valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
349 Commits 20 Branches 25 Tags 21 MiB
d1cdb3c480
Commit Graph

154 Commits

Author SHA1 Message Date
Florian Roth
89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth
d66c97921f Bugfix in rule 2017-04-13 01:22:03 +02:00
Florian Roth
059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth
64caa8aedc Merge pull request #31 from neu5ron/patch-4 
Create win_alert_ad_user_backdoors.yml
 2017-04-13 01:07:41 +02:00
Florian Roth
1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving 
improved win_pass_the_hash.yml rule
 2017-04-13 01:05:09 +02:00
Nate Guagenti
53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth
abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth
92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
yugoslavskiy
f83d0e36b8 improved win_pass_the_hash.yml rule 
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
 2017-04-04 02:57:58 +03:00
Nate Guagenti
2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Nate Guagenti
85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti
bd63d74776 Create win_alert_enable_weak_encryption.yml 
kerberoast and enabling weak encryption for password/hash cracking
 2017-04-03 09:12:58 -04:00
Florian Roth
0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth
fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth
e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth
f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth
078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth
707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth
125bf4f3f2 Rule adjustment 
Added wilcards cause the field can contain a full path
 2017-03-26 23:41:38 +02:00
Florian Roth
53cc80c8f4 Windows Supicious Process Creation 
- Bugfix in selection name
- New keyword expressions
 2017-03-26 23:25:47 +02:00
Florian Roth
b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth
800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Florian Roth
c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Michael Haag
5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Florian Roth
699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth
d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth
10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth
fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Florian Roth
3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth
7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Florian Roth
f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth
055992eb05 Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00
Florian Roth
6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Florian Roth
2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth
b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth
c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke
889315c960 Changed values with placeholders to quoted strings 
Values beginning with % cause YAML parse error
 2017-03-18 23:05:16 +01:00
Thomas Patzke
56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00
Florian Roth
59499f926e Bugfix: Taskscheduler log source definition 2017-03-17 16:09:31 +01:00
Florian Roth
dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth
bcc250e1c7 Added missing description 2017-03-17 08:43:21 +01:00
Florian Roth
e46ecd2aff Rule: Rare scheduled task installs 2017-03-17 08:41:27 +01:00
Florian Roth
3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth
dd558e941c Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth
2e32e1bb43 Rule: User account added to local Administrators 2017-03-14 12:51:50 +01:00
Florian Roth
cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00
Florian Roth
c571848e9b Rule: Scheduled task creation 2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0 Reduced to user accounts 2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8 Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5 Rule: Suspicious PowerShell Parameter Substring 2017-03-13 17:23:25 +01:00
Florian Roth
ff8e3fe584 Merge pull request #9 from iliaselmatani/patch-1 
Create win_pass_the_hash.yml
 2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
IeM
9f5e5a2366 Update win_pass_the_hash.yml 
Added placeholders for WorkstationName to detect network logons between Workstations.
 2017-03-13 16:09:32 +01:00
Florian Roth
85c298c43c Bugfix in rule 2017-03-13 15:09:48 +01:00
Florian Roth
606d74546a Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00
Florian Roth
a0047f7c67 Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
Florian Roth
4470c2f893 PowerShell Suspicious Invocation > Sysmon 2017-03-12 17:11:05 +01:00
Florian Roth
de689c32b5 Suspicious PowerShell Invocation 2017-03-12 17:06:53 +01:00
Florian Roth
d6957f1c2e Merge pull request #10 from MHaggis/master 
Sysmon
 2017-03-09 08:05:22 +01:00
Michael Haag
c5f05dd829 bitsadmin & VSSAdmin 
+Bitsadmin download
+VSSAdmin delete
 2017-03-08 22:49:35 -08:00
IeM
4d5ded46e6 Update win_pass_the_hash.yml 2017-03-08 20:35:26 +01:00
Florian Roth
3507a5e644 Rule: Rare Windows Service Installs 2017-03-08 19:09:34 +01:00
IeM
381b85fd94 Update win_pass_the_hash.yml 
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
 2017-03-08 18:48:06 +01:00
IeM
e4d764ceba Create win_pass_the_hash.yml 
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
 2017-03-08 18:04:31 +01:00
Florian Roth
5484886932 Rule: Windows - Recon Activity (improved) 2017-03-07 13:06:38 +01:00
Florian Roth
fa6f76f276 Rule: Windows - Recon Activity 2017-03-07 12:01:39 +01:00
Florian Roth
aad892c834 Windows Built-In rules > LogSource definition 2017-03-05 23:55:52 +01:00
Florian Roth
16c5192ee9 Windows Malicious Password Dumper Service Installs 2017-03-05 23:52:02 +01:00
Florian Roth
7b815ef3e5 Sysmon PowerShell - Suspicious Param Combination 2017-03-05 23:51:39 +01:00
Florian Roth
294df21c56 Added expression 2017-03-05 22:45:54 +01:00
Florian Roth
7fae49b183 More PowerShell rules 2017-03-05 15:01:51 +01:00
Florian Roth
1e1cf9cb9e PowerShell Rules Revision 2017-03-05 14:14:31 +01:00
Omer Yampel
97b4078d01 Update powershell_malicious_commandlets.yml 
Added https://github.com/putterpanda/mimikittenz reference
 2017-03-04 20:26:39 -05:00
Florian Roth
12535417d9 Typo 2017-03-05 01:47:37 +01:00
Florian Roth
d397ee9f68 First PowerShell Ruleset 2017-03-05 01:47:25 +01:00
Michael Haag
a3cd7123a8 wscript/cscript 
WSF, JSE, JS, VBA and VBE file execution
 2017-03-04 14:40:34 -08:00
Michael Haag
4ac5d86479 mshta shells 
🐚 for all!
 2017-03-04 14:33:09 -08:00
Michael Haag
1317fe9df2 Modifications 
+ Added Sysmon detection of Office binaries spawning Windows shells
+ Additional web servers added for webshell detection
 2017-03-04 14:22:44 -08:00
Florian Roth
a9d6295791 Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00
Florian Roth
15e61a9681 Rule: Certutil Decode in AppData 2017-03-02 11:28:34 +01:00
Florian Roth
b6459a00ab Two new Sysmon rules for Office Macro/PS detection 2017-03-02 11:06:53 +01:00
Florian Roth
8559837aab Removed Sysmon EventLog from selection > via 'logsource' 2017-03-02 11:06:20 +01:00
Florian Roth
b4f2a74371 Proposed changes to mimimkatz-inmemory aggregation 2017-03-01 10:16:43 +01:00
Florian Roth
b1446f9b87 Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00
Thomas Patzke
15c6f9411b Rule review 
* Typos
* Added false positive descriptions
 2017-02-24 23:44:42 +01:00
Thomas Patzke
a4611d6dc6 Added new rules 
From adsecurity.org:

* https://adsecurity.org/?p=1772
* https://adsecurity.org/?p=1714
 2017-02-19 22:43:27 +01:00
Florian Roth
52d04e52ac Removed lists from log source section 2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0 Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00
Thomas Patzke
9a38d6543f Fixed type of condition 2017-02-16 23:49:34 +01:00
Florian Roth
18fd63f6b7 Levels to low, medium, high, critical 2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d Rule review and cleanup 
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
  OR linkage would cause wrong result.
 2017-02-15 23:53:08 +01:00