Florian Roth
e77657db2f
Merge pull request #451 from EccoTheFlintstone/sysmon_clean
...
sysmon rules cleanup and move to process_creation
2019-09-25 17:28:23 +02:00
Florian Roth
365a46e27e
Merge pull request #454 from EccoTheFlintstone/no_tab
...
remove TAB from cli escape as it's currently unsupported in sigmac
2019-09-25 17:27:56 +02:00
Florian Roth
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix
...
Ruler fix
2019-09-25 17:26:55 +02:00
ecco
4c54e8322a
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
2019-09-25 11:11:22 -04:00
ecco
a644b938a0
fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0)
2019-09-23 05:44:26 -04:00
ecco
6a7f7e0f76
add microsoft reference for events fields names
2019-09-23 05:21:30 -04:00
ecco
d48b63a235
ruler rule field name fix for eventID 4776
2019-09-23 05:17:35 -04:00
ecco
c2868f6e03
remove TAB from cli escape as it's currently unsupported in sigmac
2019-09-23 04:46:10 -04:00
ecco
0c96777f6a
sysmon rules cleanup and move to process_creation
2019-09-11 10:24:43 -04:00
Florian Roth
038900e2fe
fix: renamed powershell rule
2019-09-06 17:33:56 +02:00
ecco
b410710338
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-06 10:57:03 -04:00
ecco
5ae46ac56d
rule: user added to local administrator: handle non english systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
ecco
fe93d84015
fix FP : field null value can be '-'
2019-09-06 05:14:58 -04:00
Florian Roth
7f1b6eb311
fix: duplicate rule
2019-09-06 10:30:47 +02:00
Florian Roth
fcbae16cc8
rule: image debugger
2019-09-06 10:28:20 +02:00
ecco
01956f1312
powershell false positives
2019-09-06 03:54:19 -04:00
Thomas Patzke
afe6668fbd
Merge pull request #438 from duzvik/master
...
Escaped '\*' to '\*' where required
2019-09-05 10:57:25 +02:00
Thomas Patzke
f9f5558ae1
Merge pull request #392 from TareqAlKhatib/shim
...
Fixed commandline to detect any shim install from any location
2019-09-05 10:28:50 +02:00
ecco
bdf8f99fdb
fix typo
2019-09-04 11:31:00 -04:00
Florian Roth
7bef822da7
rule: minor improvement to susp ps enc cmd
2019-09-04 16:31:49 +02:00
Denys Iuzvyk
774be4d008
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
ecco
fc89804f34
rule: impacket framework lateralization detection
2019-09-03 10:28:59 -04:00
ecco
8cad0c638e
add comcvcs.dll memdump method
2019-09-02 07:49:19 -04:00
Florian Roth
dca5a7a248
Merge pull request #432 from EccoTheFlintstone/master
...
add/modify powershell Empire rules
2019-09-02 11:40:36 +02:00
ecco
5f30e52739
add/modify powershell Empire rules
2019-09-02 05:04:44 -04:00
Florian Roth
ace0cc36c6
rule: improved csc rule
2019-08-31 08:44:09 +02:00
Florian Roth
ca2019b57f
fix: typo in MITRE tag
2019-08-27 12:32:56 +02:00
Florian Roth
6b7cd94197
Changes
2019-08-27 12:23:42 +02:00
weev3
d42a51372d
Control Panel Item, MITRE_ID=T1196
2019-08-27 14:55:55 +06:30
Florian Roth
70a26a6132
fix: fixed MITRE tags
2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680
rule: csc.exe suspicious source folder
2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817
rules: encoded FromBase64String keyword
2019-08-24 13:53:05 +02:00
Florian Roth
87ce52f6fe
fix: fixed wrong MITRE tag
2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21
rule: encoded IEX
2019-08-23 23:13:36 +02:00
Thomas Patzke
68fb56f503
Merge pull request #345 from ki11oFF/patch-1
...
Detection of usage mimikatz trough WinRM
2019-08-23 23:04:07 +02:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
...
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
...
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
Florian Roth
cc01f76e99
docs: minor changes
2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe
rule: renamed powershell
2019-08-22 14:22:55 +02:00
ecco
d0a24f4409
filter NULL values to remove false positives
2019-08-20 05:10:41 -04:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match
...
Add default task name and powershell task command to match what the rule name says: detects default config.
2019-08-09 11:58:43 +02:00
Florian Roth
4fcb52d098
fix: removed mmc susp rule due to many FPs
2019-08-07 14:26:15 +02:00
Florian Roth
f6fd1df6f4
Rule: separate Ryuk rule created for VBurovs strings
2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5
...
