SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00

Author	SHA1	Message	Date
OpalSec	ffbcb402e3	Creation of Rules for Task 24 - Invoke-Obfuscation VAR+ Launcher	2020-10-15 21:36:27 +11:00
OpalSec	762840ec25	Creation of Rules for Task 25 - Invoke-Obfuscation STDIN+ Launcher	2020-10-15 17:59:36 +11:00
OpalSec	109fb4f493	Create win_invoke_obfuscation_clip+_services.yml	2020-10-15 17:53:16 +11:00
Thomas Patzke	e39ebe065a	Merge pull request #1037 from svch0stz/oscd5 [OSCD] Create win_susp_logon_explicit_credentials.yml	2020-10-14 00:23:08 +02:00
Roberto Rodriguez	6500c230cf	Update win_sysmon_channel_reference_deletion.yml	2020-10-13 03:49:48 -04:00
Roberto Rodriguez	2cb540f95e	13 Rules from THP - Backlog Rules (old)	2020-10-13 03:33:55 -04:00
cyb3rward0g	354b6a9822	update - GitHub Action / Test Sigma	2020-10-12 23:07:02 -04:00
cyb3rward0g	644f222079	update - GitHub Action / Test Sigma	2020-10-12 21:58:02 -04:00
cyb3rward0g	491049b92a	Updated - GitHub Action / Test Sigma	2020-10-12 21:34:07 -04:00
Timur Zinniatullin	946d84329e	Add win_invoke_obfuscation_via_var++_services.yml	2020-10-13 02:22:15 +03:00
Thomas Patzke	d6ceba3719	Merge pull request #1102 from svch0stz/oscd8 [OSCD] Create win_root_certificate_installed.yml	2020-10-13 01:00:23 +02:00
cyb3rward0g	104b40ce8f	10 rules from THP - contributing soon	2020-10-12 15:42:34 -04:00
Nikita P. Nazarov	9b17634aa4	Detects Obfuscated Powershell via Stdin in Scripts	2020-10-12 18:56:12 +03:00
nsaddler	07a4d11af7	Update win_powershell_script_installed_as_service.yml	2020-10-12 18:23:06 +03:00
svch0stz	2edd79a37f	Update win_root_certificate_installed.yml	2020-10-12 08:30:28 +11:00
Nikita P. Nazarov	021a2192eb	Detects Obfuscated Powershell via use Clip.exe in Scripts	2020-10-09 19:46:11 +03:00
Vasiliy Burov	e10771652b	Update win_disable_event_logging.yml	2020-10-09 18:27:04 +03:00
Nikita P. Nazarov	527d00c0b9	Detects Obfuscated Powershell via use MSHTA in Scripts	2020-10-09 16:57:09 +03:00
Nikita P. Nazarov	93e65a9042	Detects Obfuscated Powershell via use Rundll32 in Scripts	2020-10-09 16:52:35 +03:00
Vasiliy Burov	c77a190a6b	Update win_susp_eventlog_cleared.yml Added events about security log clearance. Also, I think that the rule "sigma/rules/windows/builtin/win_susp_security_eventlog_cleared.yml" can be deleted.	2020-10-09 16:51:18 +03:00
svch0stz	5d475ce16d	Update win_root_certificate_installed.yml	2020-10-09 13:00:17 +11:00
svch0stz	8d7152d489	Update win_root_certificate_installed.yml	2020-10-09 12:55:37 +11:00
svch0stz	ff8547efc5	Update win_root_certificate_installed.yml	2020-10-09 12:48:39 +11:00
svch0stz	a68d50a5d9	Create win_root_certificate_installed.yml	2020-10-09 12:29:53 +11:00
Наталья Шорникова	4bddfaac86	[OSCD] Powershell Script Installed as a Service Rule added	2020-10-07 16:18:38 +03:00
svch0stz	e68e212d23	Update win_susp_logon_explicit_credentials.yml	2020-10-07 08:26:43 +11:00
svch0stz	ca0f2146ab	Update win_net_use_admin_share.yml	2020-10-07 08:23:31 +11:00
svch0stz	a02f4840e5	Update win_susp_logon_explicit_credentials.yml	2020-10-05 15:31:30 +11:00
svch0stz	0249d330f5	Update win_susp_logon_explicit_credentials.yml	2020-10-05 15:23:23 +11:00
