04fd598bcf
Update additional rules to have correct logsource attributes
2020-07-13 17:02:17 -04:00
efe720d44e
Added new rule. AppLocker
2020-07-13 20:51:48 +00:00
f12cb7309b
fix: references is not a list
2020-07-13 17:37:03 +02:00
e3734aaa27
fix: missing upper tick
2020-07-08 15:53:04 +02:00
efae210556
adding google chrome to FP list
...
legitimate errors generated by Google Chrome are reported often.
Official google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
2020-07-08 16:44:41 +03:00
3c760fabc1
Merge pull request #745 from Rettila/master
...
Added new rules
2020-07-07 23:14:19 +02:00
de0bb36c51
Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785
2020-07-02 23:04:59 +02:00
77553e11e8
Update win_not_allowed_rdp_access.yml
2020-06-30 10:03:00 +02:00
502ec4b417
add win_not_allowed_rdp_access.yml rule
2020-06-26 22:15:53 +00:00
d385cbfa69
Fix quoting for AD Object WriteDAC Access
...
The AccessMask field needs to be quoted so that it is compared correctly.
2020-06-22 15:31:03 -04:00
5c0bb0e94f
Fixed indentation
2020-06-16 15:01:13 -06:00
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
f5aa871e5d
Identifiers shared between global document and rule gets overwritten
...
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
2020-06-15 13:14:31 -04:00
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
...
Fix 'source' value for win_susp_backup_delete
2020-05-25 10:48:36 +02:00
879ad6f206
Update win_susp_ntlm_rdp.yml
2020-05-22 13:32:02 +10:00
daa3c5e053
Update win_susp_ntlm_rdp.yml
2020-05-22 13:28:56 +10:00
0f8f5fb29c
Create win_susp_ntlm_rdp.yml
2020-05-22 13:24:27 +10:00
9ab65cd1c7
Update win_alert_ad_user_backdoors.yml
2020-05-19 14:50:22 +02:00
c815773b1a
enhancement rule
2020-05-19 18:05:51 +09:00
49f68a327a
enhancement rule
2020-05-19 18:00:50 +09:00
54cf535dbc
remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)
2020-05-15 04:45:25 -04:00
d510e1aad4
Fix 'source' value for win_susp_backup_delete
2020-05-11 18:31:59 +02:00
6ec74364f2
Create win_global_catalog_enumeration.yml
2020-05-11 17:40:47 +02:00
ccacedf621
Merge pull request #3 from Neo23x0/master
...
merge
2020-05-11 17:38:27 +02:00
07a50edf89
Update win_metasploit_authentication.yml
2020-05-07 14:42:00 +02:00
123a23adae
win_susp_failed_logon_source rule
2020-05-06 22:24:02 +02:00
6aed82a039
Update win_metasploit_authentication.yml
2020-05-06 17:04:47 +02:00
2beb65076c
Update win_metasploit_authentication.yml
2020-05-06 16:44:19 +02:00
7371ce234b
Create win_metasploit_authentication.yml
2020-05-06 16:42:27 +02:00
473c31232e
add additional reference
2020-05-05 19:25:33 +02:00
0e1fa5c135
Update win_possible_dc_shadow.yml
2020-05-05 18:14:32 +02:00
55d018255c
Update win_possible_dc_shadow.yml
2020-05-05 16:52:08 +02:00
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml
2020-05-05 16:51:35 +02:00
f27aa4bfee
Update win_possible_dc_sync.yml
2020-05-05 16:50:13 +02:00
db810b342f
Delete win_possible_dc_shadow.yml
2020-05-05 16:48:39 +02:00
e3f21805f3
Update win_possible_dc_shadow.yml
2020-05-05 16:43:56 +02:00
0f4cc9d365
Create win_possible_dc_shadow.yml
2020-05-05 16:40:52 +02:00
514bd8657b
Merge pull request #704 from Iveco/master
...
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-14 14:11:27 +02:00
5cbe008350
Casing
2020-04-14 13:39:22 +02:00
1f918253e8
Add additional reference
2020-04-13 11:09:36 -05:00
9cdb3a4a64
Fix typo
2020-04-13 11:09:00 -05:00
61b9234d7f
Update win_user_driver_loaded.yml
...
removed internal field
2020-04-09 11:28:19 +02:00
e913db0dca
Update win_user_driver_loaded.yml
...
CI
2020-04-08 18:54:59 +02:00
d0746b50f4
Update win_user_driver_loaded.yml
...
Fixed author
2020-04-08 18:41:16 +02:00
d1b9c0c34a
Update win_user_driver_loaded.yml
...
Fixed CI
2020-04-08 18:21:59 +02:00
e87f2705a7
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-08 18:01:04 +02:00
73a6428345
Update the NTLM downgrade registry paths
...
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package ). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
8dcbfd9aca
Add AD User Enumeration
...
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.
This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.
Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.
False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
Ryan Plas