valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,192 Commits 20 Branches 25 Tags 21 MiB
df715386b6
Commit Graph

2026 Commits

Author SHA1 Message Date
Florian Roth
d9645af840 rule: added Emotet UA 
https://twitter.com/webbthewombat/status/1225827092132179968
 2020-02-08 10:37:56 +01:00
Florian Roth
080532d20c
logsource change 
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
 2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524 additional gallium ttp 
sha1 process creation only makes sense for sysmon
 2020-02-07 14:08:40 +00:00
Florian Roth
be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Thomas Patzke
7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
Florian Roth
1a80b180fd
Merge pull request #613 from Neo23x0/devel 
rule: dumpert process dump tool
 2020-02-04 23:07:07 +01:00
Florian Roth
10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth
1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth
535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth
8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Kevin Dienst
98471bc53c
Update proxy_raw_paste_service_access.yml 
Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw`

Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
 2020-02-03 07:29:42 -06:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke
f59b36d891 Fixed rule 2020-02-02 12:54:56 +01:00
Thomas Patzke
ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke
593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Neis Markus
0d7f55948c additional execution observed 2020-02-02 08:07:00 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel 
Winnti rule and helpful message in test script
 2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f rule: winnti group campaign against HK universities 2020-02-01 15:43:30 +01:00
Florian Roth
7a222920df
added 'date' 2020-01-31 15:27:30 +01:00
Florian Roth
913c839780
added 'id' 2020-01-31 15:26:43 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master 2020-01-31 14:45:29 +01:00
Florian Roth
1213712978
Merge branch 'master' into patch-1 2020-01-31 14:32:27 +01:00
Florian Roth
afecca3c13
Merge pull request #511 from 4A616D6573/patch-3 
Created win_susp_local_anon_logon_created.yml
 2020-01-31 14:30:54 +01:00
Florian Roth
8c4aadb423
Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth
190afcac88
Missing ID, wrong tag 2020-01-31 07:32:28 +01:00
Florian Roth
e3d61d5579
Missing ID 2020-01-31 07:31:56 +01:00
Florian Roth
033ab26d5e
Added date 2020-01-31 07:21:02 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872 rule: wsreset.exe UAC bypass 2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth
efd3af0812 fix: fixed missing date fields in other files 2020-01-30 15:32:39 +01:00
Florian Roth
617ece1aa2 fix: fixed missing date fields in proxy rules 2020-01-30 15:20:52 +01:00
Florian Roth
4ad71c44bc chore: moved network device rules to the 'network' folder 2020-01-30 14:30:26 +01:00
Florian Roth
5130072b04
Merge pull request #529 from c2defense/master 
Network Device Analytics
 2020-01-30 14:28:44 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master 
Bypass Windows Defender
 2020-01-30 14:27:30 +01:00
Florian Roth
598b750f48
Minor change 2020-01-30 10:31:16 +01:00
Florian Roth
8cef4b2941
fix: missing id 2020-01-30 10:14:18 +01:00
Florian Roth
bf81ff90a8
fix: using a specific field 2020-01-30 10:13:33 +01:00
Florian Roth
0207eeece4
fix: hyphen 2020-01-30 10:10:03 +01:00
Florian Roth
2f1890b5e8
Update win_rdp_reverse_tunnel.yml 2020-01-30 10:09:41 +01:00
Florian Roth
8ec0060938
fix: fixing bug 2020-01-30 10:09:22 +01:00
Florian Roth
6ca100cabf
reverted changes 2020-01-30 10:08:25 +01:00
Florian Roth
0a4d32c7c7
fix: fixing issues 2020-01-30 10:07:24 +01:00
Florian Roth
9828d7f81d
re-added old reference 2020-01-30 10:03:09 +01:00
Florian Roth
d90ea6d267
improved rule 2020-01-30 09:58:32 +01:00
Florian Roth
d2122b6b83
Merge pull request #594 from sreemanshanker/master 
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
 2020-01-30 09:14:58 +01:00
Florian Roth
6adc732d79
Merge pull request #603 from Neo23x0/devel 
Colorized Testing
 2020-01-30 09:14:25 +01:00
Florian Roth
2c38c53829 fix: removed test rule 2020-01-30 08:52:33 +01:00
Florian Roth
fe6c30fa59 feat: colorized output in test 2020-01-30 08:37:47 +01:00
Florian Roth
a01773681a
fix: filename 2020-01-30 08:18:29 +01:00
Florian Roth
529e95e3a5
Fixed everything 
This rule had a lot of errors and problems. 
