valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,192 Commits 20 Branches 25 Tags 21 MiB
df715386b6
Commit Graph

2026 Commits

Author SHA1 Message Date
Antonlovesdnb
bb1eecfe14
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:17:33 -05:00
Florian Roth
dd1a0e764c docs: more false positive conditions 2020-02-25 11:13:58 +01:00
Florian Roth
950fa18418 fix: changed titles to avoid duplicates 2020-02-25 11:12:47 +01:00
Florian Roth
5d96f81a84 fix: lowered level due to false positives 2020-02-25 11:12:11 +01:00
ecco
3247d5692a wmiprvse subprocess: add fallback check on username instead of only logonid 2020-02-24 09:25:20 -05:00
ecco
df7356e829 Rule: restore initial behaviour matching single word with spaces on each side 2020-02-24 08:00:06 -05:00
ecco
aa1eff5419 fix FP on rmdir matching dir 2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix 
fix false positive on taskkill.exe not related to service stop at all
 2020-02-24 09:58:33 +01:00
ecco
f807dae69a fix false positive on taskkill.exe not related to service stop at all 2020-02-24 03:03:46 -05:00
ecco
1703b725d3 fix non ascii character in rule 2020-02-24 02:58:34 -05:00
Florian Roth
ab1dda7685 fix: non-ascii rule 2020-02-21 16:21:39 +01:00
Thomas Patzke
61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Antonlovesdnb
9625a94d0b
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-19 14:52:31 -05:00
Antonlovesdnb
6234f72a6c
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-19 14:52:09 -05:00
Antonlovesdnb
328858279f
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-19 14:51:50 -05:00
Antonlovesdnb
1f01fe446f
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-19 14:51:22 -05:00
Antonlovesdnb
6d0805ac13
Update sysmon_susp_winword_vbadll_load.yml 2020-02-19 14:51:00 -05:00
Antonlovesdnb
1e461cb2d1
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-19 14:50:31 -05:00
Antonlovesdnb
56ffa9ec0e
Update sysmon_registry_trust_record_modification.yml 2020-02-19 14:50:09 -05:00
Antonlovesdnb
397cdecb94
5 Rules covering various macro techniques 
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product
 2020-02-19 14:43:13 -05:00
Antonlovesdnb
f8be92dae0
Add files via upload 2020-02-19 10:13:44 -05:00
Florian Roth
a9403b70d5
Merge pull request #623 from Neo23x0/devel 
fix: fixing too restrictive rule
 2020-02-18 11:14:51 +01:00
Florian Roth
6413730810 fix: fixing too restrictive rule 
https://twitter.com/Hexacorn/status/1229702521679118336
 2020-02-18 10:43:22 +01:00
Florian Roth
f7a6ffa121
Merge pull request #622 from Neo23x0/devel 
Minor changes, process dump via rundll32 comsvcs.dll
 2020-02-18 10:26:28 +01:00
Florian Roth
04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth
cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
yugoslavskiy
7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Thomas Patzke
01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
Wagga
b9c745a1b2 New Koadic detection rule 2020-02-16 16:48:49 +01:00
yugoslavskiy
d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
Thomas Patzke
f118839664 Further fixes and deduplications 
From suggestions of @yugoslavskiy in issue #554.
 2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14 Revert "Moved rules with enrichments into unsupported" 
This reverts commit ba83b8862a.
