0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
5f6a4225ec
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
9835950f04
rule: SID to AD object rule level adjusted
2019-11-09 12:49:54 +01:00
68fd20cb66
fix: bound windows event log rules to message field
...
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
2019-11-02 11:25:29 +01:00
98f0d01b2e
rule: mimikatz use extended
2019-10-11 18:50:33 +02:00
ec5bb71049
fix: Mimikatz DC Sync rule FP description and level
2019-10-08 17:45:10 +02:00
14971a7b9c
fix: FPs with Mimikatz DC Sync rule
2019-10-08 17:44:00 +02:00
60ef593a6f
Fixed wrong backslash escaping of *
...
Fixes issue #466
2019-10-07 22:14:44 +02:00
36bcd1c54e
Merge pull request #443 from EccoTheFlintstone/aduserbck
...
fix FP : field null value can be '-'
2019-09-25 17:43:22 +02:00
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin
...
rule: user added to local administrator: handle non english systems b…
2019-09-25 17:29:41 +02:00
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix
...
Ruler fix
2019-09-25 17:26:55 +02:00
a644b938a0
fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0)
2019-09-23 05:44:26 -04:00
6a7f7e0f76
add microsoft reference for events fields names
2019-09-23 05:21:30 -04:00
d48b63a235
ruler rule field name fix for eventID 4776
2019-09-23 05:17:35 -04:00
5ae46ac56d
rule: user added to local administrator: handle non english systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
fe93d84015
fix FP : field null value can be '-'
2019-09-06 05:14:58 -04:00
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
...
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
...
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
9143e89f3e
Rule: renamed and reworked hacktool Ruler rule
2019-07-26 14:49:09 +02:00
2c57b443e4
docs: modification date in rule
2019-07-17 09:21:35 +02:00
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
...
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
e8b9a6500e
author string modified
2019-07-17 07:02:59 +03:00
a295334355
win_susp_dhcp_config_failed fixed
2019-07-17 07:01:58 +03:00
bb1c040b1b
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-07-17 06:19:18 +03:00
803f2d4074
changed logic to detect events related to sid history adding
2019-07-17 04:28:21 +03:00
310e3b7a44
rules/windows/builtin/win_susp_add_sid_history.yml improved
2019-07-17 03:55:02 +03:00
e2050404bc
prevent EventID collision for dhcp
...
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
2019-07-16 15:30:52 -04:00
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
960cd69d50
Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4
2019-06-19 23:34:25 +02:00
d7443d71a4
Create win_pass_the_hash_2.yml
...
alternative detection methods
2019-06-14 18:08:36 +03:00
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
765fe9dcd9
Further improved Windows user creation rule
...
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
80f45349ed
Modified rule
...
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
8609fc7ece
New Sigma rule detecting local user creation
2019-04-18 19:59:43 +02:00
c4b8f75940
Update win_lm_namedpipe.yml
2019-04-04 18:22:50 +02:00
22958c45a3
Update win_GPO_scheduledtasks.yml
2019-04-03 21:50:55 +02:00
b4ac9a432f
Update win_susp_psexec.yml
2019-04-03 21:50:25 +02:00
353e457104
Update win_lm_namedpipe.yml
2019-04-03 21:49:58 +02:00
d5818a417b
Update win_impacket_secretdump.yml
2019-04-03 21:49:30 +02:00
9c5575d003
Update win_atsvc_task.yml
2019-04-03 21:48:38 +02:00
edb98f2781
Update win_account_discovery.yml
2019-04-03 21:40:59 +02:00
eda5298457
Create win_account_backdoor_dcsync_rights.yml
2019-04-03 16:16:05 +02:00
0756b00cdf
Create win_susp_psexec.yml
2019-04-03 15:59:46 +02:00
9c1a5a5264
Create win_lm_namedpipe.yml
2019-04-03 15:48:42 +02:00
56b68a0266
Create win_GPO_scheduledtasks.yml
2019-04-03 15:36:24 +02:00
Thomas Patzke