valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,144 Commits 20 Branches 25 Tags 21 MiB
a5fe7af25f
Commit Graph

667 Commits

Author SHA1 Message Date
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes 
Minor fixes to several rules
 2020-03-28 13:27:05 +01:00
Iveco
3f577c98e7
Title capalized 2020-03-26 17:03:33 +01:00
Iveco
39a3af04ce
Fixed title length 2020-03-26 16:56:06 +01:00
iveco
ddacde9e6b add LDAPFragger detections 2020-03-26 15:13:36 +01:00
j91321
3c74d8b87d Add correct Source to detection to avoid FP 2020-03-24 19:49:24 +01:00
neu5ron
4b572f3ccb newline in description - typo 2020-03-14 14:58:58 -04:00
Florian Roth
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1 
MMC Lateral Movement Rule 1
 2020-03-07 11:02:16 +01:00
Florian Roth
2e184382f5
fix: eventid in process_creation rules 2020-03-07 10:43:47 +01:00
Florian Roth
b040c129be
fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA)
ae56db97ff
mmc lateral movement detection 1 
see https://github.com/Neo23x0/sigma/issues/576
 2020-03-04 14:57:41 -05:00
Remco Hofman
d4b5dd5749 Exclude Azure AD sync accounts from AD Replication rule 2020-03-02 16:43:20 +01:00
Florian Roth
19d383989c fix: keyword expression in rule 2020-02-29 16:03:31 +01:00
Florian Roth
fa6458b70f rule: two rules to detect CVE-2020-0688 exploitation 2020-02-29 15:45:45 +01:00
Thomas Patzke
61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
yugoslavskiy
7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Thomas Patzke
01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
Thomas Patzke
f118839664 Further fixes and deduplications 
From suggestions of @yugoslavskiy in issue #554.
 2020-02-16 14:03:07 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
1213712978
Merge branch 'master' into patch-1 2020-01-31 14:32:27 +01:00
Florian Roth
afecca3c13
Merge pull request #511 from 4A616D6573/patch-3 
Created win_susp_local_anon_logon_created.yml
 2020-01-31 14:30:54 +01:00
Florian Roth
8c4aadb423
Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth
e3d61d5579
Missing ID 2020-01-31 07:31:56 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master 
Bypass Windows Defender
 2020-01-30 14:27:30 +01:00
Florian Roth
8cef4b2941
fix: missing id 2020-01-30 10:14:18 +01:00
Florian Roth
bf81ff90a8
fix: using a specific field 2020-01-30 10:13:33 +01:00
Florian Roth
0207eeece4
fix: hyphen 2020-01-30 10:10:03 +01:00
Florian Roth
2f1890b5e8
Update win_rdp_reverse_tunnel.yml 2020-01-30 10:09:41 +01:00
Florian Roth
8ec0060938
fix: fixing bug 2020-01-30 10:09:22 +01:00
Florian Roth
6ca100cabf
reverted changes 2020-01-30 10:08:25 +01:00
Florian Roth
9828d7f81d
re-added old reference 2020-01-30 10:03:09 +01:00
Florian Roth
240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth
4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth
11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
sbousseaden
a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
Thomas Patzke
9bb50f3d60 OSCD QA wave 2 
* Improved rules
* Added filtering
* Adjusted severity
 2020-01-17 15:46:28 +01:00
