744b7602c9
Windows redcannary rules
2021-12-27 20:25:01 +01:00
1c4688cbb6
Merge branch 'master' into rule-devel
2021-12-27 17:38:21 +01:00
6540d2e924
rule: download from Microsoft domain
2021-12-27 17:22:34 +01:00
7a8f09a6b5
fix: FPs with 4688 events that can contain 'Registry'
2021-12-27 11:48:51 +01:00
b967deaabd
Windows Redcannary impact
2021-12-26 12:09:42 +01:00
4951e78c74
Merge pull request #2491 from SigmaHQ/rule-devel
...
docs: title reordered
2021-12-25 09:59:28 +01:00
1609fbb2ac
docs: title reordered
2021-12-24 09:13:25 +01:00
41b29fb3b9
Merge pull request #2490 from SigmaHQ/rule-devel
...
refactor: added curl.exe to the list
2021-12-23 17:56:08 +01:00
db3ebaf97c
refactor: added curl.exe to the list
2021-12-23 08:27:44 +01:00
2ab0582fd1
(win_susp_rundll32_activity.yml) Rule syntax error
...
es-dsl does not work properly because the rule syntax is not valid
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_rundll32_activity.yml
59 to 61 lines
- CommandLine|contains|all:
- 'syssetup.dll'
- SetupInfObjectInstallAction'
should be like below
- CommandLine|contains|all:
- 'syssetup.dll'
- 'SetupInfObjectInstallAction'
2021-12-23 10:09:51 +09:00
6b233cc2ec
Merge pull request #2487 from SigmaHQ/aurora-false-positive-fixing
...
fix: FPs noticed with Aurora
2021-12-22 15:37:42 +01:00
b276ccd121
fix: FPs noticed with THOR
2021-12-22 14:51:06 +01:00
9c25a43089
rule: add new rule to detect shell spawn by Java keytool
2021-12-22 11:48:02 +01:00
0e31c23620
Merge pull request #2476 from frack113/redcannary_20211220
...
Windows Redcannary
2021-12-21 20:41:58 +01:00
b3c7ef50f5
Merge branch 'master' into aurora-false-positive-fixing
2021-12-21 14:44:55 +01:00
4c76e917df
Merge pull request #2480 from frack113/diavol
...
Add thedfirreport Diavol Ransomware rules
2021-12-21 14:10:35 +01:00
c006b9df31
fix: FPs noticed with Aurora after Nvidia driver upgrade
2021-12-21 13:47:39 +01:00
59bfca6aba
Update win_pc_sqlcmd_veeam_dump.yml
2021-12-21 13:28:47 +01:00
55b4085afc
Merge pull request #2473 from elhoim/add_mimikatz_keywords
...
Add mimikatz keywords to 3 rules
2021-12-21 13:28:15 +01:00
5c3c4830f7
Update win_pc_false_sysinternalsuite.yml
2021-12-21 13:26:50 +01:00
6e19e75ece
Update win_pc_sqlcmd_veeam_dump.yml
2021-12-21 13:24:36 +01:00
a1594e8c4a
Merge pull request #2482 from Karneades/hideSrv
...
rule: abuse of permissions to hide services
2021-12-21 13:23:20 +01:00
d5bfce1e36
Removed duplicate filter entries.
2021-12-21 10:23:23 +01:00
2ce0529792
Merge branch 'SigmaHQ:master' into add_mimikatz_keywords
2021-12-21 09:26:51 +01:00
090e0304d4
rule: abuse of permissions to hide services
2021-12-20 23:36:23 +01:00
5ac7c0a076
rule: add further reference in regsrv32 rule
2021-12-20 22:58:32 +01:00
b490086d37
Add thedfirreport Diavol Ransomware
2021-12-20 18:59:11 +01:00
75765f2aef
Update win_mimikatz_command_line.yml
2021-12-20 17:30:03 +01:00
145622afcf
change level to medium as non-tunable in the wild FPs with powershell.exe are found
2021-12-20 15:12:21 +01:00
e542c10e8e
Fix error
2021-12-20 11:35:12 +01:00
96a42f3bb5
Windows redcannary
2021-12-20 10:43:32 +01:00
b0dda59d09
Added mimikatz keywords from user published documentation to win_mimimkatz_command_line
2021-12-20 09:22:34 +01:00
147c319bff
Added mimikatz keywords from user published documentation to win_susp_system_user_anomaly
2021-12-20 09:01:34 +01:00
f4f3f860cb
Merge pull request #2470 from frack113/redcanary_20211219
...
Windows Redcannary
2021-12-20 08:39:41 +01:00
89e1f491b3
refactor: add accepteula to flags
2021-12-19 19:43:37 +01:00
b89580488a
Windows Redcannary
2021-12-19 11:20:42 +01:00
70f3f4fa88
Create win_susp_psloglist.yml
...
- The flags can be used with both "-" and "/" characters.
- This rule aims to detect any usage of psloglist, no matter if the binary is with the original name or not. This is achieved by looking for both the image name and the specific command line arguments
2021-12-18 21:52:05 +01:00
6f01874e07
Create win_susp_nt_resource_kit_auditpol_usage.yml
2021-12-18 21:06:46 +01:00
91b51068ea
fix condition
...
https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:57 +01:00
78900a7b96
fix condition
...
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:35 +01:00
61ae79bcff
Condition changed
...
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:12 +01:00
4362060da6
Update process_creation_advanced_ip_scanner.yml
2021-12-18 20:24:11 +01:00
da5cb2116c
Update process_creation_advanced_ip_scanner.yml
2021-12-18 20:08:00 +01:00
8401ece3d6
Create process_creation_cleanwipe.yml
2021-12-18 20:05:49 +01:00
92e7ff882f
Create process_creation_advanced_port_scanner.yml
2021-12-18 20:00:40 +01:00
dbf3455990
Merge pull request #2467 from SigmaHQ/aurora-false-positive-fixing
...
fix: exclude *.scr screensavers
2021-12-18 19:00:20 +01:00
3f5859bac5
fix: exclude *.scr screensavers
2021-12-18 15:40:12 +01:00
68be189402
Merge pull request #2463 from Karneades/java
...
rule: add new rule for java spawning suspicious binaries
2021-12-18 07:56:53 +01:00
8a3c521a34
Merge pull request #2466 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2021-12-18 07:16:16 +01:00
e20d8be164
refactor: split rule up into two, more susp sub procs
2021-12-18 06:39:14 +01:00
frack113