- title
- file name 
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
 2020-01-30 08:17:46 +01:00
Florian Roth
4c90e636b1
changed file name 2020-01-30 08:07:56 +01:00
Florian Roth
a935cea665
fix: condition 2020-01-30 08:06:53 +01:00
sreemanshanker
d5c7b4795d
Add files via upload 2020-01-30 11:29:01 +08:00
Florian Roth
647d98ac71
Merge pull request #599 from vitaliy0x1/master 
Detection Rules for AWS events
 2020-01-29 21:01:20 +01:00
Florian Roth
376092cfd3
Merge pull request #565 from RiccardoAncarani/master 
Add Covenant default named pipe
 2020-01-29 20:28:00 +01:00
Florian Roth
05d7448a9a
Minor Changes 2020-01-29 20:25:46 +01:00
Florian Roth
d1357ddc50
Minor changes 2020-01-29 20:25:14 +01:00
Florian Roth
8a4f9ad7f8
Minor changes 2020-01-29 20:24:31 +01:00
Florian Roth
a6d7af270d
Added date 2020-01-29 20:23:40 +01:00
Florian Roth
56e1e6b13d
Lower case service name 2020-01-29 20:23:12 +01:00
Florian Roth
f1ce6ba6ad
Lowering level 
Lowering level to medium for events that can have a legitimate cause
 2020-01-29 20:22:34 +01:00
Florian Roth
eac484092c fix: changed hashes field to sha1 for better consistency 2020-01-29 19:52:24 +01:00
Florian Roth
a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29 rule: dctask64.exe evasion techniques 
https://twitter.com/gN3mes1s/status/1222088214581825540
 2020-01-28 11:29:24 +01:00
Florian Roth
d48fc9d1ff fix: multiple false positive conditions 2020-01-28 10:11:09 +01:00
Florian Roth
240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth
5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
2d4d
bace799f07 complete_cve_2019-19781 2020-01-24 15:31:06 +01:00
Florian Roth
4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth
11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
Florian Roth
f40a7aab3d rule: changes at Shitrix rule 2020-01-24 15:31:06 +01:00
sbousseaden
a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
2d4d
341ed340a3 add newbm.pl 2020-01-24 15:31:06 +01:00
Florian Roth
4e07a786a7 rule: updated netscaler rule 2020-01-24 15:31:06 +01:00
Florian Roth
c22f7b0b65 fix: shortened path in Citrix Netscaler rule 2020-01-24 15:31:06 +01:00
2d4d
d0230f0024 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
2d4d
0bde8b5f00 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
a371cf1057 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
c24bbdcf81 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-24 15:31:06 +01:00
msec1203
4f29556a01 Update win_susp_winword_wmidll_load.yml 
Update x2
 2020-01-24 15:31:06 +01:00
msec1203
48a071ad4e Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2020-01-24 15:31:06 +01:00
GelosSnake
8fbe08d5fa Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2020-01-24 15:31:06 +01:00
msec1203
4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68 svchost spawned without cli 2020-01-24 15:31:06 +01:00
david-burkett
