dd1a0e764c
docs: more false positive conditions
2020-02-25 11:13:58 +01:00
5d96f81a84
fix: lowered level due to false positives
2020-02-25 11:12:11 +01:00
48d95f027c
Merge branch 'oscd'
2020-02-20 23:11:57 +01:00
373424f145
Rule fixes
...
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
a4c210ed16
rule: remove keywords in powershell rule prone to FPs
2020-02-11 16:26:17 +01:00
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
815c562a17
Merge branch 'master' into oscd
2020-02-02 13:40:08 +01:00
f59b36d891
Fixed rule
2020-02-02 12:54:56 +01:00
593abb1cce
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
7a222920df
added 'date'
2020-01-31 15:27:30 +01:00
913c839780
added 'id'
2020-01-31 15:26:43 +01:00
848e0c90e4
Merge branch 'master' into master
2020-01-31 14:45:29 +01:00
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
9bb50f3d60
OSCD QA wave 2
...
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
ae6fcefbcd
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
8d6a507ec4
OSCD QA wave 1
...
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
f45587074b
Add the ability to detect PowerUp - Invoke-AllChecks
...
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
2019-12-23 11:50:57 +01:00
924e1feb54
UUIDs + moved unsupported logic
...
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
testing.
2019-12-19 23:56:36 +01:00
694d666539
Merge branch 'master' into oscd
2019-12-19 23:15:15 +01:00
e251568760
Data Compressed duplciate titles
2019-12-09 16:24:10 +00:00
d5722979ea
add rules by Daniel Bohannon
2019-11-27 00:02:45 +01:00
efc404fbae
resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml
2019-11-19 02:11:19 +01:00
cd69111522
Merge branch 'oscd' into master
2019-11-14 00:36:34 +03:00
c8ee6e9631
Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov
...
[OSCD] Ilyas Ochkov contribution
2019-11-14 00:22:48 +03:00
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
5f6a4225ec
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
b7c3f8da91
refactor: cleanup, single element lists, renamed files, level adjustments
2019-11-12 12:55:05 +01:00
0db5436778
add tieto dns exfil rules
2019-11-10 20:27:21 +03:00
bdac415fea
Merge pull request #486 from yugoslavskiy/tieto_oscd
...
[OSCD] Tieto DNS exfiltration rules
2019-11-10 19:36:02 +03:00
4fa928866f
oscd task #6 done.
...
add 25 new rules:
- win_ad_replication_non_machine_account.yml
- win_dpapi_domain_backupkey_extraction.yml
- win_protected_storage_service_access.yml
- win_dpapi_domain_masterkey_backup_attempt.yml
- win_sam_registry_hive_handle_request.yml
- win_sam_registry_hive_dump_via_reg_utility.yml
- win_lsass_access_non_system_account.yml
- win_ad_object_writedac_access.yml
- powershell_alternate_powershell_hosts.yml
- sysmon_remote_powershell_session_network.yml
- win_remote_powershell_session.yml
- win_scm_database_handle_failure.yml
- win_scm_database_privileged_operation.yml
- sysmon_wmi_module_load.yml
- sysmon_remote_powershell_session_process.yml
- sysmon_rdp_registry_modification.yml
- sysmon_powershell_execution_pipe.yml
- sysmon_alternate_powershell_hosts_pipe.yml
- sysmon_powershell_execution_moduleload.yml
- sysmon_createremotethread_loadlibrary.yml
- sysmon_alternate_powershell_hosts_moduleload.yml
- powershell_remote_powershell_session.yml
- win_non_interactive_powershell.yml
- win_syskey_registry_access.yml
- win_wmiprvse_spawning_process.yml
improve 1 rule:
- rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
2019-11-10 18:43:41 +03:00
127335a0ec
Merge pull request #482 from yugoslavskiy/master
...
[OSCD][The ThreatHunter-Playbook] Task 6: DONE
2019-11-10 17:27:54 +03:00
82f23c5f63
Merge pull request #477 from zinint/oscd
...
add 13 new rules:
- rules/linux/auditd/lnx_auditd_masquerading_crond.yml
- rules/linux/auditd/lnx_auditd_user_discovery.yml
- rules/linux/auditd/lnx_data_compressed.yml
- rules/linux/auditd/lnx_network_sniffing.yml
- rules/windows/powershell/powershell_data_compressed.yml
- rules/windows/powershell/powershell_winlogon_helper_dll.yml
- rules/windows/process_creation/win_change_default_file_association.yml
- rules/windows/process_creation/win_data_compressed_with_rar.yml
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml
- rules/windows/process_creation/win_network_sniffing.yml
- rules/windows/process_creation/win_query_registry.yml
- rules/windows/process_creation/win_service_execution.yml
- rules/windows/process_creation/win_xsl_script_processing.yml
modify 1 rule:
- rules/windows/process_creation/win_possible_applocker_bypass.yml
2019-11-05 04:55:29 +03:00
ac95d840b4
Update powershell_winlogon_helper_dll.yml
2019-11-05 04:33:07 +03:00
c147863eb3
Update powershell_data_compressed.yml
2019-11-05 02:38:36 +03:00
2679baddcd
Delete powershell_network_sniffing.yml
2019-11-04 23:46:43 +03:00
12ef86fcbe
t1040
2019-10-30 23:18:37 +03:00
f4e9690d6b
Merge pull request #508 from Karneades/fixRule3
...
fix: bound keywords to field in multiple PS rules
2019-10-29 22:34:08 +01:00
78d8ca2b41
Merge pull request #507 from Karneades/fixRule2
...
fix: bound keywords to field in PS cred prompt rule
2019-10-29 22:31:01 +01:00
ab5556ae8c
fix: change keyword and bound it to a field
2019-10-29 19:59:43 +01:00
aafab2e936
fix: bound keywords to field in multiple PS rules
...
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
2019-10-29 19:53:18 +01:00
f31750e567
fix: bound keywords to field in PS cred prompt rule
2019-10-29 19:43:04 +01:00
cb6eb35913
adding some more suspicious PS keywords
...
found in multiple internally analyzed malicious scripts (in the wild and as result of engagements)
2019-10-28 22:14:14 -07:00
4251d9f490
ilyas ochkov contribution
2019-10-29 03:44:22 +03:00
5eb484a062
add tieto dns exfiltration rules
2019-10-25 04:30:55 +02:00
4fb9821b49
added:
...
win_non_interactive_powershell.yml
win_remote_powershell_session.yml
win_wmiprvse_spawning_process.yml
powershell_alternate_powershell_hosts.yml
powershell_remote_powershell_session.yml
sysmon_alternate_powershell_hosts_moduleload.yml
sysmon_alternate_powershell_hosts_pipe.yml
sysmon_non_interactive_powershell_execution.yml
sysmon_powershell_execution_moduleload.yml
sysmon_powershell_execution_pipe.yml
sysmon_remote_powershell_session_network.yml
sysmon_remote_powershell_session_process.yml
sysmon_wmi_module_load.yml
sysmon_wmiprvse_spawning_process.yml
2019-10-24 15:48:38 +02:00
aef5fa3c2b
Rename powershell_winlogon_helper_dll.yaml to powershell_winlogon_helper_dll.yml
2019-10-24 16:37:38 +03:00
5a98fdbbbd
ART t1004
2019-10-24 16:33:29 +03:00
317e9d3df9
PS Data Compressed attack.t1002
...
PS Data Compressed attack.t1002
2019-10-24 15:43:46 +03:00
01956f1312
powershell false positives
2019-09-06 03:54:19 -04:00
Florian Roth