Florian Roth
0a1c600d7d
Rule: Changed msiexec web install rule
2018-02-10 15:25:08 +01:00
Florian Roth
a4e6b3003f
Rule: Msiexec web install
2018-02-09 10:13:39 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Florian Roth
0f2e1c5934
Bugfix: Missing wildcard in IIS module install rule
2018-01-27 16:15:25 +01:00
Florian Roth
d93d7d8e7b
Rule: IIS nativ-code module command line installation
2018-01-27 11:13:13 +01:00
Florian Roth
aca70e57ec
Massive Title Cleanup
2018-01-27 10:57:30 +01:00
Florian Roth
379b2dd207
New recon activity rule
2017-12-11 09:31:54 +01:00
Florian Roth
8e2aef035c
Removed commands - false positive reduction
2017-12-11 09:31:54 +01:00
Florian Roth
1464ab4ab8
Renamed rule: recon activity > net recon activity - to be more specific
2017-12-11 09:31:54 +01:00
Thomas Patzke
2ec5919b9e
Fixed win_disable_event_logging by multiline description
2017-11-19 22:49:40 +01:00
Nate Guagenti
a796ff329e
Create win_disable_event_logging
2017-11-15 21:56:30 -05:00
Florian Roth
a0ac61229c
Rule: Detect plugged USB devices
2017-11-09 08:40:46 +01:00
Thomas Patzke
5035c9c490
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections
2017-11-01 22:12:14 +01:00
Thomas Patzke
f3a809eb00
Improved admin logon rules and removed duplicates
2017-11-01 21:33:01 +01:00
Thomas Patzke
0055eedb83
Merge pull request #54 from juju4/CAR-2016-04-005b
...
Admin user remote login
2017-11-01 21:22:09 +01:00
Thomas Patzke
613f922976
Merge pull request #43 from juju4/master
...
New rules
2017-11-01 21:21:30 +01:00
Thomas Patzke
118e8af738
Simplified rule collection
2017-11-01 10:00:35 +01:00
Thomas Patzke
732f01878f
Sigma rule collection YAML action documents
2017-11-01 00:17:55 +01:00
Thomas Patzke
d0b2bd9875
Multiple rules per file
...
* New wrapper class SigmaCollectionParser parses all YAML documents
contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
2017-10-31 23:06:18 +01:00
Thomas Patzke
9d96a998d7
Merge pull request #56 from juju4/CAR-2013-05-002b
...
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
2017-10-30 00:27:56 +01:00
Thomas Patzke
720c992573
Dropped within keyword
...
Covered by timeframe attribute.
Fixes issue #26 .
2017-10-30 00:25:56 +01:00
Thomas Patzke
c865b0e9a8
Removed within keyword in rule
2017-10-30 00:15:01 +01:00
juju4
4b64fc1704
double quotes = escape
2017-10-29 14:42:40 -04:00
juju4
07185247cb
double quotes = escape
2017-10-29 14:32:52 -04:00
juju4
f5f20c3f75
Admin user remote login
2017-10-29 14:30:11 -04:00
juju4
19dd69140b
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
2017-10-29 14:27:01 -04:00
juju4
ad27a0a117
Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002
2017-10-29 14:24:53 -04:00
juju4
e2213347ad
Merge remote-tracking branch 'upstream/master'
2017-09-09 11:33:18 -04:00
Florian Roth
e06cf6c43f
Service install - net user persistence
2017-08-16 15:16:57 +02:00
juju4
b109a1277e
Detects suspicious process related to rasdial.exe
2017-08-13 16:20:25 -04:00
juju4
012ed4cd7d
Detects execution of executables that can be used to bypass Applocker whitelisting
2017-08-13 16:20:01 -04:00
juju4
f861969e95
tentative rule to detect admin users remote login
2017-08-13 16:19:24 -04:00
juju4
d2ae98b0de
tentative rule to detect admin users interactive login
2017-08-13 16:18:58 -04:00
juju4
21b1c52d1e
forfiles, bash detection
2017-08-13 16:18:13 -04:00
Thomas Patzke
0217cd5b1d
Merge branch 'master' into travis-test-working
2017-08-02 23:03:03 +02:00
Thomas Patzke
f768bf3d61
Fixed parse errors
2017-08-02 22:49:15 +02:00
Thomas Patzke
6f5b9e183c
Merge branch 'master' into travis-test-working
2017-08-02 00:32:52 +02:00
Thomas Patzke
b82a6fdc51
Added wildcards to windows/builtin/win_susp_rundll32_activity.yml
2017-08-02 00:09:34 +02:00
Thomas Patzke
84418d2045
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule
2017-08-02 00:04:28 +02:00
Thomas Patzke
c350a90b21
Merge branch 'master' into rules-juju4
2017-08-01 23:55:53 +02:00
juju4
5b778c9833
yamllint: quote twitter-formatted nickname
2017-07-30 11:42:25 -04:00
juju4
5b42c64fcd
Merge remote-tracking branch 'upstream/master'
2017-07-30 11:12:03 -04:00
juju4
31b033d492
suspicious rundll32 activity rules
2017-07-30 11:11:45 -04:00
juju4
3a8946a3ac
suspicious phantom dll rules
2017-07-30 11:11:17 -04:00
juju4
fbbf29fd80
suspicious cli escape character rules
2017-07-30 11:10:43 -04:00
juju4
83fa83aa43
suspicious certutil activity rules
2017-07-30 11:09:51 -04:00
juju4
f487451c45
more suspicious cli process
2017-07-30 11:09:24 -04:00
Florian Roth
d1cdb3c480
Certutil duplicate entry and "-ping" command
2017-07-23 14:51:57 -06:00
Florian Roth
cdf0894e6a
Corrected error in certutil rules (-f means force overwrite, not file)
...
