Commit Graph

485 Commits

Author SHA1 Message Date
Florian Roth
707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth
125bf4f3f2 Rule adjustment
Added wilcards cause the field can contain a full path
2017-03-26 23:41:38 +02:00
Florian Roth
53cc80c8f4 Windows Supicious Process Creation
- Bugfix in selection name
- New keyword expressions
2017-03-26 23:25:47 +02:00
Florian Roth
c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Florian Roth
699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth
d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth
7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Thomas Patzke
889315c960 Changed values with placeholders to quoted strings
Values beginning with % cause YAML parse error
2017-03-18 23:05:16 +01:00
Florian Roth
dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth
dd558e941c Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth
2e32e1bb43 Rule: User account added to local Administrators 2017-03-14 12:51:50 +01:00
Florian Roth
ff8e3fe584 Merge pull request #9 from iliaselmatani/patch-1
Create win_pass_the_hash.yml
2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
IeM
9f5e5a2366 Update win_pass_the_hash.yml
Added placeholders for WorkstationName to detect network logons between Workstations.
2017-03-13 16:09:32 +01:00
IeM
4d5ded46e6 Update win_pass_the_hash.yml 2017-03-08 20:35:26 +01:00
Florian Roth
3507a5e644 Rule: Rare Windows Service Installs 2017-03-08 19:09:34 +01:00
IeM
381b85fd94 Update win_pass_the_hash.yml
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
2017-03-08 18:48:06 +01:00
IeM
e4d764ceba Create win_pass_the_hash.yml
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
2017-03-08 18:04:31 +01:00
Florian Roth
5484886932 Rule: Windows - Recon Activity (improved) 2017-03-07 13:06:38 +01:00
Florian Roth
fa6f76f276 Rule: Windows - Recon Activity 2017-03-07 12:01:39 +01:00
Florian Roth
aad892c834 Windows Built-In rules > LogSource definition 2017-03-05 23:55:52 +01:00
Florian Roth
16c5192ee9 Windows Malicious Password Dumper Service Installs 2017-03-05 23:52:02 +01:00
Florian Roth
b1446f9b87 Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00
Thomas Patzke
15c6f9411b Rule review
* Typos
* Added false positive descriptions
2017-02-24 23:44:42 +01:00
Thomas Patzke
a4611d6dc6 Added new rules
From adsecurity.org:

* https://adsecurity.org/?p=1772
* https://adsecurity.org/?p=1714
2017-02-19 22:43:27 +01:00
Florian Roth
52d04e52ac Removed lists from log source section 2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0 Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00
Thomas Patzke
9a38d6543f Fixed type of condition 2017-02-16 23:49:34 +01:00
Florian Roth
18fd63f6b7 Levels to low, medium, high, critical 2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d Rule review and cleanup
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
  OR linkage would cause wrong result.
2017-02-15 23:53:08 +01:00
Florian Roth
04ea201817 New rules and cleanup 2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5 Renamed rule files, new rules 2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5 Moved rules to a separate directory 2017-02-07 00:44:40 +01:00