Commit Graph

4192 Commits

Author SHA1 Message Date
Thomas Patzke
824f26c51c Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-03-17 23:34:19 +01:00
Thomas Patzke
b4f52d9cfb Windows index in Splunk example configuration 2017-03-17 23:30:11 +01:00
Thomas Patzke
b865a858aa Generation of conditions for configured indices 2017-03-17 23:28:06 +01:00
Thomas Patzke
56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb Create sysmon_sdclt_uac_bypass.yml
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
2017-03-17 14:31:26 -04:00
Florian Roth
59499f926e Bugfix: Taskscheduler log source definition 2017-03-17 16:09:31 +01:00
Florian Roth
dc00baacda Splunk Windows Configuration Example 2017-03-17 10:00:56 +01:00
Florian Roth
dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth
bcc250e1c7 Added missing description 2017-03-17 08:43:21 +01:00
Florian Roth
e46ecd2aff Rule: Rare scheduled task installs 2017-03-17 08:41:27 +01:00
Florian Roth
3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth
789b3899df Improved Linux Shell Activity Rule 2017-03-15 09:07:59 +01:00
Thomas Patzke
d2a9a91175 Log source conditions are integrated in generated expressions
Indices not yet included
2017-03-14 23:22:32 +01:00
Thomas Patzke
9f4d7c7934 Merge branch 'devel-sigmac' into devel-sigmac-config 2017-03-14 22:48:32 +01:00
Thomas Patzke
4d3756259e Merge branch 'master' into devel-sigmac 2017-03-14 22:48:15 +01:00
Florian Roth
9afa12f4a3 Further shell commands from MSF repo 2017-03-14 16:33:51 +01:00
Florian Roth
daeb7c3693 Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00
Florian Roth
546a587df7 Rule: Shellshock Regex detection
http://rubular.com/r/zxBfjWfFYs
2017-03-14 14:53:29 +01:00
Florian Roth
dd558e941c Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth
3f95615a9b IDE settings file 2017-03-14 12:52:11 +01:00
Florian Roth
2e32e1bb43 Rule: User account added to local Administrators 2017-03-14 12:51:50 +01:00
Florian Roth
cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00
Florian Roth
c571848e9b Rule: Scheduled task creation 2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0 Reduced to user accounts 2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8 Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5 Rule: Suspicious PowerShell Parameter Substring 2017-03-13 17:23:25 +01:00
Florian Roth
ff8e3fe584 Merge pull request #9 from iliaselmatani/patch-1
Create win_pass_the_hash.yml
2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
Florian Roth
a87d513efa Rule: Suspicious executable downloads 2017-03-13 16:11:43 +01:00
IeM
9f5e5a2366 Update win_pass_the_hash.yml
Added placeholders for WorkstationName to detect network logons between Workstations.
2017-03-13 16:09:32 +01:00
Florian Roth
85c298c43c Bugfix in rule 2017-03-13 15:09:48 +01:00
Florian Roth
606d74546a Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00
Florian Roth
b8db4935e0 Rule: PowerShell UserAgent in Proxy Logs 2017-03-13 13:51:32 +01:00
Florian Roth
a0047f7c67 Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
Thomas Patzke
52d7e9fc07 Parsing log sources in configuration files 2017-03-12 23:12:21 +01:00
Florian Roth
9fd375c130 Bugfix: Added time frame to correlation rule 2017-03-12 17:11:29 +01:00
Florian Roth
4470c2f893 PowerShell Suspicious Invocation > Sysmon 2017-03-12 17:11:05 +01:00
Florian Roth
de689c32b5 Suspicious PowerShell Invocation 2017-03-12 17:06:53 +01:00
Thomas Patzke
e262b574b2 Merge branch 'master' into devel-sigmac 2017-03-11 23:53:58 +01:00
Thomas Patzke
12e825783b Merge branch 'master' into devel-sigmac 2017-03-11 23:49:56 +01:00
Thomas Patzke
63e23af63c Merge branch 'devel-sigmac-config' into devel-sigmac 2017-03-11 23:49:41 +01:00
Michael Haag
359ae18989 Merge remote-tracking branch 'Neo23x0/master' 2017-03-08 23:05:57 -08:00
Florian Roth
d6957f1c2e Merge pull request #10 from MHaggis/master
Sysmon
2017-03-09 08:05:22 +01:00
Michael Haag
923f298015 Merge remote-tracking branch 'Neo23x0/master' 2017-03-08 22:51:03 -08:00
Michael Haag
c5f05dd829 bitsadmin & VSSAdmin
+Bitsadmin download
+VSSAdmin delete
2017-03-08 22:49:35 -08:00