032c382184 corrected logic 2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51 Trickbot behavioral recon activity 2020-01-24 15:31:06 +01:00
Alessio Dalla Piazza
9f7eee8bb1 Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2020-01-24 15:31:06 +01:00
vitaliy0x1
5aa75a90fd added aws_root_account_usage.yml 2020-01-21 15:07:32 +02:00
vitaliy0x1
0d6642abd6 added aws_config_disable_recording.yml 2020-01-21 15:07:10 +02:00
vitaliy0x1
17c00d8a11 added aws_cloudtrail_disable_logging.yml 2020-01-21 15:06:44 +02:00
Thomas Patzke
5f1e933b93
Merge pull request #588 from timbMSFT/timb 
Sigma queries - defense evasion by tampering with svchost; recently released GALLIUM activity group IOCs
 2020-01-20 10:06:06 +01:00
Thomas Patzke
9bb50f3d60 OSCD QA wave 2 
* Improved rules
* Added filtering
* Adjusted severity
 2020-01-17 15:46:28 +01:00
2d4d
e35ebcc185 complete_cve_2019-19781 2020-01-15 21:59:33 +01:00
Florian Roth
41c4a499b4 rule: added a reference 2020-01-15 21:27:40 +01:00
Florian Roth
6db20d4bad rule: windows audit cve 2020-01-15 21:23:32 +01:00
Florian Roth
5ef64e4e99 rule: changes at Shitrix rule 2020-01-13 20:15:08 +01:00
Florian Roth
a0bad54dbd
Merge pull request #592 from 2d4d/fix_web_citrix_cve_2019_19781_exploit.yml 
add newbm.pl
 2020-01-13 14:48:38 +01:00
sbousseaden
b60671397d
Update win_lm_namedpipe.yml 2020-01-13 10:50:35 +01:00
Florian Roth
ba7c634f1a
More changes 2020-01-13 09:59:14 +01:00
Florian Roth
7bd820c151
Changes 2020-01-13 09:56:49 +01:00
sreemanshanker
ffcfcb70ad
Add files via upload 2020-01-13 13:21:06 +08:00
2d4d
364e859a6b add newbm.pl 2020-01-12 00:29:10 +01:00
Thomas Patzke
ae6fcefbcd Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1 
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
 2020-01-11 00:11:27 +01:00
Thomas Patzke
b34bf98c61 Fixed rule: added condition 2020-01-07 15:20:16 +01:00
Florian Roth
a29c832b6a rule: updated netscaler rule 2020-01-07 14:42:16 +01:00
Florian Roth
c9a75a8371 fix: shortened path in Citrix Netscaler rule 2020-01-07 13:00:28 +01:00
Florian Roth
48f5f480fd fix: SCCM false positives with whoami.exe rule 2020-01-07 12:13:47 +01:00
2d4d
35fbdd1248 add rule for Citrix Netscaler CVE-2019-19781 2020-01-03 01:48:29 +01:00
2d4d
b98e57603e add rule for Citrix Netscaler CVE-2019-19781 2020-01-03 00:34:52 +01:00
Tim Burrell (MSTIC)
9bd0402681 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-02 20:05:28 +00:00
Tim Burrell (MSTIC)
5051334e85 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-02 14:47:55 +00:00
Florian Roth
fd28a64591 rule: WCE 2019-12-31 09:27:38 +01:00
Florian Roth
c007ecf90c
Merge pull request #585 from Neo23x0/devel 
Devel
 2019-12-30 15:08:43 +01:00
Florian Roth
5980cb8d0c rule: copy from admin share - lateral movement 2019-12-30 14:25:43 +01:00
Florian Roth
86e6b92903 rule: SecurityXploded tool 2019-12-30 14:25:29 +01:00
Florian Roth
5ad793e04a
Merge pull request #582 from tvjust/patch-1 
