1e7a47440f
Install Root Certificate
2020-10-05 20:21:20 +03:00
364ef1e61f
[OSCD] Security Eventlog Cleared
...
Adding new changes to main
2020-10-05 22:30:09 +05:30
f455146a29
Detecting use PsExec via Pipe Creation/Access to pipes RULE ( #29 #30 )
2020-10-05 18:08:20 +03:00
53f0261a62
Add Stored Credentials in Fake Files rule
2020-10-05 10:39:21 -04:00
815aa3c719
Edited win_susp_pcwutl
2020-10-05 14:00:21 +03:00
b147fc3296
Update win_susp_explorer.yml
...
Added known-fp
2020-10-05 13:22:43 +03:00
39f955d24d
Revert "Create win_susp_pester.yml"
...
This reverts commit 577daa378a
2020-10-05 13:14:35 +03:00
577daa378a
Create win_susp_pester.yml
2020-10-05 12:22:50 +03:00
ffc768e262
Create win_susp_pcwutl.yml
2020-10-05 11:30:24 +03:00
85962665fd
Update win_susp_explorer.yml
2020-10-05 10:49:54 +03:00
a02f4840e5
Update win_susp_logon_explicit_credentials.yml
2020-10-05 15:31:30 +11:00
0249d330f5
Update win_susp_logon_explicit_credentials.yml
2020-10-05 15:23:23 +11:00
c34cde7938
Create win_susp_logon_explicit_credentials.yml
...
❯ python .\sigmac -t splunk -c .\config\splunk-windows.yml ..\rules\windows\builtin\win_susp_logon_explicit_credentials.yml
(source="WinEventLog:Security" (EventCode="4648" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\winrs.exe" OR Image="*\\wmic.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\reg.exe" OR Image="*\\winrs.exe")) NOT (Target_Server_Name="localhost"))
2020-10-05 15:17:39 +11:00
c82d5ac08e
Create win_net_use_admin_share.yml
2020-10-05 14:43:45 +11:00
60bd6a3692
Update win_susp_copy_lateral_movement.yml
2020-10-05 14:35:20 +11:00
dd2ab4082d
Update win_susp_copy_lateral_movement.yml
2020-10-05 14:33:00 +11:00
641f3031bd
Update win_susp_copy_lateral_movement.yml
2020-10-05 14:27:39 +11:00
6fc476b2a2
Delete win_remote_schtask.yml
2020-10-05 13:40:57 +10:30
99e52a6f7a
Create win_remote_service.yml
2020-10-05 13:37:55 +10:30
3516819bf8
Delete win_net_use_admin_share.yml
2020-10-05 14:00:36 +11:00
c675be41e2
Create win_net_use_admin_share.yml
2020-10-05 13:57:50 +11:00
ad5b128d0d
Delete win_remote_service.yml
2020-10-05 13:26:12 +10:30
79d9cbe2c7
Create win_remote_service.yml
2020-10-05 13:23:00 +10:30
03b350ff0b
Create win_remote_schtask.yml
2020-10-05 13:15:48 +10:30
bc947fefc1
Create win_susp_wsl_lolbin.yml
2020-10-05 13:36:40 +11:00
00cf61cc5b
Added explorer.exe LOLbin, OSCD
2020-10-04 23:47:16 +03:00
1fc4a97ded
Update target list in readme page
2020-10-02 17:18:06 -07:00
77cb49d057
Keep empty sysmon directory so tests will still run
2020-10-02 11:25:30 +02:00
18e0af986a
- Fix for sysmon_ads_executable.yml
2020-10-02 10:54:15 +02:00
05d2de4c26
- Cleaned up some more rules where 'service: sysmon' was combined with category
...
- Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent
modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
modified: rules/windows/malware/mal_azorult_reg.yml
modified: rules/windows/powershell/powershell_suspicious_profile_create.yml
modified: rules/windows/process_creation/sysmon_cmstp_execution.yml
modified: rules/windows/process_creation/win_apt_chafer_mar18.yml
modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml
modified: rules/windows/process_creation/win_hktl_createminidump.yml
modified: rules/windows/process_creation/win_mal_adwind.yml
modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml
2020-10-02 10:45:29 +02:00
0c9a82af89
- Remove 'service: sysmon' since defining the categories made the rules generic
2020-10-02 09:37:52 +02:00
8fabffee56
Merge pull request #2 from Neo23x0/master
...
Added new rule
2020-10-02 09:37:31 +02:00
c56cd2dfff
Merge pull request #1024 from omkar72/master
...
Com hijack shell folder
2020-10-02 09:24:16 +02:00
4487d9cc7e
added event type & changed technique
2020-10-02 09:22:14 +05:30
495b05572f
Remove old file
2020-09-30 20:49:05 +02:00
8b74abe0bc
- Created new categories for sysmon events
...
- Replaced the explicit EventIDs with the reference to the category
- Moved the rules to the corresponding directories
2020-09-30 20:44:14 +02:00
18e0510e90
Merge pull request #1 from Neo23x0/master
...
Update repo
2020-09-30 17:27:40 +02:00
d3ee1aba66
docs: MITRE ATT&CK(R) trademark references removed or adjusted
...
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
cdbee4b531
Fix error with pymisp in sigma2misp
2020-09-29 12:01:33 -04:00
c17ca6d5fe
Merge pull request #1018 from savvyspoon/wcry-dns
...
WannaCry Killswitch domain DNS query
2020-09-29 09:27:21 +02:00
68a992d903
updated name
2020-09-27 21:57:19 +05:30
e7c8197e34
Updated fields & renamed
2020-09-27 21:52:59 +05:30
ebe3dce1d7
Update sysmon_comhijack_uac_bypass.yml
2020-09-27 21:44:41 +05:30
3f148e6c7c
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
2020-09-27 21:19:04 +05:30
15c8721e7b
Merge pull request #1 from Neo23x0/master
...
Updating my fork
2020-09-27 19:12:36 +05:30
d7d9c0e772
Merge pull request #1021 from hieuttmmo/master
...
Sigma rule to detect AdFind.exe execution
2020-09-27 09:50:41 +02:00
8020fe3c40
false positive condition
2020-09-26 17:03:29 +02:00
60795f7050
Update win_susp_adfind.yml
...
Fear that a simple adfind.exe causes too many false positives
2020-09-26 17:02:39 +02:00
dbdd758365
Duplicate Rule
...
we already have a rule for that
2020-09-26 17:01:32 +02:00
d4dd0600ad
Fix logsource service to process_creation
2020-09-26 21:45:23 +07:00
Ömer Günal