 2020-02-15 22:52:06 +01:00
Florian Roth
eb36150e6b rule: UserAgent used by PowerTon malware 2020-02-15 19:06:49 +01:00
Florian Roth
d909fefa82
Merge pull request #620 from james0d0a/master 
rule: Zeek Suspicious kerberos network traffic RC4
 2020-02-13 09:34:06 +01:00
Florian Roth
94bb7dd77f
fix: issues 2020-02-13 09:17:21 +01:00
james dickenson
21e4aa33dc rule modification: fixed filter condition on zeek suspicious rc4 traffic 2020-02-12 21:27:36 -08:00
james dickenson
93367d725d rule: zeek suspicious kerberos RC4 traffic 2020-02-12 21:21:46 -08:00
faloker
6d9c8e44d7
Update rules titles 2020-02-12 23:09:16 +02:00
faloker
1b15dba712
Correct the indentation 2020-02-12 22:48:46 +02:00
faloker
f387cf0c37
Add the rule to detect changes to startup scripts 2020-02-12 22:23:18 +02:00
faloker
01d2f9f99d
Add the rule to detect backdooring of users keys 2020-02-12 22:22:38 +02:00
faloker
b26c5d8c51
Add rules to detect AWS RDS exfiltration 2020-02-12 22:21:52 +02:00
faloker
ddf5f8ec23
Update conditions 2020-02-12 22:20:15 +02:00
faloker
aacab37f84
Add a rule for guardduty trusted IPs manipulation 2020-02-11 23:28:23 +02:00
faloker
b6c834195e
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00
Florian Roth
a4c210ed16 rule: remove keywords in powershell rule prone to FPs 2020-02-11 16:26:17 +01:00
Florian Roth
bf98d286f9
Merge pull request #615 from Neo23x0/devel 
fix: dumpert rule with wrong sysmon event id
 2020-02-08 20:03:28 +01:00
Florian Roth
d9645af840 rule: added Emotet UA 
https://twitter.com/webbthewombat/status/1225827092132179968
 2020-02-08 10:37:56 +01:00
Florian Roth
080532d20c
logsource change 
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
 2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524 additional gallium ttp 
sha1 process creation only makes sense for sysmon
 2020-02-07 14:08:40 +00:00
Florian Roth
be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Thomas Patzke
7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
Florian Roth
1a80b180fd
Merge pull request #613 from Neo23x0/devel 
rule: dumpert process dump tool
 2020-02-04 23:07:07 +01:00
Florian Roth
10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth
1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth
535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth
8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Kevin Dienst
98471bc53c
Update proxy_raw_paste_service_access.yml 
Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw`

Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
 2020-02-03 07:29:42 -06:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke
f59b36d891 Fixed rule 2020-02-02 12:54:56 +01:00
Thomas Patzke
ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c additional execution observed 2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel 
Winnti rule and helpful message in test script
 2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f rule: winnti group campaign against HK universities 2020-02-01 15:43:30 +01:00
Florian Roth
7a222920df
added 'date' 2020-01-31 15:27:30 +01:00
Florian Roth
913c839780
added 'id' 2020-01-31 15:26:43 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master 2020-01-31 14:45:29 +01:00
Florian Roth
1213712978
Merge branch 'master' into patch-1 2020-01-31 14:32:27 +01:00
Florian Roth
afecca3c13
Merge pull request #511 from 4A616D6573/patch-3 
Created win_susp_local_anon_logon_created.yml
 2020-01-31 14:30:54 +01:00
Florian Roth
8c4aadb423
Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth
190afcac88
Missing ID, wrong tag 2020-01-31 07:32:28 +01:00
