yugoslavskiy
701e7f7cc6
oscd task #2 completed
...
- new rules:
+ rules/windows/builtin/win_susp_lsass_dump_generic.yml
+
rules/windows/builtin/win_transferring_files_with_credential_data_via_ne
twork_shares.yml
+
rules/windows/builtin/win_remote_registry_management_using_reg_utility.y
ml
+ rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
+ rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
+
rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
+ rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
+ rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
+
rules/windows/process_creation/process_creation_shadow_copies_creation.y
ml
+
rules/windows/process_creation/process_creation_shadow_copies_deletion.y
ml
+
rules/windows/process_creation/process_creation_copying_sensitive_files_
with_credential_data.yml
+
rules/windows/process_creation/process_creation_shadow_copies_access_sym
link.yml
+
rules/windows/process_creation/process_creation_grabbing_sensitive_hives
_via_reg.yml
+
rules/windows/process_creation/process_creation_mimikatz_command_line.ym
l
+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml
+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml
.yml
- updated rules:
+ rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+ rules/windows/builtin/win_mal_creddumper.yml
+ rules/windows/builtin/win_mal_service_installs.yml
+ rules/windows/process_creation/win_susp_process_creations.yml
+ rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
+ rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- deprecated rules:
+ rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
2019-11-04 04:26:34 +03:00
Karneades
68fd20cb66
fix: bound windows event log rules to message field
...
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
2019-11-02 11:25:29 +01:00
4A616D6573
013d862afd
Create win_susp_local_anon_logon_created.yml
2019-10-31 21:56:30 +11:00
booberry46
36fe748c2e
Update win_rdp_reverse_tunnel.yml
...
With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general.
Changed the obsolete twitter status with linkage to the evtx from Samir Bousseaden
2019-10-29 17:25:37 +08:00
Yugoslavskiy Daniil
fd606cb376
spaces fix
2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil
4251d9f490
ilyas ochkov contribution
2019-10-29 03:44:22 +03:00
Teimur Kheirkhabarov
32b0a3987e
Several mistakes were fixed
2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov
fde949174d
OSCD Task 1 - Privilege Escalation
2019-10-27 20:54:07 +03:00
yugoslavskiy
4fb9821b49
added:
...
win_non_interactive_powershell.yml
win_remote_powershell_session.yml
win_wmiprvse_spawning_process.yml
powershell_alternate_powershell_hosts.yml
powershell_remote_powershell_session.yml
sysmon_alternate_powershell_hosts_moduleload.yml
sysmon_alternate_powershell_hosts_pipe.yml
sysmon_non_interactive_powershell_execution.yml
sysmon_powershell_execution_moduleload.yml
sysmon_powershell_execution_pipe.yml
sysmon_remote_powershell_session_network.yml
sysmon_remote_powershell_session_process.yml
sysmon_wmi_module_load.yml
sysmon_wmiprvse_spawning_process.yml
2019-10-24 15:48:38 +02:00
yugoslavskiy
3934f6c756
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml
2019-10-24 14:34:16 +02:00
Yugoslavskiy Daniil
7cfd47be7c
add win_scm_database_handle_failure.yml, win_scm_database_privileged_operation.yml, win_syskey_registry_access.yml
2019-10-24 02:40:11 +02:00
Florian Roth
98f0d01b2e
rule: mimikatz use extended
2019-10-11 18:50:33 +02:00
Florian Roth
ec5bb71049
fix: Mimikatz DC Sync rule FP description and level
2019-10-08 17:45:10 +02:00
Florian Roth
14971a7b9c
fix: FPs with Mimikatz DC Sync rule
2019-10-08 17:44:00 +02:00
Thomas Patzke
60ef593a6f
Fixed wrong backslash escaping of *
...
Fixes issue #466
2019-10-07 22:14:44 +02:00
Florian Roth
36bcd1c54e
Merge pull request #443 from EccoTheFlintstone/aduserbck
...
fix FP : field null value can be '-'
2019-09-25 17:43:22 +02:00
Florian Roth
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin
...
rule: user added to local administrator: handle non english systems b…
2019-09-25 17:29:41 +02:00
Florian Roth
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix
...
Ruler fix
2019-09-25 17:26:55 +02:00
ecco
a644b938a0
fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0)
2019-09-23 05:44:26 -04:00
ecco
6a7f7e0f76
add microsoft reference for events fields names
2019-09-23 05:21:30 -04:00
ecco
d48b63a235
ruler rule field name fix for eventID 4776
2019-09-23 05:17:35 -04:00
ecco
5ae46ac56d
rule: user added to local administrator: handle non english systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
ecco
fe93d84015
fix FP : field null value can be '-'
2019-09-06 05:14:58 -04:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
...
