Florian Roth
6ad5f82248
Corrected rule
2017-05-25 12:06:23 +02:00
dimi
0b8c82b75b
1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading
...
2) correct typo in dns server rule
2017-05-15 20:58:31 +02:00
Florian Roth
01e1d3a3d7
WannaCry Service Install
2017-05-15 16:06:16 +02:00
Florian Roth
75e55d647b
Fixed and added strings
2017-05-13 18:33:51 +02:00
Florian Roth
46643324a8
Wannacrypt Update
2017-05-13 10:40:41 +02:00
Florian Roth
c40c592fb5
Changed rule as "m.vbs" isn't stable
2017-05-13 08:32:30 +02:00
Florian Roth
7c56992de5
Reference in WannaCrypt rule
2017-05-12 23:02:13 +02:00
Florian Roth
d35b6c0353
Backup catalog deletion rule
2017-05-12 23:00:56 +02:00
Florian Roth
b7837d4cdb
Fixed WannaCrypt rule
2017-05-12 22:32:40 +02:00
Florian Roth
1ab3c746c1
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-05-12 21:59:43 +02:00
Florian Roth
5cdb2b013b
WannaCrypt Ransomware
2017-05-12 21:57:53 +02:00
Florian Roth
0b541b2689
Suspicious Windows Process Creations Update
2017-05-12 21:55:30 +02:00
Thomas Patzke
300dbe8f3e
Fixed condition
...
AND has higher precedence than OR.
2017-05-09 23:12:02 +02:00
Florian Roth
565c51e5be
Removed "1 of" expression (no bug, but cleaner)
2017-05-09 22:58:42 +02:00
Florian Roth
a6678e199b
Microsoft Malware Protection Engine Crash - ref CVE-2017-0290
2017-05-09 22:46:57 +02:00
Florian Roth
96deef7d34
Updated sigma signature
2017-05-08 21:25:07 +02:00
Florian Roth
16ac2337a4
Suspicious DNS Server Config Error - Sysmon Rule
2017-05-08 13:39:50 +02:00
Florian Roth
75e58b8142
Bugfix and date
2017-05-08 13:10:40 +02:00
Florian Roth
263c98a2c8
Suspicious DNS Server Config Error - ServerLevelPluginDLL issue
2017-05-08 13:09:50 +02:00
Florian Roth
c7cc2a00d3
WScript/CScript Dropper
2017-05-05 17:30:46 +02:00
Florian Roth
004fed24e0
Linux Generic Rules
2017-05-02 20:32:38 +02:00
Florian Roth
dc4ae35be1
Schtasks frequency - minute
2017-04-28 17:03:35 +02:00
Florian Roth
a5c3f424c1
regsvr32 Anomalies
2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b
Minor fix > list to single value
2017-04-16 12:01:03 +02:00
Florian Roth
30163939f3
Fix: Rule identifier in EQGRP C2 rule
2017-04-15 23:32:56 +02:00
Florian Roth
8363b25888
Suspicious Control Panel DLL Load
2017-04-15 23:32:26 +02:00
Florian Roth
a0ee92a5c3
Equation group C2 server in firewall log rule
2017-04-15 11:32:56 +02:00
Florian Roth
37449e2c5d
Fix: Search to log source in network rule
2017-04-15 11:32:38 +02:00
Florian Roth
89e43c1059
Improved MSHTA rule
2017-04-13 09:25:34 +02:00
Florian Roth
d66c97921f
Bugfix in rule
2017-04-13 01:22:03 +02:00
Florian Roth
059cfbf15a
Removed duplicate
2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df
MSHTA Rule v1
2017-04-13 01:08:37 +02:00
Florian Roth
64caa8aedc
Merge pull request #31 from neu5ron/patch-4
...
Create win_alert_ad_user_backdoors.yml
2017-04-13 01:07:41 +02:00
Florian Roth
1e4d563a4d
Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving
...
improved win_pass_the_hash.yml rule
2017-04-13 01:05:09 +02:00
Nate Guagenti
53313d45be
Create win_alert_ad_user_backdoors.yml
2017-04-12 16:15:41 -04:00
Florian Roth
a5297b1f29
Equation Group Script/Tool Commands
2017-04-09 20:11:56 +02:00
Florian Roth
abb01cc264
Rule: PowerShell credential prompt
2017-04-09 10:22:04 +02:00
Florian Roth
44bedf9e17
Rule: Cloud Hopper WmiExec VBS
2017-04-07 17:41:53 +02:00
Florian Roth
92b4a7ad93
Added reference
2017-04-07 15:42:08 +02:00
yugoslavskiy
f83d0e36b8
improved win_pass_the_hash.yml rule
...
