6e349030d9
rule: suspicious camera and mic access
2020-06-08 10:18:44 +02:00
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
3697186281
fix: fixed title
2020-06-06 14:04:40 +02:00
246a95557b
fix: description over multiple lines
2020-06-06 13:56:48 +02:00
d54209dcc5
rule: ETW disabled
2020-06-06 13:56:19 +02:00
2e77e65285
rule: Covenant launchers
2020-06-05 11:03:28 +02:00
39b41b5582
rule: moved DebugView rule to process creation category
2020-05-28 10:13:38 +02:00
76dcc1a16f
rule: renamed debugview
2020-05-28 09:22:25 +02:00
4ca81b896d
rule: Turla ComRAT report
2020-05-26 14:19:22 +02:00
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
...
Fix 'source' value for win_susp_backup_delete
2020-05-25 10:48:36 +02:00
0afe0623af
Merge pull request #757 from tliffick/master
...
added rule for Blue Mockingbird (cryptominer)
2020-05-25 10:47:23 +02:00
6fcf3f9ebf
Update win_netsh_fw_add.yml
2020-05-25 10:13:26 +02:00
28652e4648
Add Windows Server 2008 and Windows Vista support
...
It did not support the command `netsh advfirewall firewall add`
2020-05-25 10:02:13 +02:00
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml
...
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check.
Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
2020-05-25 09:50:47 +02:00
b8ee736f44
Remove AppData folder as suspicious folder
...
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)
Too many to whitelist them all
2020-05-24 15:16:07 +02:00
6fbfa9dfdd
Merge pull request #793 from Neo23x0/rule-devel
...
Esentutl rule and StrongPity Loader UA
2020-05-23 23:47:12 +02:00
3028a27055
fix: buggy rule
2020-05-23 18:32:02 +02:00
df715386b6
rule: suspicious esentutl use
2020-05-23 18:27:36 +02:00
67faf4bd41
fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml
2020-05-23 10:56:23 -04:00
9cd9a301c2
Merge pull request #791 from SanWieb/master
...
added rule for Netsh RDP port opening
2020-05-23 16:50:31 +02:00
10ca3006f5
move rule where needed
2020-05-23 10:07:55 -04:00
d9bc09c38c
fix test
2020-05-23 10:02:58 -04:00
78a7852a43
renamed dbghelp rule with new ID and comment and removed a false positive
2020-05-23 09:16:40 -04:00
d310805ed9
rule: Netsh RDP port opening
2020-05-23 14:19:52 +02:00
75ba5f989c
add 1 more FP to wmi load
2020-05-23 07:44:45 -04:00
9a7f462d79
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
cfde0625f5
fix false positive matching on every powershell process not run by SYSTEM account
2020-05-23 07:05:09 -04:00
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel
...
refactor: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:54:43 +02:00
34006d0794
refactor: simplified and extended expression in CVE-2020-1048 rule
2020-05-23 09:16:19 +02:00
57c8e63acd
refactore: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:09:58 +02:00
ec17c2ab56
filter on createkey only when needed
2020-05-22 10:37:00 -04:00
91c4c4ecc5
refactor: slightly improved Greenbug rule
2020-05-21 13:38:11 +02:00
9a3b6c1c77
docs: added MITRE ATT&CK group tag
2020-05-21 09:44:11 +02:00
344eb713c5
rule: Greenbug campaign
2020-05-21 09:39:57 +02:00
0dd089db47
various rules cleaning
2020-05-18 20:29:53 -04:00
96fae4be68
Added CrachMapExec rules
2020-05-22 00:50:37 +02:00
64e0e7ca72
Merge pull request #784 from Neo23x0/rule-devel
...
refactor: slightly improved Greenbug rule
2020-05-21 14:19:09 +02:00
bbf78374b6
Merge pull request #783 from Neo23x0/rule-devel
...
Greenbug Rule
2020-05-21 09:55:46 +02:00
e7980bb434
Merge pull request #782 from ZikyHD/patch-1
...
Remove duplicate 'CommandLine' in fields
2020-05-20 12:55:41 +02:00
8963c0a65e
Remove duplicate 'CommandLine' in fields
2020-05-20 11:54:47 +02:00
9ab65cd1c7
Update win_alert_ad_user_backdoors.yml
2020-05-19 14:50:22 +02:00
c815773b1a
enhancement rule
2020-05-19 18:05:51 +09:00
49f68a327a
enhancement rule
2020-05-19 18:00:50 +09:00
1aa97fe577
flake 8
2020-05-18 10:03:18 -04:00
088800cd18
fix rule due to sigmac bug?
2020-05-18 09:39:48 -04:00
e89613aee0
add some false positives checks
2020-05-18 07:19:06 -04:00
8154ca355a
Merge pull request #768 from maximelb/master
...
Remove "condition" from global rule in CVE-2020-1048.
2020-05-18 12:52:49 +02:00
25d3a5a893
Remove "condition" from global rule.
...
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
2020-05-17 12:44:57 -07:00
a46e357874
Merge branch 'master' into rule-devel
2020-05-16 08:59:34 +02:00
d5e7d4e302
fix: missing condition in CVE-2020-1048 rule
2020-05-16 08:59:05 +02:00
Florian Roth