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
...
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
Florian Roth
9143e89f3e
Rule: renamed and reworked hacktool Ruler rule
2019-07-26 14:49:09 +02:00
Florian Roth
2c57b443e4
docs: modification date in rule
2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
...
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e
author string modified
2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355
win_susp_dhcp_config_failed fixed
2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074
changed logic to detect events related to sid history adding
2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44
rules/windows/builtin/win_susp_add_sid_history.yml improved
2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp
...
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
2019-07-16 15:30:52 -04:00
Tareq AlKhatib
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
Thomas Patzke
960cd69d50
Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4
2019-06-19 23:34:25 +02:00
Florian Roth
a47ec859a8
List for field 'AllowedToDelegateTo'
2019-06-19 08:20:41 +02:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml
...
alternative detection methods
2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
David Vassallo
41f5ebc403
Update win_alert_ad_user_backdoors.yml
...
the original rule generates false positives if the "AllowedToDelegateTo" is set to "-". This seems to be a common occurrence, hence my proposed addition
2019-06-07 13:29:45 +03:00
t0x1c-1
7b9a73fb1f
Improved Rule
...
Removed complex CommandLine
2019-06-06 13:45:21 +02:00
Florian Roth
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
Florian Roth
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Lionel PRAT
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
Thomas Patzke
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
Thomas Patzke
765fe9dcd9
Further improved Windows user creation rule
...
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
Thomas Patzke
80f45349ed
Modified rule
...
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
patrick
8609fc7ece
New Sigma rule detecting local user creation
2019-04-18 19:59:43 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml
2019-04-04 18:22:50 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml
2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml
2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml
2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml
2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml
2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml
2019-04-03 21:40:59 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml
2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml
2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml
2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml
2019-04-03 15:36:24 +02:00
sbousseaden
b941f6411f
Create win_impacket_secretdump.yml
2019-04-03 15:18:42 +02:00
sbousseaden
516c8f3ea1
Create win_account_discovery.yml
2019-04-03 14:41:11 +02:00
sbousseaden
d62bc41bfb
Create win_svcctl_remote_service.yml
2019-04-03 13:58:20 +02:00
sbousseaden
548145ce10
Create win_susp_raccess_sensitive_fext.yml
2019-04-03 13:22:42 +02:00
sbousseaden
e3f99c323b
Create win_atsvc_task.yml
2019-04-03 13:08:12 +02:00
Thomas Patzke
8e854b06f6
Specified source to prevent EventID collisions
...
Issue #263
2019-04-01 23:45:55 +02:00
Thomas Patzke
be25aa2c37
Added CAR tags
2019-03-16 00:37:09 +01:00
yugoslavskiy
33db032a16
added missed service
2019-03-14 00:44:26 +01:00
Florian Roth
95b47972f0
fix: transformed rule to new proc_creation format
2019-03-12 09:03:30 +01:00
Florian Roth
c4003ff410
Merge pull request #264 from darkquasar/master
...
adding rule win-susp-mshta-execution.yml
2019-03-11 23:50:56 +01:00
Yugoslavskiy Daniil
c22265c655
updated detection logic
2019-03-11 16:58:57 +01:00
Florian Roth
83c0c71bc7
Reworked for process_creation rules
2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil
05cc7e455d
atc review
2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master
...
Fix rules
2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35
Merge branch 'master' of https://github.com/krakow2600/sigma
2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745
rules update
2019-03-06 00:43:42 +01:00
mikhail
be108d95cc
Merge branch 'master' of https://github.com/AverageS/sigma
2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf
Fix 4 rules
2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
Florian Roth
bd4e61acd8
Merge pull request #271 from vburov/patch-4
...
Update win_susp_failed_logon_reasons.yml
2019-03-02 07:21:28 +01:00
Florian Roth
f80cf52982
Expired happens too often
...
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
2019-03-02 07:20:59 +01:00
Thomas Patzke
56a1ed1eac
Merge branch 'project-1'
2019-03-02 00:26:10 +01:00
Vasiliy Burov
7bebedbac1
Update win_susp_failed_logon_reasons.yml
...