Added new sticky key attack binary
 2019-12-30 14:14:20 +01:00
Florian Roth
948af2993b
Merge pull request #583 from msec1203/msec1203-submit-rule1 
MS Office Doc Load WMI DLL Rule
 2019-12-30 14:13:58 +01:00
msec1203
dbdf6680e0
Update win_susp_winword_wmidll_load.yml 
Update x2
 2019-12-30 18:49:39 +09:00
msec1203
a45f877712
Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2019-12-30 18:41:16 +09:00
GelosSnake
f574c20432 Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2019-12-29 18:02:49 +02:00
GelosSnake
7e7f6d1182 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2019-12-29 18:01:19 +02:00
msec1203
845d67f1f3
Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2019-12-29 23:14:29 +09:00
Justin Schoenfeld
a1f07cdb4b
Added new sticky key attack binary 2019-12-29 08:32:23 -05:00
david-burkett
4a65a25070
svchost spawned without cli 2019-12-28 10:28:08 -05:00
david-burkett
35b4806104
corrected logic 2019-12-28 09:55:39 -05:00
David Burkett
474a8617e5
Trickbot behavioral recon activity 2019-12-27 21:25:53 -05:00
Alessio Dalla Piazza
f45587074b
Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2019-12-23 11:50:57 +01:00
Florian Roth
fc8607bbea rule: whoami as local system 2019-12-22 18:50:26 +01:00
Florian Roth
fb76f2b9ac rule: CreateMiniDump 2019-12-22 08:29:12 +01:00
Florian Roth
511229c0b6 rule: modified Bloodhound rule 2019-12-21 21:22:13 +01:00
Florian Roth
1fd4c26005
Merge pull request #569 from Neo23x0/devel 
rule: improved bloodhound rule
 2019-12-20 17:32:21 +01:00
Florian Roth
0fa5ba925e rule :improved bloodhound rule 2019-12-20 17:23:40 +01:00
Florian Roth
cbebaf637f
Merge pull request #568 from Neo23x0/devel 
Devel
 2019-12-20 16:22:29 +01:00
Florian Roth
0e82dce2a0 fix: fixed wrong condition 2019-12-20 16:11:39 +01:00
Florian Roth
0000257371 rule: improved bloodhound rule 2019-12-20 16:08:26 +01:00
Florian Roth
3a933c38f2 rule: changed level of BloodHound rule 2019-12-20 15:37:58 +01:00
Florian Roth
68efeb909d rule: false positive condition for BloodHound rule 2019-12-20 15:35:13 +01:00
Florian Roth
825b1edb0f
Merge pull request #567 from Neo23x0/devel 
Devel
 2019-12-20 15:32:56 +01:00
Florian Roth
5f061c15d0 fix: fixed missing condition 2019-12-20 15:18:05 +01:00
Florian Roth
bb466407ee rule: operation Wocao activity 2019-12-20 15:00:07 +01:00
Florian Roth
708c17e2bc rule: Bloodhound 2019-12-20 14:59:36 +01:00
Florian Roth
ab038d1ac7 style: minor changes 2019-12-20 14:59:26 +01:00
Thomas Patzke
9ca52259dd Fixed identifier 2019-12-20 00:11:34 +01:00
Thomas Patzke
924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
 2019-12-19 23:56:36 +01:00
Thomas Patzke
694d666539 Merge branch 'master' into oscd 2019-12-19 23:15:15 +01:00
Riccardo Ancarani
8b70cb6761
Add Covenant default named pipe 
Covenant (https://github.com/cobbr/Covenant) can use named pipes for peer to peer communication.
The default named pipe name is "\gruntsvc".
