Florian Roth
|
3f46d0ea28
|
Update sysmon_outlook_newform.yml
|
2021-06-10 17:41:57 +02:00 |
|
frack113
|
fb2d0092f1
|
forget to add modified
|
2021-06-10 17:27:15 +02:00 |
|
frack113
|
4e516414c9
|
Split to Convert eventID to correct category
|
2021-06-10 16:58:45 +02:00 |
|
frack113
|
a0aed54f7d
|
Convert eventID 22 to category dns_query
|
2021-06-10 16:43:33 +02:00 |
|
Tobias Michalski
|
54e98c8441
|
Merge branch 'master' of github.com:humpalum/sigma
|
2021-06-10 16:41:22 +02:00 |
|
Tobias Michalski
|
1f52763878
|
Removed EventIDs
|
2021-06-10 16:41:00 +02:00 |
|
frack113
|
7cb10b5475
|
convert eventID to category
|
2021-06-10 16:36:14 +02:00 |
|
Tobias Michalski
|
e8c38a9d6c
|
Renamed file to all lowercase
|
2021-06-10 16:35:02 +02:00 |
|
Florian Roth
|
83dddf99b4
|
Update win_exchange_TransportAgent.yml
|
2021-06-10 16:07:22 +02:00 |
|
Florian Roth
|
0cfc462fb9
|
fix: fixed driver load rule
|
2021-06-10 16:03:35 +02:00 |
|
Florian Roth
|
cd0531b345
|
fix: removed process_creation log source
|
2021-06-10 15:37:00 +02:00 |
|
Tobias Michalski
|
3970934252
|
Switched EventID:1 to category: process_creation
|
2021-06-10 14:13:29 +02:00 |
|
Tobias Michalski
|
b1913deaca
|
Removed extra whitespace
|
2021-06-10 14:09:16 +02:00 |
|
luffynextgen
|
e170a4a12a
|
Update sysmon_svchost_cred_dump.yml
following the advices given to me I changed the category and the filter to be closer to sysmon field.
|
2021-06-10 14:04:58 +02:00 |
|
Tobias Michalski
|
56d200bad0
|
Fixed meta informations
|
2021-06-10 12:44:19 +02:00 |
|
Tobias Michalski
|
bbc8633c67
|
Merge branch 'master' of github.com:humpalum/sigma
|
2021-06-10 11:32:08 +02:00 |
|
Tobias Michalski
|
4d6e7e1338
|
Rules persitence by exploiting Outlook or Exchange
|
2021-06-10 11:26:21 +02:00 |
|
Florian Roth
|
5e35e387dd
|
Merge pull request #1549 from SigmaHQ/rule-devel
Rule devel
|
2021-06-10 10:19:47 +02:00 |
|
Florian Roth
|
45c3d4702b
|
Merge pull request #1520 from SyeedHasan/master
Detection rule for 'ISO mounts'
|
2021-06-10 09:51:29 +02:00 |
|
Florian Roth
|
78817d100b
|
style: removed unneeded space chars
|
2021-06-10 09:42:19 +02:00 |
|
Florian Roth
|
9c0700bc56
|
Powershell artefacts to critical
|
2021-06-10 09:42:07 +02:00 |
|
Florian Roth
|
04faf985d2
|
more PowerShell suspicious keywords
|
2021-06-10 09:41:55 +02:00 |
|
Florian Roth
|
f52ed7604c
|
BabyShark Pattern
|
2021-06-10 09:41:36 +02:00 |
|
Florian Roth
|
28abdf3a81
|
Update win_iso_mount.yml
|
2021-06-10 09:31:40 +02:00 |
|
luffynextgen
|
c75d92410d
|
Create sysmon_svchost_cred_dump.yml
|
2021-06-10 09:30:08 +02:00 |
|
Florian Roth
|
b2d0fbba2c
|
Adjustments
|
2021-06-10 09:12:37 +02:00 |
|
Florian Roth
|
8a04bea6aa
|
Merge pull request #1535 from mvelazc0/master
Password Spraying Sigma Rules
|
2021-06-08 16:14:52 +02:00 |
|
Andreas Hunkeler
|
2d44803bf5
|
Revert renaming of ngrok rule
Initially the rule had only a detection for RDP but after my last commits we have more ports in detections, so previous generic name is better.
|
2021-06-08 13:09:35 +02:00 |
|
Florian Roth
|
cfdf3b7c08
|
Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies
Add t1490 powershell delete volume shadow copie
|
2021-06-08 11:02:34 +02:00 |
|
Florian Roth
|
07176ddb25
|
Merge pull request #1541 from frack113/win_tamper_with_windows_defender
Windows tamper with windows defender
|
2021-06-08 11:02:14 +02:00 |
|
Florian Roth
|
242b56031f
|
Merge pull request #1542 from Karneades/patch-1
Update ngrok usage rule
|
2021-06-08 11:01:45 +02:00 |
|
frack113
|
c1f43cc4ca
|
T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features
|
2021-06-08 09:32:01 +02:00 |
|
frack113
|
0a6f7763aa
|
Split original to existing file
|
2021-06-07 20:27:14 +02:00 |
|
Andreas Hunkeler
|
cea2d5cd81
|
Add modified date to ngrok rule
|
2021-06-07 18:17:17 +02:00 |
|
Andreas Hunkeler
|
e1ef13bb24
|
Update ngrok usage rule
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
|
2021-06-07 17:20:18 +02:00 |
|
frack113
|
5914e46d4a
|
fix typo errors
|
2021-06-07 15:15:36 +02:00 |
|
frack113
|
e66a3f9513
|
T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp.
