Florian Roth
8f684ddd06
Rule: FP in WMI persistence with SCCM
2019-02-05 15:57:54 +01:00
Thomas Patzke
3ef930b094
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
Thomas Patzke
6440bc962b
CACTUSTORCH detection
2019-02-01 23:27:53 +01:00
Florian Roth
c9ec469180
style: cosmetics - removed empty lines at file end
2019-01-29 12:54:07 +01:00
Thomas Patzke
9ce7d18712
Merge pull request #231 from TareqAlKhatib/rule_testing_framework
...
Rule testing framework
2019-01-23 23:16:46 +01:00
Tareq AlKhatib
ecffe28933
Correct MITRE tag
2019-01-22 21:26:07 +03:00
Florian Roth
cc6e0baef1
rule: extended certutil rule to include verifyctl and allows renamed certutil
...
https://twitter.com/egre55/status/1087685529016193025
2019-01-22 16:20:06 +01:00
Florian Roth
f759e8b07c
Rule: Suspicious Program Location Process Starts
2019-01-15 15:40:51 +01:00
Florian Roth
604d88cf1e
Rule: WMI Event Subscription
2019-01-12 12:03:36 +01:00
Florian Roth
63f96d58b4
Rule: Renamed PowerShell.exe
2019-01-12 12:03:36 +01:00
Florian Roth
b7eb79f8da
Rule: UserInitMprLogonScript persistence method
2019-01-12 12:03:36 +01:00
Tareq AlKhatib
8b94860ee6
Corrected class B private IP range to prevent false negatives
2019-01-04 12:50:41 +03:00
Tareq AlKhatib
925ffae9b8
Removed Outlook detection which is a subset of the Office one
2019-01-02 07:47:44 +03:00
Tareq AlKhatib
0a5e79b1e0
Fixed the RC section to use rc.exe instead of oleview.exe
2019-01-01 13:30:26 +03:00
Tareq AlKhatib
f318f328d6
Corrected reference to references as per Sigma's standard
2018-12-25 16:25:12 +03:00
Florian Roth
99f773dcf6
Rule: false positive reduction in rule
2018-12-17 10:02:55 +01:00
Florian Roth
b0cb0abc01
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
Florian Roth
b5d78835b6
Removed overlapping rule with sysmon_office_shell.yml
2018-12-11 13:37:47 +01:00
Roberto Rodriguez
8c577a329f
Improve Rule & Updated HELK SIGMA Standardization Config
...
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.
SIGMA HELK standardization config updated to match latest HELK Common Information Model
2018-12-08 11:30:21 +03:00
Roberto Rodriguez
87ce07088f
Update sysmon_plugx_susp_exe_locations.yml
...
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location
This impacts Elastalert integration since you cannot have two rules with the same name
2018-12-05 07:58:13 +03:00
Thomas Patzke
900db72557
Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master
2018-12-04 23:35:23 +01:00
Florian Roth
a805d18bba
Merge pull request #198 from kpolley/consistent_filetype
...
changed .yaml files to .yml for consistency
2018-12-03 09:00:14 +01:00
Florian Roth
2ebbdebe46
rule: Cobalt Strike beacon detection via Remote Threat Creation
...
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
2018-11-30 10:25:05 +01:00
Kyle Polley
60538e2e12
changed .yaml files to .yml for consistency
2018-11-20 21:07:36 -08:00
Sherif Eldeeb
23eddafb39
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
Thomas Patzke
732de3458f
Merge pull request #186 from megan201296/patch-15
...
Update sysmon_cmstp_com_object_access.yml
2018-10-18 15:49:06 +02:00
Thomas Patzke
fdd0823e07
Merge pull request #187 from megan201296/patch-16
...
Additional MITRE ATT&CK Tagging
2018-10-18 15:38:11 +02:00
Florian Roth
fd34437575
fix: fixed date in rule
2018-10-10 15:27:58 +02:00
megan201296
fdd264d946
Update sysmon_susp_powershell_rundll32.yml
2018-10-09 19:11:47 -05:00
megan201296
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml
2018-10-09 19:11:17 -05:00
megan201296
b0983047eb
Update sysmon_powersploit_schtasks.yml
2018-10-09 19:10:37 -05:00
megan201296
2f533c54b3
Update sysmon_powershell_network_connection.yml
2018-10-09 19:10:17 -05:00
megan201296
1b92a158b5
Add MITRE ATT&CK Tagging
2018-10-09 19:09:19 -05:00
megan201296
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml
...
Edit rule logic for `and` instead of `or`
2018-10-09 19:03:30 -05:00
megan201296
7997cb3001
Remove duplicate value
2018-10-08 13:00:59 -05:00
Florian Roth
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml
2018-10-02 08:56:09 +02:00
Florian Roth
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml
2018-10-02 08:55:48 +02:00
Florian Roth
aafe9c6dae
Delete sysmon_lethalHTA.yml
2018-10-02 08:55:19 +02:00
Ensar Şamil
dec7568d4c
Rule simplification
...
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
Florian Roth
edf8dde958
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
Karneades
c73a9e4164
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
...
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.
We could also use both the Image path and the Command Line.
Message : Process Create:
Image: C:\Windows\SysWOW64\certutil.exe
CommandLine: certutil xx -decode xxx
Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Florian Roth
6f5a73b2e2
style: renamed rule files to all lower case
2018-09-08 10:27:19 +02:00
Florian Roth
49f7da6412
style: changed title casing and minor fixes
2018-09-04 16:15:41 +02:00
Florian Roth
7a3890ad76
Rule: SysInternals EULA accept improved and renamed
2018-08-30 13:16:28 +02:00
Florian Roth
d83f124f5f
Rule: Suspicious communication endpoints
2018-08-30 10:12:12 +02:00
Florian Roth
e70395744b
Rule: Improved Github communication rule
2018-08-30 10:12:12 +02:00
Thomas Patzke
d17cc5c07d
Merge pull request #157 from yt0ng/development
...
Added Detection of Sysinternals Tools via eulaaccepted registry key
2018-08-28 22:37:00 +02:00
Unknown
75d72344ca
Added Detection of Sysinternals Tools via eulaaccepted registry key
2018-08-28 17:36:22 +02:00
Thomas Patzke
6e7208553a
Revert "removing for new pull request"
...
This reverts commit ca7e8d6468.
2018-08-27 23:39:29 +02:00