yugoslavskiy
c18fa0940d
Update win_susp_msoffice.yml
2019-11-04 18:44:07 +03:00
yugoslavskiy
bd0ebf0604
Update win_susp_dxcap.yml
2019-11-04 18:43:42 +03:00
yugoslavskiy
df07291e53
Update win_susp_cdb.yml
2019-11-04 18:43:03 +03:00
yugoslavskiy
a66539c771
Update win_susp_msoffice.yml
2019-11-04 18:42:26 +03:00
yugoslavskiy
56b7402e62
Update win_susp_dxcap.yml
2019-11-04 18:38:37 +03:00
yugoslavskiy
a9fdfee5c2
Update win_susp_dnx.yml
2019-11-04 18:34:25 +03:00
yugoslavskiy
dc23e566a0
Update win_susp_devtoolslauncher_execution.yml
2019-11-04 18:30:04 +03:00
yugoslavskiy
989d75033a
Update win_susp_cdb.yml
2019-11-04 18:25:30 +03:00
yugoslavskiy
43c20d203d
Update and rename win_susp_capture_screenshots.yml to win_susp_psr_capture_screenshots.yml
2019-11-04 18:16:39 +03:00
yugoslavskiy
a800093aaf
Update win_susp_bginfo.yml
2019-11-04 18:14:44 +03:00
Florian Roth
5786688f97
rule: Firewall disabled via Netsh
2019-11-04 16:10:10 +01:00
yugoslavskiy
2697b829b0
fix logic
2019-11-04 14:57:58 +03:00
yugoslavskiy
701e7f7cc6
oscd task #2 completed
...
- new rules:
+ rules/windows/builtin/win_susp_lsass_dump_generic.yml
+ rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
+ rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml
+ rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
+ rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
+ rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
+ rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
+ rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
+ rules/windows/process_creation/process_creation_shadow_copies_creation.yml
+ rules/windows/process_creation/process_creation_shadow_copies_deletion.yml
+ rules/windows/process_creation/process_creation_copying_sensitive_files_with_credential_data.yml
+ rules/windows/process_creation/process_creation_shadow_copies_access_symlink.yml
+ rules/windows/process_creation/process_creation_grabbing_sensitive_hives_via_reg.yml
+ rules/windows/process_creation/process_creation_mimikatz_command_line.yml
+ rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml
+ rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml.yml
- updated rules:
+ rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+ rules/windows/builtin/win_mal_creddumper.yml
+ rules/windows/builtin/win_mal_service_installs.yml
+ rules/windows/process_creation/win_susp_process_creations.yml
+ rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
+ rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- deprecated rules:
+ rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
2019-11-04 04:26:34 +03:00
Florian Roth
3107c0c268
rule: Formbook rule improved
2019-10-31 09:32:18 +01:00
zinint
60bf34e220
T1042
2019-10-30 23:30:56 +03:00
zinint
b3b203e5b1
t1040
2019-10-30 23:15:19 +03:00
Florian Roth
4741b6a4d6
rule: Mustang Panda dropper
2019-10-30 18:22:40 +01:00
Florian Roth
d661771608
rule: another DTRACK reference
2019-10-30 18:22:25 +01:00
Florian Roth
3ac28f3eed
rule: DTRACK process creation
2019-10-30 15:16:33 +01:00
Thomas Patzke
219f00e3fb
Added command line parameter
...
Implements #418
2019-10-29 23:04:28 +01:00
Thomas Patzke
b6403793c1
Fixed escaping in rule
2019-10-29 22:06:23 +01:00
zinint
c243c4e210
T1035
2019-10-29 20:58:52 +03:00
Florian Roth
1a3444d0ef
docs: comment on rule expression
2019-10-28 12:02:46 +01:00
RRRabbit
becfca6b41
Added Atomic Blue Detections Repo
2019-10-28 11:59:49 +01:00
Teimur Kheirkhabarov
32b0a3987e
Several mistakes were fixed
2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov
3125b39239
Change incorrect MITRE Tags for some rules
2019-10-28 07:56:15 +03:00
zinint
87c8326133
T1033
2019-10-27 23:49:07 +03:00
zinint
55eaae1cea
Rename win_app_windows_descovery.yml to win_app_windows_discovery.yml
2019-10-27 23:15:10 +03:00
zinint
93b867024c
T1012
2019-10-27 23:13:03 +03:00
Teimur Kheirkhabarov
fde949174d
OSCD Task 1 - Privilege Escalation
2019-10-27 20:54:07 +03:00
4A616D6573
ca819d8707
Update win_susp_net_execution.yml
...
