Commit Graph

4624 Commits

Author SHA1 Message Date
Florian Roth
3f46d0ea28
Update sysmon_outlook_newform.yml 2021-06-10 17:41:57 +02:00
frack113
fb2d0092f1 forget to add modified 2021-06-10 17:27:15 +02:00
frack113
4e516414c9 Split to Convert eventID to correct category 2021-06-10 16:58:45 +02:00
frack113
a0aed54f7d Convert eventID 22 to category dns_query 2021-06-10 16:43:33 +02:00
Tobias Michalski
54e98c8441 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 16:41:22 +02:00
Tobias Michalski
1f52763878 Removed EventIDs 2021-06-10 16:41:00 +02:00
frack113
7cb10b5475 convert eventID to category 2021-06-10 16:36:14 +02:00
Tobias Michalski
e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth
83dddf99b4
Update win_exchange_TransportAgent.yml 2021-06-10 16:07:22 +02:00
Florian Roth
0cfc462fb9 fix: fixed driver load rule 2021-06-10 16:03:35 +02:00
Florian Roth
cd0531b345
fix: removed process_creation log source 2021-06-10 15:37:00 +02:00
Tobias Michalski
3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Tobias Michalski
b1913deaca Removed extra whitespace 2021-06-10 14:09:16 +02:00
luffynextgen
e170a4a12a
Update sysmon_svchost_cred_dump.yml
following the advices given to me I changed the category and the filter to be closer to sysmon field.
2021-06-10 14:04:58 +02:00
Tobias Michalski
56d200bad0 Fixed meta informations 2021-06-10 12:44:19 +02:00
Tobias Michalski
bbc8633c67 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 11:32:08 +02:00
Tobias Michalski
4d6e7e1338 Rules persitence by exploiting Outlook or Exchange 2021-06-10 11:26:21 +02:00
Florian Roth
5e35e387dd
Merge pull request #1549 from SigmaHQ/rule-devel
Rule devel
2021-06-10 10:19:47 +02:00
Florian Roth
45c3d4702b
Merge pull request #1520 from SyeedHasan/master
Detection rule for 'ISO mounts'
2021-06-10 09:51:29 +02:00
Florian Roth
78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Florian Roth
9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth
04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth
f52ed7604c BabyShark Pattern 2021-06-10 09:41:36 +02:00
Florian Roth
28abdf3a81
Update win_iso_mount.yml 2021-06-10 09:31:40 +02:00
luffynextgen
c75d92410d
Create sysmon_svchost_cred_dump.yml 2021-06-10 09:30:08 +02:00
Florian Roth
b2d0fbba2c
Adjustments 2021-06-10 09:12:37 +02:00
Florian Roth
8a04bea6aa
Merge pull request #1535 from mvelazc0/master
Password Spraying Sigma Rules
2021-06-08 16:14:52 +02:00
Andreas Hunkeler
2d44803bf5
Revert renaming of ngrok rule
Initially the rule had only a detection for RDP but after my last commits we have more ports in detections, so previous generic name is better.
2021-06-08 13:09:35 +02:00
Florian Roth
cfdf3b7c08
Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies
Add t1490 powershell delete volume shadow copie
2021-06-08 11:02:34 +02:00
Florian Roth
07176ddb25
Merge pull request #1541 from frack113/win_tamper_with_windows_defender
Windows tamper with windows defender
2021-06-08 11:02:14 +02:00
Florian Roth
242b56031f
Merge pull request #1542 from Karneades/patch-1
Update ngrok usage rule
2021-06-08 11:01:45 +02:00
frack113
c1f43cc4ca T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features 2021-06-08 09:32:01 +02:00
frack113
0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
Andreas Hunkeler
cea2d5cd81
Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler
e1ef13bb24
Update ngrok usage rule
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
2021-06-07 17:20:18 +02:00
frack113
5914e46d4a fix typo errors 2021-06-07 15:15:36 +02:00
frack113
e66a3f9513 T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp. 2021-06-07 15:03:19 +02:00
frack113
43ccc07ad0 T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection 2021-06-07 10:09:21 +02:00
mvelazco
178df3f056 fixing title lengths 2021-06-04 10:57:52 -04:00
frack113
169f948ac2 Get a new error after another Atomic Test 2021-06-04 13:20:10 +02:00
frack113
3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
mvelazco
d8aa0ae124 adding references 2021-06-03 23:38:10 -04:00
mvelazco
d4f66f2af6 rolling back unwanted changes 2021-06-03 18:29:06 -04:00
mvelazco
7ebab6f872 Merge branch 'master' of github.com:mvelazc0/sigma 2021-06-03 18:26:09 -04:00
mvelazco
103fe2b344 minor fixes and 3 extra sigma rules 2021-06-03 18:26:07 -04:00
mvelazco
f53675f41a Merge branch 'SigmaHQ:master' into master 2021-06-03 14:54:41 -07:00
mvelazco
50d734a17a Adding 4 initial sigma rules 2021-06-03 17:51:47 -04:00
frack113
537272c944 Add t1490 powershell delete volume shadow copie 2021-06-03 22:39:06 +02:00
Remco Hofman
12c822511e Consistency: Service File Name to ServiceFileName 2021-06-03 21:33:11 +02:00
Florian Roth
42036049ec
Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration
Filtering Platform Connection are in security channel not system
2021-06-03 20:50:23 +02:00
Florian Roth
b45561c4c9
Merge pull request #1524 from frack113/fix_powershell_alternate_powershell_hosts
make powershell_alternate_powershell_hosts more accurate
