Commit Graph

98 Commits

Author SHA1 Message Date
Thomas Patzke
8308cd6c1a Rule fix 2018-08-26 22:35:35 +02:00
Thomas Patzke
0e986cae4d Fixed log source and field names 2018-08-04 22:58:19 +02:00
David Spautz
f039f95f4d Add tags to APT rules 2018-07-25 09:50:01 +02:00
Florian Roth
56172ae174 Corrected CrackMapExec rule 2018-04-09 08:40:03 +02:00
root
69671733a8 added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00
Florian Roth
c10da5b734 Improved Chafer activity rule 2018-03-23 10:50:40 +01:00
Florian Roth
a797a281ac Rule: Chafer / OilRig activity Mar 18
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
2018-03-23 08:59:16 +01:00
Florian Roth
d9d27fec74 Improved EquationGroup dll load rule 2018-03-11 01:22:04 +01:00
Florian Roth
74c2f91a7d Extended the Slingshot APT rule 2018-03-10 16:44:18 +01:00
Florian Roth
66d52cfeef Rule: Defrag deactivation 2018-03-10 15:49:50 +01:00
Florian Roth
ef75f2a248 Minor adjustment in: EquationGroup dll_u load 2018-03-10 12:24:49 +01:00
Florian Roth
e9d16bfae1 Bugfix in: EquationGroup dll_u load 2018-03-10 12:22:53 +01:00
Florian Roth
6a65a7a1bf EquationGroup dll_u load 2018-03-10 09:04:11 +01:00
Thomas Patzke
3b8b04fe09 Merge branch 'devel-sigmac' 2018-03-06 23:19:45 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth
1ecfd83a6a Missing separator 2018-03-05 11:30:01 +01:00
Thomas Patzke
01f38adbdb Fixed condition 2018-03-04 20:07:02 +01:00
Florian Roth
69274d7782 Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00
Florian Roth
6c6dac4cbb Changed Elise backdoor rule 2018-02-25 17:25:04 +01:00
Florian Roth
f2057f0c77 Hurricane Panda activity
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
2018-02-25 17:24:00 +01:00
Florian Roth
635d052fcc Renamed rule - not APT32 related 2018-01-31 23:52:24 +01:00
Florian Roth
4152442bfa Changed reference to references in Elise rule 2018-01-31 23:13:00 +01:00
Florian Roth
f1b339504e Rule: APT32 Elise 2018-01-31 23:12:00 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list" to match schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
ad53cc7cc2 Rule: Sysmon Turla Commands 2017-11-08 00:33:17 +01:00
Florian Roth
ea840632f3 Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 14:22:09 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Florian Roth
801d739a3b US CERT TA17-293A report - renamed PsExec execution 2017-10-22 12:55:26 +02:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Florian Roth
061d3bea27 ZxShell 2017-07-20 12:36:24 -06:00
Florian Roth
576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Florian Roth
f85d847fa6 PlugX Detection
https://docs.google.com/spreadsheets/d/1f5OTQpEEvbiW-NzSfVTrzhmnZJ-hrmAZhRM7JXkDBSY/edit#gid=0
https://countuponsecurity.files.wordpress.com/2017/06/acp-search.png
2017-06-12 10:46:56 +02:00
Florian Roth
21108e60a6 Fixed description and title 2017-06-03 14:53:08 +02:00
Florian Roth
ff5e6e3999 Fireball Sigma Rule 2017-06-03 14:49:06 +02:00
Florian Roth
536e328540 Pandemic Implant 2017-06-01 22:48:59 +02:00
Florian Roth
30163939f3 Fix: Rule identifier in EQGRP C2 rule 2017-04-15 23:32:56 +02:00
Florian Roth
a0ee92a5c3 Equation group C2 server in firewall log rule 2017-04-15 11:32:56 +02:00
Florian Roth
a5297b1f29 Equation Group Script/Tool Commands 2017-04-09 20:11:56 +02:00
Florian Roth
44bedf9e17 Rule: Cloud Hopper WmiExec VBS 2017-04-07 17:41:53 +02:00
Florian Roth
d9e6913c03 APT 29 - tor / google update service 2017-04-01 10:30:36 +02:00
Florian Roth
43d907791c Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00
Florian Roth
2657ff7db8 Rule: Carbon Paper Framework Service (Turla)
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
2017-03-31 19:25:41 +02:00
Florian Roth
919a04666c Improved StoneDrill Rule 2017-03-31 19:25:10 +02:00
Florian Roth
b34d1b7565 Stonedrill rule enhancement 2017-03-07 10:22:14 +01:00
Florian Roth
7113b3aed9 Rule: APT StoneDrill Service Install 2017-03-07 09:24:12 +01:00