491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
4e96666c04
Merge pull request #336 from petermat/added_rule_T1156
...
added rule .bash_profile and .bashrc T1156
2019-05-30 22:43:33 +02:00
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
7c1e856095
Merge pull request #353 from lprat/master
...
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
7b63c92fc0
Rule: applying recommendation
...
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
b60cfbe244
Added password flag
2019-05-22 13:20:26 +02:00
346022cfe8
Transformed to process creation rule
2019-05-22 12:50:49 +02:00
4a775650a2
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:36:03 +02:00
e675cdf9c4
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:32:07 +02:00
544dfe3704
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:28:42 +02:00
c937fe3c1b
Rule: Terminal Service Process Spawn
2019-05-22 10:38:27 +02:00
74ca0eeb88
Rule: Renamed PsExec
2019-05-21 09:49:40 +02:00
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
c163dcbe05
Update sysmon_mimikatz_trough_winrm.yml
...
Deleted tab character (\t)
2019-05-20 13:22:36 +02:00
a9faa3dc33
Create sysmon_mimikatz_trough_winrm.yml
...
Detects usage of mimikatz through WinRM protocol
2019-05-20 12:25:58 +02:00
886de39814
Small edits
...
Got trigger happy, first time doing this, please dont cruicify me.
2019-05-17 17:40:32 +03:00
34d9b4b365
Update win_susp_process_creations.yml
...
Tested the type method redirecting to a file and dumping the hashes out with pwdump.
Used the wmic method to create the shadow copy.
2019-05-17 16:10:43 +03:00
3c8be3d48b
Update win_susp_vssadmin_ntds_activity.yml
2019-05-17 15:19:03 +03:00
8b14a5673d
Update win_susp_vssadmin_ntds_activity.yml
...
Updated with SAM and SYSTEM for esentutl
2019-05-17 15:18:01 +03:00
d90c0ea990
Create powershell_nishang_malicious_commandlets.yml
2019-05-16 17:51:45 +03:00
694fa567b6
Reformatted
2019-05-15 20:22:53 +02:00
1c36bfde79
Bugfix - Swisscom in Newline
2019-05-15 15:03:55 +02:00
d5f49c5777
Fixed syntax
2019-05-15 14:50:57 +02:00
508d1cdae0
Removed double back slashes
2019-05-15 14:46:45 +02:00
13522b97a7
Adjusting Newline
2019-05-15 12:15:41 +02:00
275896dbe6
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 11:47:12 +02:00
b6c4e64a9b
fixed attack category number 2->3
2019-05-12 11:59:13 +02:00
2778558ae3
added rule .bash_profile and .bashrc T1156
2019-05-12 02:07:13 +02:00
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
56f64ca47d
Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection
...
New C2 DNS Tunneling Sigma Detection Rule
2019-05-10 00:12:39 +02:00
46c789105b
Fix and ordering
2019-05-10 00:08:26 +02:00
595f22552d
Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep
2019-05-10 00:05:06 +02:00
15a4c7e477
Fixed rule
2019-05-10 00:02:20 +02:00
666e859d14
Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3
2019-05-10 00:00:14 +02:00
f51e918a2e
Small rule change
2019-05-09 23:57:55 +02:00
31946426a5
Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1
2019-05-09 23:54:18 +02:00
f01fbd6b79
Merge branch
2019-05-09 23:51:15 +02:00
e60fe1f46d
Changed rule
...
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
3dd76a9c5e
Converted to generic process creation rule
...
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
792095734d
Update win_proc_wrong_parent.yml
...
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00
378ba5b38f
Transformed rule
...
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs
Fixed Typo
Changes to title and description
2019-05-09 23:48:36 +02:00
Florian Roth