Jonhnathan
61ccdc598d
Update win_susp_local_anon_logon_created.yml
2020-10-27 22:00:42 -03:00
Jonhnathan
3eea825898
Update win_net_ntlm_downgrade.yml
2020-10-27 21:59:49 -03:00
Jonhnathan
53ff19f167
Update win_mmc20_lateral_movement.yml
2020-10-27 21:55:17 -03:00
Nikita Nazarov
654bd7bdba
Update win_software_discovery.yml
...
Add edits
2020-10-19 11:05:45 +03:00
Timur Zinniatullin
30f7dad901
Add win_invoke_obfuscation_via_compress_services.yml
2020-10-18 19:50:30 +03:00
Timur Zinniatullin
39bac712c3
Update win_invoke_obfuscation_via_rundll_services.yml
2020-10-18 19:05:09 +03:00
Timur Zinniatullin
98febd2101
Update win_invoke_obfuscation_via_rundll_services.yml
2020-10-18 18:54:06 +03:00
Timur Zinniatullin
1bde40a98d
Add win_invoke_obfuscation_via_rundll_services.yml
2020-10-18 18:52:25 +03:00
OpalSec
ca09ae5039
Modification of search logic per advice from @zinint
...
Edited suggested searches to improve performance:
VAR+
16ms: .*cmd.*(?:\/c|\/r).*set.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
6ms: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
STDIN+
7ms: .*cmd.*(?:\/c|\/r).*powershell.+(?:\$\{?input}?|noexit).*\"
3ms: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
CLIP+
28ms: .*cmd.*(?:\/c|\/r).*\|.*clip(?:\.exe)?.*&&.*clipboard]::\(\s\\\"\{\d\}.*\-f.*\"
11ms: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
2020-10-18 21:15:43 +11:00
yugoslavskiy
30970903bc
Update win_powershell_script_installed_as_service.yml
2020-10-18 01:32:07 +02:00
Наталья Шорникова
789e7227be
Splitting into two
2020-10-18 02:16:11 +03:00
Alexander Akhremchik
451187bfbd
fixed title capitalization
2020-10-17 01:26:02 +03:00
Alexander Akhremchik
860dc24e4b
add zerologon rule
2020-10-17 01:13:57 +03:00
Alexander Akhremchik
dbb18b89dc
add zerologon rule
2020-10-17 01:11:31 +03:00
Nikita P. Nazarov
30ce1ff268
Detected Windows Software Discovery
2020-10-16 20:44:08 +03:00
Jonhnathan
9a5c166bb2
Fix filter
2020-10-16 07:35:59 -03:00
Jonhnathan
0666d21b06
Update win_dcsync.yml
2020-10-15 20:19:06 -03:00
yugoslavskiy
9e7789bb32
Update win_susp_logon_explicit_credentials.yml
2020-10-16 00:50:29 +02:00
Jonhnathan
1cd56f5dae
Update win_vul_cve_2020_0688.yml
2020-10-15 15:56:36 -03:00
Jonhnathan
ef3af551e9
Update win_user_driver_loaded.yml
2020-10-15 15:56:16 -03:00
Jonhnathan
4e70b2d797
Update win_user_added_to_local_administrators.yml
2020-10-15 15:55:21 -03:00
Jonhnathan
c0892c63c8
Update win_svcctl_remote_service.yml
2020-10-15 15:54:47 -03:00
Jonhnathan
d96bd0d9f3
Update win_susp_wmi_login.yml
2020-10-15 15:54:21 -03:00
Jonhnathan
496cfcb26a
Update win_susp_sdelete.yml
2020-10-15 15:53:51 -03:00
Jonhnathan
600c7057b1
Update win_susp_sam_dump.yml
2020-10-15 15:53:26 -03:00
Jonhnathan
754e67c0d9
Update win_susp_rc4_kerberos.yml
2020-10-15 15:52:48 -03:00
Jonhnathan
43a56b6759
Update win_susp_raccess_sensitive_fext.yml
2020-10-15 15:51:57 -03:00
Jonhnathan
054255fb17
Update win_susp_psexec.yml
2020-10-15 15:51:16 -03:00
Jonhnathan
dae1f3fa71
Update win_susp_ntlm_rdp.yml
2020-10-15 15:50:44 -03:00
