valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,124 Commits 20 Branches 25 Tags 21 MiB
fedda17231
Commit Graph

2628 Commits

Author SHA1 Message Date
Florian Roth
c4953409aa rule: TAIDOOR malware load 
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 2020-08-04 14:31:29 +02:00
IPv777
a52583dc68
.002 = SMB/Windows Admin Shares 2020-08-03 17:43:14 +02:00
Florian Roth
5625f471d7
Merge pull request #963 from diskurse/rule-devel 
win_webshell_regeorg.yml
 2020-08-03 13:51:16 +02:00
Florian Roth
3abc3d0a76
docs: add FP condition 2020-08-03 13:50:47 +02:00
Florian Roth
6f7aecbe06
fix: preventive change to avoid FPs 2020-08-03 13:49:52 +02:00
Cian Heasley
de33b953ba
Add files via upload 
Webshell ReGeorg Detection Via Web Logs
 2020-08-03 12:20:04 +01:00
Florian Roth
df3bfb1b37 rule: Winnti Pipemon 2020-07-30 18:55:47 +02:00
Florian Roth
5abf101c0b
Merge pull request #954 from Neo23x0/rule-devel 
Rule devel
 2020-07-28 10:22:52 +02:00
Florian Roth
8970d03f6f
Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00
Florian Roth
80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
IPv777
77a8ac59ef
remove duplicate 2020-07-24 16:38:08 +02:00
Ryan Plas
aa548ba1a9 Add quotes due to a colon in the falsepositives string 2020-07-23 23:33:36 -04:00
Ryan Plas
e52489aaf6 Change production status to stable 2020-07-23 23:33:36 -04:00
Florian Roth
8a4b53eb3a fix: rule leads to FPs on systems that don't log the cmdline parameters 2020-07-23 17:04:16 +02:00
Florian Roth
951c6fee8b
Update sysmon_password_dumper_lsass.yml 2020-07-23 14:31:21 +02:00
Daniel Masse
13cf0488ae Add 'contains' for the ps encoded chars rule 2020-07-22 10:49:22 -04:00
Florian Roth
db98fe79b0 Revert "rule: update - MATA framework UserAgent" 
This reverts commit 81ef0137c5.
 2020-07-22 14:02:51 +02:00
Florian Roth
81ef0137c5 rule: update - MATA framework UserAgent 2020-07-22 14:02:13 +02:00
Florian Roth
769a9212a5
Merge pull request #943 from diskurse/rule-devel 
Webshell Recon Detection Via CommandLine & ProcessesAdd files via upload
 2020-07-22 13:02:44 +02:00
Cian Heasley
023bf76363
Add files via upload 
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
 2020-07-22 09:05:50 +01:00
Poming huang
2b2bf34a64
add wmi persistence script event consumer false positive 2020-07-20 12:27:16 +08:00
Aidan Bracher
ff3f9fe9b3 Updated tags 2020-07-18 03:02:43 +01:00
Aidan Bracher
1fd73a23b2 Updated tags with sub-techniques 2020-07-18 03:01:34 +01:00
Aidan Bracher
4ac1058ab5 Updated tags 2020-07-18 03:01:11 +01:00
Aidan Bracher
4ffe9cb042 Updated tags with sub-techniques 2020-07-18 02:53:46 +01:00
Aidan Bracher
3bd768e49b Updated tags with sub-techniques 2020-07-18 02:52:15 +01:00
Aidan Bracher
dcf20e580d Updated tags to include sub-techniques 2020-07-18 02:50:57 +01:00
Aidan Bracher
1442812681 Updated tags 2020-07-18 02:44:53 +01:00
Aidan Bracher
b61527d0b2 Added ATT&CK tactic 2020-07-18 02:42:10 +01:00
Aidan Bracher
161829a4c0 Added ATT&CK tactic 2020-07-18 02:41:48 +01:00
Aidan Bracher
147fd46157 Added ATT&CK tactic 2020-07-18 02:41:10 +01:00
Aidan Bracher
2d227a08c5 Updated suspicious service with sub-techniques 2020-07-18 02:40:22 +01:00
Aidan Bracher
97452a9df3 Update to include sub-technique mapping 2020-07-18 02:38:47 +01:00
Aidan Bracher
30bd591c96 Update win_apt_ke3chang to include sub-techniques 2020-07-18 02:37:56 +01:00
Aidan Bracher
ad9a8ff956 Updated to include extra registry key 2020-07-18 02:37:11 +01:00
Aidan Bracher
ea1b2ae59f Updated invoke_phantom with sub-technique mapping 2020-07-18 02:32:42 +01:00
Aidan Bracher