Ryuk Ransomware commands from real case
2019-08-06 10:29:00 +02:00
Karneades
42e6c9149b
Remove unneeded event code
2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule
2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell
...
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml . And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml .
2019-08-05 18:42:31 +02:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what title says
...
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac
rule: reworked vssadmin rule
2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf
fix: fixing rule win_cmstp_com_object_access
...
https://github.com/Neo23x0/sigma/issues/408
2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99
Rule: reworked win_susp_powershell_enc_cmd
2019-07-30 14:36:30 +02:00
Florian Roth
9143e89f3e
Rule: renamed and reworked hacktool Ruler rule
2019-07-26 14:49:09 +02:00
Florian Roth
f3fb2b41b2
Rule: FP filters extended
2019-07-23 14:58:36 +02:00
Florian Roth
2c57b443e4
docs: modification date in rule
2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
...
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e
author string modified
2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355
win_susp_dhcp_config_failed fixed
2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074
changed logic to detect events related to sid history adding
2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44
rules/windows/builtin/win_susp_add_sid_history.yml improved
2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp
...
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
2019-07-16 15:30:52 -04:00
Tareq AlKhatib
d08a993159
Fixed commandline to detect any shim install from any location
2019-07-08 12:31:18 +03:00
Christophe Tafani-Dereeper
5bc10a4855
Include Github raw URLs in suspicious downloads detection rule
2019-07-05 09:01:35 +00:00
Florian Roth
0b883a90b6
fix: null value in separate expression
2019-07-02 20:14:45 +02:00
Florian Roth
ce43d600e3
fix: added null value / application to 4688 problem
2019-07-02 10:51:48 +02:00
Tareq AlKhatib
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
Vasiliy Burov
2f123f64a7
Added command that stops services.
2019-06-28 19:46:34 +03:00
Vasiliy Burov
3813d277a6
Ryuk Ransomware commands from real case
2019-06-28 19:26:05 +03:00
Florian Roth
ad386474bf
fix: removed unusable extensions in proc exec context
2019-06-26 17:03:01 +02:00
Florian Roth
708f3ef002
fix: fixed duplicate element in new double extension rule
2019-06-26 16:00:58 +02:00
Florian Roth
41dc076959
Rule: suspicious double extension
2019-06-26 15:57:25 +02:00
Florian Roth
39b5eddfc7
Rule: Suspicious userinit.exe child process
2019-06-23 13:27:06 +02:00
Florian Roth
26036e0d35
fix: fixed image in taskmgr rule
2019-06-21 17:15:53 +02:00
Thomas Patzke
ff7128209e
Adjusted level
2019-06-20 00:03:48 +02:00
Thomas Patzke
0f8849a652
Rule fixes
...
* tagging
* removed spaces
* converted to generic log source
* typos/case
2019-06-20 00:01:56 +02:00
Thomas Patzke
f4c86f15b8
Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master
2019-06-19 23:49:20 +02:00
Thomas Patzke
429c29ed5a
Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing
...
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
2019-06-19 23:43:10 +02:00
Thomas Patzke
960cd69d50
Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4
2019-06-19 23:34:25 +02:00
Thomas Patzke
dbbc1751ef
Converted rule to generic log source
2019-06-19 23:25:25 +02:00
Thomas Patzke
d14f5c3436
Merge pull request #371 from savvyspoon/issue285
...
CAR tagging
2019-06-19 23:21:43 +02:00
Thomas Patzke
d82df83ef1
Merge pull request #369 from TareqAlKhatib/refactors
...
Refactors
2019-06-19 23:16:19 +02:00
mgreen27
07e2ee474c
sigma/Add sysmon_renamed_binary
2019-06-15 20:20:52 +10:00
mgreen27
1d26708887
sigma/Add sysmon_renamed_binary
2019-06-15 20:19:35 +10:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml
...
alternative detection methods
2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
Sherif Eldeeb
2d22a3fe02
Add detection for recent Mimikatz versions
...
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
2019-06-12 12:13:31 +03:00
Thomas Patzke
a23f15d42b
Converted rule to generic log source
2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9
Usage of Channel field name in ELK Windows config
2019-06-11 13:15:43 +02:00
Tareq AlKhatib
fce2a45dac
Corrected Typo
2019-06-10 09:51:34 +03:00
yugoslavskiy
5827165c2d
event id deleted
2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720
changed to process_creation category
2019-06-03 15:47:24 +02:00
yugoslavskiy
6a39b4fb41
date added
2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596
rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing
2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e
Rule: renamed file - name was too generic
2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master
...
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00