Updated tags to pass Travis CI checks.
2019-10-27 14:06:52 +11:00
root
717e40e8ed
modified win_susp_dxcap.yml
2019-10-26 20:27:32 +02:00
root
9bf0150100
modified win_susp_dnx.yml
2019-10-26 20:20:21 +02:00
root
3b70f2edd6
modified win_susp_dnx.yml
2019-10-26 20:16:40 +02:00
root
3528afeef7
modified win_susp_dnx.yml
2019-10-26 20:13:53 +02:00
root
1dca0456ee
modified win_susp_dxcap.yml
2019-10-26 20:09:25 +02:00
root
cbe0d73ce8
add win_susp_dxcap.yml
2019-10-26 20:06:02 +02:00
root
aaf63d2238
add win_susp_dxcap.yml
2019-10-26 20:02:25 +02:00
root
0616c2c39d
add win_susp_dnx.yml
2019-10-26 19:58:45 +02:00
root
ee21888e67
add win_susp_cdb.yml
2019-10-26 19:49:45 +02:00
Florian Roth
42808b7eb8
rule: webshell detection improved
2019-10-26 09:14:54 +02:00
root
844d55c781
add win_susp_bginfo.yml
2019-10-26 08:18:37 +02:00
root
5bb5938e86
add win_susp_bginfo.yml
2019-10-26 08:16:08 +02:00
root
01c4c7cdbd
modified win_susp_msoffice.yml
2019-10-26 08:11:09 +02:00
root
bea2daac45
modified win_susp_msoffice.yml
2019-10-26 07:55:44 +02:00
root
fc7f8ecea3
add win_susp_msoffice.yml
2019-10-26 07:48:38 +02:00
root
611c193826
modified win_susp_odbcconf.yml
2019-10-26 07:45:53 +02:00
root
aa9a22e662
add win_susp_odbcconf.yml
2019-10-25 19:02:17 +02:00
alexpetrov12
8c2b7e9f85
fix
2019-10-25 18:30:40 +03:00
alexpetrov12
7aa804fe90
added new rules
...
Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking
2019-10-25 18:01:36 +03:00
zinint
6e94e798be
t1010
2019-10-25 16:12:51 +03:00
stvetro
dcaacd07bf
4 rules to cover ART
2019-10-25 15:38:47 +04:00
yugoslavskiy
5eb484a062
add tieto dns exfiltration rules
2019-10-25 04:30:55 +02:00
4A616D6573
5678357f4e
Update win_susp_net_execution.yml
...
Added tag for:
References:
https://attack.mitre.org/techniques/T1077/
https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
2019-10-25 12:20:47 +11:00
4A616D6573
a7a753862c
Update win_susp_net_execution.yml
...
Added:
1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.
Part of oscd.community effort.
2019-10-25 12:06:32 +11:00
Florian Roth
a5ec6722a1
rule: the actual changes to hwp rule
2019-10-24 15:35:13 +02:00
zinint
7c5dc0ca01
Update win_data_compressed.yml
2019-10-24 15:34:13 +03:00
Florian Roth
86c1b4ae4b
rule: hwp exploits
2019-10-24 11:46:56 +02:00
alexpetrov12
cc998aa667
fix
2019-10-24 00:48:43 +03:00
mrblacyk
499627edf3
File permissions modification (T1222)
2019-10-23 11:24:13 -07:00
mrblacyk
4979b56296
Domain Trust Discovery rule (T1482)
2019-10-23 11:23:12 -07:00
mrblacyk
262514c782
Windows Service stop rule (T1489)
2019-10-23 11:22:09 -07:00
alexpetrov12
4c84412944
added new rule
...
