b7ac36e6ab
Merge branch 'master' into rule-devel
2020-07-01 09:04:46 +02:00
f2587791f2
rule: suspicious rar flags
2020-07-01 09:04:26 +02:00
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process
...
New Rule: Suspicious powershell parent process
2020-06-30 10:00:28 +02:00
9c74018e12
Added new rule for pwsh_xor_cmd (sysmon)
2020-06-29 22:18:25 +02:00
5e740fd7b2
Added new rule for pwsh_xor_cmd (sysmon)
2020-06-29 22:13:49 +02:00
5a11ef90d0
rule reorganized
2020-06-29 21:24:47 +02:00
1a088425f9
Fix rules.
2020-06-29 20:42:35 +02:00
bb214f5832
rule: Explorer Root Flag Process Tree Break
2020-06-29 12:07:15 +02:00
b091e3b1c4
Update for new method
...
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
2020-06-22 01:06:34 +03:00
e1225784f7
fix: fixed indentation
2020-06-19 09:54:08 +02:00
62632db818
refactor: added variant to IE rule
2020-06-19 09:53:35 +02:00
5cb6f5da9d
fix: title adjusted
2020-06-19 09:39:11 +02:00
b8a5cd4787
Disabled IE Security Features
2020-06-19 09:37:10 +02:00
da060bfb90
Ke3chang rule
2020-06-19 09:36:54 +02:00
b343df2225
Further subtechnique updates
2020-06-17 11:31:40 -06:00
5c0bb0e94f
Fixed indentation
2020-06-16 15:01:13 -06:00
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
87053502a3
Merge pull request #839 from rtkbkish/fix-double-backslash
...
Fix match for double-backslash
2020-06-15 20:19:56 +02:00
46bd56a708
Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation
...
Fix logsource field name from service->category
2020-06-15 20:18:53 +02:00
f196046b3d
Fix match for double-backslash
...
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
2020-06-15 13:39:50 -04:00
422b2bffd7
Fix rules with incorrect escaping of wildcars
...
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
8d58c8f5c8
Fix logsource field name from service->category
...
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
2020-06-15 13:18:05 -04:00
40f0fd989d
- moved to "process_creation" folder instead of "sysmon"
...
- renamed .yml file
2020-06-11 19:21:17 +02:00
97c45f9d46
Merge pull request #812 from tliffick/master
...
added new rules for malware
2020-06-10 17:37:19 +02:00
96309d247b
fix: cosmetic fault
2020-06-10 16:41:03 +02:00
6e4aa01baa
Cosmetics
2020-06-10 16:36:17 +02:00
13c7d40a22
Cosmetics
2020-06-10 16:35:41 +02:00
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel
...
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel
...
Rule devel
2020-06-06 14:19:37 +02:00
2e77e65285
rule: Covenant launchers
2020-06-05 11:03:28 +02:00
6c8c0cd85d
Removed incorrect technique
2020-06-03 17:51:57 -04:00
a2ca199e7d
added rules for Lazaurs and hhsgov
2020-06-03 17:38:03 -04:00
4ed512011a
All Rules use 'TargetFilename' instead of 'TargetFileName'.
...
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel
...
ComRAT and KazuarRAT
2020-05-28 11:16:44 +02:00
39b41b5582
rule: moved DebugView rule to process creation category
2020-05-28 10:13:38 +02:00
4ca81b896d
rule: Turla ComRAT report
2020-05-26 14:19:22 +02:00
3681b8cb56
Extended Windows processes
2020-05-26 13:56:51 +02:00
f9f814f3b3
Shortened title
2020-05-26 13:06:27 +02:00
a241792e10
Reduce FP of legitime processes
...
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe
All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.
Python 2.7, 3.3 and 3.7 does not have any file characteristics.
So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
2020-05-26 12:58:15 +02:00
6fcf3f9ebf
Update win_netsh_fw_add.yml
2020-05-25 10:13:26 +02:00
28652e4648
Add Windows Server 2008 and Windows Vista support
...
It did not support the command `netsh advfirewall firewall add`
2020-05-25 10:02:13 +02:00
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml
...
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check.
Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
2020-05-25 09:50:47 +02:00
9cd9a301c2
Merge pull request #791 from SanWieb/master
...
added rule for Netsh RDP port opening
2020-05-23 16:50:31 +02:00
10ca3006f5
move rule where needed
2020-05-23 10:07:55 -04:00
d310805ed9
rule: Netsh RDP port opening
2020-05-23 14:19:52 +02:00
9a7f462d79
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel
...
refactor: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:54:43 +02:00
34006d0794
refactor: simplified and extended expression in CVE-2020-1048 rule
2020-05-23 09:16:19 +02:00
57c8e63acd
refactore: split up rule for CVE-2020-1048 into 2 rules
2020-05-23 09:09:58 +02:00
Florian Roth