5aa62bd342
fix yml
2021-10-12 21:02:15 +02:00
37c637066b
add process_creation_conti_cmd_ransomware.yml
2021-10-12 20:57:12 +02:00
7497fdb484
Merge pull request #2129 from d4rk-d4nph3/master
...
Added rule for possible persistence via VMTools
2021-10-10 10:55:06 +02:00
a241f526ef
Added more strict path
2021-10-10 07:54:40 +05:45
a45e516f99
Added rule for possible persistence via VMTools
2021-10-08 13:28:35 +05:45
e70d17745e
Update modified field
2021-10-07 18:42:22 +02:00
0ee777e3b4
Fix rule detection logic
...
Changed ParentImage to Image
2021-10-07 14:25:18 +03:00
4f86a245f8
Order file i correct directory
2021-10-05 07:30:43 +02:00
201708c097
Merge pull request #2103 from webboy2015/patch-1
...
Create win_lolbas_execution_of_nltest.exe.yaml
2021-10-05 07:24:05 +02:00
654b5b4bff
Update win_lolbas_execution_of_nltest.yml
2021-10-04 22:08:47 +02:00
dc030e0128
Merge pull request #2114 from austinsonger/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
...
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-03 08:24:52 +02:00
81d1bb0e2b
Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-02 13:32:20 -05:00
f652745924
Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml
2021-10-02 07:53:19 +02:00
e6b32b90af
Update win_lolbas_execution_of_nltest.exe
2021-10-02 07:25:11 +02:00
87df79302d
Update win_lolbas_execution_of_nltest.exe
...
Changed condition as follows:
detection:
selection:
EventID: 4689
ProcessName|endswith: nltest.exe
Status: "0x0"
condition: selection
Included field - SubjectDomainName
2021-10-01 12:55:37 -07:00
19a834e317
Merge pull request #2111 from TareqAlKhatib/master
...
Corrected Technique
2021-10-01 15:17:01 +02:00
0d22601112
Added Compromise Infrastructure: Web Services technique
2021-10-01 08:40:59 -04:00
04acba9c77
Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-09-30 19:58:21 -05:00
b0b95ce32b
Corrected Technique
2021-09-30 16:34:14 -04:00
e900945761
Update win_trust_discovery.yml
2021-09-30 19:26:14 +02:00
76224b0fb2
Added alternative nltest command parameter
...
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2chttps://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
056067086c
Create win_lolbas_execution_of_nltest.exe.yaml
...
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
ed1a1caa2e
Merge pull request #2098 from frack113/fix_tags
...
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
2ae2c35a7f
mispelled 'mshta.exe' in selection_base
...
it said 'mhsta.exe' and it should say 'mshta.exe'
2021-09-29 07:47:12 -05:00
4a66ea04bd
fix tags
2021-09-29 08:26:05 +02:00
a2418e4d2c
Added alternative command parameter
...
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-28 17:39:21 +02:00
c3222945ef
Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml
...
win_sysmon_driver_unload.yml
2021-09-28 16:22:43 +02:00
3e7b3073cf
Update win_sysmon_driver_unload.yml
2021-09-27 23:30:30 -05:00
b227f8459d
fix: typo in filename
2021-09-27 22:37:20 +02:00
ada966c5be
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-09-27 22:34:30 +02:00
cee44e6688
renamed files: lowercase
2021-09-27 22:33:30 +02:00
267da51745
The issues have been fixed
2021-09-24 22:18:00 +02:00
ecd4719a20
add new rule win_process_dump_rdrleakdiag
2021-09-24 18:22:06 +02:00
c59b0eb543
Merge pull request #2063 from frack113/last_global
...
Split Last Global Rules
2021-09-23 13:54:57 +02:00
3107ede1c4
Merge branch 'pr/2065'
2021-09-23 09:18:15 +02:00
ab613af365
Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
2021-09-22 22:24:24 -05:00
6e6d57b019
fix filename
2021-09-22 18:45:08 +02:00
9924cc3946
win-apt-greenbug-fix amend b64 value of /server= as seen in IOC
2021-09-22 10:33:04 -04:00
ab5f5f95bc
fix filename
2021-09-22 16:27:05 +02:00
3c906b52a0
fix filename
2021-09-22 16:21:07 +02:00
3ace73f9fd
win-apt-greenbug-fix - change modified date as well
2021-09-21 16:59:32 -04:00
993bf46550
win-apt-greenbug-fix small change to B64encoded value of '/server=' in detection criteria
2021-09-21 16:56:01 -04:00
8c13bd23b9
split global win_powershell_web_request
2021-09-21 13:44:19 +02:00
ba3c7a020a
split global win_root_certificate_installed.yml
2021-09-21 13:34:32 +02:00
6368a88ad3
split global win_software_discovery.yml
2021-09-21 13:28:47 +02:00
4718f914e9
split global sysmon_hack_dumpert.yml
2021-09-21 10:43:42 +02:00
318f8b714e
split global win_tool_psexec.yml
2021-09-21 10:10:48 +02:00
8909eefb90
Merge pull request #2052 from phantinuss/pr
...
xwizard dll sideloading
2021-09-20 12:35:42 +02:00
25a407e24f
Update win_dll_sideload_xwizard.yml
2021-09-20 10:56:37 +02:00
6c630502dc
Update win_dll_sideload_xwizard.yml
2021-09-20 10:54:53 +02:00
frack113