Florian Roth
e3d61d5579
Missing ID 2020-01-31 07:31:56 +01:00
Florian Roth
033ab26d5e
Added date 2020-01-31 07:21:02 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872 rule: wsreset.exe UAC bypass 2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth
efd3af0812 fix: fixed missing date fields in other files 2020-01-30 15:32:39 +01:00
Florian Roth
617ece1aa2 fix: fixed missing date fields in proxy rules 2020-01-30 15:20:52 +01:00
Florian Roth
4ad71c44bc chore: moved network device rules to the 'network' folder 2020-01-30 14:30:26 +01:00
Florian Roth
5130072b04
Merge pull request #529 from c2defense/master 
Network Device Analytics
 2020-01-30 14:28:44 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master 
Bypass Windows Defender
 2020-01-30 14:27:30 +01:00
Florian Roth
598b750f48
Minor change 2020-01-30 10:31:16 +01:00
Florian Roth
8cef4b2941
fix: missing id 2020-01-30 10:14:18 +01:00
Florian Roth
bf81ff90a8
fix: using a specific field 2020-01-30 10:13:33 +01:00
Florian Roth
0207eeece4
fix: hyphen 2020-01-30 10:10:03 +01:00
Florian Roth
2f1890b5e8
Update win_rdp_reverse_tunnel.yml 2020-01-30 10:09:41 +01:00
Florian Roth
8ec0060938
fix: fixing bug 2020-01-30 10:09:22 +01:00
Florian Roth
6ca100cabf
reverted changes 2020-01-30 10:08:25 +01:00
Florian Roth
0a4d32c7c7
fix: fixing issues 2020-01-30 10:07:24 +01:00
Florian Roth
9828d7f81d
re-added old reference 2020-01-30 10:03:09 +01:00
Florian Roth
d90ea6d267
improved rule 2020-01-30 09:58:32 +01:00
Florian Roth
d2122b6b83
Merge pull request #594 from sreemanshanker/master 
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
 2020-01-30 09:14:58 +01:00
Florian Roth
6adc732d79
Merge pull request #603 from Neo23x0/devel 
Colorized Testing
 2020-01-30 09:14:25 +01:00
Florian Roth
2c38c53829 fix: removed test rule 2020-01-30 08:52:33 +01:00
Florian Roth
fe6c30fa59 feat: colorized output in test 2020-01-30 08:37:47 +01:00
Florian Roth
a01773681a
fix: filename 2020-01-30 08:18:29 +01:00
Florian Roth
529e95e3a5
Fixed everything 
This rule had a lot of errors and problems. 
- title
- file name 
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
 2020-01-30 08:17:46 +01:00
Florian Roth
4c90e636b1
changed file name 2020-01-30 08:07:56 +01:00
Florian Roth
a935cea665
fix: condition 2020-01-30 08:06:53 +01:00
sreemanshanker
d5c7b4795d
Add files via upload 2020-01-30 11:29:01 +08:00
Florian Roth
647d98ac71
Merge pull request #599 from vitaliy0x1/master 
Detection Rules for AWS events
 2020-01-29 21:01:20 +01:00
Florian Roth
376092cfd3
Merge pull request #565 from RiccardoAncarani/master 
Add Covenant default named pipe
 2020-01-29 20:28:00 +01:00
Florian Roth
05d7448a9a
Minor Changes 2020-01-29 20:25:46 +01:00
Florian Roth
d1357ddc50
Minor changes 2020-01-29 20:25:14 +01:00
Florian Roth
8a4f9ad7f8
Minor changes 2020-01-29 20:24:31 +01:00
Florian Roth
a6d7af270d
Added date 2020-01-29 20:23:40 +01:00
Florian Roth
56e1e6b13d
Lower case service name 2020-01-29 20:23:12 +01:00
Florian Roth
f1ce6ba6ad
Lowering level 
Lowering level to medium for events that can have a legitimate cause
 2020-01-29 20:22:34 +01:00
Florian Roth
eac484092c fix: changed hashes field to sha1 for better consistency 2020-01-29 19:52:24 +01:00
Florian Roth
a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29 rule: dctask64.exe evasion techniques 
https://twitter.com/gN3mes1s/status/1222088214581825540
 2020-01-28 11:29:24 +01:00
Florian Roth
d48fc9d1ff fix: multiple false positive conditions 2020-01-28 10:11:09 +01:00
Florian Roth
240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth
