fbfa9dfdd
Merge pull request #793 from Neo23x0/rule-devel
...
Esentutl rule and StrongPity Loader UA
2020-05-23 23:47:12 +02:00
ecco
f970d28f10
add more false positives
2020-05-23 15:06:15 -04:00
Florian Roth
3028a27055
fix: buggy rule
2020-05-23 18:32:02 +02:00
Florian Roth
df715386b6
rule: suspicious esentutl use
2020-05-23 18:27:36 +02:00
ecco
67faf4bd41
fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml
2020-05-23 10:56:23 -04:00
Florian Roth
9cd9a301c2
Merge pull request #791 from SanWieb/master
...
added rule for Netsh RDP port opening
2020-05-23 16:50:31 +02:00
ecco
10ca3006f5
move rule where needed
2020-05-23 10:07:55 -04:00
ecco
d9bc09c38c
fix test
2020-05-23 10:02:58 -04:00
ecco
78a7852a43
renamed dbghelp rule with new ID and comment and removed a false positive
2020-05-23 09:16:40 -04:00
Sander Wiebing
d310805ed9
rule: Netsh RDP port opening
2020-05-23 14:19:52 +02:00
ecco
75ba5f989c
add 1 more FP to wmi load
2020-05-23 07:44:45 -04:00
ecco
9a7f462d79
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
ecco
cfde0625f5
fix false positive matching on every powershell process not run by SYSTEM account
2020-05-23 07:05:09 -04:00
Florian Roth
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel
...
refactor: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:54:43 +02:00
Florian Roth
34006d0794
refactor: simplified and extended expression in CVE-2020-1048 rule
2020-05-23 09:16:19 +02:00