References: https://posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456
 2019-12-18 15:19:47 +00:00
Florian Roth
0a26184286
Merge pull request #563 from Neo23x0/devel 
Devel
 2019-12-17 14:48:07 +01:00
Florian Roth
c8b6b5c556 rule: updating csc.exe rule 2019-12-17 13:45:40 +01:00
Florian Roth
7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth
e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth
da06e5bc1c
Merge pull request #562 from Neo23x0/devel 
Improved PowerShell Encoded Command Rule
 2019-12-16 19:31:15 +01:00
Florian Roth
bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth
f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth
bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Thomas Patzke
ef63a65efe Converted to Unix line end 2019-12-15 23:30:42 +01:00
Yugoslavskiy Daniil
d19df2e4f7 fix issues with wrong tagging 2019-12-15 00:17:22 +01:00
Yugoslavskiy Daniil
9a511e5e62 fix issue with doubled detection section in apt_silence_downloader_v3.yml 2019-12-15 00:06:28 +01:00
Florian Roth
7acfecbe66
Merge pull request #530 from bartblaze/master 
Add scriptlets
 2019-12-14 11:24:51 +01:00
Thomas Patzke
1369b3a2dc
Merge pull request #537 from webhead404/webhead404-contrib-sigma 
Added sigma rule to detect external devices or USB drive
 2019-12-13 21:50:01 +01:00
Thomas Patzke
7a280ae092
Merge pull request #557 from robrankin/fix_dupe_rule_name 
Elastalert error, duplicate rule titles
 2019-12-13 21:46:58 +01:00
Florian Roth
1b42f2a0e2
Merge pull request #561 from Neo23x0/devel 
Devel
 2019-12-12 13:34:58 +01:00
Florian Roth
67dfd729fd rule: extended Proxy UA suspicious rule 2019-12-12 10:42:23 +01:00
Florian Roth
9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth
065df363dc rule: added Empire UA 2019-12-12 09:39:28 +01:00
Florian Roth
c25b902add
Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Vasiliy Burov
977551c69d
Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov
0dd4324aba
Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Rob Rankin
e251568760 Data Compressed duplciate titles 2019-12-09 16:24:10 +00:00
Rob Rankin
b771dd3d3b Rule name conflicts in Elastalert output 2019-12-09 16:14:28 +00:00
Thomas Patzke
a9d6158dde Merge branch 'rules' 2019-12-09 16:17:39 +01:00
Thomas Patzke
2ea87f187c Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00
Yugoslavskiy Daniil
185a634bd9 update authors for 2 rules 2019-12-07 02:10:06 +01:00
Yugoslavskiy Daniil
4789b15fd5 add rules by Sergey Soldatov, Kaspersky Lab 2019-12-07 01:45:55 +01:00
Thomas Patzke
991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke
dd8442590f Fixed proxy rule field names 2019-12-07 00:11:33 +01:00
Florian Roth
e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth
c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00
Kevin Dienst
865251238f
Add hastebin raw URI to contains selection 2019-12-05 14:16:20 -06:00
Florian Roth
ab2dd094a5 fix: fixed broken link in elise rule 2019-12-05 09:56:20 +01:00
Florian Roth
8e107f43a2 rule: raw paste service access 2019-12-05 08:54:49 +01:00
Thomas Patzke
ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke
e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke
c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke
76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
Florian Roth
c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth
fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
yugoslavskiy
edad1695f6 Merge branch 'oscd' of https://github.com/mrblacyk/sigma into mrblacyk-oscd 2019-12-02 02:56:53 +01:00
yugoslavskiy
48a94d1609
Update lnx_dd_delete_file.yml 2019-12-02 02:54:48 +01:00
yugoslavskiy
ca1c2f4436
Update lnx_chattr_immutable_removal.yml 2019-12-02 02:54:32 +01:00
yugoslavskiy
9e90335a5a
Update lnx_pers_systemd_reload.yml 2019-12-02 02:54:13 +01:00
yugoslavskiy
