Florian Roth
707e5a948f
Rules: Password dumper activity and lateral movement
2017-03-27 15:20:50 +02:00
Florian Roth
125bf4f3f2
Rule adjustment
...
Added wilcards cause the field can contain a full path
2017-03-26 23:41:38 +02:00
Florian Roth
53cc80c8f4
Windows Supicious Process Creation
...
- Bugfix in selection name
- New keyword expressions
2017-03-26 23:25:47 +02:00
Florian Roth
c1a6a542db
Rule: Windows 4688 process creation rule
2017-03-26 01:26:34 +01:00
Florian Roth
699c638ee2
Bugfix: Wrong Event ID and extended description
2017-03-23 11:50:30 +01:00
Florian Roth
d377884972
Rule: Rare scheduled tasks creations
2017-03-23 11:45:10 +01:00
Florian Roth
7ce958a3ed
Bugfixes and improvements
2017-03-21 10:24:20 +01:00
Thomas Patzke
889315c960
Changed values with placeholders to quoted strings
...
Values beginning with % cause YAML parse error
2017-03-18 23:05:16 +01:00
Florian Roth
dd81b18d6e
Rule: Suspicious interactive console logons to servers
2017-03-17 09:44:24 +01:00
Florian Roth
dd558e941c
Rule: Access to ADMIN$ share
2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710
Bug and typo fixes
2017-03-14 14:52:28 +01:00
Florian Roth
2e32e1bb43
Rule: User account added to local Administrators
2017-03-14 12:51:50 +01:00
Florian Roth
ff8e3fe584
Merge pull request #9 from iliaselmatani/patch-1
...
Create win_pass_the_hash.yml
2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c
Update win_pass_the_hash.yml
2017-03-13 16:16:34 +01:00
IeM
9f5e5a2366
Update win_pass_the_hash.yml
...
Added placeholders for WorkstationName to detect network logons between Workstations.
2017-03-13 16:09:32 +01:00
IeM
4d5ded46e6
Update win_pass_the_hash.yml
2017-03-08 20:35:26 +01:00
Florian Roth
3507a5e644
Rule: Rare Windows Service Installs
2017-03-08 19:09:34 +01:00
IeM
381b85fd94
Update win_pass_the_hash.yml
...
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
2017-03-08 18:48:06 +01:00
IeM
e4d764ceba
Create win_pass_the_hash.yml
...
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
2017-03-08 18:04:31 +01:00
Florian Roth
5484886932
Rule: Windows - Recon Activity (improved)
2017-03-07 13:06:38 +01:00
Florian Roth
fa6f76f276
Rule: Windows - Recon Activity
2017-03-07 12:01:39 +01:00
Florian Roth
aad892c834
Windows Built-In rules > LogSource definition
2017-03-05 23:55:52 +01:00
Florian Roth
16c5192ee9
Windows Malicious Password Dumper Service Installs
2017-03-05 23:52:02 +01:00
Florian Roth
b1446f9b87
Removed 'last' keyword from 'timeframe' fields
2017-02-28 17:52:40 +01:00
Thomas Patzke
15c6f9411b
Rule review
...
* Typos
* Added false positive descriptions
2017-02-24 23:44:42 +01:00
Thomas Patzke
a4611d6dc6
Added new rules
...
From adsecurity.org:
* https://adsecurity.org/?p=1772
* https://adsecurity.org/?p=1714
2017-02-19 22:43:27 +01:00
Florian Roth
52d04e52ac
Removed lists from log source section
2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0
Sysmon rules 'logsource' change
2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff
Added "logsource" sections and new rule
2017-02-19 00:31:59 +01:00
Thomas Patzke
9a38d6543f
Fixed type of condition
2017-02-16 23:49:34 +01:00
Florian Roth
18fd63f6b7
Levels to low, medium, high, critical
2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d
Rule review and cleanup
...
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
OR linkage would cause wrong result.
2017-02-15 23:53:08 +01:00
Florian Roth
04ea201817
New rules and cleanup
2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5
Renamed rule files, new rules
2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5
Moved rules to a separate directory
2017-02-07 00:44:40 +01:00