svch0stz	c34cde7938	Create win_susp_logon_explicit_credentials.yml ❯ python .\sigmac -t splunk -c .\config\splunk-windows.yml ..\rules\windows\builtin\win_susp_logon_explicit_credentials.yml (source="WinEventLog:Security" (EventCode="4648" (Image="\\cmd.exe" OR Image="\\powershell.exe" OR Image="\\pwsh.exe" OR Image="\\winrs.exe" OR Image="\\wmic.exe" OR Image="\\net.exe" OR Image="\\net1.exe" OR Image="\\reg.exe" OR Image="*\\winrs.exe")) NOT (Target_Server_Name="localhost"))	2020-10-05 15:17:39 +11:00
svch0stz	c82d5ac08e	Create win_net_use_admin_share.yml	2020-10-05 14:43:45 +11:00
Steven	05d2de4c26	- Cleaned up some more rules where 'service: sysmon' was combined with category - Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml modified: rules/windows/malware/mal_azorult_reg.yml modified: rules/windows/powershell/powershell_suspicious_profile_create.yml modified: rules/windows/process_creation/sysmon_cmstp_execution.yml modified: rules/windows/process_creation/win_apt_chafer_mar18.yml modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml modified: rules/windows/process_creation/win_hktl_createminidump.yml modified: rules/windows/process_creation/win_mal_adwind.yml modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml	2020-10-02 10:45:29 +02:00
Remco Hofman	6cadfa5b2b	Added win_vul_cve_2020_1472 rule	2020-09-15 15:13:53 +02:00
Florian Roth	50db6dcc69	Merge pull request #1002 from scottdermott/master + Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)	2020-09-15 08:17:02 +02:00
Yugoslavskiy Daniil	1fc202fe5d	fix typos, update tags	2020-09-13 15:46:45 +02:00
Dermott, Scott J	c72ac8f73e	Merge branch 'master' of https://github.com/scottdermott/sigma	2020-09-11 16:19:54 +01:00
Scott Dermott	1f50e0af35	+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx) AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC). https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028	2020-09-11 16:06:51 +01:00
Florian Roth	de5444a81e	Merge pull request #989 from oscd-initiative/master [OSCD Initiative][ATT&CK tags update]	2020-09-08 13:27:58 +02:00
Florian Roth	7ddb63ec1b	fix: FPs with McAfee and CyberReason	2020-09-02 12:30:34 +02:00
Yugoslavskiy Daniil	5026438524	fix modified field	2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil	42c4079ed8	att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other	2020-08-25 01:09:17 +02:00
Florian Roth	8970d03f6f	Merge pull request #952 from Neo23x0/devel feat: Detect duplicate rule tags	2020-07-28 10:21:59 +02:00
Florian Roth	80f4b4ec71	fix: rules with duplicate tags	2020-07-27 11:44:47 +02:00
Ryan Plas	aa548ba1a9	Add quotes due to a colon in the falsepositives string	2020-07-23 23:33:36 -04:00
Ryan Plas	e52489aaf6	Change production status to stable	2020-07-23 23:33:36 -04:00
Aidan Bracher	1fd73a23b2	Updated tags with sub-techniques	2020-07-18 03:01:34 +01:00
Aidan Bracher	4ac1058ab5	Updated tags	2020-07-18 03:01:11 +01:00
Ryan Plas	de53a08746	Merge branch 'master' of github.com:Neo23x0/sigma	2020-07-15 10:27:33 -04:00
Florian Roth	c7e412788a	Merge pull request #924 from Neo23x0/devel Live MITRE ATT&CK data from TAXI service in Test Scripts	2020-07-14 18:15:29 +02:00
Florian Roth	58b68758b4	fix: wrong MITRE ATT&CK ids used in the beta version	2020-07-14 17:53:32 +02:00
Ryan Plas	04fd598bcf	Update additional rules to have correct logsource attributes	2020-07-13 17:02:17 -04:00
Pushkarev Dmitry	efe720d44e	Added new rule. AppLocker	2020-07-13 20:51:48 +00:00
Florian Roth	f12cb7309b	fix: references is not a list	2020-07-13 17:37:03 +02:00
Florian Roth	e3734aaa27	fix: missing upper tick	2020-07-08 15:53:04 +02:00