46ca68436e
Update lnx_file_or_folder_permissions.yml 2019-12-02 02:53:35 +01:00
yugoslavskiy
1273a10dcb add win_new_service_creation.yml 2019-12-02 01:19:54 +01:00
yugoslavskiy
9fba097421 add sysmon_in_memory_powershell.yml by Tom Kern 2019-12-01 23:26:00 +01:00
booberry46
df162b232f
Update win_malware_emotet.yml 2019-11-30 13:17:44 +08:00
mrblacyk
9d0889def4
Adding auditd compatibility 2019-11-29 09:34:08 +01:00
mrblacyk
cafbb25d2e
Update lnx_file_or_folder_permissions.yml 2019-11-29 09:33:04 +01:00
mrblacyk
bf5e6cc56b
Adding auditd compatibility 2019-11-29 09:32:05 +01:00
mrblacyk
a15c84eb80
Adding auditd compatibility 2019-11-29 09:27:31 +01:00
Yugoslavskiy Daniil
71e588cae1 add apt silence rules by Group-IB 2019-11-28 21:15:55 +01:00
yugoslavskiy
d5722979ea add rules by Daniel Bohannon 2019-11-27 00:02:45 +01:00
yugoslavskiy
41a09cde34 updated filenames 2019-11-26 23:31:18 +01:00
webhead404
21ef152e3a
Update win_external_device.yml 2019-11-20 16:19:45 -06:00
webhead404
2bfd4ea654
Added MITRE tags 2019-11-20 16:18:03 -06:00
webhead404
5c5d28acdc
Create win_external_device 2019-11-20 16:07:29 -06:00
Florian Roth
39293d5f2b rule: another reference for CVE-2019-1388 rule 2019-11-20 15:09:30 +01:00
Florian Roth
f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth
55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth
4022e3251b rule: changed title 2019-11-20 09:16:00 +01:00
Florian Roth
158f6b3065 rule: exploitation of CVE-2019-1388 2019-11-20 09:12:02 +01:00
Florian Roth
98aa4d4ecb fix: fixed typo in rule for renamed procdump 2019-11-19 15:59:07 +01:00
yugoslavskiy
1b591ee598 add JET CSIRT team sysmon_process_reimaging.yml with unsupported logic 2019-11-19 02:17:07 +01:00
yugoslavskiy
2a33e6fed9 unify location of rules with unsupported logic 2019-11-19 02:12:22 +01:00
yugoslavskiy
efc404fbae resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml 2019-11-19 02:11:19 +01:00
Florian Roth
2c855be9d3 fix: casing fix in renamed procdump rule 2019-11-18 15:57:14 +01:00
Florian Roth
fdc32889a7 rule: PulseSecure CVE-2019-11510 attack 2019-11-18 15:33:58 +01:00
Florian Roth
93f890b31d rule: renamed procdump 2019-11-18 15:27:04 +01:00
Florian Roth
da05c9bb82 fix: line break in description 2019-11-18 15:26:55 +01:00
Florian Roth
2c54d1afe4 rule: removed Zebrocy rule because it doesn't work that way 
reason: command line gets split up at the '&' character, which results in two command lines
 2019-11-18 11:42:38 +01:00
Austin Clark
ad1a6a2bd3
Update cisco_cli_net_sniff.yml 2019-11-15 19:32:53 +01:00
Austin Clark
441a302623
Update cisco_cli_moving_data.yml 2019-11-15 19:31:41 +01:00
Austin Clark
93a40b3b97
Update cisco_cli_modify_config.yml 2019-11-15 19:31:07 +01:00
Austin Clark
9cd6670501
Update cisco_cli_local_accounts.yml 2019-11-15 19:30:33 +01:00
Austin Clark
ed85f1e612
Update cisco_cli_input_capture.yml 2019-11-15 19:11:03 +01:00
Austin Clark
d8e0cfb64c
Update cisco_cli_file_deletion.yml 2019-11-15 19:10:19 +01:00
Austin Clark
af1cf4615f
Update cisco_cli_dos.yml 2019-11-15 19:09:38 +01:00
Austin Clark
46c63094de
Update cisco_cli_discovery.yml 2019-11-15 19:08:53 +01:00
Austin Clark
ac07b00497
Update cisco_cli_disable_logging.yml 2019-11-15 19:08:08 +01:00
Austin Clark
6448631005
Update cisco_cli_crypto_actions.yml 2019-11-15 19:07:09 +01:00
Austin Clark
82237fa347
Update cisco_cli_collect_data.yml 2019-11-15 19:05:55 +01:00
Austin Clark
55f467eae2
Update cisco_cli_clear_logs.yml 2019-11-15 19:05:02 +01:00
Florian Roth
04288771a1 fix: bugfix in RottenPotato rule - wrong identifier 2019-11-15 11:50:03 +01:00
Florian Roth
7e6031705e rule: RottenPotato attack pattern 2019-11-15 11:44:18 +01:00
Florian Roth
ff3ed04405 rule: Exploiting SetupComplete.cmd CVE-2019-1378 2019-11-15 00:26:18 +01:00
Bart
a5b4b276d4
Add scriptlets 
Adds .sct and .vbe.
