Commit Graph

295 Commits

Author SHA1 Message Date
Florian Roth
d35b6c0353 Backup catalog deletion rule 2017-05-12 23:00:56 +02:00
Florian Roth
b7837d4cdb Fixed WannaCrypt rule 2017-05-12 22:32:40 +02:00
Florian Roth
1ab3c746c1 Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-05-12 21:59:43 +02:00
Florian Roth
5cdb2b013b WannaCrypt Ransomware 2017-05-12 21:57:53 +02:00
Florian Roth
0b541b2689 Suspicious Windows Process Creations Update 2017-05-12 21:55:30 +02:00
Thomas Patzke
300dbe8f3e Fixed condition
AND has higher precedence than OR.
2017-05-09 23:12:02 +02:00
Florian Roth
565c51e5be Removed "1 of" expression (no bug, but cleaner) 2017-05-09 22:58:42 +02:00
Florian Roth
a6678e199b Microsoft Malware Protection Engine Crash - ref CVE-2017-0290 2017-05-09 22:46:57 +02:00
Florian Roth
96deef7d34 Updated sigma signature 2017-05-08 21:25:07 +02:00
Florian Roth
16ac2337a4 Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 13:39:50 +02:00
Florian Roth
75e58b8142 Bugfix and date 2017-05-08 13:10:40 +02:00
Florian Roth
263c98a2c8 Suspicious DNS Server Config Error - ServerLevelPluginDLL issue 2017-05-08 13:09:50 +02:00
Florian Roth
f66085b198 Added eventlog source DNS Server to configs 2017-05-08 13:09:17 +02:00
Florian Roth
c7cc2a00d3 WScript/CScript Dropper 2017-05-05 17:30:46 +02:00
Florian Roth
004fed24e0 Linux Generic Rules 2017-05-02 20:32:38 +02:00
Florian Roth
dc4ae35be1 Schtasks frequency - minute 2017-04-28 17:03:35 +02:00
Thomas Patzke
05e9d1e1e9 Check if aggregation is present in BaseBackend
Caused NotImplementedError in ElasticsearchQueryStringBackend.
2017-04-17 00:11:20 +02:00
Florian Roth
a5c3f424c1 regsvr32 Anomalies 2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b Minor fix > list to single value 2017-04-16 12:01:03 +02:00
Florian Roth
30163939f3 Fix: Rule identifier in EQGRP C2 rule 2017-04-15 23:32:56 +02:00
Florian Roth
8363b25888 Suspicious Control Panel DLL Load 2017-04-15 23:32:26 +02:00
Florian Roth
a0ee92a5c3 Equation group C2 server in firewall log rule 2017-04-15 11:32:56 +02:00
Florian Roth
37449e2c5d Fix: Search to log source in network rule 2017-04-15 11:32:38 +02:00
Florian Roth
89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth
d66c97921f Bugfix in rule 2017-04-13 01:22:03 +02:00
Florian Roth
059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth
64caa8aedc Merge pull request #31 from neu5ron/patch-4
Create win_alert_ad_user_backdoors.yml
2017-04-13 01:07:41 +02:00
Florian Roth
1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving
improved win_pass_the_hash.yml rule
2017-04-13 01:05:09 +02:00
Florian Roth
75a0a2c4bb Merge pull request #27 from benno001/patch-1
Added field mappings for events with logins
2017-04-13 01:04:20 +02:00
Nate Guagenti
53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth
a5297b1f29 Equation Group Script/Tool Commands 2017-04-09 20:11:56 +02:00
Florian Roth
abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth
44bedf9e17 Rule: Cloud Hopper WmiExec VBS 2017-04-07 17:41:53 +02:00
Florian Roth
92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
Florian Roth
875c187425 Merge pull request #29 from neu5ron/patch-2
Create win_alert_active_directory_user_control.yml
2017-04-04 18:56:19 +02:00
yugoslavskiy
f83d0e36b8 improved win_pass_the_hash.yml rule
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
2017-04-04 02:57:58 +03:00
Nate Guagenti
2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Florian Roth
c5b19d5661 Merge pull request #28 from neu5ron/patch-1
Create win_alert_enable_weak_encryption.yml
2017-04-03 21:27:20 +02:00
Nate Guagenti
85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti
bd63d74776 Create win_alert_enable_weak_encryption.yml
kerberoast and enabling weak encryption for password/hash cracking
2017-04-03 09:12:58 -04:00
Florian Roth
0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth
d9e6913c03 APT 29 - tor / google update service 2017-04-01 10:30:36 +02:00
Florian Roth
43d907791c Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00
Florian Roth
2657ff7db8 Rule: Carbon Paper Framework Service (Turla)
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
2017-03-31 19:25:41 +02:00
Florian Roth
919a04666c Improved StoneDrill Rule 2017-03-31 19:25:10 +02:00
Ben de Haan
dddb83393d Added field mappings for events with logins 2017-03-30 10:49:36 +02:00
Thomas Patzke
f174d861bf Merge pull request #26 from benno001/patch-1
Added LogPoint conditional username mapping
2017-03-30 10:46:18 +02:00
Ben de Haan
cb9a9bc2ff Added LogPoint conditional username mapping
Conditional mapping of SubjectAccountName based on EventID. Not a comprehensive list, but should include most relevant Event IDs.
2017-03-30 09:51:32 +02:00
Thomas Patzke
298f3413f0 Merge branch 'devel-sigmac' 2017-03-29 23:34:52 +02:00