5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
2d4d
bace799f07 complete_cve_2019-19781 2020-01-24 15:31:06 +01:00
Florian Roth
4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth
11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
Florian Roth
f40a7aab3d rule: changes at Shitrix rule 2020-01-24 15:31:06 +01:00
sbousseaden
a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
2d4d
341ed340a3 add newbm.pl 2020-01-24 15:31:06 +01:00
Florian Roth
4e07a786a7 rule: updated netscaler rule 2020-01-24 15:31:06 +01:00
Florian Roth
c22f7b0b65 fix: shortened path in Citrix Netscaler rule 2020-01-24 15:31:06 +01:00
2d4d
d0230f0024 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
2d4d
0bde8b5f00 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
a371cf1057 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
c24bbdcf81 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-24 15:31:06 +01:00
msec1203
4f29556a01 Update win_susp_winword_wmidll_load.yml 
Update x2
 2020-01-24 15:31:06 +01:00
msec1203
48a071ad4e Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2020-01-24 15:31:06 +01:00
GelosSnake
8fbe08d5fa Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2020-01-24 15:31:06 +01:00
msec1203
4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68 svchost spawned without cli 2020-01-24 15:31:06 +01:00
david-burkett
032c382184 corrected logic 2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51 Trickbot behavioral recon activity 2020-01-24 15:31:06 +01:00
Alessio Dalla Piazza
9f7eee8bb1 Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2020-01-24 15:31:06 +01:00
vitaliy0x1
5aa75a90fd added aws_root_account_usage.yml 2020-01-21 15:07:32 +02:00
vitaliy0x1
0d6642abd6 added aws_config_disable_recording.yml 2020-01-21 15:07:10 +02:00
vitaliy0x1
17c00d8a11 added aws_cloudtrail_disable_logging.yml 2020-01-21 15:06:44 +02:00
Thomas Patzke
5f1e933b93
Merge pull request #588 from timbMSFT/timb 
Sigma queries - defense evasion by tampering with svchost; recently released GALLIUM activity group IOCs
 2020-01-20 10:06:06 +01:00
Thomas Patzke
9bb50f3d60 OSCD QA wave 2 
* Improved rules
* Added filtering
* Adjusted severity
 2020-01-17 15:46:28 +01:00
2d4d
e35ebcc185 complete_cve_2019-19781 2020-01-15 21:59:33 +01:00
Florian Roth
41c4a499b4 rule: added a reference 2020-01-15 21:27:40 +01:00
Florian Roth
6db20d4bad rule: windows audit cve 2020-01-15 21:23:32 +01:00
Florian Roth
5ef64e4e99 rule: changes at Shitrix rule 2020-01-13 20:15:08 +01:00
Florian Roth
a0bad54dbd
Merge pull request #592 from 2d4d/fix_web_citrix_cve_2019_19781_exploit.yml 
add newbm.pl
 2020-01-13 14:48:38 +01:00
sbousseaden
b60671397d
Update win_lm_namedpipe.yml 2020-01-13 10:50:35 +01:00
Florian Roth
ba7c634f1a
More changes 2020-01-13 09:59:14 +01:00
Florian Roth
7bd820c151
Changes 2020-01-13 09:56:49 +01:00
sreemanshanker
ffcfcb70ad
Add files via upload 2020-01-13 13:21:06 +08:00
2d4d
364e859a6b add newbm.pl 2020-01-12 00:29:10 +01:00
Thomas Patzke
ae6fcefbcd Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1 
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
 2020-01-11 00:11:27 +01:00
Thomas Patzke
b34bf98c61 Fixed rule: added condition 2020-01-07 15:20:16 +01:00
Florian Roth
a29c832b6a rule: updated netscaler rule 2020-01-07 14:42:16 +01:00
Florian Roth
c9a75a8371 fix: shortened path in Citrix Netscaler rule 2020-01-07 13:00:28 +01:00
Florian Roth
48f5f480fd fix: SCCM false positives with whoami.exe rule 2020-01-07 12:13:47 +01:00
2d4d
35fbdd1248 add rule for Citrix Netscaler CVE-2019-19781 2020-01-03 01:48:29 +01:00