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
2019-03-01 18:18:39 +03:00
Florian Roth
f560e83886
Added modified date
2019-03-01 12:07:31 +01:00
Florian Roth
fc683ac7ee
Added error code for denied logon type
2019-03-01 12:06:54 +01:00
Thomas Patzke
6bdb4ab78a
Merge cleanup
2019-02-27 22:05:27 +01:00
darkquasar
155e273a1c
adding rule win-susp-mshta-execution.yml
2019-02-27 15:55:39 +11:00
Florian Roth
8ce4b1530d
Rule: added SAM export
2019-02-26 09:00:47 +01:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Florian Roth
f278a00174
Rule: certutil encode
2019-02-24 14:10:40 +01:00
Thomas Patzke
5c63ef17d2
Added further NirSoft tool parameters
2019-02-22 21:15:03 +01:00
vburov
bdf44be077
Update win_susp_process_creations.yml
2019-02-22 22:46:57 +03:00
Keep Watcher
07dec06222
Fixing yara condition
2019-02-20 10:57:24 -05:00
Florian Roth
eeae74e245
Merge pull request #249 from TareqAlKhatib/duplicate_filters
...
Duplicate Detections
2019-02-18 21:58:39 +01:00
Tareq AlKhatib
2e3a2b9ba6
Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental'
2019-02-18 21:03:53 +03:00
Florian Roth
f0a4aede24
Rule: RDP over Reverse SSH Tunnel
2019-02-16 19:36:13 +01:00
Tareq AlKhatib
cd3cdc9451
Removed unnecessary '1 of them' in condition
2019-02-13 21:26:02 +03:00
Thomas Patzke
01570f88db
YAML fixes
2019-02-10 00:16:27 +01:00
Thomas Patzke
6dd4b4775a
Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2
2019-02-10 00:15:25 +01:00
Thomas Patzke
ff5081f186
Merge branch 'yt0ng-development'
2019-02-10 00:09:29 +01:00
Thomas Patzke
14769938e9
Fixed condition keyword
2019-02-10 00:07:30 +01:00
Thomas Patzke
d43e67a882
Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development
2019-02-10 00:00:45 +01:00
Thomas Patzke
3cd6de2864
Merge pull request #240 from neu5ron/master
...
new rule and updated false positive note
2019-02-09 23:57:39 +01:00
Florian Roth
aab703a4b4
Suspicious calc.exe usage
2019-02-09 14:03:23 +01:00
Florian Roth
d2743351e7
Minor fix: indentation
2019-02-09 09:19:40 +01:00
Nate Guagenti
d151deaa29
Rename win_susp_bcdedit to win_susp_bcdedit.yml
2019-02-07 00:21:57 -05:00
Nate Guagenti
91862f284b
Create win_susp_bcdedit
...
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than 3288f6425b/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
2019-02-07 00:19:38 -05:00
Florian Roth
adb6690c80
Rule: Suspicious GUP.exe usage
2019-02-06 19:21:16 +01:00
Florian Roth
f0f0bdae40
Rule: fixed date - wrong year
2019-02-06 19:21:16 +01:00
Unknown
a0bac993ed
adjusted spaces
2019-02-06 11:07:09 +01:00
t0x1c-1
04f1edd171
added reverted base64 with dosfuscation
2019-02-06 10:59:09 +01:00
Unknown
c78ac9333c
adjusted formatting
2019-02-06 10:54:12 +01:00
neu5ron
35ebcff543
add new rule
2019-02-05 18:56:24 -05:00
neu5ron
65e4ba5aba
added false positive possibility
2019-02-05 18:45:53 -05:00
Florian Roth
dfd4ce878f
Rule: limiting rule to DHCP log
2019-02-05 14:35:23 +01:00
Thomas Patzke
3ef930b094
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
Thomas Patzke
6436cb3ae1
Added missing conditions
2019-02-01 23:02:03 +01:00
Florian Roth
a8d1e7c62b
Rule: Fixed ntdsutil rule field in 4688 events
2019-01-29 15:59:39 +01:00
Florian Roth
6c8d08942e
Rule: Fixed field in RDP rule
2019-01-29 15:17:29 +01:00
Florian Roth
f61b44efa8
Rule: Netsh port forwarding
2019-01-29 14:04:48 +01:00
Florian Roth
086e62a495
Rule: Netsh RDP port forwarding rule
2019-01-29 14:04:28 +01:00
Florian Roth
a2eac623a6
Rule: Adjusted RDP login from localhost rule level
2019-01-29 14:04:10 +01:00
Thomas Patzke
516bfc88ff
Added rule: RDP login from localhost
2019-01-28 22:43:22 +01:00
Florian Roth
b1ea976f66
fix: fixed bug inntdsutil rule that included a white space
2019-01-22 16:18:43 +01:00
Thomas Patzke
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
Thomas Patzke
ed1ee80f2d
Merge pull request #221 from adrienverge/fix/yamllint
...