 2019-11-14 22:26:22 +01:00
Austin Clark
4ec6babdff
Delete test 2019-11-14 20:56:21 +01:00
Austin Clark
85403d353c
Add files via upload 2019-11-14 20:55:28 +01:00
Austin Clark
2c8f6b5020
Create test 2019-11-14 20:53:56 +01:00
Florian Roth
2b7699cc15 fix: fixed broken condition 2019-11-14 10:15:18 +01:00
Florian Roth
95a8563606 Rule: suspicious msiexec directory 2019-11-14 09:51:55 +01:00
yugoslavskiy
ac21810d7a
Merge pull request #516 from yugoslavskiy/oscd_task_#2_credentials_dumping 
oscd task #2 completed
 2019-11-14 01:03:27 +03:00
yugoslavskiy
1cc9ddc8b8
Update win_dumping_ntdsdit_via_netsync.yml 2019-11-14 01:00:28 +03:00
yugoslavskiy
d29941b414
Update win_dumping_ntdsdit_via_dcsync.yml 2019-11-14 00:59:38 +03:00
yugoslavskiy
01ed5a7135
Update sysmon_unsigned_image_loaded_into_lsass.yml 2019-11-14 00:58:39 +03:00
yugoslavskiy
20a5c9498c
Update sysmon_raw_disk_access_using_illegitimate_tools.yml 2019-11-14 00:58:00 +03:00
yugoslavskiy
4b8873b706
Update sysmon_lsass_memory_dump_file_creation.yml 2019-11-14 00:55:20 +03:00
yugoslavskiy
f0cce60a2c
Update sysmon_cred_dump_tools_dropped_files.yml 2019-11-14 00:53:25 +03:00
yugoslavskiy
9b9f37715f
Update process_creation_shadow_copies_deletion.yml 2019-11-14 00:50:10 +03:00
yugoslavskiy
a1831bb503
Update process_creation_shadow_copies_creation.yml 2019-11-14 00:48:50 +03:00
yugoslavskiy
1445589839
Update process_creation_copying_sensitive_files_with_credential_data.yml 2019-11-14 00:47:14 +03:00
yugoslavskiy
c7c29a39b6
Update win_susp_lsass_dump_generic.yml 2019-11-14 00:45:47 +03:00
yugoslavskiy
633c6db254
Update win_remote_registry_management_using_reg_utility.yml 2019-11-14 00:44:47 +03:00
yugoslavskiy
cd31354df2
Update win_quarkspwdump_clearing_hive_access_history.yml 2019-11-14 00:43:56 +03:00
yugoslavskiy
334626168c
Update win_mal_service_installs.yml 2019-11-14 00:43:03 +03:00
yugoslavskiy
cd69111522
Merge branch 'oscd' into master 2019-11-14 00:36:34 +03:00
yugoslavskiy
3cd1abd0a1
Update sysmon_suspicious_remote_thread.yml 2019-11-14 00:34:09 +03:00
yugoslavskiy
1e75979a2a
Update sysmon_minidumwritedump_lsass.yml 2019-11-14 00:32:06 +03:00
yugoslavskiy
f2caf366cb moved net_possible_dns_rebinding.yml to unsupported logic directory; renamed win_powershell_bitsjob.yaml -> win_powershell_bitsjob.yml 2019-11-14 00:24:53 +03:00
yugoslavskiy
94caaff4fa Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd 2019-11-14 00:23:22 +03:00
yugoslavskiy
cb29628ceb modify rules based on BSI contribution 2019-11-14 00:23:16 +03:00
yugoslavskiy
c8ee6e9631
Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov 
[OSCD] Ilyas Ochkov contribution
 2019-11-14 00:22:48 +03:00
yugoslavskiy
b47748399d
Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml 2019-11-14 00:19:30 +03:00
