f0b0f54500
Merge improved pull request #322
2019-04-21 23:56:36 +02:00
765fe9dcd9
Further improved Windows user creation rule
...
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
b47900fbee
Add default path to filter for explorer in exe anomaly rule
2019-04-21 17:42:47 +02:00
dd9648b31e
Revert "New Sigma rule detecting local user creation"
2019-04-21 09:09:25 +02:00
a85acdfd02
Changed title and description
2019-04-21 08:54:56 +02:00
0713360443
Fixed MITRE ATT&CK tags
2019-04-21 08:52:07 +02:00
49beb5d1a8
Integrated PR from @P4T12ICK in existing rule
...
PR #321
2019-04-21 00:28:40 +02:00
bdd184a24c
Merge pull request #322 from P4T12ICK/feature/win_user_creation
...
New Sigma rule detecting local user creation
2019-04-21 00:20:15 +02:00
80f45349ed
Modified rule
...
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
aab3dbee4f
Rule: Detect Empire PowerShell Default Cmdline Params
2019-04-20 09:38:41 +02:00
03d8184990
Rule: Extended PowerShell Susp Cmdline Enc Commands
2019-04-20 09:38:41 +02:00
5249279a66
Rule: another MSF payload user agent
2019-04-20 09:38:41 +02:00
d5fa51eab9
Merge pull request #305 from Karneades/patch-3
...
Remove too loose filter in notepad++ updater rule
2019-04-19 12:40:24 +02:00
e32708154f
Merge pull request #304 from Karneades/patch-2
...
Remove too loose filter in mshta rule
2019-04-19 09:51:45 +02:00
74dd008b10
FP note for HP software
2019-04-19 09:51:32 +02:00
d75ea35295
Restrict whitelist filter in system exe anomaly rule
2019-04-18 22:06:12 +02:00
8609fc7ece
New Sigma rule detecting local user creation
2019-04-18 19:59:43 +02:00
f78413deab
Merge pull request #309 from jmlynch/master
...
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
4808f49e0d
More exact path
2019-04-17 23:45:15 +02:00
1a4a74b64b
fix: dot mustn't be escaped
2019-04-17 23:44:36 +02:00
76780ccce2
Too many different trusted cscript imphashes
2019-04-17 23:33:56 +02:00
7c5f985f6f
Modifications
2019-04-17 23:30:49 +02:00
4298abffb7
Modifications
2019-04-17 23:29:29 +02:00
615a802a8e
Modifications
2019-04-17 23:26:20 +02:00
0e8a46aaf7
Update win_subp_svchost rule
...
Adding rpcnet.exe as ParentImage
2019-04-16 15:00:06 +02:00
17470d1545
Rule: extended parent list for legitimate svchost starts
...
https://twitter.com/Sam0x90/status/1117768799816753153
2019-04-15 14:54:35 +02:00
daaee558a1
Rule: added date to Tom's WMI rule
2019-04-15 09:06:53 +02:00
612a7642d2
Added Local directory
2019-04-15 08:47:53 +02:00
65b81dad32
Rule: Suspicious scripting in a WMI consumer
2019-04-15 08:13:35 +02:00
1d3159bef0
Rule: Extended Office Shell rule
2019-04-15 08:13:35 +02:00
d872c52a43
Add restricted filters to notepad++ gup.exe rule
2019-04-15 08:12:12 +02:00
1e262f5055
Merge pull request #303 from Karneades/patch-1
...
Remove too loose filter in wmi spwns powershell rule
2019-04-14 23:11:57 +02:00
cb0a87e21e
Merge pull request #316 from megan201296/patch-19
...
Update win_mal_ursnif.yml
2019-04-14 23:10:16 +02:00
08ec8597a5
Merge pull request #317 from megan201296/patch-20
...
Create apt_oceanlotus_registry.yml
2019-04-14 23:09:42 +02:00
74fce5f511
Create apt_oceanlotus_registry.yml
...
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ . Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
2019-04-14 12:01:52 -05:00
eb8a0636c5
Update win_mal_ursnif.yml
...
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml ). Changed to ignore the key name, confirmed that the key is still uniique.
2019-04-14 11:51:13 -05:00
51d19b36cc
Add new Sigma Rule for C2 DNS Tunneling
2019-04-13 20:28:55 +02:00
4b43db2aac
Add new Sigma Rule for C2 DNS Tunneling
2019-04-13 20:27:36 +02:00
75d36165fc
Remove non-generic falsepositives
...
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-11 12:53:12 +02:00
89fb726875
added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7
2019-04-09 09:45:07 -04:00
f0c8c428bb
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 08:07:30 -04:00
ca4b710c01
Added Sigma Use Case detecting Privilege Escalation Preparation in Linux
2019-04-07 15:36:19 +02:00
97376c00de
Fix condition
2019-04-04 22:33:32 +02:00
766b8b8d18
Fix condition
2019-04-04 22:32:47 +02:00
788e75ef1b
Fix condition
2019-04-04 22:32:21 +02:00
840eb2f519
Remove too loose filter in notepad updater rule
2019-04-04 22:25:05 +02:00
eb690d8902
Remove too loose filter in mshta rule
2019-04-04 22:16:24 +02:00
1915561351
Remove to loose wildcard from wmi spwns powershell rule
2019-04-04 22:12:28 +02:00
81693d81b6
Merge pull request #295 from sbousseaden/master
...
Create win_atsvc_task.yml
2019-04-04 18:32:13 +02:00
Thomas Patzke