Florian Roth
6a8adc72ac
rule: reworked vssadmin rule
2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf
fix: fixing rule win_cmstp_com_object_access
...
https://github.com/Neo23x0/sigma/issues/408
2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99
Rule: reworked win_susp_powershell_enc_cmd
2019-07-30 14:36:30 +02:00
Florian Roth
9143e89f3e
Rule: renamed and reworked hacktool Ruler rule
2019-07-26 14:49:09 +02:00
Florian Roth
f3fb2b41b2
Rule: FP filters extended
2019-07-23 14:58:36 +02:00
Florian Roth
2c57b443e4
docs: modification date in rule
2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
...
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e
author string modified
2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355
win_susp_dhcp_config_failed fixed
2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074
changed logic to detect events related to sid history adding
2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44
rules/windows/builtin/win_susp_add_sid_history.yml improved
2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp
...
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
2019-07-16 15:30:52 -04:00
Tareq AlKhatib
d08a993159
Fixed commandline to detect any shim install from any location
2019-07-08 12:31:18 +03:00
Christophe Tafani-Dereeper
5bc10a4855
Include Github raw URLs in suspicious downloads detection rule
2019-07-05 09:01:35 +00:00
Florian Roth
0b883a90b6
fix: null value in separate expression
2019-07-02 20:14:45 +02:00
Florian Roth
f5a8a81ff7
fix: linux cmds rule
2019-07-02 15:22:26 +02:00
Florian Roth
ce43d600e3
fix: added null value / application to 4688 problem
2019-07-02 10:51:48 +02:00
Tareq AlKhatib
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
Vasiliy Burov
2f123f64a7
Added command that stops services.
2019-06-28 19:46:34 +03:00
Vasiliy Burov
3813d277a6
Ryuk Ransomware commands from real case
2019-06-28 19:26:05 +03:00
Florian Roth
ad386474bf
fix: removed unusable extensions in proc exec context
2019-06-26 17:03:01 +02:00
Florian Roth
708f3ef002
fix: fixed duplicate element in new double extension rule
2019-06-26 16:00:58 +02:00
Florian Roth
41dc076959
Rule: suspicious double extension
2019-06-26 15:57:25 +02:00
Florian Roth
39b5eddfc7
Rule: Suspicious userinit.exe child process
2019-06-23 13:27:06 +02:00
Florian Roth
26036e0d35
fix: fixed image in taskmgr rule
2019-06-21 17:15:53 +02:00
Thomas Patzke
ff7128209e
Adjusted level
2019-06-20 00:03:48 +02:00
Thomas Patzke
0f8849a652
Rule fixes
...
* tagging
* removed spaces
* converted to generic log source
* typos/case
2019-06-20 00:01:56 +02:00
Thomas Patzke
f4c86f15b8
Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master
2019-06-19 23:49:20 +02:00
Thomas Patzke
429c29ed5a
Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing
...
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
2019-06-19 23:43:10 +02:00
Thomas Patzke
960cd69d50
Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4
2019-06-19 23:34:25 +02:00
Thomas Patzke
e4e8ebbf95
Merge pull request #368 from JayPowerUser/web-source-code-enumeration
...
Web Source Code Enumeration via .git
2019-06-19 23:27:37 +02:00
Thomas Patzke
dbbc1751ef
Converted rule to generic log source
2019-06-19 23:25:25 +02:00
Thomas Patzke
d14f5c3436
Merge pull request #371 from savvyspoon/issue285
...
CAR tagging
2019-06-19 23:21:43 +02:00
Thomas Patzke
d82df83ef1
Merge pull request #369 from TareqAlKhatib/refactors
...
Refactors
2019-06-19 23:16:19 +02:00
mgreen27
07e2ee474c
sigma/Add sysmon_renamed_binary
2019-06-15 20:20:52 +10:00
mgreen27
1d26708887
sigma/Add sysmon_renamed_binary
2019-06-15 20:19:35 +10:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml
...
alternative detection methods
2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
Sherif Eldeeb
2d22a3fe02
Add detection for recent Mimikatz versions
...