23dd2e3cac Updated to include sub-technique mapping 2020-07-18 02:29:58 +01:00
Aidan Bracher
2006aa8f5e Inclusion of registry keys for WinDefender disabling 2020-07-18 02:23:30 +01:00
Marko Okuka
1d39b40fd1 Fixing typo in rule: Username to User 2020-07-16 10:09:29 -04:00
Florian Roth
3025d6850c
Merge pull request #932 from rtkdmasse/rule-selection-typos 
Change the selection from Command to CommandLine in a couple of rules
 2020-07-16 09:10:15 +02:00
Florian Roth
992bf676f9
Update sysmon_apt_pandemic.yml 2020-07-16 08:48:32 +02:00
Florian Roth
b1de627e94
Update win_apt_zxshell.yml 2020-07-16 08:47:24 +02:00
Daniel Masse
0489a50bd0 Change the selection from Command to CommandLine in a couple of rules 2020-07-15 15:55:26 -04:00
Florian Roth
f8e10273ef
Merge pull request #929 from Neo23x0/pr/919 
Pr/919
 2020-07-15 21:30:57 +02:00
Florian Roth
d0c09f10a9 changed newline character to LF 2020-07-15 16:46:44 +02:00
Ryan Plas
de53a08746 Merge branch 'master' of github.com:Neo23x0/sigma 2020-07-15 10:27:33 -04:00
duzvik
a9b860d749
Update sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:24:49 +03:00
duzvik
d24e15cc27
Update sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:12:58 +03:00
duzvik
c5dfffdac0
Create sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:02:34 +03:00
Florian Roth
8f66803ddf
Merge pull request #927 from Neo23x0/rule-devel 
improved CVE-2020-1350 rule
 2020-07-15 12:06:31 +02:00
Florian Roth
1c103a749f fix: more FPs based on feedback 
https://twitter.com/GossiTheDog/status/1283341486680166400
 2020-07-15 12:05:50 +02:00
Florian Roth
c2eb110fca fix: more exact patterns 2020-07-15 11:56:11 +02:00
Florian Roth
ae7fbb9245 fix: false positive filters based on SOC Prime's rule 2020-07-15 11:49:20 +02:00
Florian Roth
e5a34a965c
Merge pull request #926 from Neo23x0/rule-devel 
rule: CVE-2020-1350
 2020-07-15 11:19:07 +02:00
Florian Roth
80639afd43 rule: CVE-2020-1350 2020-07-15 11:03:31 +02:00
Bhabesh Rai
e0c1d84951 Added new Lateral Movement Attack ID 2020-07-14 22:32:29 +05:45
Florian Roth
c7e412788a
Merge pull request #924 from Neo23x0/devel 
Live MITRE ATT&CK data from TAXI service in Test Scripts
 2020-07-14 18:15:29 +02:00
Florian Roth
38c29977ff
Merge pull request #925 from Neo23x0/rule-devel 
fix: issue reported as https://github.com/Neo23x0/sigma/issues/923
 2020-07-14 18:14:51 +02:00
Florian Roth
1928b3dc06
Merge pull request #920 from qwerty1q2w/feature 
Added AppLocker log source and new rule
 2020-07-14 18:03:17 +02:00
Florian Roth
741d42ce88 fix: issue reported as https://github.com/Neo23x0/sigma/issues/923 2020-07-14 17:59:59 +02:00
Florian Roth
58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Bhabesh Rai
6fb045aa4b Conforming to Rule Creation Guide. 2020-07-14 14:20:07 +05:45
Bhabesh Rai
66ad325fde Added support for Defender's PSExec and WMI ASR rules. 2020-07-14 14:01:43 +05:45
Florian Roth
781667ef22 fix: zeek rule references isn't a list 2020-07-14 00:33:47 +02:00
Ryan Plas
04fd598bcf Update additional rules to have correct logsource attributes 2020-07-13 17:02:17 -04:00
Pushkarev Dmitry
efe720d44e Added new rule. AppLocker 2020-07-13 20:51:48 +00:00
Bart
308420bf7f
Update sysmon_dllhost_net_connections.yml 
Fix @
 2020-07-13 21:20:55 +02:00
Bart
007f62ba01
Add Dllhost WAN access 2020-07-13 21:12:37 +02:00
Florian Roth
f12cb7309b fix: references is not a list 2020-07-13 17:37:03 +02:00
Florian Roth
437a567e4f
Merge pull request #917 from Neo23x0/rule-devel 
New Empire Rules and Updates
 2020-07-13 16:37:59 +02:00
Florian Roth
1c63a93643 fix: wrong casing in tag 2020-07-13 16:20:51 +02:00
