ccf6c8df38
Create new rule for detecting Microsfot Defender Tampering via Registry
2021-10-18 10:07:44 +04:00
7497fdb484
Merge pull request #2129 from d4rk-d4nph3/master
...
Added rule for possible persistence via VMTools
2021-10-10 10:55:06 +02:00
a241f526ef
Added more strict path
2021-10-10 07:54:40 +05:45
4ab3ebf6b2
Merge pull request #2128 from OTRF/feature/Susp-ADFS-NamedPipe
...
Detect suspicious named pipe connections to an AD FS WID
2021-10-09 16:47:25 +02:00
5b49b5ee17
Merge pull request #2130 from phantinuss/master
...
fix: prevent FP triggering of other sources utilising ID 1102
2021-10-08 20:14:08 +02:00
04c37d977b
fix: prevent FP triggering of other sources utilising ID 1102
2021-10-08 16:43:14 +02:00
a45e516f99
Added rule for possible persistence via VMTools
2021-10-08 13:28:35 +05:45
7f17eaeb87
added rule to detect suspicious named pipe connections to an AD FS server
2021-10-08 01:57:22 -04:00
e70d17745e
Update modified field
2021-10-07 18:42:22 +02:00
0ee777e3b4
Fix rule detection logic
...
Changed ParentImage to Image
2021-10-07 14:25:18 +03:00
6d56e400d2
Merge pull request #2121 from frack113/update_test
...
Update test adding logsource to duplicate logic test
2021-10-06 14:46:48 +02:00
80d09483d9
move to builtin
2021-10-05 07:33:50 +02:00
4f86a245f8
Order file i correct directory
2021-10-05 07:30:43 +02:00
201708c097
Merge pull request #2103 from webboy2015/patch-1
...
Create win_lolbas_execution_of_nltest.exe.yaml
2021-10-05 07:24:05 +02:00
654b5b4bff
Update win_lolbas_execution_of_nltest.yml
2021-10-04 22:08:47 +02:00
fd329f4f9b
Remove unneeded EventID
2021-10-04 21:25:57 +02:00
dc030e0128
Merge pull request #2114 from austinsonger/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
...
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-03 08:24:52 +02:00
81d1bb0e2b
Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-02 13:32:20 -05:00
f652745924
Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml
2021-10-02 07:53:19 +02:00
e6b32b90af
Update win_lolbas_execution_of_nltest.exe
2021-10-02 07:25:11 +02:00
87df79302d
Update win_lolbas_execution_of_nltest.exe
...
Changed condition as follows:
detection:
selection:
EventID: 4689
ProcessName|endswith: nltest.exe
Status: "0x0"
condition: selection
Included field - SubjectDomainName
2021-10-01 12:55:37 -07:00
19a834e317
Merge pull request #2111 from TareqAlKhatib/master
...
Corrected Technique
2021-10-01 15:17:01 +02:00
0d22601112
Added Compromise Infrastructure: Web Services technique
2021-10-01 08:40:59 -04:00
04acba9c77
Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-09-30 19:58:21 -05:00
b0b95ce32b
Corrected Technique
2021-09-30 16:34:14 -04:00
e900945761
Update win_trust_discovery.yml
2021-09-30 19:26:14 +02:00
76224b0fb2
Added alternative nltest command parameter
...
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2chttps://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
1c842037cf
Merge pull request #2109 from Karneades/patch-1
...
Add fp note to powershell winapi rule
2021-09-30 17:45:03 +02:00
6eea77ae38
Merge pull request #2105 from frack113/powershell
...
powershell_susp_zip_compress add 4104
2021-09-30 17:40:13 +02:00
82ba266a53
Add fp note to powershell winapi rule
2021-09-30 16:38:39 +02:00
29d66a965c
add 4104
2021-09-30 10:03:11 +02:00
056067086c
Create win_lolbas_execution_of_nltest.exe.yaml
...
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
84ec2f582a
Merge pull request #2100 from kidrek/sysmon_delete_prefetch
...
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 17:53:33 +02:00
ed1a1caa2e
Merge pull request #2098 from frack113/fix_tags
...
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
2ae2c35a7f
mispelled 'mshta.exe' in selection_base
...
it said 'mhsta.exe' and it should say 'mshta.exe'
2021-09-29 07:47:12 -05:00
17ad95cd12
Update sysmon_delete_prefetch.yml
2021-09-29 10:58:00 +02:00
da4a8a0ffd
Fix title field error
2021-09-29 09:49:58 +02:00
d3fc6b118d
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 09:42:17 +02:00
4a66ea04bd
fix tags
2021-09-29 08:26:05 +02:00
a2418e4d2c
Added alternative command parameter
...
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-28 17:39:21 +02:00
c27084dd0c
Merge pull request #2094 from frack113/backend_sysmon
...
Fix logsource not a string
2021-09-28 16:22:58 +02:00
c3222945ef
Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml
...
win_sysmon_driver_unload.yml
2021-09-28 16:22:43 +02:00
3e7b3073cf
Update win_sysmon_driver_unload.yml
2021-09-27 23:30:30 -05:00
1da59d9175
Merge pull request #2092 from SigmaHQ/rule-devel
...
docs: changed description
2021-09-27 23:13:09 +02:00
4161cd909f
docs: changed description
2021-09-27 23:12:18 +02:00
10b70edff0
Merge pull request #2091 from SigmaHQ/rule-devel
...
NOBELIUM FoggyWeb backdoor loading
2021-09-27 23:09:18 +02:00
b227f8459d
fix: typo in filename
2021-09-27 22:37:20 +02:00
ada966c5be
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-09-27 22:34:30 +02:00
cee44e6688
renamed files: lowercase
2021-09-27 22:33:30 +02:00
97bb6a0257
rule: NOBELIUM FoggyWeb
2021-09-27 22:28:25 +02:00
Tran Trung Hieu