GelosSnake	efae210556	adding google chrome to FP list legitimate errors generated by Google Chrome are reported often. Official google standpoint on this: https://support.google.com/chrome/a/thread/15440066?hl=en	2020-07-08 16:44:41 +03:00
Thomas Patzke	3c760fabc1	Merge pull request #745 from Rettila/master Added new rules	2020-07-07 23:14:19 +02:00
Thomas Patzke	de0bb36c51	Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785	2020-07-02 23:04:59 +02:00
Florian Roth	77553e11e8	Update win_not_allowed_rdp_access.yml	2020-06-30 10:03:00 +02:00
Pushkarev Dmitry	502ec4b417	add win_not_allowed_rdp_access.yml rule	2020-06-26 22:15:53 +00:00
Brad Kish	d385cbfa69	Fix quoting for AD Object WriteDAC Access The AccessMask field needs to be quoted so that it is compared correctly.	2020-06-22 15:31:03 -04:00
Ivan Kirillov	5c0bb0e94f	Fixed indentation	2020-06-16 15:01:13 -06:00
Ivan Kirillov	0fbfcc6ba9	Initial round of subtechnique updates	2020-06-16 14:46:08 -06:00
Brad Kish	f5aa871e5d	Identifiers shared between global document and rule gets overwritten The global document defines a "selection" identifier which is also defined the individual rules. The rule identifier is getting overwritten by the global identifier. Fix by giving unique names to the global identifier.	2020-06-15 13:14:31 -04:00
Florian Roth	d3e261862d	merged Cyb3rWarD0g's rules	2020-06-06 15:42:22 +02:00
Florian Roth	a962bd1bc1	Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source Fix 'source' value for win_susp_backup_delete	2020-05-25 10:48:36 +02:00
4A616D6573	879ad6f206	Update win_susp_ntlm_rdp.yml	2020-05-22 13:32:02 +10:00
4A616D6573	daa3c5e053	Update win_susp_ntlm_rdp.yml	2020-05-22 13:28:56 +10:00
4A616D6573	0f8f5fb29c	Create win_susp_ntlm_rdp.yml	2020-05-22 13:24:27 +10:00
Florian Roth	9ab65cd1c7	Update win_alert_ad_user_backdoors.yml	2020-05-19 14:50:22 +02:00
Tatsuya Ito	c815773b1a	enhancement rule	2020-05-19 18:05:51 +09:00
Tatsuya Ito	49f68a327a	enhancement rule	2020-05-19 18:00:50 +09:00
ecco	54cf535dbc	remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)	2020-05-15 04:45:25 -04:00
zaphod	d510e1aad4	Fix 'source' value for win_susp_backup_delete	2020-05-11 18:31:59 +02:00
Rettila	6ec74364f2	Create win_global_catalog_enumeration.yml	2020-05-11 17:40:47 +02:00
Rettila	ccacedf621	Merge pull request #3 from Neo23x0/master merge	2020-05-11 17:38:27 +02:00
Rettila	07a50edf89	Update win_metasploit_authentication.yml	2020-05-07 14:42:00 +02:00
Remco Hofman	123a23adae	win_susp_failed_logon_source rule	2020-05-06 22:24:02 +02:00
Rettila	6aed82a039	Update win_metasploit_authentication.yml	2020-05-06 17:04:47 +02:00
Rettila	2beb65076c	Update win_metasploit_authentication.yml	2020-05-06 16:44:19 +02:00
Rettila	7371ce234b	Create win_metasploit_authentication.yml	2020-05-06 16:42:27 +02:00
Florian Roth	473c31232e	add additional reference	2020-05-05 19:25:33 +02:00
Rettila	0e1fa5c135	Update win_possible_dc_shadow.yml	2020-05-05 18:14:32 +02:00
Rettila	55d018255c	Update win_possible_dc_shadow.yml	2020-05-05 16:52:08 +02:00
Rettila	3302c63e0c	Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml	2020-05-05 16:51:35 +02:00
Rettila	f27aa4bfee	Update win_possible_dc_sync.yml	2020-05-05 16:50:13 +02:00
Rettila	db810b342f	Delete win_possible_dc_shadow.yml	2020-05-05 16:48:39 +02:00
Rettila	e3f21805f3	Update win_possible_dc_shadow.yml	2020-05-05 16:43:56 +02:00