Florian Roth
1b75a3a96b
Merge pull request #916 from viniciusvec/patch-2 
Update lnx_shell_clear_cmd_history.yml
 2020-07-13 15:54:11 +02:00
Florian Roth
557e8b0faf rule: improved Empire detection 2020-07-13 15:47:53 +02:00
viniciusvec
26f0d49772
Update lnx_shell_clear_cmd_history.yml 
Renamed tags to match production MITRE: https://attack.mitre.org/techniques/T1070/003/
 2020-07-13 14:06:14 +01:00
Florian Roth
7e8aa7b12b
Merge pull request #915 from Neo23x0/rule-devel 
rule: regsvr32 flags anomaly
 2020-07-13 12:16:05 +02:00
Florian Roth
7a63fd56da rule: regsvr32 flags anomaly 2020-07-13 11:59:44 +02:00
Ömer Günal
bee467dbd6
Rename lnx_setgid_setuid to lnx_setgid_setuid.yml 2020-07-13 01:36:20 +03:00
Ömer Günal
bf8f0307b7
Rename lnx_space_after_filename_ to lnx_space_after_filename_.yml 2020-07-13 01:33:59 +03:00
Ömer Günal
4b74a0df76
Create lnx_space_after_filename_ 2020-07-13 01:33:39 +03:00
Ömer Günal
c749aa2539
Create lnx_setgid_setuid 2020-07-13 01:33:09 +03:00
Ömer Günal
6b24a5df65
Create lnx_security_tools_disabling.yml 2020-07-13 01:32:24 +03:00
Ömer Günal
bdeca13825
Create lnx_proxy_connection.yml 2020-07-13 01:31:05 +03:00
Ömer Günal
708a28e307
Delete lnx_space_after_filename.yml 2020-07-13 01:26:37 +03:00
Ömer Günal
af6ad5a41b
Delete lnx_setuid_setgid.yml 2020-07-13 01:26:29 +03:00
Ömer Günal
64a9b6e098
Delete lnx_disabling_security_tools.yml 2020-07-13 01:26:11 +03:00
Ömer Günal
7466c8d425
Delete lnx_connection_proxy.yml 2020-07-13 01:26:03 +03:00
Ömer Günal
7ce16d1bbc
Update lnx_space_after_filename.yml 2020-07-13 01:07:32 +03:00
Ryan Plas
25d978d9bd Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values 2020-07-11 22:17:06 -04:00
Ryan Plas
3bb45f00af Update web_citrix_cve_2019_19781_exploit.yml logsource to use the correct Sigma schema values 2020-07-11 00:00:21 -04:00
Florian Roth
1a87492bd4
Merge pull request #912 from Neo23x0/rule-devel 
rule: improved Citrix rule
 2020-07-10 19:46:09 +02:00
Florian Roth
129925ce0b rule: improved Citrix rule 2020-07-10 18:15:35 +02:00
Florian Roth
17dedddbdd
Merge pull request #911 from Neo23x0/rule-devel 
rule: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195
 2020-07-10 18:09:19 +02:00
Florian Roth
383953c74e rule: better rule name and descriptions, plus MITRE ATT&CK tags 2020-07-10 17:55:13 +02:00
Florian Roth
0d89208242 rule: updated Citrix rule 2020-07-10 17:49:18 +02:00
Florian Roth
eda08e3a89 rule: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195 2020-07-10 17:45:11 +02:00
Florian Roth
3ab5eb97d8
Merge pull request #901 from brachera/master 
rule: Leviathan registry key
 2020-07-10 16:42:02 +02:00
Florian Roth
49aa0b4621
Merge pull request #909 from EccoTheFlintstone/fp2 
add WMI module load false positive
 2020-07-10 15:45:53 +02:00
Florian Roth
5de82628fa
Update sysmon_apt_leviathan.yml 2020-07-10 15:41:55 +02:00
Florian Roth
168952840b
Merge pull request #910 from Neo23x0/rule-devel 
Rule devel
 2020-07-10 14:17:22 +02:00
Florian Roth
268a28daed rule: Evilnum Golden Chicken rule OCX 2020-07-10 13:02:52 +02:00
ecco
e30eaa0202 be more specific about file location 2020-07-09 13:33:59 -04:00
ecco
94e3bd9e6b add WMI module load false positive 2020-07-09 13:32:21 -04:00
ecco
905f1b3823 add WMI and powershell false positives 2020-07-09 10:26:54 -04:00
Florian Roth
7949729fa4 rule: PowerShell encoded character syntax 2020-07-09 08:52:32 +02:00
Florian Roth
e3734aaa27
fix: missing upper tick 2020-07-08 15:53:04 +02:00
GelosSnake
efae210556
adding google chrome to FP list 
legitimate errors generated by Google Chrome are reported often.