silenttrinity_stage_use, sysmon_mimikatz_creds_dump, sysmon_registry_persistence_key_linking, sysmon_creds_dump
2019-10-23 18:08:30 +03:00
alexpetrov12
bc943343df
update win_sysmon_driver_unload
2019-10-23 15:41:14 +03:00
alexpetrov12
215e500894
fix
2019-10-23 14:43:01 +03:00
alexpetrov12
193c95a11a
add new rule1
2019-10-23 14:27:52 +03:00
root
edcbc49ce8
add rule win_susp_openwith_execution.yml win_susp_devtoolslauncher_execution.yml
2019-10-23 13:00:21 +02:00
alexpetrov12
043e3f7ca6
fix
2019-10-23 13:48:44 +03:00
alexpetrov12
e38540a37f
fix
2019-10-23 13:28:04 +03:00
alexpetrov12
c1cfbacd24
fix
2019-10-23 13:18:57 +03:00
alexpetrov12
ad9b98541c
fix
2019-10-23 13:05:38 +03:00
alexpetrov12
fa4a8c974d
fix
2019-10-23 12:45:06 +03:00
alexpetrov12
f4ea01217e
fix
2019-10-23 02:47:04 +03:00
alexpetrov12
ebe4fe0377
fix
2019-10-23 02:42:37 +03:00
alexpetrov12
29cd7fed3e
fix
2019-10-23 02:39:40 +03:00
alexpetrov12
5a260db459
fix
2019-10-23 02:27:14 +03:00
alexpetrov12
6c4f4ce309
fix
2019-10-23 02:25:04 +03:00
alexpetrov12
8d0c89b598
added new rules
...
add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload
2019-10-23 01:55:03 +03:00
Florian Roth
3d4ce9d175
rule: another reference link for 'execution by ordinal'
2019-10-22 15:18:19 +02:00
zinint
a8bd2c8e78
Update win_data_compressed.yml
2019-10-22 14:57:53 +03:00
zinint
74d1fef8b8
Update win_data_compressed.yml
2019-10-22 14:53:43 +03:00
zinint
cc6d4b05ac
OSCD Task 7 : ART T1002 Exfiltration With Rar
...
OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
2019-10-22 14:00:52 +03:00
Florian Roth
b3654947bc
rule: suspicious call by ordinal (rundll32)
2019-10-22 12:40:26 +02:00
Florian Roth
0f02f2bdfc
rule: adjusted very noisy rule on AppLocker whitelist bypass
2019-10-22 12:32:37 +02:00
root
00a757959e
add rule win_susp_capture_screenshots.yml
2019-10-22 06:06:07 +02:00
zinint
daf1034621
Update win_possible_applocker_bypass.yml
2019-10-22 00:54:29 +03:00
Florian Roth
ab292a4029
rule: simplified Emotet rule
2019-10-16 15:29:42 +02:00
Florian Roth
5d143f4f22
rule: emotet rule references extended
2019-10-16 13:18:44 +02:00
Florian Roth
d46154da5c
rule: extending Emotet rule
2019-10-16 10:22:48 +02:00
Florian Roth
4ea469d138
rule: suspicious compression tool parameters
2019-10-15 16:38:53 +02:00
Florian Roth
52fef7ae10
Merge pull request #468 from 2d4d/lsass_without_exe
...
remove .exe from lsass
2019-10-14 18:03:13 +02:00
Florian Roth
8db1cac910
fix: made rule compatible with event id 4688
2019-10-14 18:01:24 +02:00
Florian Roth
0e2284a176
rule: modified the default
2019-10-14 17:50:48 +02:00
Florian Roth
312311494d
rule: suspicious code page switch using chcp
2019-10-14 17:45:25 +02:00
2d4d
cf5d7f11ad
remove .exe from lsass
2019-10-14 17:26:33 +02:00
Florian Roth
5583684efd
rule: extended suspicious procdump rule
2019-10-14 16:21:37 +02:00
Florian Roth
60af1f5a4b
rule: WMI Backdoor Exchange Transport Agent
2019-10-11 12:12:44 +02:00
Thomas Patzke
60ef593a6f
Fixed wrong backslash escaping of *
...