2021-06-03 20:50:06 +02:00
Florian Roth
d41825766a
Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
2021-06-03 20:49:31 +02:00
Florian Roth
4d7b3b7afe
Merge pull request #1530 from Karneades/patch-1
Add further detections to shadow copies deletion
2021-06-03 13:51:00 +02:00
Florian Roth
11eca86be3
Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth
151d120a24
Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113
ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion
9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler
e8ee6aec2f
Add further detections to shadow copies deletion
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
2021-06-02 15:47:41 +02:00
Florian Roth
7812ff51d3 fix: FPs with Volume Shadow Copy Service Keys 2021-06-02 13:04:05 +02:00
Florian Roth
7288ae93b9
Merge pull request #1526 from WojciechLesicki/master
Added a new rule about loading dll CS via rundll32 and also some chan…
2021-06-01 21:54:26 +02:00
Florian Roth
eb4300756e
Update win_cobaltstrike_service_installs.yml 2021-06-01 21:53:25 +02:00
Florian Roth
736eeabf9f
Merge pull request #1527 from SigmaHQ/rule-devel
fix: rule FPs with Stealthy VSTO Persistence
2021-06-01 18:18:22 +02:00
Florian Roth
950b252d5c
Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki
d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki
90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki
cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
Florian Roth
34cf1333de fix: rule FPs with Stealthy VSTO Persistence 2021-06-01 13:58:35 +02:00
frack113
bf98f43850 Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
frack113
5f98f00a36 Filtering Platform Connection are in security channel not system 2021-06-01 08:19:26 +02:00
Florian Roth
b191efaab1
Merge pull request #1522 from SigmaHQ/rule-devel
rule: nginx core dump
2021-05-31 16:56:16 +02:00
Florian Roth
ab73dd4dd6 rule: nginx core dump 2021-05-31 10:49:42 +02:00
frack113
0b2037ccad fix **firewall** is a category like in all other rules 2021-05-30 09:43:29 +02:00
frack113
7d55c7ca80 category other is useless
Add a new reference
2021-05-30 09:17:41 +02:00
frack113
f91abf8929 Fix auditd is a service 2021-05-30 08:58:25 +02:00
frack113
a634452871 product is lowercase 2021-05-30 08:43:01 +02:00
frack113
58436c2a02 product is lowercase 2021-05-30 08:37:48 +02:00
frack113
33a5137bc7 Fix logsource to get accurate detection 2021-05-30 08:22:38 +02:00
Hasan
fdeb8a8e7f Added rule to detect ISO mounts 2021-05-29 22:48:29 +05:00
frack113
9a0604029e duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d
- win_cobaltstrike_service_installs.yml
- win_mal_service_installs.yml
2021-05-27 21:06:07 +02:00
frack113
179bfa7d56 duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
- sysmon_susp_webdav_client_execution.yml
- sysmon_wdigest_enable_uselogoncredential.yml
2021-05-27 20:59:26 +02:00
Florian Roth
39900bb7c5 refactor: re-add exec seldction 2021-05-27 19:24:20 +02:00
Florian Roth
9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth
c3ab7d19f1
Merge pull request #1515 from jbeley/master
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
2021-05-27 18:22:16 +02:00
Florian Roth
431f34b985 fix: other locations
https://twitter.com/ber_m1ng/status/1397948048135778309
2021-05-27 18:12:20 +02:00
Florian Roth
a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth
fa45298474
Merge pull request #1516 from SigmaHQ/rule-devel
Update win_susp_regedit_trustedinstaller.yml
2021-05-27 17:48:48 +02:00
Jeff Beley
f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth
61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth
71625c54f0
Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
2021-05-27 16:30:30 +02:00
Florian Roth
d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth
d5e8d1153f fix: missing condition 2021-05-27 15:04:13 +02:00
Florian Roth
7ce7095c2c fix: title with lower case letters 2021-05-27 15:01:32 +02:00
Florian Roth
5cf7078fb3
Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
2021-05-27 12:55:31 +02:00
Florian Roth
ea430c8823
Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
2021-05-27 12:55:03 +02:00
Florian Roth
8d834cf681
Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access
Add Windows Defender on WL
2021-05-27 12:54:15 +02:00
Florian Roth
d8827fc29d
Merge pull request #1481 from ZikyHD/improve_win_tool_psexec
Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule
2021-05-27 12:53:56 +02:00
Florian Roth
1bf9546fad
Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file
Exclude dism.exe
2021-05-27 12:53:27 +02:00
Florian Roth
9239690ef3
Merge pull request #1488 from dacelbot/master
Contribute AWS snapshot exfiltration rule
2021-05-27 12:52:46 +02:00
Florian Roth
a80c29a7c2
Merge pull request #1491 from w0rk3r/patch-1
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
2021-05-27 12:52:14 +02:00
Florian Roth
059e669ac6
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
2021-05-27 12:51:54 +02:00