641f3031bd
Update win_susp_copy_lateral_movement.yml
2020-10-05 14:27:39 +11:00
3516819bf8
Delete win_net_use_admin_share.yml
2020-10-05 14:00:36 +11:00
c675be41e2
Create win_net_use_admin_share.yml
2020-10-05 13:57:50 +11:00
bc947fefc1
Create win_susp_wsl_lolbin.yml
2020-10-05 13:36:40 +11:00
00cf61cc5b
Added explorer.exe LOLbin, OSCD
2020-10-04 23:47:16 +03:00
05d2de4c26
- Cleaned up some more rules where 'service: sysmon' was combined with category
...
- Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent
modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
modified: rules/windows/malware/mal_azorult_reg.yml
modified: rules/windows/powershell/powershell_suspicious_profile_create.yml
modified: rules/windows/process_creation/sysmon_cmstp_execution.yml
modified: rules/windows/process_creation/win_apt_chafer_mar18.yml
modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml
modified: rules/windows/process_creation/win_hktl_createminidump.yml
modified: rules/windows/process_creation/win_mal_adwind.yml
modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml
2020-10-02 10:45:29 +02:00
8b74abe0bc
- Created new categories for sysmon events
...
- Replaced the explicit EventIDs with the reference to the category
- Moved the rules to the corresponding directories
2020-09-30 20:44:14 +02:00
c17ca6d5fe
Merge pull request #1018 from savvyspoon/wcry-dns
...
WannaCry Killswitch domain DNS query
2020-09-29 09:27:21 +02:00
d7d9c0e772
Merge pull request #1021 from hieuttmmo/master
...
Sigma rule to detect AdFind.exe execution
2020-09-27 09:50:41 +02:00
8020fe3c40
false positive condition
2020-09-26 17:03:29 +02:00
60795f7050
Update win_susp_adfind.yml
...
Fear that a simple adfind.exe causes too many false positives
2020-09-26 17:02:39 +02:00
dbdd758365
Duplicate Rule
...
we already have a rule for that
2020-09-26 17:01:32 +02:00
d4dd0600ad
Fix logsource service to process_creation
2020-09-26 21:45:23 +07:00
c756fc8576
Detect Suspicious AdFind Execution
2020-09-26 21:34:06 +07:00
7b1ef9ea64
fixing test runner issues
2020-09-15 15:45:33 -06:00
6ed36b0e41
fixed issues with tabs and duplicate tags
2020-09-15 08:52:00 -06:00
da9b32bdd6
we
2020-09-15 06:24:44 -06:00
8ce73bd8df
Fixed issues with tags and missing files
2020-09-15 06:10:57 -06:00
378d9c94cf
Merge branch 'master' of https://github.com/socprime/sigma into pr-981
2020-09-15 12:14:49 +02:00
249c255435
No Idea why these files are deleted
2020-09-13 22:00:30 -06:00
1fc202fe5d
fix typos, update tags
2020-09-13 15:46:45 +02:00
49ba107dce
Fixed Title
2020-09-10 17:36:37 +07:00
f7d5240d40
Added UID, fixed rule description
2020-09-10 17:20:16 +07:00
1b6c6ec5bf
Detects a suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender
2020-09-10 17:16:06 +07:00
de5444a81e
Merge pull request #989 from oscd-initiative/master
...
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
6f96bbbe65
Merge pull request #977 from barvhaim/patch-1
...
Update win_new_service_creation.yml typo
2020-09-07 09:39:28 +02:00
37751fc3a1
Merge pull request #978 from barvhaim/patch-2
...
Update sysmon_apt_muddywater_dnstunnel.yml typo
2020-09-07 09:39:11 +02:00
98c412044a
att&ck tags review: windows/process_creation part 5
...
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-07 02:00:41 +04:00
7ae76b8d99
Revert "att&ck tags review: windows/process_creation part 5"
...
This reverts commit e94c47e74e
2020-09-07 01:28:08 +04:00
e94c47e74e
att&ck tags review: windows/process_creation part 5
...
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-07 01:19:41 +04:00
961e4eef4c
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
e1529b445e
docs: added MITRE ATT&CK tags
2020-09-05 09:17:23 +02:00
12a6ad224c
Merge branch 'master' into rule-devel
2020-09-05 09:13:34 +02:00
22465037ac
Update win_susp_mpcmdrun_download.yml
2020-09-04 16:50:57 +02:00
3283e33cbc
Update and rename win_lolbas_mpcmdrun.yml to win_susp_mpcmdrun_download.yml
2020-09-04 16:49:44 +02:00
df532be142
Added ID field using UUID generated value
2020-09-04 16:38:52 +02:00
2c69815b7b
Removed empty ID field
2020-09-04 16:32:41 +02:00
e0baa097a8
Initial creation
2020-09-04 16:00:23 +02:00
22547e188b
some fixes and additions
2020-09-03 13:30:21 +02:00
720ac0d998
fix: syntax bug in rule
2020-09-03 09:18:28 +02:00
198469bed3
Merge branch 'master' into rule-devel
2020-09-02 17:40:12 +02:00
423f81c912
Update win_mouse_lock.yml
2020-09-02 14:49:37 +02:00
73bc514f60
fix: 1 of them / one selection
2020-09-02 12:34:35 +02:00
11e0f794d9
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
7c6c5263ab
fix duplication of key modified in win_malware_emotet.yml
2020-09-01 17:09:54 +00:00
8ed3eb1494
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
65d201b1e4
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
e04b896cbc
fix tags
2020-08-29 21:34:20 +02:00
a95c4347d9
fixed typo in tag
2020-08-29 20:19:46 +03:00
6092bfcec1
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
svch0stz