Commit Graph

486 Commits

Author SHA1 Message Date
yugoslavskiy
701e7f7cc6 oscd task #2 completed
- new rules:

	+ rules/windows/builtin/win_susp_lsass_dump_generic.yml
	+
rules/windows/builtin/win_transferring_files_with_credential_data_via_ne
twork_shares.yml
	+
rules/windows/builtin/win_remote_registry_management_using_reg_utility.y
ml
	+ rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
	+ rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
	+
rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_creation.y
ml
	+
rules/windows/process_creation/process_creation_shadow_copies_deletion.y
ml
	+
rules/windows/process_creation/process_creation_copying_sensitive_files_
with_credential_data.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_access_sym
link.yml
	+
rules/windows/process_creation/process_creation_grabbing_sensitive_hives
_via_reg.yml
	+
rules/windows/process_creation/process_creation_mimikatz_command_line.ym
l
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml
.yml

- updated rules:

	+ rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
	+ rules/windows/builtin/win_mal_creddumper.yml
	+ rules/windows/builtin/win_mal_service_installs.yml
	+ rules/windows/process_creation/win_susp_process_creations.yml
	+ rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
	+ rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

- deprecated rules:

	+ rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
2019-11-04 04:26:34 +03:00
Karneades
68fd20cb66 fix: bound windows event log rules to message field
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
2019-11-02 11:25:29 +01:00
4A616D6573
013d862afd Create win_susp_local_anon_logon_created.yml 2019-10-31 21:56:30 +11:00
booberry46
36fe748c2e
Update win_rdp_reverse_tunnel.yml
With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general.