Thomas Patzke
ae6fcefbcd Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1 
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
 2020-01-11 00:11:27 +01:00
Thomas Patzke
9ca52259dd Fixed identifier 2019-12-20 00:11:34 +01:00
Thomas Patzke
924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
 2019-12-19 23:56:36 +01:00
Thomas Patzke
694d666539 Merge branch 'master' into oscd 2019-12-19 23:15:15 +01:00
Thomas Patzke
1369b3a2dc
Merge pull request #537 from webhead404/webhead404-contrib-sigma 
Added sigma rule to detect external devices or USB drive
 2019-12-13 21:50:01 +01:00
Rob Rankin
b771dd3d3b Rule name conflicts in Elastalert output 2019-12-09 16:14:28 +00:00
Yugoslavskiy Daniil
185a634bd9 update authors for 2 rules 2019-12-07 02:10:06 +01:00
Thomas Patzke
ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke
e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke
c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke
76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
yugoslavskiy
d5722979ea add rules by Daniel Bohannon 2019-11-27 00:02:45 +01:00
webhead404
21ef152e3a
Update win_external_device.yml 2019-11-20 16:19:45 -06:00
webhead404
2bfd4ea654
Added MITRE tags 2019-11-20 16:18:03 -06:00
webhead404
5c5d28acdc
Create win_external_device 2019-11-20 16:07:29 -06:00
yugoslavskiy
efc404fbae resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml 2019-11-19 02:11:19 +01:00
Florian Roth
04288771a1 fix: bugfix in RottenPotato rule - wrong identifier 2019-11-15 11:50:03 +01:00
Florian Roth
7e6031705e rule: RottenPotato attack pattern 2019-11-15 11:44:18 +01:00
yugoslavskiy
ac21810d7a
Merge pull request #516 from yugoslavskiy/oscd_task_#2_credentials_dumping 
oscd task #2 completed
 2019-11-14 01:03:27 +03:00
yugoslavskiy
c7c29a39b6
Update win_susp_lsass_dump_generic.yml 2019-11-14 00:45:47 +03:00
yugoslavskiy
633c6db254
Update win_remote_registry_management_using_reg_utility.yml 2019-11-14 00:44:47 +03:00
yugoslavskiy
cd31354df2
Update win_quarkspwdump_clearing_hive_access_history.yml 2019-11-14 00:43:56 +03:00
yugoslavskiy
334626168c
Update win_mal_service_installs.yml 2019-11-14 00:43:03 +03:00
yugoslavskiy
c8ee6e9631
Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov 
[OSCD] Ilyas Ochkov contribution
 2019-11-14 00:22:48 +03:00
yugoslavskiy
d8447946d6
Update win_suspicious_outbound_kerberos_connection.yml 2019-11-13 23:37:25 +03:00
yugoslavskiy
7f01a5b1bb
Update win_new_or_renamed_user_account_with_dollar_sign.yml 2019-11-13 23:35:59 +03:00
yugoslavskiy
26479485e6
Update win_new_or_renamed_user_account_with_dollar_sign.yml 2019-11-13 23:34:46 +03:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
yugoslavskiy
385ebac502
Merge pull request #497 from Heirhabarov/master 
OSCD Task 1 - Privilege Escalation
 2019-11-11 01:33:28 +03:00
yugoslavskiy
a69d9d9980
Update win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 2019-11-11 01:04:01 +03:00
yugoslavskiy
0db5436778 add tieto dns exfil rules 2019-11-10 20:27:21 +03:00
yugoslavskiy
4fa928866f oscd task #6 done. 
add 25 new rules:

- win_ad_replication_non_machine_account.yml
- win_dpapi_domain_backupkey_extraction.yml
- win_protected_storage_service_access.yml
- win_dpapi_domain_masterkey_backup_attempt.yml
- win_sam_registry_hive_handle_request.yml
- win_sam_registry_hive_dump_via_reg_utility.yml
- win_lsass_access_non_system_account.yml
- win_ad_object_writedac_access.yml
- powershell_alternate_powershell_hosts.yml
- sysmon_remote_powershell_session_network.yml
- win_remote_powershell_session.yml
- win_scm_database_handle_failure.yml
- win_scm_database_privileged_operation.yml
- sysmon_wmi_module_load.yml
- sysmon_remote_powershell_session_process.yml
- sysmon_rdp_registry_modification.yml
- sysmon_powershell_execution_pipe.yml
- sysmon_alternate_powershell_hosts_pipe.yml
- sysmon_powershell_execution_moduleload.yml
- sysmon_createremotethread_loadlibrary.yml
- sysmon_alternate_powershell_hosts_moduleload.yml
- powershell_remote_powershell_session.yml
- win_non_interactive_powershell.yml
- win_syskey_registry_access.yml
- win_wmiprvse_spawning_process.yml

improve 1 rule:

- rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
 2019-11-10 18:43:41 +03:00
yugoslavskiy
c0ac9b8fb9 fix conflict 2019-11-10 17:31:33 +03:00
yugoslavskiy
127335a0ec
Merge pull request #482 from yugoslavskiy/master 
[OSCD][The ThreatHunter-Playbook] Task 6: DONE
 2019-11-10 17:27:54 +03:00
Florian Roth
9835950f04 rule: SID to AD object rule level adjusted 2019-11-09 12:49:54 +01:00
yugoslavskiy
92e09db9ab
Update win_susp_lsass_dump_generic.yml 2019-11-07 04:27:53 +03:00
yugoslavskiy
1f7b3bc9a2 add rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml 2019-11-04 05:05:57 +03:00
yugoslavskiy
701e7f7cc6 oscd task #2 completed 
- new rules:

	+ rules/windows/builtin/win_susp_lsass_dump_generic.yml
	+
rules/windows/builtin/win_transferring_files_with_credential_data_via_ne
twork_shares.yml
	+
rules/windows/builtin/win_remote_registry_management_using_reg_utility.y
ml
	+ rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
	+ rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
	+
rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_creation.y
ml
	+
rules/windows/process_creation/process_creation_shadow_copies_deletion.y
ml
	+
rules/windows/process_creation/process_creation_copying_sensitive_files_
with_credential_data.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_access_sym
link.yml
	+
rules/windows/process_creation/process_creation_grabbing_sensitive_hives
_via_reg.yml
	+
rules/windows/process_creation/process_creation_mimikatz_command_line.ym
l
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml
.yml

- updated rules:

	+ rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
	+ rules/windows/builtin/win_mal_creddumper.yml
	+ rules/windows/builtin/win_mal_service_installs.yml
	+ rules/windows/process_creation/win_susp_process_creations.yml
	+ rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
	+ rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

- deprecated rules:

	+ rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
 2019-11-04 04:26:34 +03:00
Karneades
68fd20cb66 fix: bound windows event log rules to message field 
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
 2019-11-02 11:25:29 +01:00
4A616D6573
013d862afd Create win_susp_local_anon_logon_created.yml 2019-10-31 21:56:30 +11:00
booberry46
36fe748c2e
Update win_rdp_reverse_tunnel.yml 
With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general.