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
2019-06-12 12:13:31 +03:00
Thomas Patzke
a23f15d42b
Converted rule to generic log source
2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9
Usage of Channel field name in ELK Windows config
2019-06-11 13:15:43 +02:00
Tareq AlKhatib
3bcfc53905
Corrected Typo
2019-06-10 09:54:37 +03:00
Tareq AlKhatib
fce2a45dac
Corrected Typo
2019-06-10 09:51:34 +03:00
James Ahearn
eae7e3ab10
Web Source Code Enumeration via .git
2019-06-08 22:40:28 -04:00
Thomas Patzke
407d8214f7
Added APT40 Dropbox exfiltration proxy rule
2019-06-07 14:03:41 +02:00
yugoslavskiy
5827165c2d
event id deleted
2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720
changed to process_creation category
2019-06-03 15:47:24 +02:00
yugoslavskiy
6a39b4fb41
date added
2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596
rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing
2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e
Rule: renamed file - name was too generic
2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
Thomas Patzke
4e96666c04
Merge pull request #336 from petermat/added_rule_T1156
...
added rule .bash_profile and .bashrc T1156
2019-05-30 22:43:33 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master
...
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Thomas Patzke
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
Lionel PRAT
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
Florian Roth
7b63c92fc0
Rule: applying recommendation
...
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
Olaf Hartong
b60cfbe244
Added password flag
2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule
2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b
Rule: Terminal Service Process Spawn
2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88
Rule: Renamed PsExec
2019-05-21 09:49:40 +02:00
Thomas Patzke
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
Patryk
c163dcbe05
Update sysmon_mimikatz_trough_winrm.yml
...
Deleted tab character (\t)
2019-05-20 13:22:36 +02:00
Patryk
a9faa3dc33
Create sysmon_mimikatz_trough_winrm.yml
...
Detects usage of mimikatz through WinRM protocol
2019-05-20 12:25:58 +02:00
Florian Roth
694fa567b6
Reformatted
2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline
2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax
2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes
2019-05-15 14:46:45 +02:00
Unknown
13522b97a7
Adjusting Newline
2019-05-15 12:15:41 +02:00
Unknown
275896dbe6
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 11:47:12 +02:00
petermmm
b6c4e64a9b
fixed attack category number 2->3
2019-05-12 11:59:13 +02:00
petermmm
2778558ae3
added rule .bash_profile and .bashrc T1156
2019-05-12 02:07:13 +02:00
Codehardt
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
Codehardt
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
Thomas Patzke
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
Thomas Patzke
56f64ca47d
Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection
...
New C2 DNS Tunneling Sigma Detection Rule
2019-05-10 00:12:39 +02:00
Thomas Patzke
46c789105b
Fix and ordering
2019-05-10 00:08:26 +02:00
Thomas Patzke
595f22552d
Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep
2019-05-10 00:05:06 +02:00
Thomas Patzke
15a4c7e477
Fixed rule
2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14
Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3
2019-05-10 00:00:14 +02:00
Thomas Patzke
f51e918a2e
Small rule change
2019-05-09 23:57:55 +02:00
Thomas Patzke
31946426a5
Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1
2019-05-09 23:54:18 +02:00
Thomas Patzke
f01fbd6b79
Merge branch
2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d
Changed rule
...
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e
Converted to generic process creation rule
...
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d
Update win_proc_wrong_parent.yml
...
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00
Florian Roth
378ba5b38f
Transformed rule
...
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs
Fixed Typo
Changes to title and description
2019-05-09 23:48:36 +02:00
Vasiliy Burov
8e6295e402
Windows processes with wrong parent
...
Detect scenarios when malicious program is disguised as legitimate process
2019-05-09 23:48:36 +02:00
Thomas Patzke
121e21960e
Rule changes
...
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799
Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2
2019-05-09 22:55:07 +02:00
Thomas Patzke
f0b0f54500
Merge improved pull request #322
2019-04-21 23:56:36 +02:00
Thomas Patzke
765fe9dcd9
Further improved Windows user creation rule
...
