root
aa9a22e662
add win_susp_odbcconf.yml
2019-10-25 19:02:17 +02:00
root
edcbc49ce8
add rule win_susp_open with_execution.yml win_susp_devt oolslauncher_execution.yml
2019-10-23 13:00:21 +02:00
root
00a757959e
add rule win_susp_capture_screenshots.yml
2019-10-22 06:06:07 +02:00
root
2bd9d8a9d8
add rule sysmon_webshell_creation_detect.yml
2019-10-22 05:56:37 +02:00
root
fb53855ae5
add rule sysmon_webshell_creation_detect.yml
2019-10-22 05:50:49 +02:00
root
e47caf4749
add rule lnx_auditd_web_rce.yml
2019-10-21 11:54:21 +02:00
root
a499141483
modified rule lnx_auditd_web_rce.yml
2019-10-21 11:28:59 +02:00
root
ac8308dfc9
add rule lnx_auditd_web_rce.yml
2019-10-21 11:14:24 +02:00
Florian Roth
96d77447d2
rule: added reference and mitre tags
2019-10-15 09:44:17 +02:00
Florian Roth
49ed76004c
rule: sudo priv esc vuln CVE-2019-14287
2019-10-15 09:39:08 +02:00
Florian Roth
52fef7ae10
Merge pull request #468 from 2d4d/lsass_without_exe
...
remove .exe from lsass
2019-10-14 18:03:13 +02:00
Florian Roth
8db1cac910
fix: made rule compatible with event id 4688
2019-10-14 18:01:24 +02:00
Florian Roth
0e2284a176
rule: modified the default
2019-10-14 17:50:48 +02:00
Florian Roth
312311494d
rule: suspicious code page switch using chcp
2019-10-14 17:45:25 +02:00
2d4d
cf5d7f11ad
remove .exe from lsass
2019-10-14 17:26:33 +02:00
Florian Roth
7ee3974428
rule: suspicious keyboard layout load
2019-10-14 16:25:27 +02:00
Florian Roth
5583684efd
rule: extended suspicious procdump rule
2019-10-14 16:21:37 +02:00
Florian Roth
98f0d01b2e
rule: mimikatz use extended
2019-10-11 18:50:33 +02:00
Florian Roth
60af1f5a4b
rule: WMI Backdoor Exchange Transport Agent
2019-10-11 12:12:44 +02:00
Thomas Patzke
849a5a520d
Conditional field mapping resolve_fieldname now functional
...
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
2019-10-09 23:57:41 +02:00
Florian Roth
ec5bb71049
fix: Mimikatz DC Sync rule FP description and level
2019-10-08 17:45:10 +02:00
Florian Roth
14971a7b9c
fix: FPs with Mimikatz DC Sync rule
2019-10-08 17:44:00 +02:00
Thomas Patzke
95c8d25858
Improved --backend-config help text
2019-10-07 22:30:57 +02:00
Thomas Patzke
60ef593a6f
Fixed wrong backslash escaping of *
...
Fixes issue #466
2019-10-07 22:14:44 +02:00
Thomas Patzke
4711d4cad6
Merge pull request #464 from neu5ron/updates-to-sigma-main
...
update HELK and add winlogbeat module enabled taxonomy
2019-10-07 21:36:40 +02:00
Florian Roth
d096ab0e21
rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet
2019-10-04 16:17:34 +02:00
Florian Roth
3eaf4d6e94
fix: fixed typo in bluemashroom rule
2019-10-02 15:45:55 +02:00
Florian Roth
6d78a5fede
rule: extended the command line in bluemashroom rule
2019-10-02 14:03:34 +02:00
Florian Roth
7423fe2072
fix: fixed typo in APT group name
2019-10-02 14:02:07 +02:00
Florian Roth
e993ef46f0
rule: APT blue mushroom
2019-10-02 13:57:14 +02:00
Florian Roth
4bc7f6ea52
rule: QBot process creation
2019-10-01 17:25:04 +02:00
neu5ron
a729cc7905
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon]( https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js ) sigmac conversion
2019-10-01 10:16:42 -04:00
neu5ron
f7fd936433
update HELK config taxonomy/mapping for sigmac conversion
2019-10-01 10:14:54 -04:00
Florian Roth
e0009bfb4a
fix: merged duplicate rules
2019-10-01 16:14:38 +02:00
Florian Roth
d8af435827
rule: RUN key pointing to suspicious folders
2019-10-01 16:08:31 +02:00
Florian Roth
c44f940fb6
rule: suspicious RUN key created by exe in temp/download folders
2019-10-01 16:08:13 +02:00
Florian Roth
52df9e9f44
rule: execution in Outlook temp folder
2019-10-01 16:07:43 +02:00
Florian Roth
9a7ef0e3c2
fix: fixed rule warning
2019-09-30 19:38:40 +02:00
Florian Roth
2fbd35053e
rule: improved formbook detection rule
2019-09-30 19:01:40 +02:00
Florian Roth
38831a05ae
rule: formbook malware process creation
2019-09-30 18:57:58 +02:00
Florian Roth
05ca684962
rule: improved emotet rule
2019-09-30 17:17:23 +02:00
Florian Roth
66cbdbfff5
rule: emotet process creation
2019-09-30 15:53:29 +02:00
Thomas Patzke
d4f89ebc1c
Aggregation on keyword field in es-dsl backend
...
* Fixes #452
* Further fixed reference to count in restriction of results
2019-09-29 23:18:17 +02:00
Florian Roth
93227e1eec
Merge pull request #436 from EccoTheFlintstone/master
...
rule: impacket framework lateralization detection
2019-09-28 11:37:07 +02:00
Florian Roth
ad59c90b29
Capitalization in Title
2019-09-28 10:30:16 +02:00
Florian Roth
0eb5fd75e1
Merge pull request #446 from EccoTheFlintstone/eventclear
...
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-28 10:29:03 +02:00
Florian Roth
de3a843bea
Merge pull request #457 from EccoTheFlintstone/sysmon_eventid3
...
sysmon eventid 3: filter on outgoing connections (initiated: true) to…
2019-09-28 10:16:02 +02:00
Florian Roth
29c5a9dc8e
Merge pull request #458 from EccoTheFlintstone/psexec
...
fix: PsExec false positives
2019-09-28 10:15:23 +02:00
Florian Roth
d44f89454e
Merge pull request #462 from EccoTheFlintstone/taskmgr
...
Sysmon rules cleanup and move to process_creation
2019-09-28 09:54:26 +02:00
ecco
5a15687c6c
fix rule: task manager as parent: task manager can be run with higher privileges (show processes from all users --> UAC) and its parent is still the old taskmgr
2019-09-27 11:06:21 -04:00