Commit Graph

318 Commits

Author SHA1 Message Date
Florian Roth
36bcd1c54e
Merge pull request #443 from EccoTheFlintstone/aduserbck
fix FP : field null value can be '-'
2019-09-25 17:43:22 +02:00
Florian Roth
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin
rule: user added to local administrator: handle non-English systems b…
2019-09-25 17:29:41 +02:00
Florian Roth
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix
Ruler fix
2019-09-25 17:26:55 +02:00
ecco
a644b938a0
fix PtH rule: field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0)
2019-09-23 05:44:26 -04:00
ecco
6a7f7e0f76
add Microsoft reference for event field names
2019-09-23 05:21:30 -04:00
ecco
d48b63a235
ruler rule field name fix for eventID 4776
2019-09-23 05:17:35 -04:00
ecco
5ae46ac56d
rule: user added to local administrator: handle non-English systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
ecco
fe93d84015
fix FP: field null value can be '-'
2019-09-06 05:14:58 -04:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
Florian Roth
9143e89f3e
Rule: renamed and reworked hacktool Ruler rule
2019-07-26 14:49:09 +02:00
Florian Roth
2c57b443e4
docs: modification date in rule
2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e
author string modified
2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355
win_susp_dhcp_config_failed fixed
2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074
changed logic to detect events related to sid history adding
2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44
rules/windows/builtin/win_susp_add_sid_history.yml improved
2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
2019-07-16 15:30:52 -04:00
Tareq AlKhatib
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
Thomas Patzke
960cd69d50
Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4
2019-06-19 23:34:25 +02:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml
alternative detection methods
2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
Florian Roth
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name
2019-05-29 15:43:44 +03:00
Florian Roth
323a7313fd
FP adjustments
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Lionel PRAT
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
Thomas Patzke
2d0c08cc8b
Added wildcards to rule values
These values appear somewhere in a log message, therefore wildcards are required.
2019-05-21 01:03:20 +02:00
Thomas Patzke
765fe9dcd9
Further improved Windows user creation rule
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
Thomas Patzke
80f45349ed
Modified rule
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
patrick
8609fc7ece
New Sigma rule detecting local user creation
2019-04-18 19:59:43 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml
2019-04-04 18:22:50 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml
2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml
2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml
2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml
2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml
2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml
2019-04-03 21:40:59 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml
2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml
2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml
2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml
2019-04-03 15:36:24 +02:00
sbousseaden
b941f6411f
Create win_impacket_secretdump.yml
2019-04-03 15:18:42 +02:00
sbousseaden
516c8f3ea1
Create win_account_discovery.yml
2019-04-03 14:41:11 +02:00
sbousseaden
d62bc41bfb
Create win_svcctl_remote_service.yml
2019-04-03 13:58:20 +02:00
sbousseaden
548145ce10
Create win_susp_raccess_sensitive_fext.yml
2019-04-03 13:22:42 +02:00
sbousseaden
e3f99c323b
Create win_atsvc_task.yml
2019-04-03 13:08:12 +02:00
Thomas Patzke
8e854b06f6
Specified source to prevent EventID collisions
Issue #263
2019-04-01 23:45:55 +02:00
Thomas Patzke
be25aa2c37
Added CAR tags
2019-03-16 00:37:09 +01:00
yugoslavskiy
33db032a16
added missing service
2019-03-14 00:44:26 +01:00