ecco
b410710338
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-06 10:57:03 -04:00
ecco
5ae46ac56d
rule: user added to local administrator: handle non english systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
ecco
fe93d84015
fix FP : field null value can be '-'
2019-09-06 05:14:58 -04:00
Florian Roth
7f1b6eb311
fix: duplicate rule
2019-09-06 10:30:47 +02:00
Florian Roth
fcbae16cc8
rule: image debugger
2019-09-06 10:28:20 +02:00
ecco
01956f1312
powershell false positives
2019-09-06 03:54:19 -04:00
Thomas Patzke
afe6668fbd
Merge pull request #438 from duzvik/master
...
Escaped '\*' to '\*' where required
2019-09-05 10:57:25 +02:00
Thomas Patzke
f9f5558ae1
Merge pull request #392 from TareqAlKhatib/shim
...
Fixed commandline to detect any shim install from any location
2019-09-05 10:28:50 +02:00
ecco
bdf8f99fdb
fix typo
2019-09-04 11:31:00 -04:00
Florian Roth
7bef822da7
rule: minor improvement to susp ps enc cmd
2019-09-04 16:31:49 +02:00
Denys Iuzvyk
774be4d008
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
ecco
fc89804f34
rule: impacket framework lateralization detection
2019-09-03 10:28:59 -04:00
Florian Roth
03d45d57de
rule: emissary panda activity
2019-09-03 15:35:33 +02:00
ecco
8cad0c638e
add comcvcs.dll memdump method
2019-09-02 07:49:19 -04:00
Florian Roth
dca5a7a248
Merge pull request #432 from EccoTheFlintstone/master
...
add/modify powershell Empire rules
2019-09-02 11:40:36 +02:00
ecco
5f30e52739
add/modify powershell Empire rules
2019-09-02 05:04:44 -04:00
Florian Roth
ace0cc36c6
rule: improved csc rule
2019-08-31 08:44:09 +02:00
Florian Roth
7cc26e30b4
docs: renamed file name
2019-08-30 12:04:20 +02:00
Florian Roth
f8785e722f
docs: changed title and description of rule
2019-08-30 12:03:42 +02:00
Florian Roth
ba46d6b4de
docs: added reference to rule
2019-08-30 11:55:02 +02:00
Florian Roth
398ef9c6aa
rules: teardown implant, apt28 ua
2019-08-30 11:53:55 +02:00
Florian Roth
ca2019b57f
fix: typo in MITRE tag
2019-08-27 12:32:56 +02:00
Florian Roth
6b7cd94197
Changes
2019-08-27 12:23:42 +02:00
weev3
d42a51372d
Control Panel Item, MITRE_ID=T1196
2019-08-27 14:55:55 +06:30
Florian Roth
70a26a6132
fix: fixed MITRE tags
2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680
rule: csc.exe suspicious source folder
2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817
rules: encoded FromBase64String keyword
2019-08-24 13:53:05 +02:00
Florian Roth
87ce52f6fe
fix: fixed wrong MITRE tag
2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21
rule: encoded IEX
2019-08-23 23:13:36 +02:00
Thomas Patzke
68fb56f503
Merge pull request #345 from ki11oFF/patch-1
...
Detection of usage mimikatz trough WinRM
2019-08-23 23:04:07 +02:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
...
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
...
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
Florian Roth
cc01f76e99
docs: minor changes
2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe
rule: renamed powershell
2019-08-22 14:22:55 +02:00
ecco
d0a24f4409
filter NULL values to remove false positives
2019-08-20 05:10:41 -04:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match
...
Add default task name and powershell task command to match what the rule name says: detects default config.
2019-08-09 11:58:43 +02:00
Florian Roth
4fcb52d098
fix: removed mmc susp rule due to many FPs
2019-08-07 14:26:15 +02:00
Florian Roth
f6fd1df6f4
Rule: separate Ryuk rule created for VBurovs strings
2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5
...
