37294d023f
Suspicious svchost.exe executions
2018-10-30 09:37:40 +01:00
580692aab4
Improved procdump on lsass rule
2018-10-30 09:37:40 +01:00
ff98991c80
Fixed rule
2018-10-18 16:20:51 +02:00
a2da73053d
Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9
2018-10-18 16:16:57 +02:00
732de3458f
Merge pull request #186 from megan201296/patch-15
...
Update sysmon_cmstp_com_object_access.yml
2018-10-18 15:49:06 +02:00
fdd0823e07
Merge pull request #187 from megan201296/patch-16
...
Additional MITRE ATT&CK Tagging
2018-10-18 15:38:11 +02:00
fd34437575
fix: fixed date in rule
2018-10-10 15:27:58 +02:00
fdd264d946
Update sysmon_susp_powershell_rundll32.yml
2018-10-09 19:11:47 -05:00
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml
2018-10-09 19:11:17 -05:00
b0983047eb
Update sysmon_powersploit_schtasks.yml
2018-10-09 19:10:37 -05:00
2f533c54b3
Update sysmon_powershell_network_connection.yml
2018-10-09 19:10:17 -05:00
1b92a158b5
Add MITRE ATT&CK Tagging
2018-10-09 19:09:19 -05:00
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml
...
Edit tule logic for `and` instead of `or
2018-10-09 19:03:30 -05:00
7997cb3001
Remove duplicate value
2018-10-08 13:00:59 -05:00
85f0ddd188
Delete win_alert_LSASS_access.yml
2018-10-02 16:48:09 +02:00
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml
2018-10-02 08:56:09 +02:00
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml
2018-10-02 08:55:48 +02:00
aafe9c6dae
Delete sysmon_lethalHTA.yml
2018-10-02 08:55:19 +02:00
dec7568d4c
Rule simplification
...
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
...
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
a2c6f344ba
Lower case T
2018-09-26 11:44:12 +02:00
f35308a4d3
Missing Character
...
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
edf8dde958
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
c73a9e4164
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
...
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.
We could also use both the Image path and the Command Line.
Message : Process Create:
Image: C:\Windows\SysWOW64\certutil.exe
CommandLine: certutil xx -decode xxx
Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
cc82207882
Add group by to win multiple suspicious cli rule
...
* For the detection it's important that these cli
tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
7311d727ba
Rule: AV alerts - password dumper
2018-09-09 11:04:27 +02:00
84b8eb5154
Rule: AV alerts - exploiting frameworks
2018-09-09 11:04:27 +02:00
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel
...
Suspicious SYSVOL Domain Group Policy Access
2018-09-08 15:56:54 +02:00
6f5a73b2e2
style: renamed rule files to all lower case
2018-09-08 10:27:19 +02:00
68896d9294
style: renamed rule files to all lower case
2018-09-08 10:25:20 +02:00
788678feb8
Merge pull request #165 from JohnLaTwC/patch-1
...
Create win_susp_powershell_hidden_b64_cmd.yml
2018-09-08 10:23:05 +02:00
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml
...
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
2018-09-07 20:23:11 -07:00
3154be82f3
Added .yml extension and fix typo
2018-09-06 20:28:22 -05:00
30fc4bd030
powershell xor commandline
...
New rule to detect -bxor usage in a powershell commandline.
2018-09-05 09:21:15 +02:00
49f7da6412
style: changed title casing and minor fixes
2018-09-04 16:15:41 +02:00
3c240be8a8
fix: more duplicate 'tag' keys in rules
2018-09-04 16:15:02 +02:00
9c878bef79
fix: duplicate 'tag' key in rule
2018-09-04 16:05:21 +02:00
afadda8c04
Suspicious SYSVOL Domain Group Policy Access
2018-09-04 15:52:25 +02:00
d94c1d2046
fix: duplicate 'tag' key in rule
2018-09-04 14:56:55 +02:00
9cb78558d3
Rule: excluded false positives in rule
2018-09-03 12:02:42 +02:00
b57f3ded64
Rule: GRR false positives
2018-09-03 11:50:34 +02:00
2a0fcf6bea
Rule: PowerShell encoded command JAB
2018-09-03 10:08:29 +02:00
7a3890ad76
Rule: SysInternals EULA accept improved and renamed
2018-08-30 13:16:28 +02:00
d83f124f5f
Rule: Suspicious communication endpoints
2018-08-30 10:12:12 +02:00
e70395744b
Rule: Improved Github communication rule
2018-08-30 10:12:12 +02:00
d17cc5c07d
Merge pull request #157 from yt0ng/development
...
Added Detection of Sysinternals Tools via eulaaccepted registry key
2018-08-28 22:37:00 +02:00
75d72344ca
Added Detection of Sysinternals Tools via eulaaccepted registry key
2018-08-28 17:36:22 +02:00
Florian Roth