Official google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
 2020-07-08 16:44:41 +03:00
Thomas Patzke
205b584e80 Merge branch 'pr-829' 2020-07-07 23:42:57 +02:00
Thomas Patzke
3e17cc1900
Merge pull request #894 from caliskanfurkan/master 
ditsnap, a credential access tool used in ransomware attacks
 2020-07-07 23:21:36 +02:00
Thomas Patzke
28013a15e1 Improved rule 2020-07-07 23:18:07 +02:00
Thomas Patzke
90f09f7b12 Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829 2020-07-07 23:15:39 +02:00
Thomas Patzke
3c760fabc1
Merge pull request #745 from Rettila/master 
Added new rules
 2020-07-07 23:14:19 +02:00
Thomas Patzke
7eb499ad85 Added rule id 2020-07-07 22:54:55 +02:00
Thomas Patzke
360b5714a8 Splitted and improved new rule 2020-07-07 22:47:14 +02:00
Thomas Patzke
0ce5f2cc75 Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483 2020-07-07 22:37:11 +02:00
Thomas Patzke
4762a59b89
Merge pull request #891 from rtkbkish/image-load-fixes 
Fix typo for rule in image_load category
 2020-07-07 22:31:32 +02:00
Thomas Patzke
2032a1e7fd
Merge pull request #898 from rtkbkish/fix-uac-registry 
Proposed fix for sysmon_uac_bypass_eventvwr
 2020-07-07 22:29:39 +02:00
Thomas Patzke
9e85731253
Merge pull request #899 from rtkbkish/refix-rules 
Re-fix sysmon rules that lost changes with category refactoring.
 2020-07-07 22:28:37 +02:00
Florian Roth
acfe20aa34 rule: extended F5 BIG-IP exploitation detection rule 2020-07-07 21:45:08 +02:00
Aidan Bracher
90983dcc4b add level field to rule 2020-07-07 14:28:18 +01:00
Aidan Bracher
f549a14d9a rule: Leviathan registry key 2020-07-07 13:27:57 +01:00
Florian Roth
99ac4f1f3d fix: FPs with RedMimicry rule 2020-07-07 10:11:58 +02:00
Brad Kish
c758ca0eb9 Re-fix sysmon rules that are lost changes with category refactoring. 
Several fixes for sysmon rules got lost when the rules were refactored to use
categories.

Re-add the fixes.

38afd8b5de

422b2bffd7

dfae2a6df6
 2020-07-06 10:55:42 -04:00
Brad Kish
7e06fd80fd Proposed fix for sysmon_uac_bypass_eventvwr 
Issue: https://github.com/Neo23x0/sigma/issues/888

The rules were not merged correctly with the transition to sysmon categories.