Ryuk Ransomware commands from real case
2019-08-06 10:29:00 +02:00
Florian Roth
83841ea117
Merge pull request #411 from nikotin69/master
...
compliance rules by SOC prime
2019-08-05 20:53:02 +02:00
Florian Roth
302ae9c5d0
Added level
2019-08-05 19:51:22 +02:00
Florian Roth
4dbf392562
Title, Level adjusted
2019-08-05 19:48:56 +02:00
Florian Roth
fdb9b351d0
Level to low
2019-08-05 19:48:21 +02:00
Florian Roth
317c0bd07a
Removed "Detects" keyword from title
2019-08-05 19:47:46 +02:00
Florian Roth
2af8cb0d0e
Update cleartext_protocols.yml
2019-08-05 19:47:03 +02:00
Florian Roth
c7ec45c0ff
Update workstation_was_locked.yml
2019-08-05 19:44:14 +02:00
Florian Roth
e64fcb32a2
Update group_modification_logging.yml
2019-08-05 19:43:59 +02:00
Florian Roth
5caf4f5f14
Update default_credentials_usage.yml
2019-08-05 19:43:46 +02:00
Florian Roth
10cc1de4c9
Fixed global rule syntax
2019-08-05 19:43:15 +02:00
Florian Roth
dcdd021dc6
Duplicate port 3306
2019-08-05 19:36:50 +02:00
Karneades
42e6c9149b
Remove unneeded event code
2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule
2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell
...
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml . And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml .
2019-08-05 18:42:31 +02:00
nikotin
780d9223e6
compliance rules by SOC prime
2019-08-05 19:42:19 +03:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what title says
...
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac
rule: reworked vssadmin rule
2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf
fix: fixing rule win_cmstp_com_object_access
...
https://github.com/Neo23x0/sigma/issues/408
2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99
Rule: reworked win_susp_powershell_enc_cmd
2019-07-30 14:36:30 +02:00
Florian Roth
9143e89f3e
Rule: renamed and reworked hacktool Ruler rule
2019-07-26 14:49:09 +02:00
Florian Roth
f3fb2b41b2
Rule: FP filters extended
2019-07-23 14:58:36 +02:00
Florian Roth
2c57b443e4
docs: modification date in rule
2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
...
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e
author string modified
2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355
win_susp_dhcp_config_failed fixed
2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074
changed logic to detect events related to sid history adding
2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44
rules/windows/builtin/win_susp_add_sid_history.yml improved
2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp
...
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
2019-07-16 15:30:52 -04:00
Tareq AlKhatib
d08a993159
Fixed commandline to detect any shim install from any location
2019-07-08 12:31:18 +03:00
Christophe Tafani-Dereeper
5bc10a4855
Include Github raw URLs in suspicious downloads detection rule
2019-07-05 09:01:35 +00:00
Florian Roth
0b883a90b6
fix: null value in separate expression
2019-07-02 20:14:45 +02:00
Florian Roth
f5a8a81ff7
fix: linux cmds rule
2019-07-02 15:22:26 +02:00
Florian Roth
ce43d600e3
fix: added null value / application to 4688 problem
2019-07-02 10:51:48 +02:00
Tareq AlKhatib
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
Vasiliy Burov
2f123f64a7
Added command that stops services.
2019-06-28 19:46:34 +03:00
Vasiliy Burov
3813d277a6
Ryuk Ransomware commands from real case
2019-06-28 19:26:05 +03:00
Florian Roth
ad386474bf
fix: removed unusable extensions in proc exec context
2019-06-26 17:03:01 +02:00
Florian Roth
708f3ef002
fix: fixed duplicate element in new double extension rule
2019-06-26 16:00:58 +02:00
Florian Roth
41dc076959
Rule: suspicious double extension
2019-06-26 15:57:25 +02:00
Florian Roth
39b5eddfc7
Rule: Suspicious userinit.exe child process
2019-06-23 13:27:06 +02:00
Florian Roth
26036e0d35
fix: fixed image in taskmgr rule
2019-06-21 17:15:53 +02:00
Thomas Patzke
ff7128209e
Adjusted level
2019-06-20 00:03:48 +02:00
Thomas Patzke
0f8849a652
Rule fixes
...
* tagging
* removed spaces
* converted to generic log source
* typos/case
2019-06-20 00:01:56 +02:00
Thomas Patzke
f4c86f15b8
Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master
2019-06-19 23:49:20 +02:00
Thomas Patzke
429c29ed5a
Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing
...
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
2019-06-19 23:43:10 +02:00
Thomas Patzke
960cd69d50
Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4
2019-06-19 23:34:25 +02:00
Thomas Patzke
e4e8ebbf95
Merge pull request #368 from JayPowerUser/web-source-code-enumeration
...