> the -urlcache is the relevant command
2017-07-20 12:54:55 -06:00
Florian Roth
3a55b31da2
certutil file download - more generic approach
2017-07-20 12:48:47 -06:00
Florian Roth
b85d96e458
certutil detections (renamed, extended)
...
see https://twitter.com/subTee/status/888102593838362624
2017-07-20 12:38:10 -06:00
Florian Roth
8f525d2f01
Wannacry Rules Reorg and Renaming
2017-06-28 09:08:53 +02:00
Florian Roth
3f245d27f8
Eventlog cleared ID 104
2017-06-27 17:29:39 +02:00
Thomas Patzke
7fdc78c8bf
Merge pull request #36 from dim0x69/master
...
rule to detect mimikatz lsadump::changentlm and lsadump::setntlm
2017-06-19 15:32:56 +02:00
Thomas Patzke
a4c9e24380
File renaming while deletion with SDelete
2017-06-14 16:55:32 +02:00
Thomas Patzke
8c06a5d83f
Access to wceaux.dll while WCE pass-the-hash login on source host
2017-06-14 15:59:45 +02:00
Florian Roth
576981820b
Moved PlugX rule & used builtin ID 4688 for another rule
2017-06-12 11:02:49 +02:00
Thomas Patzke
91b3c39c0d
Amended condition
...
Changed condition according to proposed syntax for related event matching (#4 )
2017-06-11 23:54:19 +02:00
dimi
ac95e372e5
clarification: if executed locally there is no connection to the samr pipe on IPC$. So this rule detects remote changes
2017-06-09 14:15:37 +02:00
dimi
a2a2366dfb
rule to detect mimikatz lsadump::changentlm and lsadump::setntlm
2017-06-09 14:05:40 +02:00
Florian Roth
5dd3d4dd57
Generic Hacktool Use Rule
2017-05-31 08:42:35 +02:00
Florian Roth
ae4cab6783
Corrected - no lists needed
2017-05-25 12:07:11 +02:00
dimi
0b8c82b75b
1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading
...
2) correct typo in dns server rule
2017-05-15 20:58:31 +02:00
Florian Roth
01e1d3a3d7
WannaCry Service Install
2017-05-15 16:06:16 +02:00
Florian Roth
46643324a8
Wannacrypt Update
2017-05-13 10:40:41 +02:00
Florian Roth
d35b6c0353
Backup catalog deletion rule
2017-05-12 23:00:56 +02:00
Florian Roth
1ab3c746c1
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-05-12 21:59:43 +02:00
Florian Roth
0b541b2689
Suspicious Windows Process Creations Update
2017-05-12 21:55:30 +02:00
Thomas Patzke
300dbe8f3e
Fixed condition
...
AND has higher precedence than OR.
2017-05-09 23:12:02 +02:00
Florian Roth
565c51e5be
Removed "1 of" expression (no bug, but cleaner)
2017-05-09 22:58:42 +02:00
Florian Roth
a6678e199b
Microsoft Malware Protection Engine Crash - ref CVE-2017-0290
2017-05-09 22:46:57 +02:00
Florian Roth
96deef7d34
Updated sigma signature
2017-05-08 21:25:07 +02:00
Florian Roth
75e58b8142
Bugfix and date
2017-05-08 13:10:40 +02:00
Florian Roth
263c98a2c8
Suspicious DNS Server Config Error - ServerLevelPluginDLL issue
2017-05-08 13:09:50 +02:00
Florian Roth
dc4ae35be1
Schtasks frequency - minute
2017-04-28 17:03:35 +02:00
Florian Roth
d66c97921f
Bugfix in rule
2017-04-13 01:22:03 +02:00
Florian Roth
64caa8aedc
Merge pull request #31 from neu5ron/patch-4
...
Create win_alert_ad_user_backdoors.yml
2017-04-13 01:07:41 +02:00
Florian Roth
1e4d563a4d
Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving
...
improved win_pass_the_hash.yml rule
2017-04-13 01:05:09 +02:00
Nate Guagenti
53313d45be
Create win_alert_ad_user_backdoors.yml
2017-04-12 16:15:41 -04:00
yugoslavskiy
f83d0e36b8
improved win_pass_the_hash.yml rule
...