|
2021-06-07 15:03:19 +02:00 |
|
frack113
|
43ccc07ad0
|
T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
|
2021-06-07 10:09:21 +02:00 |
|
mvelazco
|
178df3f056
|
fixing title lengths
|
2021-06-04 10:57:52 -04:00 |
|
frack113
|
169f948ac2
|
Get a new error after another Atomic Test
|
2021-06-04 13:20:10 +02:00 |
|
frack113
|
3d9fe490ab
|
Detect modification of sysmon configuration by sysmon
|
2021-06-04 11:27:15 +02:00 |
|
mvelazco
|
d8aa0ae124
|
adding references
|
2021-06-03 23:38:10 -04:00 |
|
mvelazco
|
d4f66f2af6
|
rolling back unwanted changes
|
2021-06-03 18:29:06 -04:00 |
|
mvelazco
|
7ebab6f872
|
Merge branch 'master' of github.com:mvelazc0/sigma
|
2021-06-03 18:26:09 -04:00 |
|
mvelazco
|
103fe2b344
|
minor fixes and 3 extra sigma rules
|
2021-06-03 18:26:07 -04:00 |
|
mvelazco
|
f53675f41a
|
Merge branch 'SigmaHQ:master' into master
|
2021-06-03 14:54:41 -07:00 |
|
mvelazco
|
50d734a17a
|
Adding 4 initial sigma rules
|
2021-06-03 17:51:47 -04:00 |
|
frack113
|
537272c944
|
Add t1490 powershell delete volume shadow copie
|
2021-06-03 22:39:06 +02:00 |
|
Remco Hofman
|
12c822511e
|
Consistency: Service File Name to ServiceFileName
|
2021-06-03 21:33:11 +02:00 |
|
Florian Roth
|
42036049ec
|
Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration
Filtering Platform Connection are in security channel not system
|
2021-06-03 20:50:23 +02:00 |
|
Florian Roth
|
b45561c4c9
|
Merge pull request #1524 from frack113/fix_powershell_alternate_powershell_hosts
make powershell_alternate_powershell_hosts more accurate
|
2021-06-03 20:50:06 +02:00 |
|
Florian Roth
|
d41825766a
|
Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
|
2021-06-03 20:49:31 +02:00 |
|
Florian Roth
|
4d7b3b7afe
|
Merge pull request #1530 from Karneades/patch-1
Add further detections to shadow copies deletion
|
2021-06-03 13:51:00 +02:00 |
|
Florian Roth
|
11eca86be3
|
Update process_creation_c3_load_by_rundll32.yml
|
2021-06-03 12:44:47 +02:00 |
|
Florian Roth
|
151d120a24
|
Update process_creation_SDelete.yml
|
2021-06-03 12:40:55 +02:00 |
|
frack113
|
ba0f2e6b16
|
Add windows T1485 SDelete
|
2021-06-03 10:59:22 +02:00 |
|
Alfie Champion
|
9876643e3e
|
added rule for rundll32 launch of fsecure C3
|
2021-06-02 19:57:39 +01:00 |
|
Andreas Hunkeler
|
e8ee6aec2f
|
Add further detections to shadow copies deletion
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
|
2021-06-02 15:47:41 +02:00 |
|
Florian Roth
|
7812ff51d3
|
fix: FPs with Volume Shadow Copy Service Keys
|
2021-06-02 13:04:05 +02:00 |
|
Florian Roth
|
7288ae93b9
|
Merge pull request #1526 from WojciechLesicki/master
Added a new rule about loading dll CS via rundll32 and also some chan…
|
2021-06-01 21:54:26 +02:00 |
|
Florian Roth
|
eb4300756e
|
Update win_cobaltstrike_service_installs.yml
|
2021-06-01 21:53:25 +02:00 |
|
Florian Roth
|
736eeabf9f
|
Merge pull request #1527 from SigmaHQ/rule-devel
fix: rule FPs with Stealthy VSTO Persistence
|
2021-06-01 18:18:22 +02:00 |
|
Florian Roth
|
950b252d5c
|
Update process_creation_cobaltstrike_load_by_rundll32.yml
|
2021-06-01 18:11:19 +02:00 |
|
WojciechLesicki
|
d6f6b88b4c
|
I corrected the tag
|
2021-06-01 17:11:24 +02:00 |
|
WojciechLesicki
|
90a21d954a
|
Change title
|
2021-06-01 16:55:49 +02:00 |
|
WojciechLesicki
|
cc4c55ed10
|
Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations
|
2021-06-01 16:18:23 +02:00 |
|
Florian Roth
|
34cf1333de
|
fix: rule FPs with Stealthy VSTO Persistence
|
2021-06-01 13:58:35 +02:00 |
|
frack113
|
bf98f43850
|
Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID
|
2021-06-01 10:47:17 +02:00 |
|
frack113
|
5f98f00a36
|
Filtering Platform Connection are in security channel not system
|
2021-06-01 08:19:26 +02:00 |
