d5c7b4795d
Add files via upload
2020-01-30 11:29:01 +08:00
376092cfd3
Merge pull request #565 from RiccardoAncarani/master
...
Add Covenant default named pipe
2020-01-29 20:28:00 +01:00
a816f4775f
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
7786edac29
rule: dctask64.exe evasion techniques
...
https://twitter.com/gN3mes1s/status/1222088214581825540
2020-01-28 11:29:24 +01:00
d48fc9d1ff
fix: multiple false positive conditions
2020-01-28 10:11:09 +01:00
240b764660
rule: reduced level of system time mod rule
2020-01-27 14:30:09 +01:00
5f0589b787
rule: mstsc shadowing
2020-01-24 16:18:19 +01:00
e24ea159f3
rule: split up renamed binary rule
2020-01-24 15:31:07 +01:00
4066ae6371
rule: added a reference
2020-01-24 15:31:06 +01:00
11607a8621
rule: windows audit cve
2020-01-24 15:31:06 +01:00
a4e62fcb1b
Update win_lm_namedpipe.yml
2020-01-24 15:31:06 +01:00
c24bbdcf81
Sigma queries for
...
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
2020-01-24 15:31:06 +01:00
4f29556a01
Update win_susp_winword_wmidll_load.yml
...
Update x2
2020-01-24 15:31:06 +01:00
48a071ad4e
Update win_susp_winword_wmidll_load.yml
...
Fix to error on incorrect mitre tags used.
2020-01-24 15:31:06 +01:00
8fbe08d5fa
Update win_system_exe_anomaly.yml
...
fixing to much original fork.
2020-01-24 15:31:06 +01:00
9f3672fdc0
Update win_system_exe_anomaly.yml
...
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170
Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml
Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2020-01-24 15:31:06 +01:00
4260d01ff0
Initial Upload
...
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
2020-01-24 15:31:06 +01:00
5f8b152166
Added new sticky key attack binary
2020-01-24 15:31:06 +01:00
5d04c76f68
svchost spawned without cli
2020-01-24 15:31:06 +01:00
032c382184
corrected logic
2020-01-24 15:31:06 +01:00
991e3b8a51
Trickbot behavioral recon activity
2020-01-24 15:31:06 +01:00
9f7eee8bb1
Add the ability to detect PowerUp - Invoke-AllChecks
...
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
2020-01-24 15:31:06 +01:00
9bb50f3d60
OSCD QA wave 2
...
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
ba7c634f1a
More changes
2020-01-13 09:59:14 +01:00
7bd820c151
Changes
2020-01-13 09:56:49 +01:00
ffcfcb70ad
Add files via upload
2020-01-13 13:21:06 +08:00
ae6fcefbcd
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
8d6a507ec4
OSCD QA wave 1
...
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
b34bf98c61
Fixed rule: added condition
2020-01-07 15:20:16 +01:00
48f5f480fd
fix: SCCM false positives with whoami.exe rule
2020-01-07 12:13:47 +01:00
fd28a64591
rule: WCE
2019-12-31 09:27:38 +01:00
c007ecf90c
Merge pull request #585 from Neo23x0/devel
...
Devel
2019-12-30 15:08:43 +01:00
5980cb8d0c
rule: copy from admin share - lateral movement
2019-12-30 14:25:43 +01:00
86e6b92903
rule: SecurityXploded tool
2019-12-30 14:25:29 +01:00
5ad793e04a
Merge pull request #582 from tvjust/patch-1
...
Added new sticky key attack binary
2019-12-30 14:14:20 +01:00
948af2993b
Merge pull request #583 from msec1203/msec1203-submit-rule1
...
MS Office Doc Load WMI DLL Rule
2019-12-30 14:13:58 +01:00
dbdf6680e0
Update win_susp_winword_wmidll_load.yml
...
Update x2
2019-12-30 18:49:39 +09:00
a45f877712
Update win_susp_winword_wmidll_load.yml
...
Fix to error on incorrect mitre tags used.
2019-12-30 18:41:16 +09:00
f574c20432
Update win_system_exe_anomaly.yml
...
fixing to much original fork.
2019-12-29 18:02:49 +02:00
7e7f6d1182
Update win_system_exe_anomaly.yml
...
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170
Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml
Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2019-12-29 18:01:19 +02:00
845d67f1f3
Initial Upload
...
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
2019-12-29 23:14:29 +09:00
a1f07cdb4b
Added new sticky key attack binary
2019-12-29 08:32:23 -05:00
4a65a25070
svchost spawned without cli
2019-12-28 10:28:08 -05:00
35b4806104
corrected logic
2019-12-28 09:55:39 -05:00
474a8617e5
Trickbot behavioral recon activity
2019-12-27 21:25:53 -05:00
f45587074b
Add the ability to detect PowerUp - Invoke-AllChecks
...
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
2019-12-23 11:50:57 +01:00
fc8607bbea
rule: whoami as local system
2019-12-22 18:50:26 +01:00
fb76f2b9ac
rule: CreateMiniDump
2019-12-22 08:29:12 +01:00
511229c0b6
rule: modified Bloodhound rule
2019-12-21 21:22:13 +01:00
1fd4c26005
Merge pull request #569 from Neo23x0/devel
...
rule: improved bloodhound rule
2019-12-20 17:32:21 +01:00
sreemanshanker