b343df2225
Further subtechnique updates
2020-06-17 11:31:40 -06:00
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
422b2bffd7
Fix rules with incorrect escaping of wildcars
...
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud
...
TA410 FlowCloud malware detection
2020-06-09 17:18:39 +02:00
a9bf22750a
Fixed bad indentation
2020-06-09 16:30:17 +02:00
4ce3ea735e
TA410 FlowCloud malware detection
2020-06-09 16:21:46 +02:00
d14d391761
Octopus Scanner malware rule
2020-06-09 16:12:05 +02:00
beb62dc163
fix: condition location
2020-05-15 12:06:34 +02:00
28dc2a2267
Minor changes
...
hints:
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
2020-05-15 11:33:36 +02:00
40ab1b7247
added 'action: global'
2020-05-14 23:33:08 -04:00
56a2747a70
Corrected missing condition
...
learning! fail fast & forward
2020-05-14 23:18:33 -04:00
fb1d8d7a76
Corrected typo
2020-05-14 23:04:14 -04:00
8aff6b412e
added rule for Blue Mockingbird (cryptominer)
2020-05-14 22:58:23 -04:00
09d1b00459
Changed level to ciritcal
2020-05-11 10:40:23 +02:00
c98be55d21
Update mal_azorult_reg.yml
2020-05-08 21:31:33 -04:00
61f061333b
Registry entry for Azorult malware
...
Detects registry keys used by Azorult malware
2020-05-08 21:26:24 -04:00
30d872f98f
Merge pull request #492 from booberry46/master
...
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
a5b4b276d4
Add scriptlets
...
Adds .sct and .vbe.
2019-11-14 22:26:22 +01:00
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
cfe7ddbe5b
Update av_exploiting.yml
...
Not sure if the '' affects.
2019-11-06 16:16:49 +08:00
d096ab0e21
rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet
2019-10-04 16:17:34 +02:00
f6fd1df6f4
Rule: separate Ryuk rule created for VBurovs strings
2019-08-06 10:33:46 +02:00
eb8a0636c5
Update win_mal_ursnif.yml
...
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml ). Changed to ignore the key name, confirmed that the key is still uniique.
2019-04-14 11:51:13 -05:00
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
afa18245bf
Merge pull request #254 from darkquasar/master
...
adding MPreter as McAfee classifies it
2019-02-23 07:34:04 +01:00
02239fa288
Changed registry root key
...
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete ) it is abbreviated to HKU.
2019-02-22 21:30:30 +01:00
87994ca46b
adding MPreter as McAfee classifies it
...
McAfee classifies some Meterpreter events with the "Mpreter" keyword
2019-02-22 15:22:10 +11:00
34f9d17b26
Create win_mal_ursnif.yml
2019-02-13 15:22:57 -06:00
3ef930b094
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
5645c75576
Rule: updated relevant AV signatures - exploiting
...
https://twitter.com/haroldogden/status/1085556071891173376
2019-01-16 18:43:28 +01:00
d4a1fe786a
Rule: Dridex pattern
2019-01-12 12:03:36 +01:00
b0cb0abc01
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
bff7ec52db
Update av_relevant_files.yml
...
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection
This affetcs Elastalert integration
2018-12-05 07:53:53 +03:00
23eddafb39
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
7311d727ba
Rule: AV alerts - password dumper
2018-09-09 11:04:27 +02:00
84b8eb5154
Rule: AV alerts - exploiting frameworks
2018-09-09 11:04:27 +02:00
4e91462838
fix: Bugfix in Adwind rule
2018-08-15 12:33:03 +02:00
c99dc9f643
Tagged windows powershell, other and malware rules.
2018-07-24 10:56:41 +02:00
a3e02ea70f
Various rule fixes
...
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
84645f4e59
Simplified rule conditions with new condition constructs
2018-03-06 23:14:43 +01:00
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
48441962cc
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
3a378f08ea
Bugfix in Adwind rule - typo in typo
2017-11-10 12:51:54 +01:00
6e4e857456
Improved Adwind Sigma rule
2017-11-10 12:39:08 +01:00
57d56dddb7
Improved Adwind RAT rule
2017-11-09 18:53:46 +01:00
Ivan Kirillov