Rettila	0f4cc9d365	Create win_possible_dc_shadow.yml	2020-05-05 16:40:52 +02:00
Florian Roth	514bd8657b	Merge pull request #704 from Iveco/master Detect Ghost-In-The-Logs (disabling/bypassing ETW)	2020-04-14 14:11:27 +02:00
Florian Roth	5cbe008350	Casing	2020-04-14 13:39:22 +02:00
vesche	1f918253e8	Add additional reference	2020-04-13 11:09:36 -05:00
vesche	9cdb3a4a64	Fix typo	2020-04-13 11:09:00 -05:00
Iveco	61b9234d7f	Update win_user_driver_loaded.yml removed internal field	2020-04-09 11:28:19 +02:00
Iveco	e913db0dca	Update win_user_driver_loaded.yml CI	2020-04-08 18:54:59 +02:00
Iveco	d0746b50f4	Update win_user_driver_loaded.yml Fixed author	2020-04-08 18:41:16 +02:00
Iveco	d1b9c0c34a	Update win_user_driver_loaded.yml Fixed CI	2020-04-08 18:21:59 +02:00
iveco	e87f2705a7	Detect Ghost-In-The-Logs (disabling/bypassing ETW)	2020-04-08 18:01:04 +02:00
Maxime Thiebaut	73a6428345	Update the NTLM downgrade registry paths Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.	2020-04-07 17:14:45 +02:00
Chris O'Brien	fe5dbece3d	Date typos...more than I thought...	2020-04-02 10:00:00 +02:00
Maxime Thiebaut	8dcbfd9aca	Add AD User Enumeration When the "Read all properties" permission of a user object is set to be audited in the AD, an event of ID 4662 (An operation was performed on an object) is triggered whenever a property is accessed. This rule detects these events by flagging any non-machine `SubjectUserName` (i.e. another user) which accesses an object of the `User` AD schema class. Advantages of this rule include the detection of insider-enumeration through automated tools such as BloodHound or manually through the usage of the PowerShell ActiveDirectory module. Although this rule qualifies as a medium severity one, this event could be qualified as high/critical one if flagged on non-used canary user-accounts. False positives may include administrators performing the initial configuration of new users.	2020-03-31 09:40:07 +02:00
Florian Roth	fe5b5a7782	Merge pull request #673 from j91321/rules-minor-fixes Minor fixes to several rules	2020-03-28 13:27:05 +01:00
Iveco	3f577c98e7	Title capalized	2020-03-26 17:03:33 +01:00
Iveco	39a3af04ce	Fixed title length	2020-03-26 16:56:06 +01:00
iveco	ddacde9e6b	add LDAPFragger detections	2020-03-26 15:13:36 +01:00
j91321	3c74d8b87d	Add correct Source to detection to avoid FP	2020-03-24 19:49:24 +01:00
neu5ron	4b572f3ccb	newline in description - typo	2020-03-14 14:58:58 -04:00
Florian Roth	07914c2783	Merge pull request #652 from 2XXE-SRA/patch-1 MMC Lateral Movement Rule 1	2020-03-07 11:02:16 +01:00
Florian Roth	2e184382f5	fix: eventid in process_creation rules	2020-03-07 10:43:47 +01:00
Florian Roth	b040c129be	fix: author field starting with an '@' symbol	2020-03-07 10:38:02 +01:00
2XXE (SRA)	ae56db97ff	mmc lateral movement detection 1 see https://github.com/Neo23x0/sigma/issues/576	2020-03-04 14:57:41 -05:00
Remco Hofman	d4b5dd5749	Exclude Azure AD sync accounts from AD Replication rule	2020-03-02 16:43:20 +01:00
Florian Roth	19d383989c	fix: keyword expression in rule	2020-02-29 16:03:31 +01:00
Florian Roth	fa6458b70f	rule: two rules to detect CVE-2020-0688 exploitation	2020-02-29 15:45:45 +01:00
Thomas Patzke	61d31c3f3a	Fixed tagging	2020-02-20 23:51:12 +01:00
Thomas Patzke	373424f145	Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test.	2020-02-20 23:00:16 +01:00
