dea019f89d
fix: some threat levels adjusted
2018-07-07 13:00:23 -06:00
6a014a3dc8
MSHTA spwaned by SVCHOST as seen in LethalHTA
...
"Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."
2018-07-06 19:52:58 +02:00
ed470feb21
Merge pull request #99 from yt0ng/master
...
Detects ImageLoad by uncommon Image
2018-07-06 10:11:02 -06:00
b21afc3bc8
user subTee was removed from Twitter
2018-07-04 17:29:05 +02:00
f84c33d005
Known powershell scripts names for exploitation
...
Detects the creation of known powershell scripts for exploitation
2018-07-04 17:24:18 +02:00
7867838540
fix: typo in rule description
2018-07-03 05:05:44 -06:00
e7465d299f
fix: false positive with MsMpEng.exe and svchost.exe as child process
2018-07-03 05:05:44 -06:00
42941ee105
Detects ImageLoad by uncommon Image
...
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
2018-07-01 15:47:17 +02:00
9e0abc5f0b
Adjusted rules to the new specs reg "not null" usage
2018-06-28 09:30:31 +02:00
a61052fc0a
Rule fixes
2018-06-27 18:47:52 +02:00
fc72bd16af
Fixed bugs
2018-06-27 09:20:41 +02:00
f4b150def8
Rule: Powershell remote thread creation in Rundll32
2018-06-25 15:23:19 +02:00
1a1011b0ad
Merge pull request #96 from yt0ng/master
...
Detects the creation of a schtask via PowerSploit Default Configuration
2018-06-23 17:15:14 +02:00
c59d0c7dca
Added additional options
2018-06-23 15:54:31 +02:00
cc3fd9f5d0
Detects the creation of a schtask via PowerSploit Default Configuration
...
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
2018-06-23 15:45:58 +02:00
d1d4473505
Rule: ADS with executable
...
https://twitter.com/0xrawsec/status/1002478725605273600
2018-06-03 02:08:57 +02:00
49877a6ed0
Moved and renamed rule
2018-04-18 16:53:11 +02:00
cf237cf658
"author" should be a string and not a list, according to the specification
2018-04-16 23:42:51 +02:00
d8bbf26f2c
Added msiexec to rule in order to cover new threats
...
https://twitter.com/DissectMalware/status/984252467474026497
2018-04-12 09:12:50 +02:00
58517907ad
Improved rule to provide support for for old sysmon \REGISTRY syntax
2018-04-11 20:15:17 +02:00
0ffd226293
Moved new rule to sysmon folder
2018-04-11 20:11:54 +02:00
52d405bb1b
Improved shell spawning rule
2018-04-11 20:09:42 +02:00
a9c7fe202e
Rule: Windows shell spawning suspicious program
2018-04-09 08:37:30 +02:00
e53826e167
Extended Sysmon Office Shell rule
2018-04-09 08:37:30 +02:00
f113832c04
Merge pull request #69 from jmallette/rules
...
Create cmdkey recon rule
2018-04-08 23:23:30 +02:00
a3e02ea70f
Various rule fixes
...
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
dacc6ae3d3
Fieldname case: Commandline -> CommandLine
2018-03-25 23:08:28 +02:00
e141a834ff
Rule: Ping hex IP address
...
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
2018-03-23 17:00:00 +01:00
97204d8dc0
Renamed rule
2018-03-20 15:04:11 +01:00
e9fcfcba7f
Improved NetNTLM downgrade rule
2018-03-20 15:03:55 +01:00
a7eb4d3e34
Renamed rule
2018-03-20 11:12:35 +01:00
b84bbd327b
Rule: NetNTLM Downgrade Attack
...
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
2018-03-20 11:07:21 +01:00
a6d293e31d
Improved tscon rule
2018-03-20 10:54:04 +01:00
8fb6bc7a8a
Rule: Suspicious taskmgr as LOCAL_SYSTEM
2018-03-19 16:36:39 +01:00
af8be8f064
Several rule updates
2018-03-19 16:36:15 +01:00
648ac5a52e
Rules: tscon.exe anomalies
...
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
2018-03-17 19:14:13 +01:00
49c12f1df8
Add missing binaries
2018-03-16 10:52:43 +01:00
a257b7d9d7
Rule: Stickykey improved
2018-03-16 09:10:07 +01:00
0460e7f18a
Rule: Suspicious process started from taskmgr
2018-03-15 19:54:03 +01:00
f5494c6f5f
Rule: StickyKey-ike backdoor usage
2018-03-15 19:53:34 +01:00
5ae5c9de19
Rule: Outlook spawning shells to detect Turla like C&C via Outlook
2018-03-10 09:04:11 +01:00
aff46be8a3
Create cmdkey recon rule
2018-03-08 13:25:05 -05:00
8ee24bf150
WMI persistence rules derived from blog article
...
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
2018-03-07 23:05:10 +01:00
8041f77abd
Merged similar rules
2018-03-06 23:19:11 +01:00
84645f4e59
Simplified rule conditions with new condition constructs
2018-03-06 23:14:43 +01:00
1001afb038
Rule: CVE-2015-1641
2018-02-22 16:59:40 +01:00
25dc3e78be
Lowered severity of rule - prone to false positives
2018-02-22 16:59:11 +01:00
9020a9aa32
Fixed file names "vuln" > "exploit"
2018-02-22 13:29:19 +01:00
5d763581fa
Adding status "experimental" to that rule
2018-02-22 13:28:01 +01:00
0be687d245
Rule: Detect CVE-2017-0261 exploitation
2018-02-22 13:27:20 +01:00
Florian Roth