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
Karneades
b47900fbee
Add default path to filter for explorer in exe anomaly rule
2019-04-21 17:42:47 +02:00
Florian Roth
dd9648b31e
Revert "New Sigma rule detecting local user creation"
2019-04-21 09:09:25 +02:00
Florian Roth
a85acdfd02
Changed title and description
2019-04-21 08:54:56 +02:00
Florian Roth
0713360443
Fixed MITRE ATT&CK tags
2019-04-21 08:52:07 +02:00
Thomas Patzke
49beb5d1a8
Integrated PR from @P4T12ICK in existing rule
...
PR #321
2019-04-21 00:28:40 +02:00
Thomas Patzke
bdd184a24c
Merge pull request #322 from P4T12ICK/feature/win_user_creation
...
New Sigma rule detecting local user creation
2019-04-21 00:20:15 +02:00
Thomas Patzke
80f45349ed
Modified rule
...
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
Florian Roth
aab3dbee4f
Rule: Detect Empire PowerShell Default Cmdline Params
2019-04-20 09:38:41 +02:00
Florian Roth
03d8184990
Rule: Extended PowerShell Susp Cmdline Enc Commands
2019-04-20 09:38:41 +02:00
Florian Roth
5249279a66
Rule: another MSF payload user agent
2019-04-20 09:38:41 +02:00
Florian Roth
d5fa51eab9
Merge pull request #305 from Karneades/patch-3
...
Remove too loose filter in notepad++ updater rule
2019-04-19 12:40:24 +02:00
Florian Roth
e32708154f
Merge pull request #304 from Karneades/patch-2
...
Remove too loose filter in mshta rule
2019-04-19 09:51:45 +02:00
Florian Roth
74dd008b10
FP note for HP software
2019-04-19 09:51:32 +02:00
Karneades
d75ea35295
Restrict whitelist filter in system exe anomaly rule
2019-04-18 22:06:12 +02:00
patrick
8609fc7ece
New Sigma rule detecting local user creation
2019-04-18 19:59:43 +02:00
Florian Roth
f78413deab
Merge pull request #309 from jmlynch/master
...
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
Florian Roth
4808f49e0d
More exact path
2019-04-17 23:45:15 +02:00
Florian Roth
1a4a74b64b
fix: dot mustn't be escaped
2019-04-17 23:44:36 +02:00
Florian Roth
76780ccce2
Too many different trusted cscript imphashes
2019-04-17 23:33:56 +02:00
Florian Roth
7c5f985f6f
Modifications
2019-04-17 23:30:49 +02:00
Florian Roth
4298abffb7
Modifications
2019-04-17 23:29:29 +02:00
Florian Roth
615a802a8e
Modifications
2019-04-17 23:26:20 +02:00
Sam0x90
0e8a46aaf7
Update win_subp_svchost rule
...
Adding rpcnet.exe as ParentImage
2019-04-16 15:00:06 +02:00
Florian Roth
17470d1545
Rule: extended parent list for legitimate svchost starts
...
https://twitter.com/Sam0x90/status/1117768799816753153
2019-04-15 14:54:35 +02:00
Florian Roth
daaee558a1
Rule: added date to Tom's WMI rule
2019-04-15 09:06:53 +02:00
Florian Roth
612a7642d2
Added Local directory
2019-04-15 08:47:53 +02:00
Florian Roth
65b81dad32
Rule: Suspicious scripting in a WMI consumer
2019-04-15 08:13:35 +02:00
Florian Roth
1d3159bef0
Rule: Extended Office Shell rule
2019-04-15 08:13:35 +02:00
Karneades
d872c52a43
Add restricted filters to notepad++ gup.exe rule
2019-04-15 08:12:12 +02:00
Florian Roth
1e262f5055
Merge pull request #303 from Karneades/patch-1
...
Remove too loose filter in wmi spwns powershell rule
2019-04-14 23:11:57 +02:00
Florian Roth
cb0a87e21e
Merge pull request #316 from megan201296/patch-19
...
