508d1cdae0
Removed double back slashes
2019-05-15 14:46:45 +02:00
13522b97a7
Adjusting Newline
2019-05-15 12:15:41 +02:00
275896dbe6
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 11:47:12 +02:00
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
15a4c7e477
Fixed rule
2019-05-10 00:02:20 +02:00
666e859d14
Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3
2019-05-10 00:00:14 +02:00
f01fbd6b79
Merge branch
2019-05-09 23:51:15 +02:00
e60fe1f46d
Changed rule
...
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
3dd76a9c5e
Converted to generic process creation rule
...
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
792095734d
Update win_proc_wrong_parent.yml
...
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00
378ba5b38f
Transformed rule
...
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs
Fixed Typo
Changes to title and description
2019-05-09 23:48:36 +02:00
8e6295e402
Windows processes with wrong parent
...
Detect scenarios when malicious program is disguised as legitimate process
2019-05-09 23:48:36 +02:00
121e21960e
Rule changes
...
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
9b67705799
Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2
2019-05-09 22:55:07 +02:00
f0b0f54500
Merge improved pull request #322
2019-04-21 23:56:36 +02:00
765fe9dcd9
Further improved Windows user creation rule
...
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
b47900fbee
Add default path to filter for explorer in exe anomaly rule
2019-04-21 17:42:47 +02:00
dd9648b31e
Revert "New Sigma rule detecting local user creation"
2019-04-21 09:09:25 +02:00
49beb5d1a8
Integrated PR from @P4T12ICK in existing rule
...
PR #321
2019-04-21 00:28:40 +02:00
bdd184a24c
Merge pull request #322 from P4T12ICK/feature/win_user_creation
...
New Sigma rule detecting local user creation
2019-04-21 00:20:15 +02:00
80f45349ed
Modified rule
...
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
aab3dbee4f
Rule: Detect Empire PowerShell Default Cmdline Params
2019-04-20 09:38:41 +02:00
03d8184990
Rule: Extended PowerShell Susp Cmdline Enc Commands
2019-04-20 09:38:41 +02:00
d5fa51eab9
Merge pull request #305 from Karneades/patch-3
...
Remove too loose filter in notepad++ updater rule
2019-04-19 12:40:24 +02:00
e32708154f
Merge pull request #304 from Karneades/patch-2
...
Remove too loose filter in mshta rule
2019-04-19 09:51:45 +02:00
74dd008b10
FP note for HP software
2019-04-19 09:51:32 +02:00
d75ea35295
Restrict whitelist filter in system exe anomaly rule
2019-04-18 22:06:12 +02:00
8609fc7ece
New Sigma rule detecting local user creation
2019-04-18 19:59:43 +02:00
f78413deab
Merge pull request #309 from jmlynch/master
...
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
4808f49e0d
More exact path
2019-04-17 23:45:15 +02:00
1a4a74b64b
fix: dot mustn't be escaped
2019-04-17 23:44:36 +02:00
76780ccce2
Too many different trusted cscript imphashes
2019-04-17 23:33:56 +02:00
7c5f985f6f
Modifications
2019-04-17 23:30:49 +02:00
4298abffb7
Modifications
2019-04-17 23:29:29 +02:00
615a802a8e
Modifications
2019-04-17 23:26:20 +02:00
0e8a46aaf7
Update win_subp_svchost rule
...
Adding rpcnet.exe as ParentImage
2019-04-16 15:00:06 +02:00
17470d1545
Rule: extended parent list for legitimate svchost starts
...
https://twitter.com/Sam0x90/status/1117768799816753153
2019-04-15 14:54:35 +02:00
daaee558a1
Rule: added date to Tom's WMI rule
2019-04-15 09:06:53 +02:00
612a7642d2
Added Local directory
2019-04-15 08:47:53 +02:00
65b81dad32
Rule: Suspicious scripting in a WMI consumer
2019-04-15 08:13:35 +02:00
1d3159bef0
Rule: Extended Office Shell rule
2019-04-15 08:13:35 +02:00
d872c52a43
Add restricted filters to notepad++ gup.exe rule
2019-04-15 08:12:12 +02:00
1e262f5055
Merge pull request #303 from Karneades/patch-1
...
Remove too loose filter in wmi spwns powershell rule
2019-04-14 23:11:57 +02:00
cb0a87e21e
Merge pull request #316 from megan201296/patch-19
...
Update win_mal_ursnif.yml
2019-04-14 23:10:16 +02:00
eb8a0636c5
Update win_mal_ursnif.yml
...
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml ). Changed to ignore the key name, confirmed that the key is still uniique.
2019-04-14 11:51:13 -05:00
75d36165fc
Remove non-generic falsepositives
...
There are tons of FPs for that... :)
2019-04-11 12:55:24 +02:00
51e65be98b
Remove loose wildcard filter in powershell encoded cmd rule
2019-04-11 12:53:12 +02:00
Florian Roth