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]
[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
2017-04-04 02:57:58 +03:00
Nate Guagenti
2bb7d7e6eb
Create win_alert_active_directory_user_control.yml
2017-04-03 15:58:23 -04:00
Nate Guagenti
85b4efabed
Update win_alert_enable_weak_encryption.yml
2017-04-03 09:15:52 -04:00
Nate Guagenti
bd63d74776
Create win_alert_enable_weak_encryption.yml
...
kerberoast and enabling weak encryption for password/hash cracking
2017-04-03 09:12:58 -04:00
Florian Roth
0650aa3cbe
Rule: Suspicious cmd.exe combo with http and AppData
2017-04-03 10:41:10 +02:00
Florian Roth
d9e6913c03
APT 29 - tor / google update service
2017-04-01 10:30:36 +02:00
Florian Roth
43d907791c
Rule: APT29 Google Update service install
2017-03-31 19:31:13 +02:00
Florian Roth
2657ff7db8
Rule: Carbon Paper Framework Service (Turla)
...
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
2017-03-31 19:25:41 +02:00
Florian Roth
919a04666c
Improved StoneDrill Rule
2017-03-31 19:25:10 +02:00
Florian Roth
fa90fb2fed
Improved WMIC process call create rule
2017-03-29 22:11:05 +02:00
Florian Roth
e6a81623a8
PowerShell Combo - False Positive with MOM
2017-03-29 22:10:28 +02:00
Florian Roth
f91f813b3f
Improved certutil.exe rules
2017-03-27 22:30:26 +02:00
Florian Roth
078eaa1180
Updated Windows suspicious activity
2017-03-27 17:27:04 +02:00
Florian Roth
67d9c44bb3
Improved linux suspicious activity rule
2017-03-27 15:21:39 +02:00
Florian Roth
707e5a948f
Rules: Password dumper activity and lateral movement
2017-03-27 15:20:50 +02:00
Florian Roth
c5323ac1c2
Changes to Linux suspicious activity rule
2017-03-27 10:29:57 +02:00
Florian Roth
125bf4f3f2
Rule adjustment
...
Added wilcards cause the field can contain a full path
2017-03-26 23:41:38 +02:00
Florian Roth
53cc80c8f4
Windows Supicious Process Creation
...
- Bugfix in selection name
- New keyword expressions
2017-03-26 23:25:47 +02:00
Florian Roth
b0c8ffb051
Combined vssadmin rule
2017-03-26 01:27:26 +01:00
Florian Roth
800262a738
Renamed and double removed
2017-03-26 01:27:08 +01:00
Florian Roth
c1a6a542db
Rule: Windows 4688 process creation rule
2017-03-26 01:26:34 +01:00
Florian Roth
5c4a13af71
Rules: Linux commands and log entries of interest
2017-03-25 19:59:45 +01:00
Florian Roth
c8cc857b7c
Improved the linux suspicious keywords rule
2017-03-25 19:23:10 +01:00
Michael Haag
5ea6fad999
net.exe and wmic.exe
...
Suspicious execution of net and wmic
2017-03-25 06:48:23 -07:00
Florian Roth
699c638ee2
Bugfix: Wrong Event ID and extended description
2017-03-23 11:50:30 +01:00
Florian Roth
d377884972
Rule: Rare scheduled tasks creations
2017-03-23 11:45:10 +01:00
Florian Roth
10ee36f26c
Updated Eventvwr UAC evasion
2017-03-22 14:40:55 +01:00
Florian Roth
fa37f5afcf
Rules: PowerShell Downgrade Attacks
2017-03-22 11:17:46 +01:00
Florian Roth
3bfa9ed121
Bugfix: Minor fix cause Sysmon uses SID as Software key
2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32
Bugfix: Fixed UAC bypass rules
2017-03-21 10:42:22 +01:00
Florian Roth
7ce958a3ed
Bugfixes and improvements
2017-03-21 10:24:20 +01:00
Florian Roth
f9be5b99ad
Rule: Suspicious task creation description changed
2017-03-21 10:23:53 +01:00
Florian Roth
6932fcec65
Rule: Linux shell more suspicious keywords
2017-03-21 10:23:12 +01:00
Florian Roth
055992eb05
Bugfix: PowerShell rules log source inconstency
2017-03-21 10:22:13 +01:00
Florian Roth
6f38a44ec1
Broader definition certutil.exe rule
2017-03-20 22:07:04 +01:00
Florian Roth
2817ea2605
Bugfix in UAC Rule
2017-03-19 19:46:19 +01:00
Florian Roth
b2c15c2cf7
Rule: UAC bypass via eventvwr, minor changes
2017-03-19 19:34:06 +01:00
Florian Roth
c82da0dc5c
Rules: Suspicious locations and back connect ports
2017-03-19 15:22:27 +01:00
Thomas Patzke
889315c960
Changed values with placeholders to quoted strings
...
