77553e11e8
Update win_not_allowed_rdp_access.yml
2020-06-30 10:03:00 +02:00
502ec4b417
add win_not_allowed_rdp_access.yml rule
2020-06-26 22:15:53 +00:00
d385cbfa69
Fix quoting for AD Object WriteDAC Access
...
The AccessMask field needs to be quoted so that it is compared correctly.
2020-06-22 15:31:03 -04:00
5c0bb0e94f
Fixed indentation
2020-06-16 15:01:13 -06:00
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
f5aa871e5d
Identifiers shared between global document and rule gets overwritten
...
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
2020-06-15 13:14:31 -04:00
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
...
Fix 'source' value for win_susp_backup_delete
2020-05-25 10:48:36 +02:00
9ab65cd1c7
Update win_alert_ad_user_backdoors.yml
2020-05-19 14:50:22 +02:00
c815773b1a
enhancement rule
2020-05-19 18:05:51 +09:00
49f68a327a
enhancement rule
2020-05-19 18:00:50 +09:00
54cf535dbc
remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)
2020-05-15 04:45:25 -04:00
d510e1aad4
Fix 'source' value for win_susp_backup_delete
2020-05-11 18:31:59 +02:00
123a23adae
win_susp_failed_logon_source rule
2020-05-06 22:24:02 +02:00
473c31232e
add additional reference
2020-05-05 19:25:33 +02:00
0e1fa5c135
Update win_possible_dc_shadow.yml
2020-05-05 18:14:32 +02:00
55d018255c
Update win_possible_dc_shadow.yml
2020-05-05 16:52:08 +02:00
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml
2020-05-05 16:51:35 +02:00
f27aa4bfee
Update win_possible_dc_sync.yml
2020-05-05 16:50:13 +02:00
db810b342f
Delete win_possible_dc_shadow.yml
2020-05-05 16:48:39 +02:00
e3f21805f3
Update win_possible_dc_shadow.yml
2020-05-05 16:43:56 +02:00
0f4cc9d365
Create win_possible_dc_shadow.yml
2020-05-05 16:40:52 +02:00
514bd8657b
Merge pull request #704 from Iveco/master
...
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-14 14:11:27 +02:00
5cbe008350
Casing
2020-04-14 13:39:22 +02:00
1f918253e8
Add additional reference
2020-04-13 11:09:36 -05:00
9cdb3a4a64
Fix typo
2020-04-13 11:09:00 -05:00
61b9234d7f
Update win_user_driver_loaded.yml
...
removed internal field
2020-04-09 11:28:19 +02:00
e913db0dca
Update win_user_driver_loaded.yml
...
CI
2020-04-08 18:54:59 +02:00
d0746b50f4
Update win_user_driver_loaded.yml
...
Fixed author
2020-04-08 18:41:16 +02:00
d1b9c0c34a
Update win_user_driver_loaded.yml
...
Fixed CI
2020-04-08 18:21:59 +02:00
e87f2705a7
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-08 18:01:04 +02:00
73a6428345
Update the NTLM downgrade registry paths
...
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package ). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
8dcbfd9aca
Add AD User Enumeration
...
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.
This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.
Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.
False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
...
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
3f577c98e7
Title capalized
2020-03-26 17:03:33 +01:00
39a3af04ce
Fixed title length
2020-03-26 16:56:06 +01:00
ddacde9e6b
add LDAPFragger detections
2020-03-26 15:13:36 +01:00
3c74d8b87d
Add correct Source to detection to avoid FP
2020-03-24 19:49:24 +01:00
4b572f3ccb
newline in description - typo
2020-03-14 14:58:58 -04:00
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1
...
MMC Lateral Movement Rule 1
2020-03-07 11:02:16 +01:00
2e184382f5
fix: eventid in process_creation rules
2020-03-07 10:43:47 +01:00
b040c129be
fix: author field starting with an '@' symbol
2020-03-07 10:38:02 +01:00
ae56db97ff
mmc lateral movement detection 1
...
see https://github.com/Neo23x0/sigma/issues/576
2020-03-04 14:57:41 -05:00
d4b5dd5749
Exclude Azure AD sync accounts from AD Replication rule
2020-03-02 16:43:20 +01:00
19d383989c
fix: keyword expression in rule
2020-02-29 16:03:31 +01:00
fa6458b70f
rule: two rules to detect CVE-2020-0688 exploitation
2020-02-29 15:45:45 +01:00
61d31c3f3a
Fixed tagging
2020-02-20 23:51:12 +01:00
373424f145
Rule fixes
...
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
7f3f1944d9
fix redundancy
2020-02-18 01:10:56 +03:00
Florian Roth