54cf535dbc
remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)
2020-05-15 04:45:25 -04:00
123a23adae
win_susp_failed_logon_source rule
2020-05-06 22:24:02 +02:00
473c31232e
add additional reference
2020-05-05 19:25:33 +02:00
0e1fa5c135
Update win_possible_dc_shadow.yml
2020-05-05 18:14:32 +02:00
55d018255c
Update win_possible_dc_shadow.yml
2020-05-05 16:52:08 +02:00
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml
2020-05-05 16:51:35 +02:00
f27aa4bfee
Update win_possible_dc_sync.yml
2020-05-05 16:50:13 +02:00
db810b342f
Delete win_possible_dc_shadow.yml
2020-05-05 16:48:39 +02:00
e3f21805f3
Update win_possible_dc_shadow.yml
2020-05-05 16:43:56 +02:00
0f4cc9d365
Create win_possible_dc_shadow.yml
2020-05-05 16:40:52 +02:00
514bd8657b
Merge pull request #704 from Iveco/master
...
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-14 14:11:27 +02:00
5cbe008350
Casing
2020-04-14 13:39:22 +02:00
1f918253e8
Add additional reference
2020-04-13 11:09:36 -05:00
9cdb3a4a64
Fix typo
2020-04-13 11:09:00 -05:00
61b9234d7f
Update win_user_driver_loaded.yml
...
removed internal field
2020-04-09 11:28:19 +02:00
e913db0dca
Update win_user_driver_loaded.yml
...
CI
2020-04-08 18:54:59 +02:00
d0746b50f4
Update win_user_driver_loaded.yml
...
Fixed author
2020-04-08 18:41:16 +02:00
d1b9c0c34a
Update win_user_driver_loaded.yml
...
Fixed CI
2020-04-08 18:21:59 +02:00
e87f2705a7
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-08 18:01:04 +02:00
73a6428345
Update the NTLM downgrade registry paths
...
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package ). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
8dcbfd9aca
Add AD User Enumeration
...
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.
This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.
Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.
False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
...
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
3f577c98e7
Title capalized
2020-03-26 17:03:33 +01:00
39a3af04ce
Fixed title length
2020-03-26 16:56:06 +01:00
ddacde9e6b
add LDAPFragger detections
2020-03-26 15:13:36 +01:00
3c74d8b87d
Add correct Source to detection to avoid FP
2020-03-24 19:49:24 +01:00
4b572f3ccb
newline in description - typo
2020-03-14 14:58:58 -04:00
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1
...
MMC Lateral Movement Rule 1
2020-03-07 11:02:16 +01:00
2e184382f5
fix: eventid in process_creation rules
2020-03-07 10:43:47 +01:00
b040c129be
fix: author field starting with an '@' symbol
2020-03-07 10:38:02 +01:00
ae56db97ff
mmc lateral movement detection 1
...
see https://github.com/Neo23x0/sigma/issues/576
2020-03-04 14:57:41 -05:00
d4b5dd5749
Exclude Azure AD sync accounts from AD Replication rule
2020-03-02 16:43:20 +01:00
19d383989c
fix: keyword expression in rule
2020-02-29 16:03:31 +01:00
fa6458b70f
rule: two rules to detect CVE-2020-0688 exploitation
2020-02-29 15:45:45 +01:00
61d31c3f3a
Fixed tagging
2020-02-20 23:51:12 +01:00
373424f145
Rule fixes
...
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
7f3f1944d9
fix redundancy
2020-02-18 01:10:56 +03:00
01d6c3b58d
Fixes
2020-02-16 23:24:00 +01:00
f118839664
Further fixes and deduplications
...
From suggestions of @yugoslavskiy in issue #554 .
2020-02-16 14:03:07 +01:00
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
593abb1cce
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel
...
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 18:25:19 +01:00
03ecb3b8dc
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
1213712978
Merge branch 'master' into patch-1
2020-01-31 14:32:27 +01:00
afecca3c13
Merge pull request #511 from 4A616D6573/patch-3
...
Created win_susp_local_anon_logon_created.yml
2020-01-31 14:30:54 +01:00
8c4aadb423
Merge branch 'master' into Renamed_Files
2020-01-31 08:49:10 +01:00
e3d61d5579
Missing ID
2020-01-31 07:31:56 +01:00
82cae6d63c
Merge pull request #604 from Neo23x0/devel
...
New tests, colorized test output and rule cleanup
2020-01-31 07:07:13 +01:00
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
ecco