Fix yamllint config
2019-01-13 23:55:14 +01:00
Florian Roth
9a6b3b5389
Rule: PowerShell script run in AppData folders
2019-01-12 12:03:36 +01:00
Adrien Vergé
44f18db80d
Fix YAML errors reported by yamllint
...
Especially the config for ArcSight, that was invalid:
tools/config/arcsight.yml
89:5 error duplication of key "product" in mapping (key-duplicates)
90:5 error duplication of key "conditions" in mapping (key-duplicates)
rules/windows/builtin/win_susp_commands_recon_activity.yml
10:9 error too many spaces after colon (colons)
2019-01-10 09:51:39 +01:00
Tareq AlKhatib
0a5e79b1e0
Fixed the RC section to use rc.exe instead of oleview.exe
2019-01-01 13:30:26 +03:00
Tareq AlKhatib
f318f328d6
Corrected reference to references as per Sigma's standard
2018-12-25 16:25:12 +03:00
Florian Roth
c8c419f205
Rule: Hacktool Rubeus
2018-12-19 09:31:22 +01:00
Thomas Patzke
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master
...
Field-Index Mapping File & SIGMA Rules Field names fix
2018-12-19 00:38:06 +01:00
Florian Roth
172236e130
Rule: updated ATT&CK tags in MavInject rule
2018-12-12 09:17:58 +01:00
Florian Roth
188d3a83b8
Rule: docs: reference update in MavInject rule
2018-12-12 08:37:00 +01:00
Florian Roth
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue
...
Bugfix: wrong field for 4688 process creation events
2018-12-12 08:24:07 +01:00
Florian Roth
49eb03cda8
Rule: MavInject process injection
2018-12-12 08:18:43 +01:00
Florian Roth
b0cb0abc01
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
Roberto Rodriguez
a0486edeea
Field-Index Mapping File & SIGMA Rules Field names fix
...
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
2018-12-11 09:27:26 +03:00
Roberto Rodriguez
a35f945c71
Update win_disable_event_logging.yml
...
Description value breaking SIGMA Elastalert Backend
2018-12-06 05:09:41 +03:00
Roberto Rodriguez
104ee6c33b
Update win_susp_commands_recon_activity.yml
...
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
2018-12-05 05:55:36 +03:00
Roberto Rodriguez
6dc36c8749
Update win_eventlog_cleared.yml
...
Experimental Rule is a duplicate of bfc7012043/rules/windows/builtin/win_susp_eventlog_cleared.yml
. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
2018-12-05 05:40:00 +03:00
Roberto Rodriguez
c8990962d2
Update win_rare_service_installs.yml
...
same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
2018-12-05 05:33:56 +03:00
Roberto Rodriguez
f0b23af10d
Update win_rare_schtasks_creations.yml
...
Count(taskName) not being taken by elastalert integration with Sigmac
2018-12-05 05:10:08 +03:00
Thomas Patzke
900db72557
Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master
2018-12-04 23:35:23 +01:00
Thomas Patzke
f6ad36f530
Fixed rule
2018-11-29 00:00:18 +01:00
Florian Roth
a31acd6571
fix: fixed procdump rule
2018-11-17 09:10:26 +01:00
Florian Roth
fd06cde641
Rule: Detect base64 encoded PowerShell shellcode
...
https://twitter.com/cyb3rops/status/1063072865992523776
2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
Nate Guagenti
9bfdcba400
Update win_alert_ad_user_backdoors.yml
...
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
2018-11-05 21:08:19 -05:00
Florian Roth
37294d023f
Suspicious svchost.exe executions
2018-10-30 09:37:40 +01:00
Florian Roth
580692aab4
Improved procdump on lsass rule
2018-10-30 09:37:40 +01:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml
2018-10-02 16:48:09 +02:00
Karneades
cc82207882
Add group by to win multiple suspicious cli rule
...
* For the detection it's important that these cli
tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Florian Roth
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel
...
Suspicious SYSVOL Domain Group Policy Access
2018-09-08 15:56:54 +02:00
Florian Roth
6f5a73b2e2
style: renamed rule files to all lower case
2018-09-08 10:27:19 +02:00
John Lambert
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml
...