2d4d
b98e57603e add rule for Citrix Netscaler CVE-2019-19781 2020-01-03 00:34:52 +01:00
Tim Burrell (MSTIC)
9bd0402681 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-02 20:05:28 +00:00
Tim Burrell (MSTIC)
5051334e85 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-02 14:47:55 +00:00
Florian Roth
fd28a64591 rule: WCE 2019-12-31 09:27:38 +01:00
Florian Roth
c007ecf90c
Merge pull request #585 from Neo23x0/devel 
Devel
 2019-12-30 15:08:43 +01:00
Florian Roth
5980cb8d0c rule: copy from admin share - lateral movement 2019-12-30 14:25:43 +01:00
Florian Roth
86e6b92903 rule: SecurityXploded tool 2019-12-30 14:25:29 +01:00
Florian Roth
5ad793e04a
Merge pull request #582 from tvjust/patch-1 
Added new sticky key attack binary
 2019-12-30 14:14:20 +01:00
Florian Roth
948af2993b
Merge pull request #583 from msec1203/msec1203-submit-rule1 
MS Office Doc Load WMI DLL Rule
 2019-12-30 14:13:58 +01:00
msec1203
dbdf6680e0
Update win_susp_winword_wmidll_load.yml 
Update x2
 2019-12-30 18:49:39 +09:00
msec1203
a45f877712
Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2019-12-30 18:41:16 +09:00
GelosSnake
f574c20432 Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2019-12-29 18:02:49 +02:00
GelosSnake
7e7f6d1182 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2019-12-29 18:01:19 +02:00
msec1203
845d67f1f3
Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2019-12-29 23:14:29 +09:00
Justin Schoenfeld
a1f07cdb4b
Added new sticky key attack binary 2019-12-29 08:32:23 -05:00
david-burkett
4a65a25070
svchost spawned without cli 2019-12-28 10:28:08 -05:00
david-burkett
35b4806104
corrected logic 2019-12-28 09:55:39 -05:00
David Burkett
474a8617e5
Trickbot behavioral recon activity 2019-12-27 21:25:53 -05:00
Alessio Dalla Piazza
f45587074b
Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2019-12-23 11:50:57 +01:00
Florian Roth
fc8607bbea rule: whoami as local system 2019-12-22 18:50:26 +01:00
Florian Roth
fb76f2b9ac rule: CreateMiniDump 2019-12-22 08:29:12 +01:00
Florian Roth
511229c0b6 rule: modified Bloodhound rule 2019-12-21 21:22:13 +01:00
Florian Roth
1fd4c26005
Merge pull request #569 from Neo23x0/devel 
rule: improved bloodhound rule
 2019-12-20 17:32:21 +01:00
Florian Roth
0fa5ba925e rule :improved bloodhound rule 2019-12-20 17:23:40 +01:00
Florian Roth
cbebaf637f
Merge pull request #568 from Neo23x0/devel 
Devel
 2019-12-20 16:22:29 +01:00
Florian Roth
0e82dce2a0 fix: fixed wrong condition 2019-12-20 16:11:39 +01:00
Florian Roth
0000257371 rule: improved bloodhound rule 2019-12-20 16:08:26 +01:00
Florian Roth
3a933c38f2 rule: changed level of BloodHound rule 2019-12-20 15:37:58 +01:00
Florian Roth
68efeb909d rule: false positive condition for BloodHound rule 2019-12-20 15:35:13 +01:00
Florian Roth
825b1edb0f
Merge pull request #567 from Neo23x0/devel 
Devel
 2019-12-20 15:32:56 +01:00
Florian Roth
5f061c15d0 fix: fixed missing condition 2019-12-20 15:18:05 +01:00
Florian Roth
bb466407ee rule: operation Wocao activity 2019-12-20 15:00:07 +01:00
Florian Roth
708c17e2bc rule: Bloodhound 2019-12-20 14:59:36 +01:00
Florian Roth
ab038d1ac7 style: minor changes 2019-12-20 14:59:26 +01:00
Thomas Patzke
9ca52259dd Fixed identifier 2019-12-20 00:11:34 +01:00
Thomas Patzke
924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
 2019-12-19 23:56:36 +01:00
Thomas Patzke
694d666539 Merge branch 'master' into oscd 2019-12-19 23:15:15 +01:00
Riccardo Ancarani
8b70cb6761
Add Covenant default named pipe 
Covenant (https://github.com/cobbr/Covenant) can use named pipes for peer to peer communication.