|
Florian Roth
|
b191efaab1
|
Merge pull request #1522 from SigmaHQ/rule-devel
rule: nginx core dump
|
2021-05-31 16:56:16 +02:00 |
|
Florian Roth
|
ab73dd4dd6
|
rule: nginx core dump
|
2021-05-31 10:49:42 +02:00 |
|
frack113
|
0b2037ccad
|
fix **firewall** is a category like in all other rules
|
2021-05-30 09:43:29 +02:00 |
|
frack113
|
7d55c7ca80
|
category other is useless
Add a new reference
|
2021-05-30 09:17:41 +02:00 |
|
frack113
|
f91abf8929
|
Fix auditd is a service
|
2021-05-30 08:58:25 +02:00 |
|
frack113
|
a634452871
|
product is lowercase
|
2021-05-30 08:43:01 +02:00 |
|
frack113
|
58436c2a02
|
product is lowercase
|
2021-05-30 08:37:48 +02:00 |
|
frack113
|
33a5137bc7
|
Fix logsource to get accurate detection
|
2021-05-30 08:22:38 +02:00 |
|
Hasan
|
fdeb8a8e7f
|
Added rule to detect ISO mounts
|
2021-05-29 22:48:29 +05:00 |
|
frack113
|
9a0604029e
|
duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d
- win_cobaltstrike_service_installs.yml
- win_mal_service_installs.yml
|
2021-05-27 21:06:07 +02:00 |
|
frack113
|
179bfa7d56
|
duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
- sysmon_susp_webdav_client_execution.yml
- sysmon_wdigest_enable_uselogoncredential.yml
|
2021-05-27 20:59:26 +02:00 |
|
Florian Roth
|
39900bb7c5
|
refactor: re-add exec seldction
|
2021-05-27 19:24:20 +02:00 |
|
Florian Roth
|
9af8e81cb4
|
Merge branch 'master' into rule-devel
|
2021-05-27 19:23:21 +02:00 |
|
Florian Roth
|
c3ab7d19f1
|
Merge pull request #1515 from jbeley/master
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
|
2021-05-27 18:22:16 +02:00 |
|
Florian Roth
|
431f34b985
|
fix: other locations
https://twitter.com/ber_m1ng/status/1397948048135778309
|
2021-05-27 18:12:20 +02:00 |
|
Florian Roth
|
a4e6f58b16
|
rule: suspicious programs - no DLL in command line
|
2021-05-27 17:49:10 +02:00 |
|
Florian Roth
|
fa45298474
|
Merge pull request #1516 from SigmaHQ/rule-devel
Update win_susp_regedit_trustedinstaller.yml
|
2021-05-27 17:48:48 +02:00 |
|
Jeff Beley
|
f675ac36b1
|
Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON)
|
2021-05-27 15:03:52 +00:00 |
|
Florian Roth
|
61f5e66569
|
Update win_susp_regedit_trustedinstaller.yml
|
2021-05-27 16:57:41 +02:00 |
|
Florian Roth
|
71625c54f0
|
Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
|
2021-05-27 16:30:30 +02:00 |
|
Florian Roth
|
d1582944a7
|
fix: dates in new rules
|
2021-05-27 16:30:09 +02:00 |
|
Florian Roth
|
d5e8d1153f
|
fix: missing condition
|
2021-05-27 15:04:13 +02:00 |
|
Florian Roth
|
7ce7095c2c
|
fix: title with lower case letters
|
2021-05-27 15:01:32 +02:00 |
|
Florian Roth
|
5cf7078fb3
|
Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
|
2021-05-27 12:55:31 +02:00 |
|
Florian Roth
|
ea430c8823
|
Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
|
2021-05-27 12:55:03 +02:00 |
|
Florian Roth
|
8d834cf681
|
Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access
Add Windows Defender on WL
|
2021-05-27 12:54:15 +02:00 |
|
Florian Roth
|
d8827fc29d
|
Merge pull request #1481 from ZikyHD/improve_win_tool_psexec
Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule
|
2021-05-27 12:53:56 +02:00 |
|
Florian Roth
|
1bf9546fad
|
Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file
Exclude dism.exe
|
2021-05-27 12:53:27 +02:00 |
|
Florian Roth
|
9239690ef3
|
Merge pull request #1488 from dacelbot/master
Contribute AWS snapshot exfiltration rule
|
2021-05-27 12:52:46 +02:00 |
|
Florian Roth
|
a80c29a7c2
|
Merge pull request #1491 from w0rk3r/patch-1
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
|
2021-05-27 12:52:14 +02:00 |
|
Florian Roth
|
059e669ac6
|
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
|
2021-05-27 12:51:54 +02:00 |
|