Fixes issue #466
2019-10-07 22:14:44 +02:00
Florian Roth
3eaf4d6e94
fix: fixed typo in bluemashroom rule
2019-10-02 15:45:55 +02:00
Florian Roth
6d78a5fede
rule: extended the command line in bluemashroom rule
2019-10-02 14:03:34 +02:00
Florian Roth
7423fe2072
fix: fixed typo in APT group name
2019-10-02 14:02:07 +02:00
Florian Roth
e993ef46f0
rule: APT blue mushroom
2019-10-02 13:57:14 +02:00
Florian Roth
4bc7f6ea52
rule: QBot process creation
2019-10-01 17:25:04 +02:00
Florian Roth
52df9e9f44
rule: execution in Outlook temp folder
2019-10-01 16:07:43 +02:00
Florian Roth
9a7ef0e3c2
fix: fixed rule warning
2019-09-30 19:38:40 +02:00
Florian Roth
2fbd35053e
rule: improved formbook detection rule
2019-09-30 19:01:40 +02:00
Florian Roth
38831a05ae
rule: formbook malware process creation
2019-09-30 18:57:58 +02:00
Florian Roth
05ca684962
rule: improved emotet rule
2019-09-30 17:17:23 +02:00
Florian Roth
66cbdbfff5
rule: emotet process creation
2019-09-30 15:53:29 +02:00
Florian Roth
93227e1eec
Merge pull request #436 from EccoTheFlintstone/master
...
rule: impacket framework lateralization detection
2019-09-28 11:37:07 +02:00
Florian Roth
ad59c90b29
Capitalization in Title
2019-09-28 10:30:16 +02:00
Florian Roth
0eb5fd75e1
Merge pull request #446 from EccoTheFlintstone/eventclear
...
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-28 10:29:03 +02:00
Florian Roth
29c5a9dc8e
Merge pull request #458 from EccoTheFlintstone/psexec
...
fix: PsExec false positives
2019-09-28 10:15:23 +02:00
ecco
5a15687c6c
fix rule: task manager as parent: task manager can be run with higher privileges (show processes from all users --> UAC) and its parent is still the old taskmgr
2019-09-27 11:06:21 -04:00
ecco
7a1d48cccd
fix: PsExec false positives
2019-09-26 04:50:43 -04:00
Florian Roth
e77657db2f
Merge pull request #451 from EccoTheFlintstone/sysmon_clean
...
sysmon rules cleanup and move to process_creation
2019-09-25 17:28:23 +02:00
ecco
c2868f6e03
remove TAB from cli escape as it's currently unsupported in sigmac
2019-09-23 04:46:10 -04:00
ecco
0c96777f6a
sysmon rules cleanup and move to process_creation
2019-09-11 10:24:43 -04:00
ecco
b410710338
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-06 10:57:03 -04:00
Florian Roth
fcbae16cc8
rule: image debugger
2019-09-06 10:28:20 +02:00
Florian Roth
afcbf4226d
fix: duplicate rule - issue #441
2019-09-06 10:22:27 +02:00
Florian Roth
e85c204404
fix: removed event id
2019-09-06 10:20:36 +02:00
Florian Roth
01d5e3882f
fix: log source category
2019-09-06 10:17:32 +02:00
Florian Roth
e9fc8d3d09
rule: split up registry debugger registration rule into two
2019-09-06 10:13:21 +02:00
Thomas Patzke
afe6668fbd
Merge pull request #438 from duzvik/master
...
Escaped '\*' to '\*' where required
2019-09-05 10:57:25 +02:00
Thomas Patzke
f9f5558ae1
Merge pull request #392 from TareqAlKhatib/shim
...
Fixed commandline to detect any shim install from any location
2019-09-05 10:28:50 +02:00
ecco
bdf8f99fdb
fix typo
2019-09-04 11:31:00 -04:00
Florian Roth
7bef822da7
rule: minor improvement to susp ps enc cmd
2019-09-04 16:31:49 +02:00
Denys Iuzvyk
774be4d008
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
ecco
fc89804f34
rule: impacket framework lateralization detection
2019-09-03 10:28:59 -04:00
ecco
8cad0c638e
add comcvcs.dll memdump method
2019-09-02 07:49:19 -04:00
Florian Roth
dca5a7a248
Merge pull request #432 from EccoTheFlintstone/master
...
add/modify powershell Empire rules
2019-09-02 11:40:36 +02:00
ecco
5f30e52739
add/modify powershell Empire rules
2019-09-02 05:04:44 -04:00
Florian Roth
ace0cc36c6
rule: improved csc rule
2019-08-31 08:44:09 +02:00
Florian Roth
f2c44c80b6
Merge branch 'master' into rule-devel
...