The default named pipe name is "\gruntsvc".
References: https://posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456
 2019-12-18 15:19:47 +00:00
Florian Roth
0a26184286
Merge pull request #563 from Neo23x0/devel 
Devel
 2019-12-17 14:48:07 +01:00
Florian Roth
c8b6b5c556 rule: updating csc.exe rule 2019-12-17 13:45:40 +01:00
Florian Roth
7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth
e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth
da06e5bc1c
Merge pull request #562 from Neo23x0/devel 
Improved PowerShell Encoded Command Rule
 2019-12-16 19:31:15 +01:00
Florian Roth
bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth
f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth
bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Thomas Patzke
ef63a65efe Converted to Unix line end 2019-12-15 23:30:42 +01:00
Yugoslavskiy Daniil
d19df2e4f7 fix issues with wrong tagging 2019-12-15 00:17:22 +01:00
Yugoslavskiy Daniil
9a511e5e62 fix issue with doubled detection section in apt_silence_downloader_v3.yml 2019-12-15 00:06:28 +01:00
Florian Roth
7acfecbe66
Merge pull request #530 from bartblaze/master 
Add scriptlets
 2019-12-14 11:24:51 +01:00
Thomas Patzke
1369b3a2dc
Merge pull request #537 from webhead404/webhead404-contrib-sigma 
Added sigma rule to detect external devices or USB drive
 2019-12-13 21:50:01 +01:00
Thomas Patzke
7a280ae092
Merge pull request #557 from robrankin/fix_dupe_rule_name 
Elastalert error, duplicate rule titles
 2019-12-13 21:46:58 +01:00
Florian Roth
1b42f2a0e2
Merge pull request #561 from Neo23x0/devel 
Devel
 2019-12-12 13:34:58 +01:00
Florian Roth
67dfd729fd rule: extended Proxy UA suspicious rule 2019-12-12 10:42:23 +01:00
Florian Roth
9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth
065df363dc rule: added Empire UA 2019-12-12 09:39:28 +01:00
Florian Roth
c25b902add
Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Vasiliy Burov
977551c69d
Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov
0dd4324aba
Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Rob Rankin
e251568760 Data Compressed duplciate titles 2019-12-09 16:24:10 +00:00
Rob Rankin
b771dd3d3b Rule name conflicts in Elastalert output 2019-12-09 16:14:28 +00:00
Thomas Patzke
a9d6158dde Merge branch 'rules' 2019-12-09 16:17:39 +01:00
Thomas Patzke
2ea87f187c Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00
Yugoslavskiy Daniil
185a634bd9 update authors for 2 rules 2019-12-07 02:10:06 +01:00
Yugoslavskiy Daniil
4789b15fd5 add rules by Sergey Soldatov, Kaspersky Lab 2019-12-07 01:45:55 +01:00
Thomas Patzke
991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke
dd8442590f Fixed proxy rule field names 2019-12-07 00:11:33 +01:00
Florian Roth
e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth
c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00
Kevin Dienst
865251238f
Add hastebin raw URI to contains selection 2019-12-05 14:16:20 -06:00
Florian Roth
ab2dd094a5 fix: fixed broken link in elise rule 2019-12-05 09:56:20 +01:00
Florian Roth
8e107f43a2 rule: raw paste service access 2019-12-05 08:54:49 +01:00
Thomas Patzke
ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke
e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke
c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke
76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
Florian Roth
c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth
fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
yugoslavskiy
edad1695f6 Merge branch 'oscd' of https://github.com/mrblacyk/sigma into mrblacyk-oscd 2019-12-02 02:56:53 +01:00
yugoslavskiy
48a94d1609
Update lnx_dd_delete_file.yml 2019-12-02 02:54:48 +01:00
yugoslavskiy
ca1c2f4436
Update lnx_chattr_immutable_removal.yml 2019-12-02 02:54:32 +01:00
yugoslavskiy
9e90335a5a
Update lnx_pers_systemd_reload.yml 2019-12-02 02:54:13 +01:00