daddec9217
Delete sysmon_powershell_AMSI_bypass.yml
2018-10-02 08:55:48 +02:00
aafe9c6dae
Delete sysmon_lethalHTA.yml
2018-10-02 08:55:19 +02:00
dec7568d4c
Rule simplification
...
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
...
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
a2c6f344ba
Lower case T
2018-09-26 11:44:12 +02:00
f35308a4d3
Missing Character
...
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
edf8dde958
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
c73a9e4164
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
...
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.
We could also use both the Image path and the Command Line.
Message : Process Create:
Image: C:\Windows\SysWOW64\certutil.exe
CommandLine: certutil xx -decode xxx
Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
cc82207882
Add group by to win multiple suspicious cli rule
...
* For the detection it's important that these cli
tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
7311d727ba
Rule: AV alerts - password dumper
2018-09-09 11:04:27 +02:00
84b8eb5154
Rule: AV alerts - exploiting frameworks
2018-09-09 11:04:27 +02:00
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel
...
Suspicious SYSVOL Domain Group Policy Access
2018-09-08 15:56:54 +02:00
6f5a73b2e2
style: renamed rule files to all lower case
2018-09-08 10:27:19 +02:00
68896d9294
style: renamed rule files to all lower case
2018-09-08 10:25:20 +02:00
788678feb8
Merge pull request #165 from JohnLaTwC/patch-1
...
Create win_susp_powershell_hidden_b64_cmd.yml
2018-09-08 10:23:05 +02:00
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml
...
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
2018-09-07 20:23:11 -07:00
3154be82f3
Added .yml extension and fix typo
2018-09-06 20:28:22 -05:00
49f7da6412
style: changed title casing and minor fixes
2018-09-04 16:15:41 +02:00
3c240be8a8
fix: more duplicate 'tag' keys in rules
2018-09-04 16:15:02 +02:00
9c878bef79
fix: duplicate 'tag' key in rule
2018-09-04 16:05:21 +02:00
afadda8c04
Suspicious SYSVOL Domain Group Policy Access
2018-09-04 15:52:25 +02:00
d94c1d2046
fix: duplicate 'tag' key in rule
2018-09-04 14:56:55 +02:00
9cb78558d3
Rule: excluded false positives in rule
2018-09-03 12:02:42 +02:00
b57f3ded64
Rule: GRR false positives
2018-09-03 11:50:34 +02:00
2a0fcf6bea
Rule: PowerShell encoded command JAB
2018-09-03 10:08:29 +02:00
7a3890ad76
Rule: SysInternals EULA accept improved and renamed
2018-08-30 13:16:28 +02:00
d83f124f5f
Rule: Suspicious communication endpoints
2018-08-30 10:12:12 +02:00
e70395744b
Rule: Improved Github communication rule
2018-08-30 10:12:12 +02:00
d17cc5c07d
Merge pull request #157 from yt0ng/development
...
Added Detection of Sysinternals Tools via eulaaccepted registry key
2018-08-28 22:37:00 +02:00
75d72344ca
Added Detection of Sysinternals Tools via eulaaccepted registry key
2018-08-28 17:36:22 +02:00
a722fcd2b0
Merge pull request #156 from yt0ng/yt0ng-devel
...
Adding LSASS Access Detected via Attack Surface Reduction
2018-08-27 23:50:42 +02:00
ee15b451b4
Fixed log source name
2018-08-27 23:45:30 +02:00
6e7208553a
Revert "removing for new pull request"
...
This reverts commit ca7e8d6468
2018-08-27 23:39:29 +02:00
2f256aa1ef
Adding LSASS Access Detected via Attack Surface Reduction
2018-08-27 10:38:45 +02:00
87e39b8768
Fixed rules
2018-08-26 22:30:47 +02:00
60a5922582
Merge branch 'master' of https://github.com/yt0ng/sigma into yt0ng-master
2018-08-26 22:12:19 +02:00
5b3175d1d6
Rule: Suspicious procdump use on lsass process
2018-08-26 19:53:57 +02:00
df9f6688eb
Added Deskop Location, RunOnce and ATTCK
...
Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7
2018-08-25 17:32:34 +02:00
eda6f3b9ca
rules/windows/sysmon/sysmon_powershell_DLL_execution.yml
2018-08-25 16:33:54 +02:00
c7d4b4853d
removing sysmon_powershell_AMSI_bypass.yml
2018-08-23 10:17:19 +02:00
f47a5c2206
fix: Author list to string
2018-08-23 09:40:28 +02:00
49af499353
Merge pull request #151 from nikseetharaman/workflow_compiler
...
Add Microsoft Workflow Compiler Sysmon Detection
2018-08-23 08:24:35 +02:00
9235175e26
Fixed rule
...
* Added condition
* Replaced Description wirh Image attribute and improved search pattern
2018-08-23 08:20:28 +02:00
73535e58a5
Merge pull request #153 from megan201296/patch-10
...
Add ATT&CK Matrix tags
2018-08-23 08:06:58 +02:00
d647a7de07
Merge pull request #154 from megan201296/patch-11
...
Add MITRE ATT&CK tagging
2018-08-23 08:06:39 +02:00
5de3cd71a4
Merge pull request #149 from yt0ng/development
...
Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
2018-08-22 17:19:10 +02:00
040ba0338d
fix: Added Event ID in second selection
2018-08-22 17:03:13 +02:00
Florian Roth