Changed the obsolete twitter status with linkage to the evtx from Samir Bousseaden
2019-10-29 17:25:37 +08:00
Yugoslavskiy Daniil
fd606cb376 spaces fix 2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil
4251d9f490 ilyas ochkov contribution 2019-10-29 03:44:22 +03:00
Teimur Kheirkhabarov
32b0a3987e Several mistakes were fixed 2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov
fde949174d OSCD Task 1 - Privilege Escalation 2019-10-27 20:54:07 +03:00
yugoslavskiy
4fb9821b49 added:
win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
2019-10-24 15:48:38 +02:00
yugoslavskiy
3934f6c756 add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00
Yugoslavskiy Daniil
7cfd47be7c add win_scm_database_handle_failure.yml, win_scm_database_privileged_operation.yml, win_syskey_registry_access.yml 2019-10-24 02:40:11 +02:00
Florian Roth
98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth
ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth
14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke
60ef593a6f Fixed wrong backslash escaping of *
Fixes issue #466
2019-10-07 22:14:44 +02:00
Florian Roth
36bcd1c54e
Merge pull request #443 from EccoTheFlintstone/aduserbck
fix FP : field null value can be '-'
2019-09-25 17:43:22 +02:00
Florian Roth
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin
rule: user added to local administrator: handle non english systems b…
2019-09-25 17:29:41 +02:00
Florian Roth
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix
Ruler fix
2019-09-25 17:26:55 +02:00
ecco
a644b938a0 fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0) 2019-09-23 05:44:26 -04:00
ecco
6a7f7e0f76 add microsoft reference for events fields names 2019-09-23 05:21:30 -04:00
ecco
d48b63a235 ruler rule field name fix for eventID 4776 2019-09-23 05:17:35 -04:00
ecco
5ae46ac56d rule: user added to local administrator: handle non english systems by using group sid instead of name 2019-09-06 06:21:42 -04:00
ecco
fe93d84015 fix FP : field null value can be '-' 2019-09-06 05:14:58 -04:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
Florian Roth
9143e89f3e Rule: renamed and reworked hacktool Ruler rule 2019-07-26 14:49:09 +02:00
Florian Roth
2c57b443e4 docs: modification date in rule 2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e author string modified 2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved 2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074 changed logic to detect events related to sid history adding 2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44 rules/windows/builtin/win_susp_add_sid_history.yml improved 2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
2019-07-16 15:30:52 -04:00
Tareq AlKhatib
15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Thomas Patzke
960cd69d50 Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4 2019-06-19 23:34:25 +02:00
Florian Roth
a47ec859a8
List for field 'AllowedToDelegateTo' 2019-06-19 08:20:41 +02:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml
alternative detection methods
2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
David Vassallo
41f5ebc403
Update win_alert_ad_user_backdoors.yml
the original rule generates false positives if the "AllowedToDelegateTo" is set to "-". This seems to be a common occurrence, hence my proposed addition
2019-06-07 13:29:45 +03:00
t0x1c-1
7b9a73fb1f Improved Rule
Removed complex CommandLine
2019-06-06 13:45:21 +02:00
Florian Roth
80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Florian Roth
323a7313fd
FP adjustments
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Lionel PRAT
f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Thomas Patzke
2d0c08cc8b Added wildcards to rule values
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
Thomas Patzke
765fe9dcd9 Further improved Windows user creation rule
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
Thomas Patzke
80f45349ed
Modified rule
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
patrick
8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden
b941f6411f
Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden
516c8f3ea1
Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden
d62bc41bfb
Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden
548145ce10
Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden
e3f99c323b
Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Thomas Patzke
8e854b06f6 Specified source to prevent EventID collisions
Issue #263
2019-04-01 23:45:55 +02:00
Thomas Patzke
be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00
yugoslavskiy
33db032a16 added missed service 2019-03-14 00:44:26 +01:00
Florian Roth