Values beginning with % cause YAML parse error
2017-03-18 23:05:16 +01:00
Thomas Patzke
56f415e42c
Fixed rule
2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb
Create sysmon_sdclt_uac_bypass.yml
...
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ . Sorry in advance for not being 100% about the sysmon event ids / fields
2017-03-17 14:31:26 -04:00
Florian Roth
59499f926e
Bugfix: Taskscheduler log source definition
2017-03-17 16:09:31 +01:00
Florian Roth
dd81b18d6e
Rule: Suspicious interactive console logons to servers
2017-03-17 09:44:24 +01:00
Florian Roth
bcc250e1c7
Added missing description
2017-03-17 08:43:21 +01:00
Florian Roth
e46ecd2aff
Rule: Rare scheduled task installs
2017-03-17 08:41:27 +01:00
Florian Roth
3a7652fff9
Added references to rule
2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc
Rule: Vssadmin / NTDS.dit activity
2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5
Rule: Windows recon activity
2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2
Rule: Suspicious PowerShell parent image combination
2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7
Renamed and removed double space
2017-03-16 18:58:32 +01:00
Florian Roth
789b3899df
Improved Linux Shell Activity Rule
2017-03-15 09:07:59 +01:00
Florian Roth
9afa12f4a3
Further shell commands from MSF repo
2017-03-14 16:33:51 +01:00
Florian Roth
daeb7c3693
Rule: Suspicious activity in shell commands
2017-03-14 14:54:08 +01:00
Florian Roth
546a587df7
Rule: Shellshock Regex detection
...
http://rubular.com/r/zxBfjWfFYs
2017-03-14 14:53:29 +01:00
Florian Roth
dd558e941c
Rule: Access to ADMIN$ share
2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710
Bug and typo fixes
2017-03-14 14:52:28 +01:00
Florian Roth
2e32e1bb43
Rule: User account added to local Administrators
2017-03-14 12:51:50 +01:00
Florian Roth
cb683a6b56
Rule: Suspicious executions in web folders / non-exe folders
2017-03-13 23:56:06 +01:00
Florian Roth
c571848e9b
Rule: Scheduled task creation
2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0
Reduced to user accounts
2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8
Restrict rule to non-private IP ranges only
2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5
Rule: Suspicious PowerShell Parameter Substring
2017-03-13 17:23:25 +01:00
Florian Roth
ff8e3fe584
Merge pull request #9 from iliaselmatani/patch-1
...
Create win_pass_the_hash.yml
2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c
Update win_pass_the_hash.yml
2017-03-13 16:16:34 +01:00
Florian Roth
a87d513efa
Rule: Suspicious executable downloads
2017-03-13 16:11:43 +01:00
IeM
9f5e5a2366
Update win_pass_the_hash.yml
...
Added placeholders for WorkstationName to detect network logons between Workstations.
2017-03-13 16:09:32 +01:00
Florian Roth
85c298c43c
Bugfix in rule
2017-03-13 15:09:48 +01:00
Florian Roth
606d74546a
Rule: PowerShell with network connections
2017-03-13 13:57:41 +01:00
Florian Roth
b8db4935e0
Rule: PowerShell UserAgent in Proxy Logs
2017-03-13 13:51:32 +01:00
Florian Roth
a0047f7c67
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
Florian Roth
9fd375c130
Bugfix: Added time frame to correlation rule
2017-03-12 17:11:29 +01:00
Florian Roth
4470c2f893
PowerShell Suspicious Invocation > Sysmon
2017-03-12 17:11:05 +01:00
Florian Roth
de689c32b5
Suspicious PowerShell Invocation
2017-03-12 17:06:53 +01:00
Florian Roth
d6957f1c2e
Merge pull request #10 from MHaggis/master
...
Sysmon
2017-03-09 08:05:22 +01:00
Michael Haag
c5f05dd829
bitsadmin & VSSAdmin
...
+Bitsadmin download
+VSSAdmin delete
2017-03-08 22:49:35 -08:00
IeM
4d5ded46e6
Update win_pass_the_hash.yml
2017-03-08 20:35:26 +01:00
Florian Roth
3507a5e644
Rule: Rare Windows Service Installs
2017-03-08 19:09:34 +01:00
IeM
381b85fd94
Update win_pass_the_hash.yml
...
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
2017-03-08 18:48:06 +01:00
IeM
e4d764ceba
Create win_pass_the_hash.yml
...