Update win_mal_ursnif.yml
2019-04-14 23:10:16 +02:00
Florian Roth
08ec8597a5
Merge pull request #317 from megan201296/patch-20
...
Create apt_oceanlotus_registry.yml
2019-04-14 23:09:42 +02:00
megan201296
74fce5f511
Create apt_oceanlotus_registry.yml
...
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ . Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
2019-04-14 12:01:52 -05:00
megan201296
eb8a0636c5
Update win_mal_ursnif.yml
...
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml ). Changed to ignore the key name, confirmed that the key is still uniique.
2019-04-14 11:51:13 -05:00
patrick
51d19b36cc
Add new Sigma Rule for C2 DNS Tunneling
2019-04-13 20:28:55 +02:00
patrick
4b43db2aac
Add new Sigma Rule for C2 DNS Tunneling
2019-04-13 20:27:36 +02:00
Karneades
75d36165fc
Remove non-generic falsepositives
...
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
Karneades
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-11 12:53:12 +02:00
Jason Lynch
89fb726875
added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7
2019-04-09 09:45:07 -04:00
Jason Lynch
f0c8c428bb
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 08:07:30 -04:00
patrick
ca4b710c01
Added Sigma Use Case detecting Privilege Escalation Preparation in Linux
2019-04-07 15:36:19 +02:00
Karneades
97376c00de
Fix condition
2019-04-04 22:33:32 +02:00
Karneades
766b8b8d18
Fix condition
2019-04-04 22:32:47 +02:00
Karneades
788e75ef1b
Fix condition
2019-04-04 22:32:21 +02:00
Karneades
840eb2f519
Remove too loose filter in notepad updater rule
2019-04-04 22:25:05 +02:00
Karneades
eb690d8902
Remove too loose filter in mshta rule
2019-04-04 22:16:24 +02:00
Karneades
1915561351
Remove to loose wildcard from wmi spwns powershell rule
2019-04-04 22:12:28 +02:00
Florian Roth
81693d81b6
Merge pull request #295 from sbousseaden/master
...
Create win_atsvc_task.yml
2019-04-04 18:32:13 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml
2019-04-04 18:22:50 +02:00
MadsRC
41b4d800c5
Update net_susp_dns_txt_exec_strings.yml
...
Fixed my botched YAML syntax...
2019-04-04 08:35:37 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml
2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml
2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml
2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml
2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml
2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml
2019-04-03 21:40:59 +02:00
MadsRC
d0d51b6601
Update net_susp_dns_txt_exec_strings.yml
...
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.
"record_type" was chosen as that fits with Splunks "Network Resolution (DNS)" datamodel.
2019-04-03 20:31:31 +02:00
Florian Roth
2b814011cd
Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature
...
Add new signature for linux clear command history
2019-04-03 19:45:06 +02:00
Florian Roth
13f86e9333
Merge pull request #296 from Karneades/patch-1
...
Remove backslashes in CommandLine for sticky key rule
2019-04-03 19:44:02 +02:00
yt0ng
e0459cec1c
renamed file
2019-04-03 17:39:17 +02:00
t0x1c-1
7e058e611c
WMI spawning PowerShell seen in various attacks
2019-04-03 16:56:45 +02:00
Unknown
9ada22b8e0
adjusted link
2019-04-03 16:40:18 +02:00
Unknown
d2e605fc5c
Auto stash before rebase of "Neo23x0/master"
2019-04-03 16:25:18 +02:00
Karneades
865d971704
Remove backslashes in CommandLine for sticky key rule
...