Web Source Code Enumeration via .git
2019-06-19 23:27:37 +02:00
Thomas Patzke
dbbc1751ef
Converted rule to generic log source
2019-06-19 23:25:25 +02:00
Thomas Patzke
d14f5c3436
Merge pull request #371 from savvyspoon/issue285
...
CAR tagging
2019-06-19 23:21:43 +02:00
Thomas Patzke
d82df83ef1
Merge pull request #369 from TareqAlKhatib/refactors
...
Refactors
2019-06-19 23:16:19 +02:00
mgreen27
07e2ee474c
sigma/Add sysmon_renamed_binary
2019-06-15 20:20:52 +10:00
mgreen27
1d26708887
sigma/Add sysmon_renamed_binary
2019-06-15 20:19:35 +10:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml
...
alternative detection methods
2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
Sherif Eldeeb
2d22a3fe02
Add detection for recent Mimikatz versions
...
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
2019-06-12 12:13:31 +03:00
Thomas Patzke
a23f15d42b
Converted rule to generic log source
2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9
Usage of Channel field name in ELK Windows config
2019-06-11 13:15:43 +02:00
Tareq AlKhatib
3bcfc53905
Corrected Typo
2019-06-10 09:54:37 +03:00
Tareq AlKhatib
fce2a45dac
Corrected Typo
2019-06-10 09:51:34 +03:00
James Ahearn
eae7e3ab10
Web Source Code Enumeration via .git
2019-06-08 22:40:28 -04:00
Thomas Patzke
407d8214f7
Added APT40 Dropbox exfiltration proxy rule
2019-06-07 14:03:41 +02:00
yugoslavskiy
5827165c2d
event id deleted
2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720
changed to process_creation category
2019-06-03 15:47:24 +02:00
yugoslavskiy
6a39b4fb41
date added
2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596
rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing
2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e
Rule: renamed file - name was too generic
2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
Thomas Patzke
4e96666c04
Merge pull request #336 from petermat/added_rule_T1156
...
added rule .bash_profile and .bashrc T1156
2019-05-30 22:43:33 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master
...
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Thomas Patzke
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
Lionel PRAT
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
Florian Roth
7b63c92fc0
Rule: applying recommendation
...
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
Olaf Hartong
b60cfbe244
Added password flag
2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule
2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b
Rule: Terminal Service Process Spawn
2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88
Rule: Renamed PsExec
2019-05-21 09:49:40 +02:00
Thomas Patzke
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
Patryk
c163dcbe05
Update sysmon_mimikatz_trough_winrm.yml
...
Deleted tab character (\t)
2019-05-20 13:22:36 +02:00
Patryk
a9faa3dc33
Create sysmon_mimikatz_trough_winrm.yml
...
Detects usage of mimikatz through WinRM protocol
2019-05-20 12:25:58 +02:00
Florian Roth
694fa567b6
Reformatted
2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline
2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax
2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes
2019-05-15 14:46:45 +02:00
Unknown
13522b97a7
Adjusting Newline
2019-05-15 12:15:41 +02:00
Unknown
275896dbe6
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 11:47:12 +02:00
petermmm
b6c4e64a9b
fixed attack category number 2->3
2019-05-12 11:59:13 +02:00
petermmm
2778558ae3
added rule .bash_profile and .bashrc T1156
2019-05-12 02:07:13 +02:00
Codehardt
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
Codehardt
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
Thomas Patzke
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
Thomas Patzke
56f64ca47d
Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection
...
New C2 DNS Tunneling Sigma Detection Rule
2019-05-10 00:12:39 +02:00
Thomas Patzke
46c789105b
Fix and ordering
2019-05-10 00:08:26 +02:00
Thomas Patzke
595f22552d
Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep
2019-05-10 00:05:06 +02:00
Thomas Patzke
15a4c7e477
Fixed rule
2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14
Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3
2019-05-10 00:00:14 +02:00
Thomas Patzke
f51e918a2e
Small rule change
2019-05-09 23:57:55 +02:00
Thomas Patzke
31946426a5
Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1
2019-05-09 23:54:18 +02:00
Thomas Patzke
f01fbd6b79
Merge branch
2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d
Changed rule
...
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e
Converted to generic process creation rule
...
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d
Update win_proc_wrong_parent.yml
...
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00