# Conflicts:
# rules/windows/process_creation/win_encoded_frombase64string.yml
# rules/windows/process_creation/win_susp_csc_folder.yml
2019-08-28 09:21:25 +02:00
Florian Roth
f71dc41531
rule: extended csc rule
2019-08-28 09:00:43 +02:00
Florian Roth
406b40af11
rule: suspicious msbuild folder
2019-08-28 09:00:35 +02:00
Florian Roth
70a26a6132
fix: fixed MITRE tags
2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680
rule: csc.exe suspicious source folder
2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817
rules: encoded FromBase64String keyword
2019-08-24 13:53:05 +02:00
Florian Roth
1dfd560299
rule: csc.exe suspicious source folder
2019-08-24 13:49:40 +02:00
Florian Roth
a137a1380b
rules: encoded FromBase64String keyword
2019-08-24 12:38:51 +02:00
Florian Roth
c9a4e6fe8a
rule: process creations in env var folders
2019-08-24 08:26:37 +02:00
Florian Roth
87ce52f6fe
fix: fixed wrong MITRE tag
2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21
rule: encoded IEX
2019-08-23 23:13:36 +02:00
Florian Roth
cc01f76e99
docs: minor changes
2019-08-22 14:22:55 +02:00
ecco
d0a24f4409
filter NULL values to remove false positives
2019-08-20 05:10:41 -04:00
Florian Roth
4fcb52d098
fix: removed mmc susp rule due to many FPs
2019-08-07 14:26:15 +02:00
Florian Roth
f6fd1df6f4
Rule: separate Ryuk rule created for VBurovs strings
2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5
...
Ryuk Ransomware commands from real case
2019-08-06 10:29:00 +02:00
Karneades
42e6c9149b
Remove unneeded event code
2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule
2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell
...
Add (analogous to win_mshta_spawn_shell.yml) a dedicated rule for detecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml . And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml .
2019-08-05 18:42:31 +02:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what title says
...
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac
rule: reworked vssadmin rule
2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf
fix: fixing rule win_cmstp_com_object_access
...
https://github.com/Neo23x0/sigma/issues/408
2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99
Rule: reworked win_susp_powershell_enc_cmd
2019-07-30 14:36:30 +02:00
Tareq AlKhatib
d08a993159
Fixed commandline to detect any shim install from any location
2019-07-08 12:31:18 +03:00
Florian Roth
0b883a90b6
fix: null value in separate expression
2019-07-02 20:14:45 +02:00
Florian Roth
ce43d600e3
fix: added null value / application to 4688 problem
2019-07-02 10:51:48 +02:00
Vasiliy Burov
2f123f64a7
Added command that stops services.
2019-06-28 19:46:34 +03:00
Vasiliy Burov
3813d277a6
Ryuk Ransomware commands from real case
2019-06-28 19:26:05 +03:00
Florian Roth
ad386474bf
fix: removed unusable extensions in proc exec context
2019-06-26 17:03:01 +02:00
Florian Roth
708f3ef002
fix: fixed duplicate element in new double extension rule
2019-06-26 16:00:58 +02:00
Florian Roth
41dc076959
Rule: suspicious double extension
2019-06-26 15:57:25 +02:00
Florian Roth
39b5eddfc7
Rule: Suspicious userinit.exe child process
2019-06-23 13:27:06 +02:00
Florian Roth
26036e0d35
fix: fixed image in taskmgr rule
2019-06-21 17:15:53 +02:00
Thomas Patzke
ff7128209e
Adjusted level
2019-06-20 00:03:48 +02:00
Thomas Patzke
0f8849a652
Rule fixes
...
* tagging
* removed spaces
* converted to generic log source
* typos/case
2019-06-20 00:01:56 +02:00
Thomas Patzke
429c29ed5a
Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing
...
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
2019-06-19 23:43:10 +02:00
Thomas Patzke
dbbc1751ef
Converted rule to generic log source
2019-06-19 23:25:25 +02:00
Michael Wade
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
Thomas Patzke
a23f15d42b
Converted rule to generic log source
2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9
Usage of Channel field name in ELK Windows config
2019-06-11 13:15:43 +02:00
yugoslavskiy
5827165c2d
event id deleted
2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720
changed to process_creation category
2019-06-03 15:47:24 +02:00
Florian Roth
a0c9f1594e
Rule: renamed file - name was too generic
2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
Florian Roth
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
Thomas Patzke
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
Alec Costello
886de39814
Small edits
...
Got trigger happy, first time doing this, please don't crucify me.
