fc1febdebe
Update sysmon_susp_service_installed.yml
...
Fixed Author
2020-04-08 18:41:25 +02:00
d0746b50f4
Update win_user_driver_loaded.yml
...
Fixed author
2020-04-08 18:41:16 +02:00
3280a1dfb0
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
Fixed CI
2020-04-08 18:23:29 +02:00
5e724a0a54
Update sysmon_susp_service_installed.yml
...
Fixed CI
2020-04-08 18:22:51 +02:00
d1b9c0c34a
Update win_user_driver_loaded.yml
...
Fixed CI
2020-04-08 18:21:59 +02:00
e87f2705a7
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-08 18:01:04 +02:00
73a6428345
Update the NTLM downgrade registry paths
...
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package ). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml
2020-04-03 16:50:48 +02:00
81d0f82272
Create new rule T1223
...
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master
...
New sigma rules to detect new MITRE technique in last update (T1502)
2020-04-03 09:59:36 +02:00
f4928e95bc
Update powershell_suspicious_profile_create.yml
2020-04-03 09:36:17 +02:00
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
...
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1
...
Typo fix for powershell_suspicious_invocation_generic.yml
2020-04-03 09:30:32 +02:00
dec0c108f9
Merge pull request #683 from NVISO-BE/powershell_wmimplant
...
WMImplant detection rule
2020-04-02 11:54:09 +02:00
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
97c0872c81
Date typo.
2020-04-02 09:53:09 +02:00
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped.
2020-04-01 18:18:13 +02:00
18cdddb09e
Small typo
2020-03-31 15:22:00 +02:00
8dcbfd9aca
Add AD User Enumeration
...
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.
This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.
Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.
False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
b791d599ee
Disabled keywords that could cause FPs
2020-03-30 08:53:52 +02:00
1a3731f7ae
Typo fix for powershell_suspicious_invocation_generic.yml
...
' - windowstyle hidden ' changed to ' -windowstyle hidden '
2020-03-29 04:16:15 -06:00
8ea6b12eed
Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini
...
Add "Suspicious desktop.ini Action" rule
2020-03-28 13:34:01 +01:00
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
...
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
e2b90220a2
Update sysmon_susp_desktop_ini.yml
2020-03-28 13:19:10 +01:00
bbb10a51f4
Update win_powershell_downgrade_attack.yml
2020-03-28 13:17:58 +01:00
0e94eb9e86
Update win_powershell_downgrade_attack.yml
2020-03-28 13:12:07 +01:00
2426b39d83
Merge pull request #678 from justintime/title_collision
...
Eliminate title collision
2020-03-28 12:57:55 +01:00
f52ed4150d
WMImplant parameter detection
2020-03-27 15:08:35 +01:00
55258e1799
Title capitalized
2020-03-26 17:04:08 +01:00
3f577c98e7
Title capalized
2020-03-26 17:03:33 +01:00
68c20dca20
Fixed title length
2020-03-26 16:56:46 +01:00
39a3af04ce
Fixed title length
2020-03-26 16:56:06 +01:00
dabc759136
Eliminate title collision
...
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
ddacde9e6b
add LDAPFragger detections
2020-03-26 15:13:36 +01:00
28953a2942
fix: MITRE tags in rule
2020-03-25 18:11:04 +01:00
6584729a0d
rule: powershell downloadfile
2020-03-25 14:58:14 +01:00
35e43db7a7
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
17297193c7
Merge branch 'master' into devel
2020-03-25 14:18:11 +01:00
50b0d04ee8
rule: Exploited CVE-2020-10189 Zoho ManageEngine
2020-03-25 14:02:53 +01:00
28d8b87a0f
rule: extended web shell spawn rule
2020-03-25 14:02:39 +01:00
1d86e0b4a5
Change falsepositives to array
2020-03-24 19:59:54 +01:00
c784adb10b
Wrong indentation falsepositives
2020-03-24 19:55:41 +01:00
98a633e54c
Add missing status and falsepositives
2020-03-24 19:53:41 +01:00
3c74d8b87d
Add correct Source to detection to avoid FP
2020-03-24 19:49:24 +01:00
bc442d3021
Add path with lowercase system32
2020-03-24 19:48:24 +01:00
78bfa950d7
Add WinPrvSE.exe to detection
2020-03-24 19:47:10 +01:00
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
...
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
ba3994f319
Fix of '1 of x' condition
2020-03-21 12:19:01 +01:00
81b277ba1a
suspicious powershell parent process...
2020-03-21 00:26:30 +01:00
a88b22a1bd
Fix namefield.
2020-03-20 23:34:15 +01:00
Iveco