6dc36c8749
Update win_eventlog_cleared.yml
...
Experimental Rule is a duplicate of https://github.com/Neo23x0/sigma/blob/bfc7012043317632265a897c8a4901f266cda992/rules/windows/builtin/win_susp_eventlog_cleared.yml . I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
2018-12-05 05:40:00 +03:00
c8990962d2
Update win_rare_service_installs.yml
...
same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
2018-12-05 05:33:56 +03:00
f0b23af10d
Update win_rare_schtasks_creations.yml
...
Count(taskName) not being taken by elastalert integration with Sigmac
2018-12-05 05:10:08 +03:00
900db72557
Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master
2018-12-04 23:35:23 +01:00
3861dd5912
Rule: APT29 campaign against US think tanks
...
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
2018-12-04 17:04:03 +01:00
a805d18bba
Merge pull request #198 from kpolley/consistent_filetype
...
changed .yaml files to .yml for consistency
2018-12-03 09:00:14 +01:00
9f1df6164b
adding new rules detecting recently active APTs
2018-12-03 09:42:29 +02:00
2ebbdebe46
rule: Cobalt Strike beacon detection via Remote Threat Creation
...
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
2018-11-30 10:25:05 +01:00
f6ad36f530
Fixed rule
2018-11-29 00:00:18 +01:00
7ba1fe4309
Turla PNG Dropper Service Name
2018-11-23 08:46:20 +01:00
e7762c71ce
Merge remote-tracking branch 'origin/master'
2018-11-22 19:14:12 +01:00
ec83ab5e13
APT28 Zebrocy rule
...
https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
2018-11-22 19:14:07 +01:00
a1940c6eaa
Simplified rule
2018-11-21 22:34:04 +01:00
60538e2e12
changed .yaml files to .yml for consistency
2018-11-20 21:07:36 -08:00
a31acd6571
fix: fixed procdump rule
2018-11-17 09:10:26 +01:00
fd06cde641
Rule: Detect base64 encoded PowerShell shellcode
...
https://twitter.com/cyb3rops/status/1063072865992523776
2018-11-17 09:10:09 +01:00
23eddafb39
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
cd5950749e
revert to upstream
2018-11-15 08:45:25 +03:00
742192b452
Merge pull request #4 from Neo23x0/master
...
fetch updates from upstream
2018-11-15 08:32:33 +03:00
b92c032c2d
Linux JexBoss back connect shell
2018-11-08 23:21:36 +01:00
9bfdcba400
Update win_alert_ad_user_backdoors.yml
...
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
2018-11-05 21:08:19 -05:00
37294d023f
Suspicious svchost.exe executions
2018-10-30 09:37:40 +01:00
580692aab4
Improved procdump on lsass rule
2018-10-30 09:37:40 +01:00
ff98991c80
Fixed rule
2018-10-18 16:20:51 +02:00
a2da73053d
Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9
2018-10-18 16:16:57 +02:00
732de3458f
Merge pull request #186 from megan201296/patch-15
...
Update sysmon_cmstp_com_object_access.yml
2018-10-18 15:49:06 +02:00
fdd0823e07
Merge pull request #187 from megan201296/patch-16
...
Additional MITRE ATT&CK Tagging
2018-10-18 15:38:11 +02:00
3c3b14a26b
rule: new malware UA
2018-10-10 15:27:58 +02:00
fd34437575
fix: fixed date in rule
2018-10-10 15:27:58 +02:00
fdd264d946
Update sysmon_susp_powershell_rundll32.yml
2018-10-09 19:11:47 -05:00
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml
2018-10-09 19:11:17 -05:00
b0983047eb
Update sysmon_powersploit_schtasks.yml
2018-10-09 19:10:37 -05:00
2f533c54b3
Update sysmon_powershell_network_connection.yml
2018-10-09 19:10:17 -05:00
1b92a158b5
Add MITRE ATT&CK Tagging
2018-10-09 19:09:19 -05:00
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml
...
Edit tule logic for `and` instead of `or
2018-10-09 19:03:30 -05:00
7997cb3001
Remove duplicate value
2018-10-08 13:00:59 -05:00
54678fcb36
Rule: CertUtil UA
...
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
85f0ddd188
Delete win_alert_LSASS_access.yml
2018-10-02 16:48:09 +02:00
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml
2018-10-02 08:56:09 +02:00
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml
2018-10-02 08:55:48 +02:00
aafe9c6dae
Delete sysmon_lethalHTA.yml
2018-10-02 08:55:19 +02:00
dec7568d4c
Rule simplification
...
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
...
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
a2c6f344ba
Lower case T
2018-09-26 11:44:12 +02:00
f35308a4d3
Missing Character
...
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
edf8dde958
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
c73a9e4164
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
...
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.
We could also use both the Image path and the Command Line.
Message : Process Create:
Image: C:\Windows\SysWOW64\certutil.exe
CommandLine: certutil xx -decode xxx
Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
cc82207882
Add group by to win multiple suspicious cli rule
...
* For the detection it's important that these cli
tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
Roberto Rodriguez