Split the rule into separate documents: one for the registry_event and one for
the process_creation
 2020-07-06 09:20:34 -04:00
Thomas Patzke
939156fa6d Introduced dns_query log source category 2020-07-05 23:29:51 +02:00
Thomas Patzke
0df21289a0 Merge branch 'dns-fixes' of https://github.com/rtkbkish/sigma into pr-893 2020-07-05 23:24:56 +02:00
Florian Roth
4aae3a6aa5
Merge pull request #897 from Neo23x0/rule-devel 
improved F5 BIG-IP rule based on private feedback
 2020-07-05 16:38:20 +02:00
Florian Roth
13ab00f744 improved F5 BIG-IP rule based on private feedback 2020-07-05 16:21:48 +02:00
Florian Roth
ab9a988682
Merge pull request #896 from Neo23x0/rule-devel 
rule: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
 2020-07-05 13:44:36 +02:00
Florian Roth
fbe6c0e7d9 improved F5 BIG-IP rule 2020-07-05 13:29:30 +02:00
Florian Roth
f079d0f915 rule: CVE-2020-5902 F5 BIG-IP Exploitation Attempt 
https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
 2020-07-05 13:18:53 +02:00
Florian Roth
c51b4d0524
Merge pull request #890 from rtkbkish/file-event-fixes 
Fixes for rules in the sysmon file_event category
 2020-07-05 13:13:24 +02:00
Florian Roth
4a810dd136
Merge pull request #886 from Neo23x0/rule-devel 
Windows Curl Rules
 2020-07-05 13:12:41 +02:00
Furkan CALISKAN
8ef82e48eb ditsnap 2020-07-04 23:21:52 +03:00
Brad Kish
8b3b312c4e Proposed fix for https://github.com/Neo23x0/sigma/issues/889 
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
 2020-07-03 16:28:19 -04:00
Brad Kish
7031d9e2b8 Fix typo for rule in image_load category 
image_load not image_loaded.
 2020-07-03 16:23:17 -04:00
Brad Kish
1e9d0e9653 Fixes for rules in the sysmon file_event category 
Fix a couple of typos

For sysmon_hack_dumpert:
Make sure the logsource is category file_event and not sysmon. Don't set
the category at the global level. Instead set in the individual document.
 2020-07-03 16:22:29 -04:00
Brad Kish
4b31633355 Fixes for rules in new sysmon registry_event category 
To be consistent with the behaviour of the other rules, the eventID should not
be specified as part of the rule. The category defines the eventID.
 2020-07-03 16:20:37 -04:00
Florian Roth
11517edbd7 rule: suspicious curl usage 2020-07-03 18:55:44 +02:00
Florian Roth
c4267a4614 rule: suspicious curl file upload 2020-07-03 18:20:44 +02:00
Florian Roth
80f15a1e50
Merge pull request #885 from Neo23x0/rule-devel 
fix: trailing whitespace
 2020-07-03 18:00:19 +02:00
Florian Roth
4d9e2e8c16 fix: trailing white space 2020-07-03 17:59:50 +02:00
Ömer Günal
47a2f1bc94
Update lnx_space_after_filename.yml 2020-07-03 18:56:51 +03:00
Ömer Günal
51363d8a87
Update lnx_setuid_setgid.yml 2020-07-03 18:56:40 +03:00
Ömer Günal
87346d4b94
Update lnx_disabling_security_tools.yml 2020-07-03 18:56:30 +03:00
Ömer Günal
64afd6e7ee
Update lnx_connection_proxy.yml 2020-07-03 18:56:19 +03:00
Florian Roth
26d8810efb
Merge pull request #882 from Neo23x0/rule-devel 
Rule devel
 2020-07-03 15:33:55 +02:00
Florian Roth
8a0262d1a2 fix: in linux keyword expression 2020-07-03 15:08:20 +02:00
Florian Roth
4dc818aafd fix: rar flags rule caused too many FPs 2020-07-03 13:20:24 +02:00
Florian Roth
5dd5b87f43 rule: guacamole exploitation detection 2020-07-03 13:20:03 +02:00
Florian Roth
abf5f799d6 docs: more references 2020-07-03 13:19:44 +02:00
Florian Roth
fa452bf3e5
Merge pull request #849 from omergunal/ogunal-1 
Rules for detecting suspicious remote file copy
 2020-07-03 11:59:45 +02:00
Florian Roth
b9966a173c
Update lnx_file_copy.yml 2020-07-03 11:32:49 +02:00
Florian Roth
5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth
3111ab8396 refactor: new way to write that rule 2020-07-03 11:20:36 +02:00