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
2019-04-03 16:16:18 +02:00
sbousseaden
eda5298457
Create win_account_backdoor_dcsync_rights.yml
2019-04-03 16:16:05 +02:00
sbousseaden
0756b00cdf
Create win_susp_psexec.yml
2019-04-03 15:59:46 +02:00
sbousseaden
9c1a5a5264
Create win_lm_namedpipe.yml
2019-04-03 15:48:42 +02:00
sbousseaden
56b68a0266
Create win_GPO_scheduledtasks.yml
2019-04-03 15:36:24 +02:00
sbousseaden
b941f6411f
Create win_impacket_secretdump.yml
2019-04-03 15:18:42 +02:00
sbousseaden
516c8f3ea1
Create win_account_discovery.yml
2019-04-03 14:41:11 +02:00
sbousseaden
3d69727332
Create sysmon_rdp_settings_hijack.yml
2019-04-03 14:16:25 +02:00
sbousseaden
016261cacf
Update sysmon_lsass_memdump.yml
2019-04-03 14:06:49 +02:00
sbousseaden
a85c668f6f
Update sysmon_lsass_memdump.yml
2019-04-03 14:00:51 +02:00
sbousseaden
d62bc41bfb
Create win_svcctl_remote_service.yml
2019-04-03 13:58:20 +02:00
sbousseaden
32c6b34746
Create sysmon_lsass_memdump.yml
2019-04-03 13:51:59 +02:00
sbousseaden
548145ce10
Create win_susp_raccess_sensitive_fext.yml
2019-04-03 13:22:42 +02:00
sbousseaden
ddb2d92a98
Create sysmon_tsclient_filewrite_startup.yml
2019-04-03 13:19:59 +02:00
sbousseaden
e3f99c323b
Create win_atsvc_task.yml
2019-04-03 13:08:12 +02:00
Florian Roth
6cc1770351
Merge pull request #294 from Pr0t3an/patch-3
...
Update lnx_shell_susp_rev_shells.yml
2019-04-03 01:07:07 +02:00
Florian Roth
b76925f838
Rule: extending rule with /dev/udp
2019-04-02 20:09:13 +02:00
Pr0t3an
d067087632
Update lnx_shell_susp_rev_shells.yml
...
added
- 'bash -i >& /dev/udp/'
- 'sh -I >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
2019-04-02 18:22:18 +01:00
Florian Roth
5c5a16c4d5
Rule: adding xterm -display string to rule
2019-04-02 18:48:18 +02:00
Florian Roth
453bd10e6e
Rule: Suspicious reverse shell command lines
2019-04-02 17:03:57 +02:00
Thomas Patzke
8e854b06f6
Specified source to prevent EventID collisions
...
Issue #263
2019-04-01 23:45:55 +02:00
Florian Roth
d06a5431eb
Changes
2019-04-01 14:03:54 +02:00
Florian Roth
e473efb7c3
Trying to fix ATT&CK framework tag
2019-04-01 10:36:35 +02:00
Florian Roth
3f2ce4b71f
Lowered level to medium
2019-04-01 09:47:14 +02:00
t0x1c-1
51c42a15a7
Allow Incoming Connections by Port or Application on Windows Firewall
2019-04-01 08:16:56 +02:00
patrick
0242c40360
Add new signature for linux clear command history
2019-03-24 10:10:14 +01:00
Nate Guagenti
60c4fed2e0
Create win_etw_trace_evasion.yml
...
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `
Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.
example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
2019-03-22 11:36:55 -04:00
Florian Roth
ffac77fb37
Rule: extended LockerGoga description
2019-03-22 11:03:48 +01:00
Florian Roth
1adb040e0b
Rule: LockerGoga
2019-03-22 10:59:31 +01:00
Florian Roth
2ad2ba9589
fix: rule field fix in proc_creation rule
2019-03-22 10:59:18 +01:00
Thomas Patzke
be25aa2c37
Added CAR tags
2019-03-16 00:37:09 +01:00
Thomas Patzke
8512417de0
Incorporated MITRE CAR mapping from #55
2019-03-16 00:03:27 +01:00
Thomas Patzke
5e3a25537e
Merge pull request #283 from LiamSennitt/master
...
Added and fixed tags on APT rules
2019-03-15 23:00:25 +01:00
yugoslavskiy
33db032a16
added missed service
2019-03-14 00:44:26 +01:00
Liam Sennitt
bb026e4692
fixed tag typo on rules
2019-03-13 10:25:41 +00:00
Liam Sennitt
0aaac1a48e
add tags to crime fireball rule
2019-03-13 10:10:12 +00:00