Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Florian Roth
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
Florian Roth
7311d727ba
Rule: AV alerts - password dumper
2018-09-09 11:04:27 +02:00
Florian Roth
84b8eb5154
Rule: AV alerts - exploiting frameworks
2018-09-09 11:04:27 +02:00
Florian Roth
4e91462838
fix: Bugfix in Adwind rule
2018-08-15 12:33:03 +02:00
ntim
c99dc9f643
Tagged windows powershell, other and malware rules.
2018-07-24 10:56:41 +02:00
Thomas Patzke
a3e02ea70f
Various rule fixes
...
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
Problematic because the text representation is not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
Thomas Patzke
84645f4e59
Simplified rule conditions with new condition constructs
2018-03-06 23:14:43 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change all "str" references to be "list" to match schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Florian Roth
3a378f08ea
Bugfix in Adwind rule - typo in typo
2017-11-10 12:51:54 +01:00
Florian Roth
6e4e857456
Improved Adwind Sigma rule
2017-11-10 12:39:08 +01:00
Florian Roth
57d56dddb7
Improved Adwind RAT rule
2017-11-09 18:53:46 +01:00
Florian Roth
b558f5914e
Added reference to Tom Ueltschi's slides
2017-11-09 18:30:50 +01:00
Florian Roth
781db7404e
Updated Adwind RAT rule
2017-11-09 18:28:27 +01:00
Florian Roth
970f01f9f2
Renamed file for consistency
2017-11-09 15:43:32 +01:00
Florian Roth
a042105aa1
Rule: Adwind RAT / JRAT javaw.exe process starts in AppData folder
2017-11-09 15:43:32 +01:00
Thomas Patzke
5035c9c490
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections
2017-11-01 22:12:14 +01:00
Thomas Patzke
986c9ff9b7
Added field names to first rules
2017-09-12 23:54:04 +02:00
Florian Roth
950a00f33e
Updated Petya rule
2017-06-28 12:52:58 +02:00
Florian Roth
ece1d7e3a8
Added perfc.dat keyword to NotPetya rule
2017-06-28 10:35:42 +02:00
Florian Roth
a3e0e37163
NotPetya Title Fixed
2017-06-28 09:12:39 +02:00
Florian Roth
8c437de970
NotPetya Sigma Rule for Sysmon Events
2017-06-28 09:09:12 +02:00
Florian Roth
8f525d2f01
WannaCry Rules Reorg and Renaming
2017-06-28 09:08:53 +02:00