4ed512011a
All Rules use 'TargetFilename' instead of 'TargetFileName'.
...
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel
...
ComRAT and KazuarRAT
2020-05-28 11:16:44 +02:00
39b41b5582
rule: moved DebugView rule to process creation category
2020-05-28 10:13:38 +02:00
4ca81b896d
rule: Turla ComRAT report
2020-05-26 14:19:22 +02:00
3681b8cb56
Extended Windows processes
2020-05-26 13:56:51 +02:00
f9f814f3b3
Shortened title
2020-05-26 13:06:27 +02:00
a241792e10
Reduce FP of legitime processes
...
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe
All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.
Python 2.7, 3.3 and 3.7 does not have any file characteristics.
So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
2020-05-26 12:58:15 +02:00
6fcf3f9ebf
Update win_netsh_fw_add.yml
2020-05-25 10:13:26 +02:00
28652e4648
Add Windows Server 2008 and Windows Vista support
...
It did not support the command `netsh advfirewall firewall add`
2020-05-25 10:02:13 +02:00
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml
...
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check.
Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
2020-05-25 09:50:47 +02:00
9cd9a301c2
Merge pull request #791 from SanWieb/master
...
added rule for Netsh RDP port opening
2020-05-23 16:50:31 +02:00
10ca3006f5
move rule where needed
2020-05-23 10:07:55 -04:00
d310805ed9
rule: Netsh RDP port opening
2020-05-23 14:19:52 +02:00
9a7f462d79
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel
...
refactor: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:54:43 +02:00
34006d0794
refactor: simplified and extended expression in CVE-2020-1048 rule
2020-05-23 09:16:19 +02:00
57c8e63acd
refactore: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:09:58 +02:00
96fae4be68
Added CrachMapExec rules
2020-05-22 00:50:37 +02:00
64e0e7ca72
Merge pull request #784 from Neo23x0/rule-devel
...
refactor: slightly improved Greenbug rule
2020-05-21 14:19:09 +02:00
91c4c4ecc5
refactor: slightly improved Greenbug rule
2020-05-21 13:38:11 +02:00
bbf78374b6
Merge pull request #783 from Neo23x0/rule-devel
...
Greenbug Rule
2020-05-21 09:55:46 +02:00
9a3b6c1c77
docs: added MITRE ATT&CK group tag
2020-05-21 09:44:11 +02:00
344eb713c5
rule: Greenbug campaign
2020-05-21 09:39:57 +02:00
8963c0a65e
Remove duplicate 'CommandLine' in fields
2020-05-20 11:54:47 +02:00
fd386fe8eb
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel
...
Rule devel
2020-05-15 12:07:04 +02:00
54cf535dbc
remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)
2020-05-15 04:45:25 -04:00
ab950fb89d
fix: removed rules missing in master
2020-05-14 15:53:09 +02:00
7652813c2c
Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives
...
Widen the search as it gives too many false negatives
2020-05-13 21:02:12 +02:00
78a5c743f2
Widen the search as it gives too many false negatives
2020-05-13 16:20:23 +02:00
78a8266a1b
Merge pull request #749 from teddy-ROxPin/patch-6
...
Create win_advanced_ip_scanner.yml
2020-05-13 14:09:12 +02:00
220a14f31c
fix: typo in contains
2020-05-13 12:38:54 +02:00
a1856c5743
Update win_advanced_ip_scanner.yml
2020-05-13 11:56:25 +02:00
a9ef7ef382
Fix a bad CommandLine search
2020-05-13 11:32:05 +02:00
bb17fd74ee
Create win_advanced_ip_scanner.yml
...
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
2020-05-12 21:43:01 -06:00
1104044f53
fix: delete duplicate rules
2020-05-11 10:55:02 +02:00
2b18b66c16
Merge branch 'master' into rule-devel
2020-05-11 10:50:10 +02:00
4366a95024
rule: Maze ransomware
2020-05-11 10:46:26 +02:00
f96c3a5fd4
Merge branch 'master' into rule-devel
...
# Conflicts:
# rules/proxy/proxy_ua_suspicious.yml
# rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
# rules/windows/process_creation/win_susp_csc_folder.yml
2020-05-11 10:44:19 +02:00
2d38cb7b52
fix incorrect use of global
2020-05-06 23:00:45 +02:00
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary
...
Add netsh to renamed binary rule
2020-05-02 14:12:34 +02:00
b4b9b0155f
Merge pull request #716 from Karneades/patch-1
...
Add rule to detect wifi creds harvesting using netsh
2020-05-02 14:12:10 +02:00
4600bf73dc
Update rules to follow the Sigma state specification
...
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional ) states the following:
> Declares the status of the rule:
> - stable: the rule is considered as stable and may be used in production systems or dashboards.
> - test: an almost stable rule that possibly could require some fine tuning.
> - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.
However the Sigma Rx YAML specification states the following:
> ```yaml
> status:
> type: //any
> of:
> - type: //str
> value: stable
> - type: //str
> value: testing
> - type: //str
> value: experimental
> ```
The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
- [`sigma/sigma-schema.rx.yml`](https://github.com/Neo23x0/sigma/blob/a805d18bbae60d3e4f291c8a18304104ed2e71c7/sigma-schema.rx.yml#L49 )
- [`sigma/tools/sigma/filter.py`](https://github.com/Neo23x0/sigma/blob/f3c60a63099f80296c8750aaba667e98ac71a4f7/tools/sigma/filter.py#L26 )
- [`sigma/tools/sigmac`](https://github.com/Neo23x0/sigma/blob/4e42bebb3480720966a59528cd8482c6271e603c/tools/sigmac#L98 )
Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
2020-04-24 20:50:31 +02:00
7d437c2969
Add netsh to renamed binary rule
2020-04-20 17:12:25 +02:00
d4e9606266
Improve netsh wifi rule another time due to arg shortcut
2020-04-20 16:40:03 +02:00
af498d8a8c
Improve rule to detect argument shortcut in netsh wlan rule
2020-04-20 16:32:25 +02:00
ba541c3952
Fix title for new netsh wifi rule
2020-04-20 16:20:45 +02:00
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh
2020-04-20 16:14:44 +02:00
3889be6255
Replace reference link for win_susp_netsh_dll_persistence
2020-04-10 01:05:10 -05:00
82db80bee6
Remove wrong mitre technique
2020-04-10 01:02:43 -05:00
Sven Scharmentke