Jonhnathan
9b8817f489
Update win_susp_msmpeng_crash.yml
2020-10-15 15:50:01 -03:00
Jonhnathan
c310d72e2b
Update win_susp_mshta_execution.yml
2020-10-15 15:49:39 -03:00
Jonhnathan
7419396351
Update win_susp_mshta_execution.yml
2020-10-15 15:49:26 -03:00
Jonhnathan
1eb0ccbf14
Update win_susp_local_anon_logon_created.yml
2020-10-15 15:48:36 -03:00
Jonhnathan
e089118718
Update win_possible_dc_shadow.yml
2020-10-15 15:45:55 -03:00
Jonhnathan
6961ee4986
Update win_net_ntlm_downgrade.yml
2020-10-15 15:44:24 -03:00
Jonhnathan
8261737728
Update win_mmc20_lateral_movement.yml
2020-10-15 15:42:07 -03:00
Jonhnathan
8f3542a73e
Update win_mal_wceaux_dll.yml
2020-10-15 15:41:13 -03:00
Jonhnathan
9bfd63ec26
Update win_hack_smbexec.yml
2020-10-15 15:20:08 -03:00
Jonhnathan
e5789a2a52
Update win_dcsync.yml
2020-10-15 15:19:18 -03:00
Jonhnathan
777e49b76c
Update win_av_relevant_match.yml
2020-10-15 15:17:33 -03:00
Jonhnathan
b555628321
Update win_atsvc_task.yml
2020-10-15 15:15:01 -03:00
Jonhnathan
44735049b6
Update win_apt_stonedrill.yml
2020-10-15 15:14:27 -03:00
Jonhnathan
02a1ab4033
Update win_alert_mimikatz_keywords.yml
2020-10-15 15:11:10 -03:00
Jonhnathan
26b442ec48
Update win_alert_lsass_access.yml
...
Getting rid of '*' use
2020-10-15 15:09:35 -03:00
Jonhnathan
79c2b8d570
Update win_GPO_scheduledtasks.yml
...
Getting rid of '*' use
2020-10-15 15:07:16 -03:00
Jonhnathan
4aa96a2ac9
Update win_alert_enable_weak_encryption.yml
2020-10-15 15:05:49 -03:00
Jonhnathan
5765573907
Update win_alert_active_directory_user_control.yml
...
Getting rid of '*' use
2020-10-15 15:04:08 -03:00
Jonhnathan
1c06c9e166
Update win_admin_share_access.yml
...
Getting rid of '*' use
2020-10-15 15:03:31 -03:00
Jonhnathan
085dc21d25
Update win_admin_rdp_login.yml
...
Getting rid of '*' use
2020-10-15 15:02:40 -03:00
Jonhnathan
9c7a23e432
Update win_account_discovery.yml
...
Getting rid of '*' use
2020-10-15 15:01:31 -03:00
OpalSec
ffbcb402e3
Creation of Rules for Task 24 - Invoke-Obfuscation VAR+ Launcher
2020-10-15 21:36:27 +11:00
OpalSec
762840ec25
Creation of Rules for Task 25 - Invoke-Obfuscation STDIN+ Launcher
2020-10-15 17:59:36 +11:00
OpalSec
109fb4f493
Create win_invoke_obfuscation_clip+_services.yml
2020-10-15 17:53:16 +11:00
Thomas Patzke
e39ebe065a
Merge pull request #1037 from svch0stz/oscd5
...
[OSCD] Create win_susp_logon_explicit_credentials.yml
2020-10-14 00:23:08 +02:00
Roberto Rodriguez
6500c230cf
Update win_sysmon_channel_reference_deletion.yml
2020-10-13 03:49:48 -04:00
Roberto Rodriguez
2cb540f95e
13 Rules from THP - Backlog Rules (old)
2020-10-13 03:33:55 -04:00
cyb3rward0g
354b6a9822
update - GitHub Action / Test Sigma
2020-10-12 23:07:02 -04:00
cyb3rward0g
644f222079
update - GitHub Action / Test Sigma
2020-10-12 21:58:02 -04:00
cyb3rward0g
491049b92a
Updated - GitHub Action / Test Sigma
2020-10-12 21:34:07 -04:00
Timur Zinniatullin
946d84329e
Add win_invoke_obfuscation_via_var++_services.yml
2020-10-13 02:22:15 +03:00
Thomas Patzke
d6ceba3719
Merge pull request #1102 from svch0stz/oscd8
...
