Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Florian Roth
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
Florian Roth
7311d727ba
Rule: AV alerts - password dumper
2018-09-09 11:04:27 +02:00
Florian Roth
84b8eb5154
Rule: AV alerts - exploiting frameworks
2018-09-09 11:04:27 +02:00
Florian Roth
4e91462838
fix: Bugfix in Adwind rule
2018-08-15 12:33:03 +02:00
ntim
c99dc9f643
Tagged windows powershell, other and malware rules.
2018-07-24 10:56:41 +02:00
Thomas Patzke
a3e02ea70f
Various rule fixes
...
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
Thomas Patzke
84645f4e59
Simplified rule conditions with new condition constructs
2018-03-06 23:14:43 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Florian Roth
3a378f08ea
Bugfix in Adwind rule - typo in typo
2017-11-10 12:51:54 +01:00
Florian Roth
6e4e857456
Improved Adwind Sigma rule
2017-11-10 12:39:08 +01:00
Florian Roth
57d56dddb7
Improved Adwind RAT rule
2017-11-09 18:53:46 +01:00
Florian Roth
b558f5914e
Added reference to Tom Ueltschie's slides
2017-11-09 18:30:50 +01:00
Florian Roth
781db7404e
Updated Adwind RAT rule
2017-11-09 18:28:27 +01:00
Florian Roth
970f01f9f2
Renamed file for consistency
2017-11-09 15:43:32 +01:00
Florian Roth
a042105aa1
Rule: Adwind RAT / JRAT javaw.exe process starts in AppData folder
2017-11-09 15:43:32 +01:00
Thomas Patzke
5035c9c490
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections
2017-11-01 22:12:14 +01:00
Thomas Patzke
986c9ff9b7
Added field names to first rules
2017-09-12 23:54:04 +02:00
Florian Roth
950a00f33e
Updated Petya rule
2017-06-28 12:52:58 +02:00
Florian Roth
ece1d7e3a8
Added perfc.dat keyword to NotPetya rule
2017-06-28 10:35:42 +02:00
Florian Roth
a3e0e37163
NotPetya Title Fixed
2017-06-28 09:12:39 +02:00
Florian Roth
8c437de970
NotPetya Sigma Rule for Sysmon Events
2017-06-28 09:09:12 +02:00
Florian Roth
8f525d2f01
Wannacry Rules Reorg and Renaming
2017-06-28 09:08:53 +02:00