f3fedef8f5
Changed category names and remove sysmon log source
2020-06-24 17:41:21 +02:00
e5f36dd146
Added rules files split into folders
2020-06-10 16:32:30 +02:00
5c835cf1f2
Merge pull request #813 from ozirus/patch-1
...
Create sysmon_apt_muddywater_dnstunnel.yml
2020-06-09 18:44:45 +02:00
7a334a8d8a
fix: missed line
2020-06-09 17:30:54 +02:00
04913a4b95
Aligned indentation
2020-06-09 17:20:25 +02:00
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud
...
TA410 FlowCloud malware detection
2020-06-09 17:18:39 +02:00
a9bf22750a
Fixed bad indentation
2020-06-09 16:30:17 +02:00
4ce3ea735e
TA410 FlowCloud malware detection
2020-06-09 16:21:46 +02:00
d14d391761
Octopus Scanner malware rule
2020-06-09 16:12:05 +02:00
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel
...
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel
...
Rule devel
2020-06-06 14:19:37 +02:00
3697186281
fix: fixed title
2020-06-06 14:04:40 +02:00
246a95557b
fix: description over multiple lines
2020-06-06 13:56:48 +02:00
d54209dcc5
rule: ETW disabled
2020-06-06 13:56:19 +02:00
2e77e65285
rule: Covenant launchers
2020-06-05 11:03:28 +02:00
082696ee84
Added UUID
2020-06-04 18:38:42 +03:00
e958a6a939
Date added
2020-06-04 18:34:44 +03:00
5e373153eb
Title fix
2020-06-04 18:28:37 +03:00
0744107fbb
Deleted EventID part
2020-06-04 18:19:08 +03:00
1c677aa172
Fix title as in guideline
...
Fix title error as in guideline and other cosmetic changes
2020-06-04 18:13:32 +03:00
bafd6bde5f
Convert to process_creation
...
Convert to process_creation
2020-06-04 14:45:10 +03:00
09afae1e66
Create sysmon_apt_muddywater_dnstunnel.yml
...
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
2020-06-04 14:27:19 +03:00
84dd8c39c4
Move null values out from list in rules
2020-06-03 13:57:22 +02:00
4ed512011a
All Rules use 'TargetFilename' instead of 'TargetFileName'.
...
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
74e16fdccd
Merge pull request #803 from gamma37/clear_cmd_history
...
Edit Clear Command History
2020-05-29 17:32:43 +02:00
e20b58c421
Merge pull request #806 from SanWieb/sysmon_creation_system_file
...
Fixed wrong field & Improve rule
2020-05-29 17:32:27 +02:00
a00f7f19a1
Add tagg Endswith
...
Prevent the trigger of {}.exe.log
2020-05-29 16:25:54 +02:00
38afd8b5de
Fixed wrong field
2020-05-28 21:52:17 +02:00
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel
...
ComRAT and KazuarRAT
2020-05-28 11:16:44 +02:00
537bda4417
Update lnx_shell_clear_cmd_history.yml
2020-05-28 10:56:35 +02:00
5a48934822
Edit Clear Command History
...
I suggest a new point of view to detect that bash_history has been cleared : Instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
2020-05-28 10:52:17 +02:00
39b41b5582
rule: moved DebugView rule to process creation category
2020-05-28 10:13:38 +02:00
76dcc1a16f
rule: renamed debugview
2020-05-28 09:22:25 +02:00
ec313b6c8a
Merge pull request #801 from SanWieb/sysmon_creation_system_file
...
Rule: sysmon_creation_system_file
2020-05-27 08:49:20 +02:00
d44fc43c54
Add extension
2020-05-26 19:10:11 +02:00
f6ec724d51
Rule: sysmon_creation_system_file
2020-05-26 18:53:54 +02:00
5bb6770f53
Merge pull request #800 from SanWieb/win_system_exe_anomaly
...
Extended Windows processes: win_system_exe_anomaly
2020-05-26 14:28:47 +02:00
4ca81b896d
rule: Turla ComRAT report
2020-05-26 14:19:22 +02:00
3681b8cb56
Extended Windows processes
2020-05-26 13:56:51 +02:00
0b398c5bf0
Merge pull request #798 from Neo23x0/rule-devel
...
rule: confluence exploit CVE-2019-3398 & Turla ComRAT
2020-05-26 13:31:57 +02:00
c1f4787566
Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048
...
Changes to sysmon_cve-2020-1048
2020-05-26 13:21:04 +02:00
ce1f46346f
Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access
...
Add 'Add-Content' to powershell_ntfs_ads_access
2020-05-26 13:20:40 +02:00
e131f3476e
Merge pull request #796 from EccoTheFlintstone/fp
...
add more false positives
2020-05-26 13:20:23 +02:00
b648998fd0
rule: Turla ComRAT
2020-05-26 13:18:50 +02:00
f9f814f3b3
Shortened title
2020-05-26 13:06:27 +02:00
a241792e10
Reduce FP of legitime processes
...
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe
All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.
Python 2.7, 3.3 and 3.7 does not have any file characteristics.
So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
2020-05-26 12:58:15 +02:00
cdf1ade625
fix: typo in selection
2020-05-26 12:27:16 +02:00
828484d7c6
rule: confluence exploit CVE-2019-3398
2020-05-26 12:09:41 +02:00
48c5f2ed09
Update to sysmon_cve-2020-1048
...
Added .com executables to detection
Second TargetObject should have been Details
2020-05-26 11:20:21 +02:00
Florian Roth