[OSCD] Create win_root_certificate_installed.yml
2020-10-13 01:00:23 +02:00
cyb3rward0g
104b40ce8f
10 rules from THP - contributing soon
2020-10-12 15:42:34 -04:00
Nikita P. Nazarov
9b17634aa4
Detects Obfuscated Powershell via Stdin in Scripts
2020-10-12 18:56:12 +03:00
nsaddler
07a4d11af7
Update win_powershell_script_installed_as_service.yml
2020-10-12 18:23:06 +03:00
svch0stz
2edd79a37f
Update win_root_certificate_installed.yml
2020-10-12 08:30:28 +11:00
Nikita P. Nazarov
021a2192eb
Detects Obfuscated Powershell via use Clip.exe in Scripts
2020-10-09 19:46:11 +03:00
Vasiliy Burov
e10771652b
Update win_disable_event_logging.yml
2020-10-09 18:27:04 +03:00
Nikita P. Nazarov
527d00c0b9
Detects Obfuscated Powershell via use MSHTA in Scripts
2020-10-09 16:57:09 +03:00
Nikita P. Nazarov
93e65a9042
Detects Obfuscated Powershell via use Rundll32 in Scripts
2020-10-09 16:52:35 +03:00
Vasiliy Burov
c77a190a6b
Update win_susp_eventlog_cleared.yml
...
Added events about security log clearance. Also, I think that the rule "sigma/rules/windows/builtin/win_susp_security_eventlog_cleared.yml" can be deleted.
2020-10-09 16:51:18 +03:00
svch0stz
5d475ce16d
Update win_root_certificate_installed.yml
2020-10-09 13:00:17 +11:00
svch0stz
8d7152d489
Update win_root_certificate_installed.yml
2020-10-09 12:55:37 +11:00
svch0stz
ff8547efc5
Update win_root_certificate_installed.yml
2020-10-09 12:48:39 +11:00
svch0stz
a68d50a5d9
Create win_root_certificate_installed.yml
2020-10-09 12:29:53 +11:00
Наталья Шорникова
4bddfaac86
[OSCD] Powershell Script Installed as a Service Rule added
2020-10-07 16:18:38 +03:00
svch0stz
e68e212d23
Update win_susp_logon_explicit_credentials.yml
2020-10-07 08:26:43 +11:00
svch0stz
ca0f2146ab
Update win_net_use_admin_share.yml
2020-10-07 08:23:31 +11:00
svch0stz
a02f4840e5
Update win_susp_logon_explicit_credentials.yml
2020-10-05 15:31:30 +11:00
svch0stz
0249d330f5
Update win_susp_logon_explicit_credentials.yml
2020-10-05 15:23:23 +11:00
svch0stz
c34cde7938
Create win_susp_logon_explicit_credentials.yml
...
❯ python .\sigmac -t splunk -c .\config\splunk-windows.yml ..\rules\windows\builtin\win_susp_logon_explicit_credentials.yml
(source="WinEventLog:Security" (EventCode="4648" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\winrs.exe" OR Image="*\\wmic.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\reg.exe" OR Image="*\\winrs.exe")) NOT (Target_Server_Name="localhost"))
2020-10-05 15:17:39 +11:00
svch0stz
c82d5ac08e
Create win_net_use_admin_share.yml
2020-10-05 14:43:45 +11:00
Steven
05d2de4c26
- Cleaned up some more rules where 'service: sysmon' was combined with category
...
- Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent
modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
modified: rules/windows/malware/mal_azorult_reg.yml
modified: rules/windows/powershell/powershell_suspicious_profile_create.yml
modified: rules/windows/process_creation/sysmon_cmstp_execution.yml
modified: rules/windows/process_creation/win_apt_chafer_mar18.yml
modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml
modified: rules/windows/process_creation/win_hktl_createminidump.yml
modified: rules/windows/process_creation/win_mal_adwind.yml
modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml
2020-10-02 10:45:29 +02:00
Remco Hofman
6cadfa5b2b
Added win_vul_cve_2020_1472 rule
2020-09-15 15:13:53 +02:00
Florian Roth
50db6dcc69
Merge pull request #1002 from scottdermott/master
...
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
2020-09-15 08:17:02 +02:00
Yugoslavskiy Daniil
1fc202fe5d
fix typos, update tags
2020-09-13 15:46:45 +02:00
Dermott, Scott J
c72ac8f73e
Merge branch 'master' of https://github.com/scottdermott/sigma
2020-09-11 16:19:54 +01:00
Scott Dermott
1f50e0af35
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
...
AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC).
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
2020-09-11 16:06:51 +01:00
Florian Roth
de5444a81e
Merge pull request #989 from oscd-initiative/master
...
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth
7ddb63ec1b
fix: FPs with McAfee and CyberReason
2020-09-02 12:30:34 +02:00
Yugoslavskiy Daniil
5026438524
fix modified field
2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil
42c4079ed8
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-25 01:09:17 +02:00
Florian Roth
8970d03f6f
Merge pull request #952 from Neo23x0/devel
...
feat: Detect duplicate rule tags
2020-07-28 10:21:59 +02:00
Florian Roth
80f4b4ec71
fix: rules with duplicate tags
2020-07-27 11:44:47 +02:00
Ryan Plas
aa548ba1a9
Add quotes due to a colon in the falsepositives string
2020-07-23 23:33:36 -04:00
Ryan Plas
e52489aaf6
Change production status to stable
2020-07-23 23:33:36 -04:00
Aidan Bracher
1fd73a23b2
Updated tags with sub-techniques
2020-07-18 03:01:34 +01:00
Aidan Bracher
4ac1058ab5
Updated tags
2020-07-18 03:01:11 +01:00
Ryan Plas
de53a08746
Merge branch 'master' of github.com:Neo23x0/sigma
2020-07-15 10:27:33 -04:00
Florian Roth
c7e412788a
Merge pull request #924 from Neo23x0/devel
...
Live MITRE ATT&CK data from TAXI service in Test Scripts
2020-07-14 18:15:29 +02:00
Florian Roth
58b68758b4
fix: wrong MITRE ATT&CK ids used in the beta version
2020-07-14 17:53:32 +02:00
Ryan Plas
04fd598bcf
Update additional rules to have correct logsource attributes
2020-07-13 17:02:17 -04:00
Pushkarev Dmitry
efe720d44e
Added new rule. AppLocker
2020-07-13 20:51:48 +00:00
Florian Roth
f12cb7309b
fix: references is not a list
2020-07-13 17:37:03 +02:00
Florian Roth
e3734aaa27
fix: missing upper tick
2020-07-08 15:53:04 +02:00
GelosSnake
efae210556
adding google chrome to FP list
...
Legitimate errors generated by Google Chrome are reported often.
Official Google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
2020-07-08 16:44:41 +03:00
Thomas Patzke
3c760fabc1
Merge pull request #745 from Rettila/master
...
Added new rules
2020-07-07 23:14:19 +02:00
Thomas Patzke
de0bb36c51
Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785
2020-07-02 23:04:59 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml
2020-06-30 10:03:00 +02:00
Pushkarev Dmitry
502ec4b417
add win_not_allowed_rdp_access.yml rule
2020-06-26 22:15:53 +00:00
Brad Kish
d385cbfa69
Fix quoting for AD Object WriteDAC Access
...
The AccessMask field needs to be quoted so that it is compared correctly.
2020-06-22 15:31:03 -04:00
Ivan Kirillov
5c0bb0e94f
Fixed indentation
2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
Brad Kish
f5aa871e5d
Identifiers shared between global document and rule get overwritten
...