Changed the obsolete twitter status with linkage to the evtx from Samir Bousseaden
 2019-10-29 17:25:37 +08:00
Yugoslavskiy Daniil
fd606cb376 spaces fix 2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil
4251d9f490 ilyas ochkov contribution 2019-10-29 03:44:22 +03:00
Teimur Kheirkhabarov
32b0a3987e Several mistakes were fixed 2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov
fde949174d OSCD Task 1 - Privilege Escalation 2019-10-27 20:54:07 +03:00
yugoslavskiy
4fb9821b49 added: 
win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
 2019-10-24 15:48:38 +02:00
yugoslavskiy
3934f6c756 add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00
Yugoslavskiy Daniil
7cfd47be7c add win_scm_database_handle_failure.yml, win_scm_database_privileged_operation.yml, win_syskey_registry_access.yml 2019-10-24 02:40:11 +02:00
Florian Roth
98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth
ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth
14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke
60ef593a6f Fixed wrong backslash escaping of * 
Fixes issue #466
 2019-10-07 22:14:44 +02:00
Florian Roth
36bcd1c54e
Merge pull request #443 from EccoTheFlintstone/aduserbck 
fix FP : field null value can be '-'
 2019-09-25 17:43:22 +02:00
Florian Roth
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin 
rule: user added to local administrator: handle non english systems b…
 2019-09-25 17:29:41 +02:00
Florian Roth
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix 
Ruler fix
 2019-09-25 17:26:55 +02:00
ecco
a644b938a0 fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0) 2019-09-23 05:44:26 -04:00
ecco
6a7f7e0f76 add microsoft reference for events fields names 2019-09-23 05:21:30 -04:00
ecco
d48b63a235 ruler rule field name fix for eventID 4776 2019-09-23 05:17:35 -04:00
ecco
5ae46ac56d rule: user added to local administrator: handle non english systems by using group sid instead of name 2019-09-06 06:21:42 -04:00
ecco
fe93d84015 fix FP : field null value can be '-' 2019-09-06 05:14:58 -04:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement 
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
 2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement 
Win susp add sid history improvement
 2019-08-23 22:58:46 +02:00
Florian Roth
9143e89f3e Rule: renamed and reworked hacktool Ruler rule 2019-07-26 14:49:09 +02:00
Florian Roth
2c57b443e4 docs: modification date in rule 2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix 
Win susp dhcp config failed fix
 2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e author string modified 2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved 2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074 changed logic to detect events related to sid history adding 2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44 rules/windows/builtin/win_susp_add_sid_history.yml improved 2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp 
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
 2019-07-16 15:30:52 -04:00
Tareq AlKhatib
15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Thomas Patzke
960cd69d50 Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4 2019-06-19 23:34:25 +02:00
Florian Roth
a47ec859a8
List for field 'AllowedToDelegateTo' 2019-06-19 08:20:41 +02:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml 
alternative detection methods
 2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
David Vassallo
41f5ebc403
Update win_alert_ad_user_backdoors.yml 
the original rule generates false positives if the "AllowedToDelegateTo" is set to "-". This seems to be a common occurrence, hence my proposed addition
 2019-06-07 13:29:45 +03:00
t0x1c-1
7b9a73fb1f Improved Rule 
Removed complex CommandLine
 2019-06-06 13:45:21 +02:00
Florian Roth
80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Florian Roth
323a7313fd
FP adjustments 
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
 2019-05-27 08:54:18 +02:00
Lionel PRAT
f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Thomas Patzke
2d0c08cc8b Added wildcards to rule values 
These values appear somewhere in a log message, therefore wildcards are
required.
 2019-05-21 01:03:20 +02:00
Thomas Patzke
765fe9dcd9 Further improved Windows user creation rule 
* Decreased level
* Fixed field names
* Added false positive possibility
 2019-04-21 23:54:18 +02:00
Thomas Patzke
80f45349ed
Modified rule 
* Adjusted ATT&CK tagging
* Set status
 2019-04-21 00:14:57 +02:00
patrick
8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden
b941f6411f
Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden
516c8f3ea1
Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden
d62bc41bfb
Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden
548145ce10
Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden
e3f99c323b
Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Thomas Patzke