yugoslavskiy
1fe7f55d47
Update sysmon_suspicious_outbound_kerberos_connection.yml 2019-11-14 00:10:05 +03:00
yugoslavskiy
07ad11f3ae
Update sysmon_possible_dns_rebinding.yml 2019-11-14 00:08:50 +03:00
yugoslavskiy
ded75d033a
Update sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 2019-11-13 23:47:24 +03:00
yugoslavskiy
0cb1d4fdbd
Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml 2019-11-13 23:44:03 +03:00
yugoslavskiy
bba360212a
Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml 2019-11-13 23:43:45 +03:00
yugoslavskiy
e6e308ef51
Update sysmon_disable_security_events_logging_adding_reg_key_minint.yml 2019-11-13 23:40:29 +03:00
yugoslavskiy
d8447946d6
Update win_suspicious_outbound_kerberos_connection.yml 2019-11-13 23:37:25 +03:00
yugoslavskiy
7f01a5b1bb
Update win_new_or_renamed_user_account_with_dollar_sign.yml 2019-11-13 23:35:59 +03:00
yugoslavskiy
26479485e6
Update win_new_or_renamed_user_account_with_dollar_sign.yml 2019-11-13 23:34:46 +03:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
Thomas Patzke
d42cc78509 Converted rules Sysmon/1 parts to generic process_creation 2019-11-12 21:06:24 +01:00
Thomas Patzke
0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Florian Roth
b7c3f8da91 refactor: cleanup, single element lists, renamed files, level adjustments 2019-11-12 12:55:05 +01:00
Thomas Patzke
ffdf312932 Added Ursnif user agents 2019-11-12 08:52:37 +01:00
yugoslavskiy
a4331b0eec
Merge pull request #498 from theRabbitCode/oscd 
[OSCD] Added Atomic Blue Detections Repo
 2019-11-11 23:22:57 +03:00
yugoslavskiy
1f142f6613
Delete win_reg_sam_dumping.yml 
redundant with https://github.com/Neo23x0/sigma/pull/516/files#diff-2f8d87b345d7d8c228d22b7a3b83c6ee
authorship has been updated
 2019-11-11 23:22:47 +03:00
yugoslavskiy
cad0e30933
Update process_creation_grabbing_sensitive_hives_via_reg.yml 2019-11-11 23:22:25 +03:00
yugoslavskiy
38d0f832a4
Update win_uac_wsreset.yml 2019-11-11 23:13:28 +03:00
yugoslavskiy
49fb6bdf8f
Update win_uac_fodhelper.yml 2019-11-11 23:10:49 +03:00
yugoslavskiy
f991bf20b0
Update win_uac_cmstp.yml 2019-11-11 23:05:43 +03:00
yugoslavskiy
7f975f5878
Update win_trust_discovery.yml 2019-11-11 23:02:13 +03:00
yugoslavskiy
4c10a36e94
Update win_remote_time_discovery.yml 2019-11-11 22:51:35 +03:00
yugoslavskiy
ef55a580cf
Update win_net_enum.yml 2019-11-11 22:36:00 +03:00
yugoslavskiy
4635c5b1f9
Update win_net_user_add.yml 2019-11-11 22:35:43 +03:00
yugoslavskiy
bf4c2a508d
Update win_powershell_bitsjob.yaml 2019-11-11 22:06:57 +03:00
yugoslavskiy
90bf1c4187
Update win_powershell_audio_capture.yml 2019-11-11 22:03:49 +03:00
yugoslavskiy
8d9e293143
Update win_net_user_add.yml 2019-11-11 22:00:46 +03:00
yugoslavskiy
81b373cea7
Update win_net_enum.yml 2019-11-11 21:54:23 +03:00