Florian Roth
d12b8347dc fix: bug in cmstp rule 
https://github.com/Neo23x0/sigma/issues/876
 2020-07-03 11:19:11 +02:00
Florian Roth
0bbf40fb14 refactor: include xcopy 2020-07-03 11:03:45 +02:00
Florian Roth
3bea08edfc refactor: copy from/to system32 rule 2020-07-03 10:56:26 +02:00
Florian Roth
02dee36f4c
Merge pull request #880 from Neo23x0/rule-devel 
fix: typo in systemroot
 2020-07-03 10:25:31 +02:00
Florian Roth
34ea706e4f fix: typo in systemroot 2020-07-03 10:24:58 +02:00
Florian Roth
53620a0d2f
Merge pull request #879 from Neo23x0/rule-devel 
fix: missing copy command
 2020-07-03 10:18:21 +02:00
Florian Roth
0fa1c1525b fix: missing copy command 2020-07-03 10:17:34 +02:00
Florian Roth
248506be93
Merge pull request #878 from Neo23x0/rule-devel 
DesktopImgDownLdr Rules and extra rule
 2020-07-03 10:14:58 +02:00
Florian Roth
1f0b1e58a9 fix: bugs in rule and title 2020-07-03 09:54:10 +02:00
Florian Roth
01ed87186f Copy From System Root rule 2020-07-03 09:45:58 +02:00
Florian Roth
33fef8bcf5 DesktopImgDownLdr rules 2020-07-03 09:45:48 +02:00
Thomas Patzke
de0bb36c51 Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785 2020-07-02 23:04:59 +02:00
Florian Roth
4c4ed1a4a2 fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth
154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth
b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth
ba682c5de6
Merge pull request #863 from qwerty1q2w/feature 
add win_not_allowed_rdp_access.yml rule
 2020-06-30 10:03:11 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth
2e3669a5a4
Merge pull request #865 from j91321/defender-rules 
Windows Defender logsource and rules
 2020-06-30 10:01:17 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Harish SEGAR
9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR
649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Ömer Günal
0c3ce445da
Delete remote_copy.yml 2020-06-29 18:51:18 +03:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321
24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Pushkarev Dmitry
502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel 
fix: duplicate IDs
 2020-06-24 17:23:13 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69 Fix quoting for AD Object WriteDAC Access 
The AccessMask field needs to be quoted so that it is compared correctly.
 2020-06-22 15:31:03 -04:00
Ömer Günal
4eb97ec43d
Update lnx_file_copy.yml 2020-06-22 21:35:50 +03:00
Furkan ÇALIŞKAN
b091e3b1c4
Update for new method 
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 2020-06-22 01:06:34 +03:00
Ömer Günal
d17e0ae6eb
typo 2020-06-20 23:04:52 +03:00
Florian Roth
e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth
62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth
5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth
b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth
da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Florian Roth
b675c4c706 Merge branch 'master' into rule-devel 2020-06-19 09:24:26 +02:00
Ömer Günal
93719d8a01
Merge pull request #1 from omergunal/omergunal-patch-1 
Remote file copy
 2020-06-18 23:56:29 +03:00
Ömer Günal
40a07a2d4f
Delete lnx_sudo_enumeration.yml 2020-06-18 23:55:24 +03:00
Ömer Günal
d87b0c95a4
Delete lnx_trap.yml 2020-06-18 23:55:16 +03:00
Ömer Günal
8db7c3207a
Delete lnx_sudo_caching.yml 2020-06-18 23:54:43 +03:00
Ömer Günal
5bc72b6cba
Delete lnx_space_after_filename.yml 2020-06-18 23:54:28 +03:00
Ömer Günal
f10440b9fa
Delete lnx_setuid_setgid.yml 2020-06-18 23:54:20 +03:00
Ömer Günal
6c8d104e7d
Delete lnx_disabling_security_tools.yml 2020-06-18 23:54:06 +03:00
Ömer Günal
84c4683607
Delete lnx_connection_proxy.yml 2020-06-18 23:53:43 +03:00