8e854b06f6 Specified source to prevent EventID collisions 
Issue #263
 2019-04-01 23:45:55 +02:00
Thomas Patzke
be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00
yugoslavskiy
33db032a16 added missed service 2019-03-14 00:44:26 +01:00
Florian Roth
95b47972f0 fix: transformed rule to new proc_creation format 2019-03-12 09:03:30 +01:00
Florian Roth
c4003ff410
Merge pull request #264 from darkquasar/master 
adding rule win-susp-mshta-execution.yml
 2019-03-11 23:50:56 +01:00
Yugoslavskiy Daniil
c22265c655 updated detection logic 2019-03-11 16:58:57 +01:00
Florian Roth
83c0c71bc7
Reworked for process_creation rules 2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil
05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master 
Fix rules
 2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745 rules update 2019-03-06 00:43:42 +01:00
mikhail
be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Florian Roth
bd4e61acd8
Merge pull request #271 from vburov/patch-4 
Update win_susp_failed_logon_reasons.yml
 2019-03-02 07:21:28 +01:00
Florian Roth
f80cf52982
Expired happens too often 
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
 2019-03-02 07:20:59 +01:00
Thomas Patzke
56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Vasiliy Burov
7bebedbac1
Update win_susp_failed_logon_reasons.yml 
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
 2019-03-01 18:18:39 +03:00
Florian Roth
f560e83886
Added modified date 2019-03-01 12:07:31 +01:00
Florian Roth
fc683ac7ee
Added error code for denied logon type 2019-03-01 12:06:54 +01:00
Thomas Patzke
6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
darkquasar
155e273a1c
adding rule win-susp-mshta-execution.yml 2019-02-27 15:55:39 +11:00
Florian Roth
8ce4b1530d Rule: added SAM export 2019-02-26 09:00:47 +01:00
Thomas Patzke
c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Florian Roth
f278a00174 Rule: certutil encode 2019-02-24 14:10:40 +01:00
Thomas Patzke
5c63ef17d2
Added further NirSoft tool parameters 2019-02-22 21:15:03 +01:00
vburov
bdf44be077
Update win_susp_process_creations.yml 2019-02-22 22:46:57 +03:00
Keep Watcher
07dec06222
Fixing yara condition 2019-02-20 10:57:24 -05:00
Florian Roth
eeae74e245
Merge pull request #249 from TareqAlKhatib/duplicate_filters 
Duplicate Detections
 2019-02-18 21:58:39 +01:00
Tareq AlKhatib
2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Florian Roth
f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
Tareq AlKhatib
cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Thomas Patzke
01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke
6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke
ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke
14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke
d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke
3cd6de2864
Merge pull request #240 from neu5ron/master 
new rule and updated false positive note
 2019-02-09 23:57:39 +01:00
Florian Roth
aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth
d2743351e7
Minor fix: indentation 2019-02-09 09:19:40 +01:00
Nate Guagenti
d151deaa29
Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti
91862f284b
Create win_susp_bcdedit 
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than 3288f6425b/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
 2019-02-07 00:19:38 -05:00
Florian Roth
adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth
f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
Unknown
a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1
04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown
c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
neu5ron
35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron
65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
Florian Roth
dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke
6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth
a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00
Florian Roth
6c8d08942e Rule: Fixed field in RDP rule 2019-01-29 15:17:29 +01:00
Florian Roth
f61b44efa8 Rule: Netsh port forwarding 2019-01-29 14:04:48 +01:00
Florian Roth
086e62a495 Rule: Netsh RDP port forwarding rule 2019-01-29 14:04:28 +01:00
Florian Roth
a2eac623a6 Rule: Adjusted RDP login from localhost rule level 2019-01-29 14:04:10 +01:00
Thomas Patzke
516bfc88ff Added rule: RDP login from localhost 2019-01-28 22:43:22 +01:00
Florian Roth
b1ea976f66 fix: fixed bug inntdsutil rule that included a white space 2019-01-22 16:18:43 +01:00
Thomas Patzke
96eb460944 Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00
Thomas Patzke
ed1ee80f2d
Merge pull request #221 from adrienverge/fix/yamllint 
Fix yamllint config
 2019-01-13 23:55:14 +01:00
Florian Roth
9a6b3b5389 Rule: PowerShell script run in AppData folders 2019-01-12 12:03:36 +01:00
Adrien Vergé
44f18db80d Fix YAML errors reported by yamllint 
Especially the config for ArcSight, that was invalid:

    tools/config/arcsight.yml
      89:5      error    duplication of key "product" in mapping  (key-duplicates)
      90:5      error    duplication of key "conditions" in mapping  (key-duplicates)

    rules/windows/builtin/win_susp_commands_recon_activity.yml
      10:9      error    too many spaces after colon  (colons)
 2019-01-10 09:51:39 +01:00
Tareq AlKhatib
0a5e79b1e0 Fixed the RC section to use rc.exe instead of oleview.exe 2019-01-01 13:30:26 +03:00
Tareq AlKhatib
f318f328d6 Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
Florian Roth
c8c419f205 Rule: Hacktool Rubeus 2018-12-19 09:31:22 +01:00
Thomas Patzke
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master 
Field-Index Mapping File & SIGMA Rules Field names fix
 2018-12-19 00:38:06 +01:00
Florian Roth
172236e130 Rule: updated ATT&CK tags in MavInject rule 2018-12-12 09:17:58 +01:00
Florian Roth
188d3a83b8 Rule: docs: reference update in MavInject rule 2018-12-12 08:37:00 +01:00
Florian Roth
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue 
Bugfix: wrong field for 4688 process creation events
 2018-12-12 08:24:07 +01:00
Florian Roth
49eb03cda8 Rule: MavInject process injection 2018-12-12 08:18:43 +01:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Roberto Rodriguez
a0486edeea Field-Index Mapping File & SIGMA Rules Field names fix 
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
 2018-12-11 09:27:26 +03:00
Roberto Rodriguez
a35f945c71 Update win_disable_event_logging.yml 
Description value breaking SIGMA Elastalert Backend
 2018-12-06 05:09:41 +03:00
Roberto Rodriguez
104ee6c33b Update win_susp_commands_recon_activity.yml 
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
 2018-12-05 05:55:36 +03:00
Roberto Rodriguez
6dc36c8749 Update win_eventlog_cleared.yml 
Experimental Rule is a duplicate of bfc7012043/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
 2018-12-05 05:40:00 +03:00
Roberto Rodriguez
c8990962d2 Update win_rare_service_installs.yml 
same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
 2018-12-05 05:33:56 +03:00
Roberto Rodriguez
f0b23af10d Update win_rare_schtasks_creations.yml 
Count(taskName) not being taken by elastalert integration with Sigmac
 2018-12-05 05:10:08 +03:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Thomas Patzke
f6ad36f530 Fixed rule 2018-11-29 00:00:18 +01:00
Florian Roth
a31acd6571 fix: fixed procdump rule 2018-11-17 09:10:26 +01:00
Florian Roth
fd06cde641 Rule: Detect base64 encoded PowerShell shellcode 
https://twitter.com/cyb3rops/status/1063072865992523776
 2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Nate Guagenti
9bfdcba400
Update win_alert_ad_user_backdoors.yml 
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 2018-11-05 21:08:19 -05:00
Florian Roth
37294d023f Suspicious svchost.exe executions 2018-10-30 09:37:40 +01:00
Florian Roth
580692aab4 Improved procdump on lsass rule 2018-10-30 09:37:40 +01:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00
Karneades
cc82207882 Add group by to win multiple suspicious cli rule 
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
 2018-09-23 19:38:23 +02:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel 
Suspicious SYSVOL Domain Group Policy Access
 2018-09-08 15:56:54 +02:00
Florian Roth
6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
John Lambert
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml 
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
 2018-09-07 20:23:11 -07:00
Florian Roth
3c240be8a8 fix: more duplicate 'tag' keys in rules 2018-09-04 16:15:02 +02:00
Florian Roth
9c878bef79 fix: duplicate 'tag' key in rule 2018-09-04 16:05:21 +02:00
t0x1c-1
afadda8c04 Suspicious SYSVOL Domain Group Policy Access 2018-09-04 15:52:25 +02:00
Florian Roth
d94c1d2046 fix: duplicate 'tag' key in rule 2018-09-04 14:56:55 +02:00
Florian Roth
9cb78558d3 Rule: excluded false positives in rule 2018-09-03 12:02:42 +02:00
Florian Roth
b57f3ded64 Rule: GRR false positives 2018-09-03 11:50:34 +02:00
Florian Roth
2a0fcf6bea Rule: PowerShell encoded command JAB 2018-09-03 10:08:29 +02:00
Thomas Patzke
ee15b451b4
Fixed log source name 2018-08-27 23:45:30 +02:00
Unknown
2f256aa1ef Adding LSASS Access Detected via Attack Surface Reduction 2018-08-27 10:38:45 +02:00
Florian Roth
5b3175d1d6 Rule: Suspicious procdump use on lsass process 2018-08-26 19:53:57 +02:00
Florian Roth
f47a5c2206 fix: Author list to string 2018-08-23 09:40:28 +02:00
Florian Roth
6ee31f6cd1
Update win_susp_commands_recon_activity.yml 
Merged recon commands from @yt0ng's rule
 2018-08-22 17:00:00 +02:00
Florian Roth
92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth
acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth
1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Thomas Patzke
0d8bc922a3
Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
David Spautz
e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson
c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
megan201296
a169723005
fixed typo 2018-07-13 13:53:21 -05:00
Thomas Patzke
2dc5295abf Removed redundant attribute from rule 2018-07-10 22:50:02 +02:00
Florian Roth
dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
Florian Roth
c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth
c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth
9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
scherma
19ba5df207
False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth
86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth
a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth
9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth
28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke
7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke
df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Florian Roth
946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth
e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth
9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth
8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth
2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke
079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Thomas Patzke
6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth
49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth
8420d3174a
Reordered 2018-04-18 16:34:16 +02:00
yt0ng
c637c2e590
Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth
9b8df865b1
Extended rule 2018-04-18 12:13:45 +02:00
yt0ng
a4fb39a336
also for http 2018-04-18 08:19:47 +02:00
yt0ng
169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke
b1bfa64231 Removed redundant 'EventLog' conditions 2018-03-26 00:36:40 +02:00
Thomas Patzke
f68af2a5da Added reference to Kerberos RC4 rule 2018-03-25 23:19:01 +02:00
Florian Roth
f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth
70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth
3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth
e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth
8b31767d31 Rule: PsExec usage 2018-03-15 19:54:22 +01:00
Thomas Patzke
ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke
8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Dominik Schaudel
cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth
d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth
0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth
a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00