The global document defines a "selection" identifier which is also defined in the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
2020-06-15 13:14:31 -04:00
Florian Roth
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
Florian Roth
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
...
Fix 'source' value for win_susp_backup_delete
2020-05-25 10:48:36 +02:00
4A616D6573
879ad6f206
Update win_susp_ntlm_rdp.yml
2020-05-22 13:32:02 +10:00
4A616D6573
daa3c5e053
Update win_susp_ntlm_rdp.yml
2020-05-22 13:28:56 +10:00
4A616D6573
0f8f5fb29c
Create win_susp_ntlm_rdp.yml
2020-05-22 13:24:27 +10:00
Florian Roth
9ab65cd1c7
Update win_alert_ad_user_backdoors.yml
2020-05-19 14:50:22 +02:00
Tatsuya Ito
c815773b1a
enhancement rule
2020-05-19 18:05:51 +09:00
Tatsuya Ito
49f68a327a
enhancement rule
2020-05-19 18:00:50 +09:00
ecco
54cf535dbc
remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)
2020-05-15 04:45:25 -04:00
zaphod
d510e1aad4
Fix 'source' value for win_susp_backup_delete
2020-05-11 18:31:59 +02:00
Rettila
6ec74364f2
Create win_global_catalog_enumeration.yml
2020-05-11 17:40:47 +02:00
Rettila
ccacedf621
Merge pull request #3 from Neo23x0/master
...
merge
2020-05-11 17:38:27 +02:00
Rettila
07a50edf89
Update win_metasploit_authentication.yml
2020-05-07 14:42:00 +02:00
Remco Hofman
123a23adae
win_susp_failed_logon_source rule
2020-05-06 22:24:02 +02:00
Rettila
6aed82a039
Update win_metasploit_authentication.yml
2020-05-06 17:04:47 +02:00
Rettila
2beb65076c
Update win_metasploit_authentication.yml
2020-05-06 16:44:19 +02:00
Rettila
7371ce234b
Create win_metasploit_authentication.yml
2020-05-06 16:42:27 +02:00
Florian Roth
473c31232e
add additional reference
2020-05-05 19:25:33 +02:00
Rettila
0e1fa5c135
Update win_possible_dc_shadow.yml
2020-05-05 18:14:32 +02:00
Rettila
55d018255c
Update win_possible_dc_shadow.yml
2020-05-05 16:52:08 +02:00
Rettila
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml
2020-05-05 16:51:35 +02:00
Rettila
f27aa4bfee
Update win_possible_dc_sync.yml
2020-05-05 16:50:13 +02:00
Rettila
db810b342f
Delete win_possible_dc_shadow.yml
2020-05-05 16:48:39 +02:00
Rettila
e3f21805f3
Update win_possible_dc_shadow.yml
2020-05-05 16:43:56 +02:00
Rettila
0f4cc9d365
Create win_possible_dc_shadow.yml
2020-05-05 16:40:52 +02:00
Florian Roth
514bd8657b
Merge pull request #704 from Iveco/master
...
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-14 14:11:27 +02:00
Florian Roth
5cbe008350
Casing
2020-04-14 13:39:22 +02:00
vesche
1f918253e8
Add additional reference
2020-04-13 11:09:36 -05:00
vesche
9cdb3a4a64
Fix typo
2020-04-13 11:09:00 -05:00
Iveco
61b9234d7f
Update win_user_driver_loaded.yml
...
removed internal field
2020-04-09 11:28:19 +02:00
Iveco
e913db0dca
Update win_user_driver_loaded.yml
...
CI
2020-04-08 18:54:59 +02:00
Iveco
d0746b50f4
Update win_user_driver_loaded.yml
...
Fixed author
2020-04-08 18:41:16 +02:00
Iveco
d1b9c0c34a
Update win_user_driver_loaded.yml
...
Fixed CI
2020-04-08 18:21:59 +02:00
iveco
e87f2705a7
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-08 18:01:04 +02:00
Maxime Thiebaut
73a6428345
Update the NTLM downgrade registry paths
...
Recent Windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additional wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
Maxime Thiebaut
8dcbfd9aca
Add AD User Enumeration
...
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.
This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.
Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.
False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00