yugoslavskiy	7f3f1944d9	fix redundancy	2020-02-18 01:10:56 +03:00
Thomas Patzke	01d6c3b58d	Fixes	2020-02-16 23:24:00 +01:00
Thomas Patzke	f118839664	Further fixes and deduplications From suggestions of @yugoslavskiy in issue #554.	2020-02-16 14:03:07 +01:00
Thomas Patzke	d7bd90cb24	Merge branch 'master' into oscd	2020-02-03 23:13:16 +01:00
Thomas Patzke	593abb1cce	OSCD QA wave 3	2020-02-02 12:41:12 +01:00
Florian Roth	aa8a0f5e1f	Merge pull request #606 from Neo23x0/devel refactor: moved rues from 'apt' folder in respective folders	2020-02-01 18:25:19 +01:00
Florian Roth	03ecb3b8dc	refactor: moved rues from 'apt' folder in respective folders	2020-02-01 17:59:26 +01:00
Florian Roth	1213712978	Merge branch 'master' into patch-1	2020-01-31 14:32:27 +01:00
Florian Roth	afecca3c13	Merge pull request #511 from 4A616D6573/patch-3 Created win_susp_local_anon_logon_created.yml	2020-01-31 14:30:54 +01:00
Florian Roth	8c4aadb423	Merge branch 'master' into Renamed_Files	2020-01-31 08:49:10 +01:00
Florian Roth	e3d61d5579	Missing ID	2020-01-31 07:31:56 +01:00
Florian Roth	82cae6d63c	Merge pull request #604 from Neo23x0/devel New tests, colorized test output and rule cleanup	2020-01-31 07:07:13 +01:00
Florian Roth	d42e87edd7	fix: fixed casing and long rule titles	2020-01-30 17:26:09 +01:00
Florian Roth	e79e99c4aa	fix: fixed missing date fields in remaining files	2020-01-30 16:07:37 +01:00
Florian Roth	30d872f98f	Merge pull request #492 from booberry46/master Bypass Windows Defender	2020-01-30 14:27:30 +01:00
Florian Roth	8cef4b2941	fix: missing id	2020-01-30 10:14:18 +01:00
Florian Roth	bf81ff90a8	fix: using a specific field	2020-01-30 10:13:33 +01:00
Florian Roth	0207eeece4	fix: hyphen	2020-01-30 10:10:03 +01:00
Florian Roth	2f1890b5e8	Update win_rdp_reverse_tunnel.yml	2020-01-30 10:09:41 +01:00
Florian Roth	8ec0060938	fix: fixing bug	2020-01-30 10:09:22 +01:00
Florian Roth	6ca100cabf	reverted changes	2020-01-30 10:08:25 +01:00
Florian Roth	9828d7f81d	re-added old reference	2020-01-30 10:03:09 +01:00
Florian Roth	240b764660	rule: reduced level of system time mod rule	2020-01-27 14:30:09 +01:00
Florian Roth	4066ae6371	rule: added a reference	2020-01-24 15:31:06 +01:00
Florian Roth	11607a8621	rule: windows audit cve	2020-01-24 15:31:06 +01:00
sbousseaden	a4e62fcb1b	Update win_lm_namedpipe.yml	2020-01-24 15:31:06 +01:00
Thomas Patzke	9bb50f3d60	OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity	2020-01-17 15:46:28 +01:00
Thomas Patzke	ae6fcefbcd	Removed ATT&CK technique ids from titles and added tags	2020-01-11 00:33:50 +01:00
Thomas Patzke	8d6a507ec4	OSCD QA wave 1 * Checked all rules against Mordor and EVTX samples datasets * Added field names * Some severity adjustments * Fixes	2020-01-11 00:11:27 +01:00
Thomas Patzke	9ca52259dd	Fixed identifier	2019-12-20 00:11:34 +01:00
Thomas Patzke	924e1feb54	UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.	2019-12-19 23:56:36 +01:00
Thomas Patzke	694d666539	Merge branch 'master' into oscd	2019-12-19 23:15:15 +01:00
Thomas Patzke	1369b3a2dc	Merge pull request #537 from webhead404/webhead404-contrib-sigma Added sigma rule to detect external devices or USB drive	2019-12-13 21:50:01 +01:00
Rob Rankin	b771dd3d3b	Rule name conflicts in Elastalert output	2019-12-09 16:14:28 +00:00
Yugoslavskiy Daniil	185a634bd9	update authors for 2 rules	2019-12-07 02:10:06 +01:00
