Commit Graph

1680 Commits

Author SHA1 Message Date
Florian Roth
4298abffb7
Modifications 2019-04-17 23:29:29 +02:00
Florian Roth
615a802a8e
Modifications 2019-04-17 23:26:20 +02:00
Florian Roth
0a960ed3cd
Merge pull request #319 from Sam0x90/master
Update win_susp_svchost rule
2019-04-17 23:22:08 +02:00
Sam0x90
0e8a46aaf7
Update win_subp_svchost rule
Adding rpcnet.exe as ParentImage
2019-04-16 15:00:06 +02:00
christophetd
4e16bbafa8 Correct parenthesization for NOT expressions in the ES-QS backend 2019-04-16 10:30:18 +02:00
Florian Roth
17470d1545 Rule: extended parent list for legitimate svchost starts
https://twitter.com/Sam0x90/status/1117768799816753153
2019-04-15 14:54:35 +02:00
Florian Roth
daaee558a1 Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth
612a7642d2
Added Local directory 2019-04-15 08:47:53 +02:00
Florian Roth
65b81dad32 Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Florian Roth
1d3159bef0 Rule: Extended Office Shell rule 2019-04-15 08:13:35 +02:00
Karneades
d872c52a43
Add restricted filters to notepad++ gup.exe rule 2019-04-15 08:12:12 +02:00
Thomas Patzke
5194e8778c Fail on missing target selection 2019-04-14 23:50:07 +02:00
Florian Roth
1e262f5055
Merge pull request #303 from Karneades/patch-1
Remove too loose filter in wmi spwns powershell rule
2019-04-14 23:11:57 +02:00
Florian Roth
cb0a87e21e
Merge pull request #316 from megan201296/patch-19
Update win_mal_ursnif.yml
2019-04-14 23:10:16 +02:00
Florian Roth
08ec8597a5
Merge pull request #317 from megan201296/patch-20
Create apt_oceanlotus_registry.yml
2019-04-14 23:09:42 +02:00
Thomas Patzke
5463128ea0
Merge pull request #314 from Karneades/patch-4
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-14 23:02:42 +02:00
megan201296
74fce5f511
Create apt_oceanlotus_registry.yml
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/. Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
2019-04-14 12:01:52 -05:00
megan201296
eb8a0636c5
Update win_mal_ursnif.yml
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still uniique.
2019-04-14 11:51:13 -05:00
patrick
51d19b36cc Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00
patrick
4b43db2aac Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00
Florian Roth
6351c5a350 Sigma ATT&CK coverage by @jmallette 2019-04-11 18:27:52 +02:00
Florian Roth
038918d2c0
Merge pull request #311 from jmallette/master
ATT&CK Navigator Coverage Layer
2019-04-11 18:18:16 +02:00
Karneades
75d36165fc
Remove non-generic falsepositives
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
Karneades
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00
Jon
cd456a1d2b initial SIGMA ATTACK Navigator layer release 2019-04-09 22:49:28 -04:00
jmallette
c775b7a033
Merge pull request #1 from Neo23x0/master
update fork
2019-04-09 22:43:32 -04:00
Jason Lynch
89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch
f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
patrick
ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Karneades
97376c00de
Fix condition 2019-04-04 22:33:32 +02:00
Karneades
766b8b8d18
Fix condition 2019-04-04 22:32:47 +02:00
Karneades
788e75ef1b
Fix condition 2019-04-04 22:32:21 +02:00
Karneades
840eb2f519
Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00
Karneades
eb690d8902
Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Karneades
1915561351
Remove to loose wildcard from wmi spwns powershell rule 2019-04-04 22:12:28 +02:00
Florian Roth
81693d81b6
Merge pull request #295 from sbousseaden/master
Create win_atsvc_task.yml
2019-04-04 18:32:13 +02:00
sbousseaden
c4b8f75940
Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
MadsRC
41b4d800c5
Update net_susp_dns_txt_exec_strings.yml
Fixed my botched YAML syntax...
2019-04-04 08:35:37 +02:00
sbousseaden
22958c45a3
Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden
b4ac9a432f
Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden
353e457104
Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden
d5818a417b
Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden
9c5575d003
Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden
edb98f2781
Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
MadsRC
d0d51b6601
Update net_susp_dns_txt_exec_strings.yml
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.

"record_type" was chosen as that fits with Splunks "Network Resolution (DNS)" datamodel.
2019-04-03 20:31:31 +02:00
Florian Roth
2b814011cd
Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature
Add new signature for linux clear command history
2019-04-03 19:45:06 +02:00
Florian Roth
13f86e9333
Merge pull request #296 from Karneades/patch-1
Remove backslashes in CommandLine for sticky key rule
2019-04-03 19:44:02 +02:00
Florian Roth
b4b7d810fc
Merge pull request #300 from yt0ng/development
Sqirrel packages manager, EmpireMonkey, WMI Spawning PowerShel
2019-04-03 19:20:46 +02:00
yt0ng
e0459cec1c
renamed file 2019-04-03 17:39:17 +02:00
christophetd
d32e5c10b8 Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time 2019-04-03 17:22:58 +02:00