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
2018-09-07 20:23:11 -07:00
Florian Roth
3c240be8a8
fix: more duplicate 'tag' keys in rules
2018-09-04 16:15:02 +02:00
Florian Roth
9c878bef79
fix: duplicate 'tag' key in rule
2018-09-04 16:05:21 +02:00
t0x1c-1
afadda8c04
Suspicious SYSVOL Domain Group Policy Access
2018-09-04 15:52:25 +02:00
Florian Roth
d94c1d2046
fix: duplicate 'tag' key in rule
2018-09-04 14:56:55 +02:00
Florian Roth
9cb78558d3
Rule: excluded false positives in rule
2018-09-03 12:02:42 +02:00
Florian Roth
b57f3ded64
Rule: GRR false positives
2018-09-03 11:50:34 +02:00
Florian Roth
2a0fcf6bea
Rule: PowerShell encoded command JAB
2018-09-03 10:08:29 +02:00
Thomas Patzke
ee15b451b4
Fixed log source name
2018-08-27 23:45:30 +02:00
Unknown
2f256aa1ef
Adding LSASS Access Detected via Attack Surface Reduction
2018-08-27 10:38:45 +02:00
Florian Roth
5b3175d1d6
Rule: Suspicious procdump use on lsass process
2018-08-26 19:53:57 +02:00
Florian Roth
f47a5c2206
fix: Author list to string
2018-08-23 09:40:28 +02:00
Florian Roth
6ee31f6cd1
Update win_susp_commands_recon_activity.yml
...
Merged recon commands from @yt0ng's rule
2018-08-22 17:00:00 +02:00
Florian Roth
92dc08a304
rule: Added recon command
2018-08-15 12:33:03 +02:00
Florian Roth
acfdb591d0
fiox: Typo in description fixed
2018-07-29 16:22:39 +02:00
Florian Roth
1f845aa1d9
fix: Changed suspicious process creation rule to avoid FPs
2018-07-29 16:22:09 +02:00
Thomas Patzke
0d8bc922a3
Merge branch 'master' into master
2018-07-24 08:23:37 +02:00
David Spautz
e275d44462
Add tags to windows builtin rules
2018-07-24 07:50:32 +02:00
James Dickenson
c4edc26267
windows builtin mitre attack tags
2018-07-23 21:34:20 -07:00
megan201296
a169723005
fixed typo
2018-07-13 13:53:21 -05:00
Thomas Patzke
2dc5295abf
Removed redundant attribute from rule
2018-07-10 22:50:02 +02:00
Florian Roth
dea019f89d
fix: some threat levels adjusted
2018-07-07 13:00:23 -06:00
Florian Roth
c3bf968462
High FP Rule
2018-06-29 16:01:46 +02:00
Florian Roth
c26c3ee426
Trying to fix rule
2018-06-28 16:39:47 +02:00
Florian Roth
9e0abc5f0b
Adjusted rules to the new specs reg "not null" usage
2018-06-28 09:30:31 +02:00
scherma
19ba5df207
False positive circumstance
2018-06-27 21:14:38 +01:00
Florian Roth
86e6518764
Changed (any) statements to (not null) to comply with the newest specs
2018-06-27 20:57:58 +02:00
Florian Roth
a61052fc0a
Rule fixes
2018-06-27 18:47:52 +02:00
Florian Roth
9705366060
Adjusted some rules
2018-06-27 16:54:44 +02:00
Florian Roth
28a7e64212
Rule: Sysprep on AppData folder
2018-06-22 14:02:55 +02:00
Thomas Patzke
7d1b801858
Merge branch 'devel-sigmac-wdatp'
2018-06-22 00:43:23 +02:00
Thomas Patzke
df6ad82770
Removed redundant attribute from rule
...
EventID 4657 already implies the modification.
2018-06-21 23:59:55 +02:00
Florian Roth
946c946366
Rule: NTLM logon
2018-06-13 00:08:46 +02:00
Florian Roth
e23cdafb85
Rule: Fixed missing description
2018-06-13 00:08:46 +02:00
Florian Roth
9c817a493b
Rule: DCSync
2018-06-03 16:00:57 +02:00
Florian Roth
8e500d2caa
Bugfix in rule
2018-05-29 14:11:12 +02:00
Florian Roth
2db00b8559
Rule: whoami execution
2018-05-22 16:59:58 +02:00
Thomas Patzke
079c04f28d
Fixed rule scope
2018-05-18 14:23:52 +02:00
Thomas Patzke
6a3fcdc68c
Unified 0x values with other rules
2018-05-13 22:28:43 +02:00
Florian Roth
49877a6ed0
Moved and renamed rule
2018-04-18 16:53:11 +02:00
Florian Roth
8420d3174a
Reordered
2018-04-18 16:34:16 +02:00
yt0ng
c637c2e590
Adding Detections for renamed wmic and format
...
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
2018-04-18 15:02:52 +02:00
Florian Roth
9b8df865b1
Extended rule
2018-04-18 12:13:45 +02:00
yt0ng
a4fb39a336
also for http
2018-04-18 08:19:47 +02:00