Thomas Patzke	ad7d5d2a39	Added WMI login rule	2019-12-04 11:13:04 +01:00
Thomas Patzke	e8c1c97f3e	Added rule for failed code integrity checks	2019-12-03 15:08:26 +01:00
Thomas Patzke	c47af5169c	Increased SID history rule severity	2019-12-03 14:28:46 +01:00
Thomas Patzke	76578927e8	Added domain trust rule	2019-12-03 14:28:20 +01:00
yugoslavskiy	d5722979ea	add rules by Daniel Bohannon	2019-11-27 00:02:45 +01:00
webhead404	21ef152e3a	Update win_external_device.yml	2019-11-20 16:19:45 -06:00
webhead404	2bfd4ea654	Added MITRE tags	2019-11-20 16:18:03 -06:00
webhead404	5c5d28acdc	Create win_external_device	2019-11-20 16:07:29 -06:00
yugoslavskiy	efc404fbae	resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml	2019-11-19 02:11:19 +01:00
Florian Roth	04288771a1	fix: bugfix in RottenPotato rule - wrong identifier	2019-11-15 11:50:03 +01:00
Florian Roth	7e6031705e	rule: RottenPotato attack pattern	2019-11-15 11:44:18 +01:00
yugoslavskiy	ac21810d7a	Merge pull request #516 from yugoslavskiy/oscd_task_#2_credentials_dumping oscd task #2 completed	2019-11-14 01:03:27 +03:00
yugoslavskiy	c7c29a39b6	Update win_susp_lsass_dump_generic.yml	2019-11-14 00:45:47 +03:00
yugoslavskiy	633c6db254	Update win_remote_registry_management_using_reg_utility.yml	2019-11-14 00:44:47 +03:00
yugoslavskiy	cd31354df2	Update win_quarkspwdump_clearing_hive_access_history.yml	2019-11-14 00:43:56 +03:00
yugoslavskiy	334626168c	Update win_mal_service_installs.yml	2019-11-14 00:43:03 +03:00
yugoslavskiy	c8ee6e9631	Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov [OSCD] Ilyas Ochkov contribution	2019-11-14 00:22:48 +03:00
yugoslavskiy	d8447946d6	Update win_suspicious_outbound_kerberos_connection.yml	2019-11-13 23:37:25 +03:00
yugoslavskiy	7f01a5b1bb	Update win_new_or_renamed_user_account_with_dollar_sign.yml	2019-11-13 23:35:59 +03:00
yugoslavskiy	26479485e6	Update win_new_or_renamed_user_account_with_dollar_sign.yml	2019-11-13 23:34:46 +03:00
Thomas Patzke	0592cbb67a	Added UUIDs to rules	2019-11-12 23:12:27 +01:00
Thomas Patzke	5f6a4225ec	Unified line terminators of rules to Unix	2019-11-12 23:05:36 +01:00
yugoslavskiy	385ebac502	Merge pull request #497 from Heirhabarov/master OSCD Task 1 - Privilege Escalation	2019-11-11 01:33:28 +03:00
yugoslavskiy	a69d9d9980	Update win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml	2019-11-11 01:04:01 +03:00
yugoslavskiy	0db5436778	add tieto dns exfil rules	2019-11-10 20:27:21 +03:00
yugoslavskiy	4fa928866f	oscd task #6 done. add 25 new rules: - win_ad_replication_non_machine_account.yml - win_dpapi_domain_backupkey_extraction.yml - win_protected_storage_service_access.yml - win_dpapi_domain_masterkey_backup_attempt.yml - win_sam_registry_hive_handle_request.yml - win_sam_registry_hive_dump_via_reg_utility.yml - win_lsass_access_non_system_account.yml - win_ad_object_writedac_access.yml - powershell_alternate_powershell_hosts.yml - sysmon_remote_powershell_session_network.yml - win_remote_powershell_session.yml - win_scm_database_handle_failure.yml - win_scm_database_privileged_operation.yml - sysmon_wmi_module_load.yml - sysmon_remote_powershell_session_process.yml - sysmon_rdp_registry_modification.yml - sysmon_powershell_execution_pipe.yml - sysmon_alternate_powershell_hosts_pipe.yml - sysmon_powershell_execution_moduleload.yml - sysmon_createremotethread_loadlibrary.yml - sysmon_alternate_powershell_hosts_moduleload.yml - powershell_remote_powershell_session.yml - win_non_interactive_powershell.yml - win_syskey_registry_access.yml - win_wmiprvse_spawning_process.yml improve 1 rule: - rules/windows/builtin/win_account_backdoor_dcsync_rights.yml	2019-11-10 18:43:41 +03:00
