b60671397d
Update win_lm_namedpipe.yml
2020-01-13 10:50:35 +01:00
1369b3a2dc
Merge pull request #537 from webhead404/webhead404-contrib-sigma
...
Added sigma rule to detect external devices or USB drive
2019-12-13 21:50:01 +01:00
b771dd3d3b
Rule name conflicts in Elastalert output
2019-12-09 16:14:28 +00:00
ad7d5d2a39
Added WMI login rule
2019-12-04 11:13:04 +01:00
e8c1c97f3e
Added rule for failed code integrity checks
2019-12-03 15:08:26 +01:00
c47af5169c
Increased SID history rule severity
2019-12-03 14:28:46 +01:00
76578927e8
Added domain trust rule
2019-12-03 14:28:20 +01:00
21ef152e3a
Update win_external_device.yml
2019-11-20 16:19:45 -06:00
2bfd4ea654
Added MITRE tags
2019-11-20 16:18:03 -06:00
5c5d28acdc
Create win_external_device
2019-11-20 16:07:29 -06:00
04288771a1
fix: bugfix in RottenPotato rule - wrong identifier
2019-11-15 11:50:03 +01:00
7e6031705e
rule: RottenPotato attack pattern
2019-11-15 11:44:18 +01:00
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
5f6a4225ec
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
9835950f04
rule: SID to AD object rule level adjusted
2019-11-09 12:49:54 +01:00
68fd20cb66
fix: bound windows event log rules to message field
...
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
2019-11-02 11:25:29 +01:00
98f0d01b2e
rule: mimikatz use extended
2019-10-11 18:50:33 +02:00
ec5bb71049
fix: Mimikatz DC Sync rule FP description and level
2019-10-08 17:45:10 +02:00
14971a7b9c
fix: FPs with Mimikatz DC Sync rule
2019-10-08 17:44:00 +02:00
60ef593a6f
Fixed wrong backslash escaping of *
...
Fixes issue #466
2019-10-07 22:14:44 +02:00
36bcd1c54e
Merge pull request #443 from EccoTheFlintstone/aduserbck
...
fix FP : field null value can be '-'
2019-09-25 17:43:22 +02:00
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin
...
rule: user added to local administrator: handle non english systems b…
2019-09-25 17:29:41 +02:00
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix
...
Ruler fix
2019-09-25 17:26:55 +02:00
a644b938a0
fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0)
2019-09-23 05:44:26 -04:00
6a7f7e0f76
add microsoft reference for events fields names
2019-09-23 05:21:30 -04:00
d48b63a235
ruler rule field name fix for eventID 4776
2019-09-23 05:17:35 -04:00
5ae46ac56d
rule: user added to local administrator: handle non english systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
fe93d84015
fix FP : field null value can be '-'
2019-09-06 05:14:58 -04:00
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
...
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
...
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
9143e89f3e
Rule: renamed and reworked hacktool Ruler rule
2019-07-26 14:49:09 +02:00
2c57b443e4
docs: modification date in rule
2019-07-17 09:21:35 +02:00
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
...
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
e8b9a6500e
author string modified
2019-07-17 07:02:59 +03:00
a295334355
win_susp_dhcp_config_failed fixed
2019-07-17 07:01:58 +03:00
bb1c040b1b
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-07-17 06:19:18 +03:00
803f2d4074
changed logic to detect events related to sid history adding
2019-07-17 04:28:21 +03:00
310e3b7a44
rules/windows/builtin/win_susp_add_sid_history.yml improved
2019-07-17 03:55:02 +03:00
e2050404bc
prevent EventID collision for dhcp
...
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
2019-07-16 15:30:52 -04:00
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
960cd69d50
Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4
2019-06-19 23:34:25 +02:00
d7443d71a4
Create win_pass_the_hash_2.yml
...
alternative detection methods
2019-06-14 18:08:36 +03:00
f70549ec54
First Pass
2019-06-13 23:15:38 -05:00
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
765fe9dcd9
Further improved Windows user creation rule
...
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
80f45349ed
Modified rule
...
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
sbousseaden