Florian Roth
ae2c186872
rule: wsreset.exe UAC bypass
2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
Florian Roth
a816f4775f
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29
rule: dctask64.exe evasion techniques
...
https://twitter.com/gN3mes1s/status/1222088214581825540
2020-01-28 11:29:24 +01:00
Florian Roth
d48fc9d1ff
fix: multiple false positive conditions
2020-01-28 10:11:09 +01:00
Florian Roth
240b764660
rule: reduced level of system time mod rule
2020-01-27 14:30:09 +01:00
Florian Roth
5f0589b787
rule: mstsc shadowing
2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3
rule: split up renamed binary rule
2020-01-24 15:31:07 +01:00
Florian Roth
4066ae6371
rule: added a reference
2020-01-24 15:31:06 +01:00
Florian Roth
11607a8621
rule: windows audit cve
2020-01-24 15:31:06 +01:00
sbousseaden
a4e62fcb1b
Update win_lm_namedpipe.yml
2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
c24bbdcf81
Sigma queries for
...
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
2020-01-24 15:31:06 +01:00
msec1203
4f29556a01
Update win_susp_winword_wmidll_load.yml
...
Update x2
2020-01-24 15:31:06 +01:00
msec1203
48a071ad4e
Update win_susp_winword_wmidll_load.yml
...
Fix to error on incorrect mitre tags used.
2020-01-24 15:31:06 +01:00
GelosSnake
8fbe08d5fa
Update win_system_exe_anomaly.yml
...
fixing to much original fork.
2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0
Update win_system_exe_anomaly.yml
...
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170
Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml
Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2020-01-24 15:31:06 +01:00
msec1203
4260d01ff0
Initial Upload
...
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166
Added new sticky key attack binary
2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68
svchost spawned without cli
2020-01-24 15:31:06 +01:00
david-burkett
032c382184
corrected logic
2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51
Trickbot behavioral recon activity
2020-01-24 15:31:06 +01:00
Alessio Dalla Piazza
9f7eee8bb1
Add the ability to detect PowerUp - Invoke-AllChecks
...
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
2020-01-24 15:31:06 +01:00
Thomas Patzke
b34bf98c61
Fixed rule: added condition
2020-01-07 15:20:16 +01:00
Florian Roth
48f5f480fd
fix: SCCM false positives with whoami.exe rule
2020-01-07 12:13:47 +01:00
Florian Roth
fd28a64591
rule: WCE
2019-12-31 09:27:38 +01:00
Florian Roth
5980cb8d0c
rule: copy from admin share - lateral movement
2019-12-30 14:25:43 +01:00
Florian Roth
86e6b92903
rule: SecurityXploded tool
2019-12-30 14:25:29 +01:00
Florian Roth
fc8607bbea
rule: whoami as local system
2019-12-22 18:50:26 +01:00
Florian Roth
fb76f2b9ac
rule: CreateMiniDump
2019-12-22 08:29:12 +01:00
Florian Roth
511229c0b6
rule: modified Bloodhound rule
2019-12-21 21:22:13 +01:00
Florian Roth
1fd4c26005
Merge pull request #569 from Neo23x0/devel
...
rule: improved bloodhound rule
2019-12-20 17:32:21 +01:00
Florian Roth
0fa5ba925e
rule :improved bloodhound rule
2019-12-20 17:23:40 +01:00
Florian Roth
cbebaf637f
Merge pull request #568 from Neo23x0/devel
...
Devel
2019-12-20 16:22:29 +01:00
Florian Roth
0e82dce2a0
fix: fixed wrong condition
2019-12-20 16:11:39 +01:00
Florian Roth
0000257371
rule: improved bloodhound rule
2019-12-20 16:08:26 +01:00
Florian Roth
3a933c38f2
rule: changed level of BloodHound rule
2019-12-20 15:37:58 +01:00
Florian Roth
68efeb909d
rule: false positive condition for BloodHound rule
2019-12-20 15:35:13 +01:00
Florian Roth
825b1edb0f
Merge pull request #567 from Neo23x0/devel
...
Devel
2019-12-20 15:32:56 +01:00
Florian Roth
708c17e2bc
rule: Bloodhound
2019-12-20 14:59:36 +01:00
Florian Roth
ab038d1ac7
style: minor changes
2019-12-20 14:59:26 +01:00
Florian Roth
0a26184286
Merge pull request #563 from Neo23x0/devel
...
Devel
2019-12-17 14:48:07 +01:00
Florian Roth
c8b6b5c556
rule: updating csc.exe rule
2019-12-17 13:45:40 +01:00
Florian Roth
7a3041c593
rule: improved csc.exe rule
2019-12-17 11:05:43 +01:00
Florian Roth
e8d92fab0c
rule: ryuk ransomware
2019-12-16 20:33:12 +01:00
Florian Roth
da06e5bc1c
Merge pull request #562 from Neo23x0/devel
...
Improved PowerShell Encoded Command Rule
2019-12-16 19:31:15 +01:00
Florian Roth
bbaa9df217
rule: better JAB rule
2019-12-16 19:08:51 +01:00
Florian Roth
f83eb2268e
rule: improved JAB expression
2019-12-16 19:04:05 +01:00
Florian Roth
bd7c996588
rule: suspicious PS rule modified to cover newest malware campaigns
2019-12-16 19:02:57 +01:00
Florian Roth
7acfecbe66
Merge pull request #530 from bartblaze/master
...
Add scriptlets
2019-12-14 11:24:51 +01:00