valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,848 Commits 20 Branches 25 Tags 21 MiB
cc01f76e99
Commit Graph

809 Commits

Author SHA1 Message Date
yugoslavskiy
6a39b4fb41 date added 2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596 rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing 2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name 
incorrect process name. accidentally had fsutil, should be bcdedit.

thanks to https://twitter.com/INIT_3 for pointing this out
 2019-06-01 09:50:50 -04:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master 
Add rule for CVE-2019-0708
 2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments 
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
 2019-05-27 08:54:18 +02:00
Thomas Patzke
241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00
Lionel PRAT
f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Florian Roth
7b63c92fc0 Rule: applying recommendation 
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
 2019-05-23 09:44:25 +02:00
Olaf Hartong
b60cfbe244
Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88 Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Thomas Patzke
2d0c08cc8b Added wildcards to rule values 
These values appear somewhere in a log message, therefore wildcards are
required.
 2019-05-21 01:03:20 +02:00
Florian Roth
694fa567b6
Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown
13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown
275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
Codehardt
1ca57719b0 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:37:12 +02:00
Codehardt
6585c83077 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:13:35 +02:00
Thomas Patzke
25c0330dca Added filter 2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9 Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1 2019-05-10 00:15:51 +02:00
Thomas Patzke
15a4c7e477 Fixed rule 2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14 Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3 2019-05-10 00:00:14 +02:00
Thomas Patzke
f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d Changed rule 
* Adapted false positive notice to observation
* Decreased level
 2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e Converted to generic process creation rule 
Previous rule was prone to FPs; more generic form
 2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d Update win_proc_wrong_parent.yml 
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 2019-05-09 23:48:36 +02:00
Florian Roth
378ba5b38f Transformed rule 
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description
 2019-05-09 23:48:36 +02:00
Vasiliy Burov
8e6295e402 Windows processes with wrong parent 
Detect scenarios when malicious program is disguised as legitimate process
 2019-05-09 23:48:36 +02:00
Thomas Patzke
121e21960e Rule changes 
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
 2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Thomas Patzke
f0b0f54500 Merge improved pull request #322 2019-04-21 23:56:36 +02:00
Thomas Patzke
765fe9dcd9 Further improved Windows user creation rule 
* Decreased level
* Fixed field names
* Added false positive possibility
 2019-04-21 23:54:18 +02:00
Karneades
b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Florian Roth
dd9648b31e
Revert "New Sigma rule detecting local user creation" 2019-04-21 09:09:25 +02:00
Thomas Patzke
49beb5d1a8 Integrated PR from @P4T12ICK in existing rule 
PR #321
 2019-04-21 00:28:40 +02:00
Thomas Patzke
bdd184a24c
Merge pull request #322 from P4T12ICK/feature/win_user_creation 
New Sigma rule detecting local user creation
 2019-04-21 00:20:15 +02:00
Thomas Patzke
80f45349ed
Modified rule 
* Adjusted ATT&CK tagging
* Set status
 2019-04-21 00:14:57 +02:00
Florian Roth
aab3dbee4f Rule: Detect Empire PowerShell Default Cmdline Params 2019-04-20 09:38:41 +02:00
Florian Roth
03d8184990 Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:41 +02:00
Florian Roth
d5fa51eab9
Merge pull request #305 from Karneades/patch-3 
Remove too loose filter in notepad++ updater rule
 2019-04-19 12:40:24 +02:00
Florian Roth
e32708154f
Merge pull request #304 from Karneades/patch-2 
Remove too loose filter in mshta rule
 2019-04-19 09:51:45 +02:00
Florian Roth
74dd008b10
FP note for HP software 2019-04-19 09:51:32 +02:00
Karneades
d75ea35295 Restrict whitelist filter in system exe anomaly rule 2019-04-18 22:06:12 +02:00
patrick
8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
Florian Roth
f78413deab
Merge pull request #309 from jmlynch/master 
added rules for renamed wscript, cscript and paexec. Added two direct…
 2019-04-17 23:59:27 +02:00
Florian Roth
4808f49e0d
More exact path 2019-04-17 23:45:15 +02:00
Florian Roth
1a4a74b64b
fix: dot mustn't be escaped 2019-04-17 23:44:36 +02:00
Florian Roth
76780ccce2
Too many different trusted cscript imphashes 2019-04-17 23:33:56 +02:00
Florian Roth
7c5f985f6f
Modifications 2019-04-17 23:30:49 +02:00
Florian Roth
4298abffb7
Modifications 2019-04-17 23:29:29 +02:00
Florian Roth
615a802a8e
Modifications 2019-04-17 23:26:20 +02:00
Sam0x90
0e8a46aaf7
Update win_subp_svchost rule 
Adding rpcnet.exe as ParentImage
 2019-04-16 15:00:06 +02:00
Florian Roth
17470d1545 Rule: extended parent list for legitimate svchost starts 
https://twitter.com/Sam0x90/status/1117768799816753153
 2019-04-15 14:54:35 +02:00
Florian Roth
daaee558a1 Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth
612a7642d2
Added Local directory 2019-04-15 08:47:53 +02:00
Florian Roth
65b81dad32 Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Florian Roth
1d3159bef0 Rule: Extended Office Shell rule 2019-04-15 08:13:35 +02:00
Karneades
d872c52a43
Add restricted filters to notepad++ gup.exe rule 2019-04-15 08:12:12 +02:00
Florian Roth
1e262f5055
Merge pull request #303 from Karneades/patch-1 
Remove too loose filter in wmi spwns powershell rule
 2019-04-14 23:11:57 +02:00
Florian Roth
cb0a87e21e
Merge pull request #316 from megan201296/patch-19 
Update win_mal_ursnif.yml
 2019-04-14 23:10:16 +02:00
megan201296
eb8a0636c5
Update win_mal_ursnif.yml 
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still uniique.
 2019-04-14 11:51:13 -05:00
Karneades
75d36165fc
Remove non-generic falsepositives 
There are tons of FPs for that... :)
 2019-04-11 12:55:24 +02:00
Karneades
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00
Jason Lynch
89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch
f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
Karneades
97376c00de
Fix condition 2019-04-04 22:33:32 +02:00
Karneades
766b8b8d18
Fix condition 2019-04-04 22:32:47 +02:00
Karneades
788e75ef1b
Fix condition 2019-04-04 22:32:21 +02:00
Karneades
840eb2f519
Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00
Karneades
eb690d8902
Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Karneades
1915561351
Remove to loose wildcard from wmi spwns powershell rule 2019-04-04 22:12:28 +02:00
Florian Roth
81693d81b6
Merge pull request #295 from sbousseaden/master 
Create win_atsvc_task.yml
 2019-04-04 18:32:13 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
Florian Roth
13f86e9333
Merge pull request #296 from Karneades/patch-1 
Remove backslashes in CommandLine for sticky key rule
 2019-04-03 19:44:02 +02:00
yt0ng
e0459cec1c
renamed file 2019-04-03 17:39:17 +02:00
t0x1c-1
7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown
9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown
d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades
865d971704
Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
 2019-04-03 16:16:18 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00