2019-05-17 17:40:32 +03:00
Alec Costello
34d9b4b365
Update win_susp_process_creations.yml
...
Tested the type method redirecting to a file and dumping the hashes out with pwdump.
Used the wmic method to create the shadow copy.
2019-05-17 16:10:43 +03:00
Alec Costello
3c8be3d48b
Update win_susp_vssadmin_ntds_activity.yml
2019-05-17 15:19:03 +03:00
Alec Costello
8b14a5673d
Update win_susp_vssadmin_ntds_activity.yml
...
Updated with SAM and SYSTEM for esentutl
2019-05-17 15:18:01 +03:00
Codehardt
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
Codehardt
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
Thomas Patzke
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
Thomas Patzke
15a4c7e477
Fixed rule
2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14
Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3
2019-05-10 00:00:14 +02:00
Thomas Patzke
f01fbd6b79
Merge branch
2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d
Changed rule
...
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
Thomas Patzke
121e21960e
Rule changes
...
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799
Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2
2019-05-09 22:55:07 +02:00
Karneades
b47900fbee
Add default path to filter for explorer in exe anomaly rule
2019-04-21 17:42:47 +02:00
Thomas Patzke
49beb5d1a8
Integrated PR from @P4T12ICK in existing rule
...
PR #321
2019-04-21 00:28:40 +02:00
Florian Roth
aab3dbee4f
Rule: Detect Empire PowerShell Default Cmdline Params
2019-04-20 09:38:41 +02:00
Florian Roth
03d8184990
Rule: Extended PowerShell Susp Cmdline Enc Commands
2019-04-20 09:38:41 +02:00
Florian Roth
d5fa51eab9
Merge pull request #305 from Karneades/patch-3
...
Remove too loose filter in notepad++ updater rule
2019-04-19 12:40:24 +02:00
Florian Roth
e32708154f
Merge pull request #304 from Karneades/patch-2
...
Remove too loose filter in mshta rule
2019-04-19 09:51:45 +02:00
Florian Roth
74dd008b10
FP note for HP software
2019-04-19 09:51:32 +02:00
Karneades
d75ea35295
Restrict whitelist filter in system exe anomaly rule
2019-04-18 22:06:12 +02:00
Florian Roth
f78413deab
Merge pull request #309 from jmlynch/master
...
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
Florian Roth
4808f49e0d
More exact path
2019-04-17 23:45:15 +02:00
Florian Roth
1a4a74b64b
fix: dot mustn't be escaped
2019-04-17 23:44:36 +02:00
Florian Roth
76780ccce2
Too many different trusted cscript imphashes
2019-04-17 23:33:56 +02:00
Florian Roth
7c5f985f6f
Modifications
2019-04-17 23:30:49 +02:00
Florian Roth
4298abffb7
Modifications
2019-04-17 23:29:29 +02:00
Florian Roth
615a802a8e
Modifications
2019-04-17 23:26:20 +02:00
Sam0x90
0e8a46aaf7
Update win_subp_svchost rule
...
Adding rpcnet.exe as ParentImage
2019-04-16 15:00:06 +02:00
Florian Roth
17470d1545
Rule: extended parent list for legitimate svchost starts
...
https://twitter.com/Sam0x90/status/1117768799816753153
2019-04-15 14:54:35 +02:00
Florian Roth
612a7642d2
Added Local directory
2019-04-15 08:47:53 +02:00
Florian Roth
1d3159bef0
Rule: Extended Office Shell rule
2019-04-15 08:13:35 +02:00
Karneades
d872c52a43
Add restricted filters to notepad++ gup.exe rule
2019-04-15 08:12:12 +02:00
Florian Roth
1e262f5055
Merge pull request #303 from Karneades/patch-1
...
Remove too loose filter in wmi spawns powershell rule
2019-04-14 23:11:57 +02:00
Karneades
75d36165fc
Remove non-generic false positives
...