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
2017-03-08 18:04:31 +01:00
Florian Roth
5484886932
Rule: Windows - Recon Activity (improved)
2017-03-07 13:06:38 +01:00
Florian Roth
fa6f76f276
Rule: Windows - Recon Activity
2017-03-07 12:01:39 +01:00
Florian Roth
b34d1b7565
Stonedrill rule enhancement
2017-03-07 10:22:14 +01:00
Florian Roth
7113b3aed9
Rule: APT StoneDrill Service Install
2017-03-07 09:24:12 +01:00
Florian Roth
aad892c834
Windows Built-In rules > LogSource definition
2017-03-05 23:55:52 +01:00
Florian Roth
16c5192ee9
Windows Malicious Password Dumper Service Installs
2017-03-05 23:52:02 +01:00
Florian Roth
7b815ef3e5
Sysmon PowerShell - Suspicious Param Combination
2017-03-05 23:51:39 +01:00
Florian Roth
294df21c56
Added expression
2017-03-05 22:45:54 +01:00
Florian Roth
7fae49b183
More PowerShell rules
2017-03-05 15:01:51 +01:00
Florian Roth
1e1cf9cb9e
PowerShell Rules Revision
2017-03-05 14:14:31 +01:00
Omer Yampel
97b4078d01
Update powershell_malicious_commandlets.yml
...
Added https://github.com/putterpanda/mimikittenz reference
2017-03-04 20:26:39 -05:00
Florian Roth
12535417d9
Typo
2017-03-05 01:47:37 +01:00
Florian Roth
d397ee9f68
First PowerShell Ruleset
2017-03-05 01:47:25 +01:00
Michael Haag
a3cd7123a8
wscript/cscript
...
WSF, JSE, JS, VBA and VBE file execution
2017-03-04 14:40:34 -08:00
Michael Haag
4ac5d86479
mshta shells
...
🐚 for all!
2017-03-04 14:33:09 -08:00
Michael Haag
1317fe9df2
Modifications
...
+ Added Sysmon detection of Office binaries spawning Windows shells
+ Additional web servers added for webshell detection
2017-03-04 14:22:44 -08:00
Florian Roth
a9d6295791
Rule: Sysmon Malware Shellcode in Verclsid Process
2017-03-04 10:38:23 +01:00
Florian Roth
15e61a9681
Rule: Certutil Decode in AppData
2017-03-02 11:28:34 +01:00
Florian Roth
b6459a00ab
Two new Sysmon rules for Office Macro/PS detection
2017-03-02 11:06:53 +01:00
Florian Roth
8559837aab
Removed Sysmon EventLog from selection > via 'logsource'
2017-03-02 11:06:20 +01:00
Florian Roth
b4f2a74371
Proposed changes to mimimkatz-inmemory aggregation
2017-03-01 10:16:43 +01:00
Florian Roth
9934a66a3c
Rule: ClamAV
2017-03-01 10:00:17 +01:00
Florian Roth
2e0632b05f
Rule: Linux: buffer overflows
2017-03-01 08:38:33 +01:00
Florian Roth
001bed0c45
ModSecurity rule: multiple blocks
2017-02-28 17:53:32 +01:00
Florian Roth
9c8ed4c0b1
Apache segmentation fault rule
2017-02-28 17:53:06 +01:00
Florian Roth
b1446f9b87
Removed 'last' keyword from 'timeframe' fields
2017-02-28 17:52:40 +01:00
Thomas Patzke
15c6f9411b
Rule review
...
* Typos
* Added false positive descriptions
2017-02-24 23:44:42 +01:00
Thomas Patzke
fdbadb8e6e
Rule fix
...
Fixed condition in webshell keyowrd rule.
2017-02-22 22:42:35 +01:00
Thomas Patzke
a4611d6dc6
Added new rules
...
From adsecurity.org:
* https://adsecurity.org/?p=1772
* https://adsecurity.org/?p=1714
2017-02-19 22:43:27 +01:00
Florian Roth
52d04e52ac
Removed lists from log source section
2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0
Sysmon rules 'logsource' change
2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff
Added "logsource" sections and new rule
2017-02-19 00:31:59 +01:00
Thomas Patzke
9a38d6543f
Fixed type of condition
2017-02-16 23:49:34 +01:00
Florian Roth
18fd63f6b7
Levels to low, medium, high, critical
2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d
Rule review and cleanup
...
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
OR linkage would cause wrong result.
2017-02-15 23:53:08 +01:00
Florian Roth
a6173df0b9
LSASS Remote Thread Update
2017-02-12 16:33:09 +01:00
Florian Roth
04ea201817
New rules and cleanup
2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5
Renamed rule files, new rules
2017-02-10 19:17:02 +01:00
Thomas Patzke
97847a29de
Moved network rules into rules directory
2017-02-08 12:43:50 +01:00
Florian Roth
1307a45fd5
Moved rules to a separate directory
2017-02-07 00:44:40 +01:00