yugoslavskiy	c0ac9b8fb9	fix conflict	2019-11-10 17:31:33 +03:00
yugoslavskiy	127335a0ec	Merge pull request #482 from yugoslavskiy/master [OSCD][The ThreatHunter-Playbook] Task 6: DONE	2019-11-10 17:27:54 +03:00
Florian Roth	9835950f04	rule: SID to AD object rule level adjusted	2019-11-09 12:49:54 +01:00
yugoslavskiy	92e09db9ab	Update win_susp_lsass_dump_generic.yml	2019-11-07 04:27:53 +03:00
yugoslavskiy	1f7b3bc9a2	add rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml	2019-11-04 05:05:57 +03:00
yugoslavskiy	701e7f7cc6	oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml	2019-11-04 04:26:34 +03:00
Karneades	68fd20cb66	fix: bound windows event log rules to message field Fixed rules - rules/windows/builtin/win_susp_msmpeng_crash.yml - rules/windows/builtin/win_alert_active_directory_user_control.yml - rules/windows/builtin/win_av_relevant_match.yml - rules/windows/builtin/win_mal_creddumper.yml - rules/windows/builtin/win_susp_sam_dump.yml - rules/windows/builtin/win_alert_mimikatz_keywords.yml - rules/windows/builtin/win_alert_enable_weak_encryption.yml	2019-11-02 11:25:29 +01:00
4A616D6573	013d862afd	Create win_susp_local_anon_logon_created.yml	2019-10-31 21:56:30 +11:00
booberry46	36fe748c2e	Update win_rdp_reverse_tunnel.yml With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general. Changed the obsolete twitter status with linkage to the evtx from Samir Bousseaden	2019-10-29 17:25:37 +08:00
Yugoslavskiy Daniil	fd606cb376	spaces fix	2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil	4251d9f490	ilyas ochkov contribution	2019-10-29 03:44:22 +03:00
Teimur Kheirkhabarov	32b0a3987e	Several mistakes were fixed	2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov	fde949174d	OSCD Task 1 - Privilege Escalation	2019-10-27 20:54:07 +03:00
yugoslavskiy	4fb9821b49	added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml	2019-10-24 15:48:38 +02:00
yugoslavskiy	3934f6c756	add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml	2019-10-24 14:34:16 +02:00
Yugoslavskiy Daniil	7cfd47be7c	add win_scm_database_handle_failure.yml, win_scm_database_privileged_operation.yml, win_syskey_registry_access.yml	2019-10-24 02:40:11 +02:00
Florian Roth	98f0d01b2e	rule: mimikatz use extended	2019-10-11 18:50:33 +02:00
Florian Roth	ec5bb71049	fix: Mimikatz DC Sync rule FP description and level	2019-10-08 17:45:10 +02:00
Florian Roth	14971a7b9c	fix: FPs with Mimikatz DC Sync rule	2019-10-08 17:44:00 +02:00
Thomas Patzke	60ef593a6f	Fixed wrong backslash escaping of * Fixes issue #466	2019-10-07 22:14:44 +02:00
Florian Roth	36bcd1c54e	Merge pull request #443 from EccoTheFlintstone/aduserbck fix FP : field null value can be '-'	2019-09-25 17:43:22 +02:00
Florian Roth	3d333290a9	Merge pull request #445 from EccoTheFlintstone/localadmin rule: user added to local administrator: handle non english systems b…	2019-09-25 17:29:41 +02:00
Florian Roth	596140543d	Merge pull request #455 from EccoTheFlintstone/ruler_fix Ruler fix	2019-09-25 17:26:55 +02:00
ecco	a644b938a0	fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0)	2019-09-23 05:44:26 -04:00

... 2 3 4 5 6 ...

667 Commits