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
Karneades
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-11 12:53:12 +02:00
Jason Lynch
89fb726875
added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7
2019-04-09 09:45:07 -04:00
Jason Lynch
f0c8c428bb
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 08:07:30 -04:00
Karneades
97376c00de
Fix condition
2019-04-04 22:33:32 +02:00
Karneades
766b8b8d18
Fix condition
2019-04-04 22:32:47 +02:00
Karneades
788e75ef1b
Fix condition
2019-04-04 22:32:21 +02:00
Karneades
840eb2f519
Remove too loose filter in notepad updater rule
2019-04-04 22:25:05 +02:00
Karneades
eb690d8902
Remove too loose filter in mshta rule
2019-04-04 22:16:24 +02:00
Karneades
1915561351
Remove too loose wildcard from wmi spawns powershell rule
2019-04-04 22:12:28 +02:00
yt0ng
e0459cec1c
renamed file
2019-04-03 17:39:17 +02:00
t0x1c-1
7e058e611c
WMI spawning PowerShell seen in various attacks
2019-04-03 16:56:45 +02:00
Unknown
9ada22b8e0
adjusted link
2019-04-03 16:40:18 +02:00
Unknown
d2e605fc5c
Auto stash before rebase of "Neo23x0/master"
2019-04-03 16:25:18 +02:00
Florian Roth
e473efb7c3
Trying to fix ATT&CK framework tag
2019-04-01 10:36:35 +02:00
Florian Roth
3f2ce4b71f
Lowered level to medium
2019-04-01 09:47:14 +02:00
t0x1c-1
51c42a15a7
Allow Incoming Connections by Port or Application on Windows Firewall
2019-04-01 08:16:56 +02:00
Nate Guagenti
60c4fed2e0
Create win_etw_trace_evasion.yml
...
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `
Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.
example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
2019-03-22 11:36:55 -04:00
Florian Roth
ffac77fb37
Rule: extended LockerGoga description
2019-03-22 11:03:48 +01:00
Florian Roth
1adb040e0b
Rule: LockerGoga
2019-03-22 10:59:31 +01:00
Florian Roth
2ad2ba9589
fix: rule field fix in proc_creation rule
2019-03-22 10:59:18 +01:00
Thomas Patzke
be25aa2c37
Added CAR tags
2019-03-16 00:37:09 +01:00
Thomas Patzke
8512417de0
Incorporated MITRE CAR mapping from #55
2019-03-16 00:03:27 +01:00
Yugoslavskiy Daniil
5d54e9c8a1
nbstat.exe -> nbtstat.exe
2019-03-11 19:28:29 +01:00
Thomas Patzke
3c1948f089
Merge pull request #277 from megan201296/patch-18
...
Remove invalid link
2019-03-07 23:49:13 +01:00
Yugoslavskiy Daniil
475113b1c1
fixed incorrect date format
2019-03-07 22:52:11 +01:00
megan201296
c2a16591af
Remove invalid link
...
Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement but went better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
2019-03-07 14:22:29 -06:00
Yugoslavskiy Daniil
cb7243de5d
fixed wrong tags
2019-03-06 06:18:38 +01:00
Yugoslavskiy Daniil
8bec627ff1
fixed multiple tags issue
2019-03-06 06:09:37 +01:00
Yugoslavskiy Daniil
5154460726
changed service to product
2019-03-06 05:57:01 +01:00
Yugoslavskiy Daniil
05cc7e455d
atc review
2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master
...
Fix rules
2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35
Merge branch 'master' of https://github.com/krakow2600/sigma
2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745
rules update
2019-03-06 00:43:42 +01:00
mrblacyk
6232362f04
Missing tags
2019-03-06 00:16:40 +01:00
mrblacyk
07807837ee
Missing tags
2019-03-06 00:02:37 +01:00
mikhail
be108d95cc
Merge branch 'master' of https://github.com/AverageS/sigma
2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf
Fix 4 rules
2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
Florian Roth
7b3d67ae66
fix: bugfix in new proc creation rule
2019-03-02 11:28:13 +01:00
Florian Roth
1a583c158d
fixed typo as in pull request by @m0jtaba
2019-03-02 08:16:25 +01:00
Florian Roth
2188001f98
Extended filter list provided by @Ov3rflow
2019-03-02 08:13:29 +01:00
Thomas Patzke
56a1ed1eac
Merge branch 'project-1'
2019-03-02 00:26:10 +01:00
Thomas Patzke
7602309138
Increased indentation to 4
...
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00
Thomas Patzke
6bdb4ab78a
Merge cleanup
2019-02-27 22:05:27 +01:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Thomas Patzke
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
Thomas Patzke
7622b17415
Moved test rule to final location/naming scheme
2019-01-14 23:58:25 +01:00