95b47972f0 fix: transformed rule to new proc_creation format 2019-03-12 09:03:30 +01:00
Florian Roth
c4003ff410
Merge pull request #264 from darkquasar/master
adding rule win-susp-mshta-execution.yml
2019-03-11 23:50:56 +01:00
Yugoslavskiy Daniil
c22265c655 updated detection logic 2019-03-11 16:58:57 +01:00
Florian Roth
83c0c71bc7
Reworked for process_creation rules 2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil
05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master
Fix rules
2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745 rules update 2019-03-06 00:43:42 +01:00
mikhail
be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Florian Roth
bd4e61acd8
Merge pull request #271 from vburov/patch-4
Update win_susp_failed_logon_reasons.yml
2019-03-02 07:21:28 +01:00
Florian Roth
f80cf52982
Expired happens too often
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
2019-03-02 07:20:59 +01:00
Thomas Patzke
56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Vasiliy Burov
7bebedbac1
Update win_susp_failed_logon_reasons.yml
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
2019-03-01 18:18:39 +03:00
Florian Roth
f560e83886
Added modified date 2019-03-01 12:07:31 +01:00
Florian Roth
fc683ac7ee
Added error code for denied logon type 2019-03-01 12:06:54 +01:00
Thomas Patzke
6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
darkquasar
155e273a1c
adding rule win-susp-mshta-execution.yml 2019-02-27 15:55:39 +11:00
Florian Roth
8ce4b1530d Rule: added SAM export 2019-02-26 09:00:47 +01:00
Thomas Patzke
c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Florian Roth
f278a00174 Rule: certutil encode 2019-02-24 14:10:40 +01:00
Thomas Patzke
5c63ef17d2
Added further NirSoft tool parameters 2019-02-22 21:15:03 +01:00
vburov
bdf44be077
Update win_susp_process_creations.yml 2019-02-22 22:46:57 +03:00
Keep Watcher
07dec06222
Fixing yara condition 2019-02-20 10:57:24 -05:00
Florian Roth
eeae74e245
Merge pull request #249 from TareqAlKhatib/duplicate_filters
Duplicate Detections
2019-02-18 21:58:39 +01:00
Tareq AlKhatib
2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Florian Roth
f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
Tareq AlKhatib
cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Thomas Patzke
01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke
6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke
ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke
14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke
d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke
3cd6de2864
Merge pull request #240 from neu5ron/master
new rule and updated false positive note
2019-02-09 23:57:39 +01:00
Florian Roth
aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth
d2743351e7
Minor fix: indentation 2019-02-09 09:19:40 +01:00
Nate Guagenti
d151deaa29
Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti
91862f284b
Create win_susp_bcdedit
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than 3288f6425b/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
2019-02-07 00:19:38 -05:00
Florian Roth
adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth
f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
Unknown
a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1
04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown
c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
neu5ron
35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron
65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
Florian Roth
dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke
6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth
a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00
Florian Roth
6c8d08942e Rule: Fixed field in RDP rule 2019-01-29 15:17:29 +01:00
Florian Roth
f61b44efa8 Rule: Netsh port forwarding 2019-01-29 14:04:48 +01:00
Florian Roth
086e62a495 Rule: Netsh RDP port forwarding rule 2019-01-29 14:04:28 +01:00
Florian Roth
a2eac623a6 Rule: Adjusted RDP login from localhost rule level 2019-01-29 14:04:10 +01:00
Thomas Patzke
516bfc88ff Added rule: RDP login from localhost 2019-01-28 22:43:22 +01:00
Florian Roth
b1ea976f66 fix: fixed bug inntdsutil rule that included a white space 2019-01-22 16:18:43 +01:00
Thomas Patzke
96eb460944 Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00
Thomas Patzke
ed1ee80f2d
Merge pull request #221 from adrienverge/fix/yamllint
Fix yamllint config
2019-01-13 23:55:14 +01:00
Florian Roth
9a6b3b5389 Rule: PowerShell script run in AppData folders 2019-01-12 12:03:36 +01:00
Adrien Vergé
44f18db80d Fix YAML errors reported by yamllint
Especially the config for ArcSight, that was invalid:

    tools/config/arcsight.yml
      89:5      error    duplication of key "product" in mapping  (key-duplicates)
      90:5      error    duplication of key "conditions" in mapping  (key-duplicates)

    rules/windows/builtin/win_susp_commands_recon_activity.yml
      10:9      error    too many spaces after colon  (colons)
2019-01-10 09:51:39 +01:00
Tareq AlKhatib
0a5e79b1e0 Fixed the RC section to use rc.exe instead of oleview.exe 2019-01-01 13:30:26 +03:00
Tareq AlKhatib
f318f328d6 Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
Florian Roth
c8c419f205 Rule: Hacktool Rubeus 2018-12-19 09:31:22 +01:00
Thomas Patzke
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master
Field-Index Mapping File & SIGMA Rules Field names fix
2018-12-19 00:38:06 +01:00
Florian Roth
172236e130 Rule: updated ATT&CK tags in MavInject rule 2018-12-12 09:17:58 +01:00
Florian Roth
188d3a83b8 Rule: docs: reference update in MavInject rule 2018-12-12 08:37:00 +01:00
Florian Roth
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue
Bugfix: wrong field for 4688 process creation events
2018-12-12 08:24:07 +01:00
Florian Roth
49eb03cda8 Rule: MavInject process injection 2018-12-12 08:18:43 +01:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Roberto Rodriguez
a0486edeea Field-Index Mapping File & SIGMA Rules Field names fix
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
2018-12-11 09:27:26 +03:00
Roberto Rodriguez
a35f945c71 Update win_disable_event_logging.yml
Description value breaking SIGMA Elastalert Backend
2018-12-06 05:09:41 +03:00
Roberto Rodriguez
104ee6c33b Update win_susp_commands_recon_activity.yml
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
2018-12-05 05:55:36 +03:00
Roberto Rodriguez
6dc36c8749 Update win_eventlog_cleared.yml
Experimental Rule is a duplicate of bfc7012043/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
2018-12-05 05:40:00 +03:00
Roberto Rodriguez
c8990962d2 Update win_rare_service_installs.yml
same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
2018-12-05 05:33:56 +03:00
Roberto Rodriguez
f0b23af10d Update win_rare_schtasks_creations.yml
Count(taskName) not being taken by elastalert integration with Sigmac
2018-12-05 05:10:08 +03:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Thomas Patzke
f6ad36f530 Fixed rule 2018-11-29 00:00:18 +01:00
Florian Roth
a31acd6571 fix: fixed procdump rule 2018-11-17 09:10:26 +01:00
Florian Roth
fd06cde641 Rule: Detect base64 encoded PowerShell shellcode
https://twitter.com/cyb3rops/status/1063072865992523776
2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Nate Guagenti
9bfdcba400
Update win_alert_ad_user_backdoors.yml
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
2018-11-05 21:08:19 -05:00
Florian Roth
37294d023f Suspicious svchost.exe executions 2018-10-30 09:37:40 +01:00
Florian Roth
580692aab4 Improved procdump on lsass rule 2018-10-30 09:37:40 +01:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00
Karneades
cc82207882 Add group by to win multiple suspicious cli rule
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel
Suspicious SYSVOL Domain Group Policy Access
2018-09-08 15:56:54 +02:00
Florian Roth
6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
John Lambert
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
2018-09-07 20:23:11 -07:00
Florian Roth
3c240be8a8 fix: more duplicate 'tag' keys in rules 2018-09-04 16:15:02 +02:00
Florian Roth
9c878bef79 fix: duplicate 'tag' key in rule 2018-09-04 16:05:21 +02:00
t0x1c-1
afadda8c04 Suspicious SYSVOL Domain Group Policy Access 2018-09-04 15:52:25 +02:00
Florian Roth
d94c1d2046 fix: duplicate 'tag' key in rule 2018-09-04 14:56:55 +02:00
Florian Roth
9cb78558d3 Rule: excluded false positives in rule 2018-09-03 12:02:42 +02:00
Florian Roth
b57f3ded64 Rule: GRR false positives 2018-09-03 11:50:34 +02:00
Florian Roth
2a0fcf6bea Rule: PowerShell encoded command JAB 2018-09-03 10:08:29 +02:00
Thomas Patzke
ee15b451b4
Fixed log source name 2018-08-27 23:45:30 +02:00
Unknown
2f256aa1ef Adding LSASS Access Detected via Attack Surface Reduction 2018-08-27 10:38:45 +02:00
Florian Roth
5b3175d1d6 Rule: Suspicious procdump use on lsass process 2018-08-26 19:53:57 +02:00
Florian Roth
f47a5c2206 fix: Author list to string 2018-08-23 09:40:28 +02:00
Florian Roth
6ee31f6cd1
Update win_susp_commands_recon_activity.yml
Merged recon commands from @yt0ng's rule
2018-08-22 17:00:00 +02:00
Florian Roth
92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth
acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth
1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Thomas Patzke
0d8bc922a3
Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
David Spautz
e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson
c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
megan201296
a169723005
fixed typo 2018-07-13 13:53:21 -05:00
Thomas Patzke
2dc5295abf Removed redundant attribute from rule 2018-07-10 22:50:02 +02:00
Florian Roth
dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
Florian Roth
c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth
c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth
9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
scherma
19ba5df207
False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth
86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth
a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth
9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth
28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke
7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke
df6ad82770 Removed redundant attribute from rule
EventID 4657 already implies the modification.
2018-06-21 23:59:55 +02:00
Florian Roth
946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth
e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth
9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth
8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth
2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke
079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Thomas Patzke
6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth
49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth
8420d3174a
Reordered 2018-04-18 16:34:16 +02:00
yt0ng
c637c2e590
Adding Detections for renamed wmic and format
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
2018-04-18 15:02:52 +02:00
Florian Roth
9b8df865b1
Extended rule 2018-04-18 12:13:45 +02:00
yt0ng
a4fb39a336
also for http 2018-04-18 08:19:47 +02:00