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]
[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
2017-04-04 02:57:58 +03:00
Nate Guagenti
2bb7d7e6eb
Create win_alert_active_directory_user_control.yml
2017-04-03 15:58:23 -04:00
Nate Guagenti
85b4efabed
Update win_alert_enable_weak_encryption.yml
2017-04-03 09:15:52 -04:00
Nate Guagenti
bd63d74776
Create win_alert_enable_weak_encryption.yml
...
kerberoast and enabling weak encryption for password/hash cracking
2017-04-03 09:12:58 -04:00
Florian Roth
f91f813b3f
Improved certutil.exe rules
2017-03-27 22:30:26 +02:00
Florian Roth
078eaa1180
Updated Windows suspicious activity
2017-03-27 17:27:04 +02:00
Florian Roth
707e5a948f
Rules: Password dumper activity and lateral movement
2017-03-27 15:20:50 +02:00
Florian Roth
125bf4f3f2
Rule adjustment
...
Added wilcards cause the field can contain a full path
2017-03-26 23:41:38 +02:00
Florian Roth
53cc80c8f4
Windows Supicious Process Creation
...
- Bugfix in selection name
- New keyword expressions
2017-03-26 23:25:47 +02:00
Florian Roth
c1a6a542db
Rule: Windows 4688 process creation rule
2017-03-26 01:26:34 +01:00
Florian Roth
699c638ee2
Bugfix: Wrong Event ID and extended description
2017-03-23 11:50:30 +01:00
Florian Roth
d377884972
Rule: Rare scheduled tasks creations
2017-03-23 11:45:10 +01:00
Florian Roth
7ce958a3ed
Bugfixes and improvements
2017-03-21 10:24:20 +01:00
Thomas Patzke
889315c960
Changed values with placeholders to quoted strings
...
Values beginning with % cause YAML parse error
2017-03-18 23:05:16 +01:00
Florian Roth
dd81b18d6e
Rule: Suspicious interactive console logons to servers
2017-03-17 09:44:24 +01:00
Florian Roth
dd558e941c
Rule: Access to ADMIN$ share
2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710
Bug and typo fixes
2017-03-14 14:52:28 +01:00
Florian Roth
2e32e1bb43
Rule: User account added to local Administrators
2017-03-14 12:51:50 +01:00
Florian Roth
ff8e3fe584
Merge pull request #9 from iliaselmatani/patch-1
...
Create win_pass_the_hash.yml
2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c
Update win_pass_the_hash.yml
2017-03-13 16:16:34 +01:00
IeM
9f5e5a2366
Update win_pass_the_hash.yml
...
Added placeholders for WorkstationName to detect network logons between Workstations.
2017-03-13 16:09:32 +01:00
IeM
4d5ded46e6
Update win_pass_the_hash.yml
2017-03-08 20:35:26 +01:00
Florian Roth
3507a5e644
Rule: Rare Windows Service Installs
2017-03-08 19:09:34 +01:00
IeM
381b85fd94
Update win_pass_the_hash.yml
...
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
2017-03-08 18:48:06 +01:00
IeM
e4d764ceba
Create win_pass_the_hash.yml
...
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
2017-03-08 18:04:31 +01:00
Florian Roth
5484886932
Rule: Windows - Recon Activity (improved)
2017-03-07 13:06:38 +01:00
Florian Roth
fa6f76f276
Rule: Windows - Recon Activity
2017-03-07 12:01:39 +01:00
Florian Roth
aad892c834
Windows Built-In rules > LogSource definition
2017-03-05 23:55:52 +01:00
Florian Roth
16c5192ee9
Windows Malicious Password Dumper Service Installs
2017-03-05 23:52:02 +01:00
Florian Roth
b1446f9b87
Removed 'last' keyword from 'timeframe' fields
2017-02-28 17:52:40 +01:00
Thomas Patzke
15c6f9411b
Rule review
...
* Typos
* Added false positive descriptions
2017-02-24 23:44:42 +01:00
Thomas Patzke
a4611d6dc6
Added new rules
...
From adsecurity.org:
* https://adsecurity.org/?p=1772
* https://adsecurity.org/?p=1714
2017-02-19 22:43:27 +01:00
Florian Roth
52d04e52ac
Removed lists from log source section
2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0
Sysmon rules 'logsource' change
2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff
Added "logsource" sections and new rule
2017-02-19 00:31:59 +01:00
Thomas Patzke
9a38d6543f
Fixed type of condition
2017-02-16 23:49:34 +01:00
Florian Roth
18fd63f6b7
Levels to low, medium, high, critical
2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d
Rule review and cleanup
...
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
OR linkage would cause wrong result.
2017-02-15 23:53:08 +01:00
Florian Roth
04ea201817
New rules and cleanup
2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5
Renamed rule files, new rules
2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5
Moved rules to a separate directory
2017-02-07 00:44:40 +01:00