bc947fefc1
Create win_susp_wsl_lolbin.yml
2020-10-05 13:36:40 +11:00
00cf61cc5b
Added explorer.exe LOLbin, OSCD
2020-10-04 23:47:16 +03:00
77cb49d057
Keep empty sysmon directory so tests will still run
2020-10-02 11:25:30 +02:00
18e0af986a
- Fix for sysmon_ads_executable.yml
2020-10-02 10:54:15 +02:00
05d2de4c26
- Cleaned up some more rules where 'service: sysmon' was combined with category
...
- Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent
modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
modified: rules/windows/malware/mal_azorult_reg.yml
modified: rules/windows/powershell/powershell_suspicious_profile_create.yml
modified: rules/windows/process_creation/sysmon_cmstp_execution.yml
modified: rules/windows/process_creation/win_apt_chafer_mar18.yml
modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml
modified: rules/windows/process_creation/win_hktl_createminidump.yml
modified: rules/windows/process_creation/win_mal_adwind.yml
modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml
2020-10-02 10:45:29 +02:00
0c9a82af89
- Remove 'service: sysmon' since defining the categories made the rules generic
2020-10-02 09:37:52 +02:00
8fabffee56
Merge pull request #2 from Neo23x0/master
...
Added new rule
2020-10-02 09:37:31 +02:00
c56cd2dfff
Merge pull request #1024 from omkar72/master
...
Com hijack shell folder
2020-10-02 09:24:16 +02:00
4487d9cc7e
added event type & changed technique
2020-10-02 09:22:14 +05:30
495b05572f
Remove old file
2020-09-30 20:49:05 +02:00
8b74abe0bc
- Created new categories for sysmon events
...
- Replaced the explicit EventIDs with the reference to the category
- Moved the rules to the corresponding directories
2020-09-30 20:44:14 +02:00
18e0510e90
Merge pull request #1 from Neo23x0/master
...
Update repo
2020-09-30 17:27:40 +02:00
d3ee1aba66
docs: MITRE ATT&CK(R) trademark references removed or adjusted
...
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
c17ca6d5fe
Merge pull request #1018 from savvyspoon/wcry-dns
...
WannaCry Killswitch domain DNS query
2020-09-29 09:27:21 +02:00
68a992d903
updated name
2020-09-27 21:57:19 +05:30
e7c8197e34
Updated fields & renamed
2020-09-27 21:52:59 +05:30
ebe3dce1d7
Update sysmon_comhijack_uac_bypass.yml
2020-09-27 21:44:41 +05:30
3f148e6c7c
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
2020-09-27 21:19:04 +05:30
d7d9c0e772
Merge pull request #1021 from hieuttmmo/master
...
Sigma rule to detect AdFind.exe execution
2020-09-27 09:50:41 +02:00
8020fe3c40
false positive condition
2020-09-26 17:03:29 +02:00
60795f7050
Update win_susp_adfind.yml
...
Fear that a simple adfind.exe causes too many false positives
2020-09-26 17:02:39 +02:00
dbdd758365
Duplicate Rule
...
we already have a rule for that
2020-09-26 17:01:32 +02:00
d4dd0600ad
Fix logsource service to process_creation
2020-09-26 21:45:23 +07:00
c756fc8576
Detect Suspicious AdFind Execution
2020-09-26 21:34:06 +07:00
f76f80db80
Killswitch domain
2020-09-16 20:32:31 -06:00
7b1ef9ea64
fixing test runner issues
2020-09-15 15:45:33 -06:00
6ed36b0e41
fixed issues with tabs and duplicate tags
2020-09-15 08:52:00 -06:00
2cd9b794e6
Merge pull request #1007 from d4rk-d4nph3/master
...
Windows Defender AMSI Trigger Detected
2020-09-15 15:45:00 +02:00
6cadfa5b2b
Added win_vul_cve_2020_1472 rule
2020-09-15 15:13:53 +02:00
1ddba05eb2
Second round
2020-09-15 07:02:30 -06:00
da9b32bdd6
we
2020-09-15 06:24:44 -06:00
8ce73bd8df
Fixed issues with tags and missing files
2020-09-15 06:10:57 -06:00
378d9c94cf
Merge branch 'master' of https://github.com/socprime/sigma into pr-981
2020-09-15 12:14:49 +02:00
50db6dcc69
Merge pull request #1002 from scottdermott/master
...
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
2020-09-15 08:17:02 +02:00
03c7d751c0
Windows Defender AMSI Trigger Detected
2020-09-14 18:10:38 +05:45
57cae0ded1
Fixed reference typo
2020-09-13 22:07:43 -06:00
52ab677798
Fixed my git issue
2020-09-13 22:03:04 -06:00
249c255435
No Idea why these files are deleted
2020-09-13 22:00:30 -06:00
1fc202fe5d
fix typos, update tags
2020-09-13 15:46:45 +02:00
c72ac8f73e
Merge branch 'master' of https://github.com/scottdermott/sigma
2020-09-11 16:19:54 +01:00
1f50e0af35
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
...
AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC).
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
2020-09-11 16:06:51 +01:00
49ba107dce
Fixed Title
2020-09-10 17:36:37 +07:00
f7d5240d40
Added UID, fixed rule description
2020-09-10 17:20:16 +07:00
1b6c6ec5bf
Detects a suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender
2020-09-10 17:16:06 +07:00
7d6043bd0d
rule: reworked suspicious user agents
2020-09-10 10:33:11 +02:00
ed059a9831
Added Credential Dumping by LaZagne
2020-09-09 18:27:14 +05:45
de5444a81e
Merge pull request #989 from oscd-initiative/master
...
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
af3b93a522
Merge pull request #914 from omergunal/ogunal-2
...
New rules for Linux
2020-09-07 09:41:43 +02:00
39dfcd40ec
Merge pull request #921 from d4rk-d4nph3/master
...
Added support for Defender's PSExec and WMI ASR rules.
2020-09-07 09:40:46 +02:00
6f96bbbe65
Merge pull request #977 from barvhaim/patch-1
...
Update win_new_service_creation.yml typo
2020-09-07 09:39:28 +02:00
svch0stz