security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9d884b6452f042bce0da96e7be2e0fb6289ceff5
sigma-rules/rules/windows
T
History
Samirbous 9d884b6452 [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs (#253) 
* [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Added 2 more known vulnerable programs Dism.exe and w3wp.exe

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* linted

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:39:35 +02:00
..
command_and_control_certutil_network_connection.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
command_and_control_remote_file_copy_mpcmdrun.toml
[New Rule] Remote File Download via MpCmdRun (#247)
2020-09-22 14:44:48 +02:00
command_and_control_teamviewer_remote_file_copy.toml
[New Rule] Remote File Copy via TeamViewer (#241)
2020-09-22 14:43:32 +02:00
credential_access_credential_dumping_msbuild.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
[New Rule] Microsoft IIS Service Account Password Dumped (#167)
2020-09-22 13:58:57 +02:00
credential_access_mimikatz_memssp_default_logs.toml
[New Rule] Mimikatz Memssp Logs File Detected (#228)
2020-09-22 14:37:40 +02:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_clearing_windows_event_logs.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_code_injection_conhost.toml
[New Rule] Code Injection - Suspicious Conhost Child Process (#226)
2020-09-22 14:35:56 +02:00
defense_evasion_cve_2020_0601.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_encoding_or_decoding_files_via_certutil.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_msbuild_started_by_office_app.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_msbuild_started_by_script.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_msbuild_started_by_system_process.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_msbuild_started_renamed.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_msbuild_started_unusal_process.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_suspicious_explorer_winword.toml
[New Rule] Potential DLL SideLoading via Trusted Microsoft Programs (#253)
2020-09-22 22:39:35 +02:00
defense_evasion_execution_suspicious_psexesvc.toml
[New Rule] - Suspicious PsExec Execution (#134)
2020-09-22 13:52:01 +02:00
defense_evasion_execution_via_trusted_developer_utilities.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
defense_evasion_injection_msbuild.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
[New Rule] Suspicious Elastic Endpoint Parent Process (#214)
2020-09-22 14:34:11 +02:00
defense_evasion_masquerading_renamed_autoit.toml
[New Rule] Evasion via Renamed AutoIt Scripts Interpreter (#234)
2020-09-22 14:39:04 +02:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
[New Rule] Suspicious WerFault Child Process (#212)
2020-09-22 14:32:04 +02:00
defense_evasion_masquerading_werfault.toml
[New Rule] Potential Process Masquerading as WerFault (#210)
2020-09-22 14:30:34 +02:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_modification_of_boot_config.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_suspicious_managedcode_host_process.toml
[New Rule] Suspicious managed code hosting process (#204)
2020-09-22 14:27:03 +02:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
[New Rule] - Executable File Created by a System Critical Process (#183)
2020-09-22 14:23:37 +02:00
defense_evasion_via_filter_manager.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
discovery_net_command_system_account.toml
[Rule Tuning] - Tuning of 3 Existing Windows Rules (#123)
2020-09-22 13:47:22 +02:00
discovery_process_discovery_via_tasklist_command.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
discovery_whoami_command_activity.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
execution_command_prompt_connecting_to_the_internet.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_command_shell_started_by_powershell.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_command_shell_started_by_svchost.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_html_help_executable_program_connecting_to_the_internet.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_local_service_commands.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_msbuild_making_network_connections.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_mshta_making_network_connections.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_msxsl_network.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_psexec_lateral_movement_command.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_register_server_program_connecting_to_the_internet.toml
[Rule Tuning] - Tuning of 3 Existing Windows Rules (#123)
2020-09-22 13:47:22 +02:00
execution_script_executing_powershell.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_suspicious_dotnet_compiler_parent_process.toml
[New Rule] Suspicious .Net Compiler Parent Process (#208)
2020-09-22 14:28:41 +02:00
execution_suspicious_ms_office_child_process.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_suspicious_ms_outlook_child_process.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_suspicious_pdf_reader.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_unusual_dns_service_children.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
execution_unusual_dns_service_file_writes.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
execution_unusual_network_connection_via_rundll32.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_unusual_process_network_connection.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_via_compiled_html_file.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
execution_via_hidden_shell_conhost.toml
[New Rule] - Execution via Hidden Shell (#154)
2020-09-22 13:56:19 +02:00
execution_via_net_com_assemblies.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_via_xp_cmdshell_mssql_stored_procedure.toml
[New Rule] Execution via xp_cmdshell MSSQL stored procedure (#132)
2020-09-22 13:48:54 +02:00
lateral_movement_direct_outbound_smb_connection.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
lateral_movement_dns_server_overflow.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
persistence_adobe_hijack_persistence.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
persistence_local_scheduled_task_commands.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
persistence_priv_escalation_via_accessibility_features.toml
[Rule Tuning] - Tuning of 3 Existing Windows Rules (#123)
2020-09-22 13:47:22 +02:00
persistence_system_shells_via_services.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
persistence_user_account_creation.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
persistence_via_application_shimming.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
[New Rule] - Persistence via TelemetryController Scheduled Task Hijack (#150)
2020-09-22 13:54:51 +02:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
[New Rule] UAC Bypass via DiskCleanup Task Hijack (#160)
2020-09-22 13:57:37 +02:00
privilege_escalation_uac_bypass_event_viewer.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
privilege_escalation_unusual_parentchild_relationship.toml
[Rule Tuning] Unusual Parent-Child Relationship (#185)
2020-09-22 14:25:27 +02:00