Ömer Günal
c4a1e853bc
Remote file copy 2020-06-18 23:47:53 +03:00
Ömer Günal
c6c455a3ec
Remote file copy 2020-06-18 23:37:49 +03:00
Ömer Günal
9bfc3d6807
Delete lnx_file_copy.yml 2020-06-18 23:37:12 +03:00
Ömer Günal
a963630db8
Remote File Copy 2020-06-18 23:36:29 +03:00
Florian Roth
4b0c80885f
Merge pull request #810 from EccoTheFlintstone/fp 
add WMI module load false positives
 2020-06-18 12:50:40 +02:00
Florian Roth
32ecb81630
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2 
ATT&CK subtechniques v2
 2020-06-18 09:10:09 +02:00
Ivan Kirillov
b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
Ömer Günal
3a607abe33
Update lnx_trap.yml 2020-06-17 19:51:53 +03:00
ecco
99bfa14ae0 add 1 more FP 2020-06-17 12:49:27 -04:00
Ömer Günal
7b86f4aefb
Update lnx_trap.yml 2020-06-17 19:47:31 +03:00
Ömer Günal
ebbd32d2e1
file extension 2020-06-17 19:43:57 +03:00
Ömer Günal
f989f7e155
file extension 2020-06-17 19:43:49 +03:00
Ömer Günal
772c03c49a
Connection Proxy 2020-06-17 19:39:55 +03:00
Ömer Günal
9d285ecf74
Trap 2020-06-17 19:39:00 +03:00
Ömer Günal
d0b66ab828
Space After Filename 2020-06-17 19:38:38 +03:00
Ömer Günal
3b8fb9e3d8
Disabling Security Tools 2020-06-17 19:38:10 +03:00
Florian Roth
0022705373 fix: filter not functional 
since `UsrLogon.cmd` does appear only in `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
 2020-06-17 16:09:44 +02:00
Ivan Kirillov
5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth
fd2429bd34
Update lnx_setuid_setgid.yml 2020-06-16 19:46:50 +02:00
Florian Roth
06fe720165
Update lnx_sudo_enumeration.yml 2020-06-16 19:33:39 +02:00
Florian Roth
545c05d4d3
Update lnx_setuid_setgid.yml 2020-06-16 19:31:34 +02:00
Ömer Günal
0027415fa2
Update lnx_setuid_setgid.yml 2020-06-16 20:26:50 +03:00
Ömer Günal
41b2309418
file type changed 2020-06-16 20:24:09 +03:00
Ömer Günal
0d0058da43
added id 2020-06-16 20:21:07 +03:00
Ömer Günal
bbcd506fb1
added id 2020-06-16 20:21:02 +03:00
Ömer Günal
ace575aaa6
added id 2020-06-16 20:20:42 +03:00
Ömer Günal
4b1557a587
Setuid and Setgid 
Detects suspicious change of file privileges with chown and chmod commands
 2020-06-16 20:12:24 +03:00
Ömer Günal
b7e1c6750c
sudo caching 
attack.t1206
 2020-06-16 19:31:02 +03:00
Ömer Günal
e43f13ed67
Update lnx_sudo_enumeration.yml 
attack.t1169
 2020-06-16 19:20:42 +03:00
Ömer Günal
52487159c5
Detect Sudo enumeration commands 2020-06-16 19:17:00 +03:00
Florian Roth
d24ec665fd
Merge pull request #838 from rtkbkish/fix-identifier 
Identifiers shared between global document and rule gets overwritten
 2020-06-15 20:20:23 +02:00
Florian Roth
87053502a3
Merge pull request #839 from rtkbkish/fix-double-backslash 
Fix match for double-backslash
 2020-06-15 20:19:56 +02:00
Florian Roth
869162a5da
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id 
Rule lists extra Sysmon ID (11). Should just match registry events (1…
 2020-06-15 20:19:27 +02:00
Florian Roth
3482e048fb
Merge pull request #841 from rtkbkish/fix-rule-match 
Rule needs endwith, not exact match.
 2020-06-15 20:19:12 +02:00
Florian Roth
46bd56a708
Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation 
Fix logsource field name from service->category
 2020-06-15 20:18:53 +02:00
Brad Kish
dfae2a6df6 Rule needs endwith, not exact match. 
Fix ImageLoaded filter to match with endswith, rather than exact match.
 2020-06-15 13:54:02 -04:00
Brad Kish
a9c6fa904f Rule lists extra Sysmon ID (11). Should just match registry events (12-14) 
Remove extraneous event ID 11. It will never match.
 2020-06-15 13:52:12 -04:00
Brad Kish
f196046b3d Fix match for double-backslash 
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
 2020-06-15 13:39:50 -04:00