fd06cde641
Rule: Detect base64 encoded PowerShell shellcode
...
https://twitter.com/cyb3rops/status/1063072865992523776
2018-11-17 09:10:09 +01:00
23eddafb39
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
cd5950749e
revert to upstream
2018-11-15 08:45:25 +03:00
742192b452
Merge pull request #4 from Neo23x0/master
...
fetch updates from upstream
2018-11-15 08:32:33 +03:00
b92c032c2d
Linux JexBoss back connect shell
2018-11-08 23:21:36 +01:00
9bfdcba400
Update win_alert_ad_user_backdoors.yml
...
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
2018-11-05 21:08:19 -05:00
37294d023f
Suspicious svchost.exe executions
2018-10-30 09:37:40 +01:00
580692aab4
Improved procdump on lsass rule
2018-10-30 09:37:40 +01:00
ff98991c80
Fixed rule
2018-10-18 16:20:51 +02:00
a2da73053d
Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9
2018-10-18 16:16:57 +02:00
732de3458f
Merge pull request #186 from megan201296/patch-15
...
Update sysmon_cmstp_com_object_access.yml
2018-10-18 15:49:06 +02:00
fdd0823e07
Merge pull request #187 from megan201296/patch-16
...
Additional MITRE ATT&CK Tagging
2018-10-18 15:38:11 +02:00
3c3b14a26b
rule: new malware UA
2018-10-10 15:27:58 +02:00
fd34437575
fix: fixed date in rule
2018-10-10 15:27:58 +02:00
fdd264d946
Update sysmon_susp_powershell_rundll32.yml
2018-10-09 19:11:47 -05:00
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml
2018-10-09 19:11:17 -05:00
b0983047eb
Update sysmon_powersploit_schtasks.yml
2018-10-09 19:10:37 -05:00
2f533c54b3
Update sysmon_powershell_network_connection.yml
2018-10-09 19:10:17 -05:00
1b92a158b5
Add MITRE ATT&CK Tagging
2018-10-09 19:09:19 -05:00
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml
...
Edit tule logic for `and` instead of `or
2018-10-09 19:03:30 -05:00
7997cb3001
Remove duplicate value
2018-10-08 13:00:59 -05:00
54678fcb36
Rule: CertUtil UA
...
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
85f0ddd188
Delete win_alert_LSASS_access.yml
2018-10-02 16:48:09 +02:00
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml
2018-10-02 08:56:09 +02:00
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml
2018-10-02 08:55:48 +02:00
aafe9c6dae
Delete sysmon_lethalHTA.yml
2018-10-02 08:55:19 +02:00
dec7568d4c
Rule simplification
...
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
...
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
a2c6f344ba
Lower case T
2018-09-26 11:44:12 +02:00
f35308a4d3
Missing Character
...
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
edf8dde958
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
c73a9e4164
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
...
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.
We could also use both the Image path and the Command Line.
Message : Process Create:
Image: C:\Windows\SysWOW64\certutil.exe
CommandLine: certutil xx -decode xxx
Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
cc82207882
Add group by to win multiple suspicious cli rule
...
* For the detection it's important that these cli
tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
7311d727ba
Rule: AV alerts - password dumper
2018-09-09 11:04:27 +02:00
84b8eb5154
Rule: AV alerts - exploiting frameworks
2018-09-09 11:04:27 +02:00
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel
...
Suspicious SYSVOL Domain Group Policy Access
2018-09-08 15:56:54 +02:00
6f5a73b2e2
style: renamed rule files to all lower case
2018-09-08 10:27:19 +02:00
68896d9294
style: renamed rule files to all lower case
2018-09-08 10:25:20 +02:00
788678feb8
Merge pull request #165 from JohnLaTwC/patch-1
...
Create win_susp_powershell_hidden_b64_cmd.yml
2018-09-08 10:23:05 +02:00
5d714ab44e
Rule: Added malware UA
2018-09-08 10:22:26 +02:00
d0f2fbb6d6
Merge pull request #161 from megan201296/patch-12
...
Fix typo
2018-09-08 10:21:20 +02:00
3f444b5fc2
Merge pull request #162 from megan201296/patch-13
...
Added .yml extension and fix typo
2018-09-08 10:21:00 +02:00
863736587c
Adding ATTCK
2018-09-08 09:34:27 +02:00
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml
...
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
2018-09-07 20:23:11 -07:00
d866097c07
CobaltStrike Malleable Amazon browsing traffic profile
2018-09-07 19:52:35 +02:00
cf48a77d5a
Adding CMStar user-agent "O/9.27 (W; U; Z)"
2018-09-07 09:07:24 +02:00
3154be82f3
Added .yml extension and fix typo
2018-09-06 20:28:22 -05:00
Florian Roth