a371cf1057
fixup - unique rule id; use process_creation instead of sysmon EventID:1
2020-01-24 15:31:06 +01:00
c24bbdcf81
Sigma queries for
...
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
2020-01-24 15:31:06 +01:00
4f29556a01
Update win_susp_winword_wmidll_load.yml
...
Update x2
2020-01-24 15:31:06 +01:00
48a071ad4e
Update win_susp_winword_wmidll_load.yml
...
Fix to error on incorrect mitre tags used.
2020-01-24 15:31:06 +01:00
8fbe08d5fa
Update win_system_exe_anomaly.yml
...
fixing to much original fork.
2020-01-24 15:31:06 +01:00
9f3672fdc0
Update win_system_exe_anomaly.yml
...
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170
Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml
Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2020-01-24 15:31:06 +01:00
4260d01ff0
Initial Upload
...
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
2020-01-24 15:31:06 +01:00
5f8b152166
Added new sticky key attack binary
2020-01-24 15:31:06 +01:00
5d04c76f68
svchost spawned without cli
2020-01-24 15:31:06 +01:00
032c382184
corrected logic
2020-01-24 15:31:06 +01:00
991e3b8a51
Trickbot behavioral recon activity
2020-01-24 15:31:06 +01:00
9f7eee8bb1
Add the ability to detect PowerUp - Invoke-AllChecks
...
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
2020-01-24 15:31:06 +01:00
5aa75a90fd
added aws_root_account_usage.yml
2020-01-21 15:07:32 +02:00
0d6642abd6
added aws_config_disable_recording.yml
2020-01-21 15:07:10 +02:00
17c00d8a11
added aws_cloudtrail_disable_logging.yml
2020-01-21 15:06:44 +02:00
5f1e933b93
Merge pull request #588 from timbMSFT/timb
...
Sigma queries - defense evasion by tampering with svchost; recently released GALLIUM activity group IOCs
2020-01-20 10:06:06 +01:00
9bb50f3d60
OSCD QA wave 2
...
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
e35ebcc185
complete_cve_2019-19781
2020-01-15 21:59:33 +01:00
41c4a499b4
rule: added a reference
2020-01-15 21:27:40 +01:00
6db20d4bad
rule: windows audit cve
2020-01-15 21:23:32 +01:00
5ef64e4e99
rule: changes at Shitrix rule
2020-01-13 20:15:08 +01:00
a0bad54dbd
Merge pull request #592 from 2d4d/fix_web_citrix_cve_2019_19781_exploit.yml
...
add newbm.pl
2020-01-13 14:48:38 +01:00
b60671397d
Update win_lm_namedpipe.yml
2020-01-13 10:50:35 +01:00
ba7c634f1a
More changes
2020-01-13 09:59:14 +01:00
7bd820c151
Changes
2020-01-13 09:56:49 +01:00
ffcfcb70ad
Add files via upload
2020-01-13 13:21:06 +08:00
364e859a6b
add newbm.pl
2020-01-12 00:29:10 +01:00
ae6fcefbcd
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
8d6a507ec4
OSCD QA wave 1
...
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
b34bf98c61
Fixed rule: added condition
2020-01-07 15:20:16 +01:00
a29c832b6a
rule: updated netscaler rule
2020-01-07 14:42:16 +01:00
c9a75a8371
fix: shortened path in Citrix Netscaler rule
2020-01-07 13:00:28 +01:00
48f5f480fd
fix: SCCM false positives with whoami.exe rule
2020-01-07 12:13:47 +01:00
35fbdd1248
add rule for Citrix Netscaler CVE-2019-19781
2020-01-03 01:48:29 +01:00
b98e57603e
add rule for Citrix Netscaler CVE-2019-19781
2020-01-03 00:34:52 +01:00
9bd0402681
fixup - unique rule id; use process_creation instead of sysmon EventID:1
2020-01-02 20:05:28 +00:00
5051334e85
Sigma queries for
...
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
2020-01-02 14:47:55 +00:00
fd28a64591
rule: WCE
2019-12-31 09:27:38 +01:00
c007ecf90c
Merge pull request #585 from Neo23x0/devel
...
Devel
2019-12-30 15:08:43 +01:00
5980cb8d0c
rule: copy from admin share - lateral movement
2019-12-30 14:25:43 +01:00
86e6b92903
rule: SecurityXploded tool
2019-12-30 14:25:29 +01:00
5ad793e04a
Merge pull request #582 from tvjust/patch-1
...
Added new sticky key attack binary
2019-12-30 14:14:20 +01:00
948af2993b
Merge pull request #583 from msec1203/msec1203-submit-rule1
...
MS Office Doc Load WMI DLL Rule
2019-12-30 14:13:58 +01:00
dbdf6680e0
Update win_susp_winword_wmidll_load.yml
...
Update x2
2019-12-30 18:49:39 +09:00
a45f877712
Update win_susp_winword_wmidll_load.yml
...
Fix to error on incorrect mitre tags used.
2019-12-30 18:41:16 +09:00
f574c20432
Update win_system_exe_anomaly.yml
...
fixing to much original fork.
2019-12-29 18:02:49 +02:00
7e7f6d1182
Update win_system_exe_anomaly.yml
...
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170
Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml
Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
2019-12-29 18:01:19 +02:00
845d67f1f3
Initial Upload
...
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
2019-12-29 23:14:29 +09:00
a1f07cdb4b
Added new sticky key attack binary
2019-12-29 08:32:23 -05:00
4a65a25070
svchost spawned without cli
2019-12-28 10:28:08 -05:00
Tim Burrell (MSTIC)