security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c6519a2474a55fd279f3e4bb16afdb50bfa2a23e
sigma-rules/rules/windows
T
History
Samirbous c6519a2474 [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity (#146) 
* [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity

Same rule will detect exploitation behavior of CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300

* Update privilege_escalation_printspooler_service_suspicious_file.toml

* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Added references and changed file name to extension as it was closed as bug issue by endpoint dev team

* Update privilege_escalation_printspooler_service_suspicious_file.toml

* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 21:11:43 +02:00
..
command_and_control_certutil_network_connection.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
command_and_control_remote_file_copy_mpcmdrun.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
command_and_control_teamviewer_remote_file_copy.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
credential_access_credential_dumping_msbuild.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
credential_access_iis_apppoolsa_pwd_appcmd.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
credential_access_iis_connectionstrings_dumping.toml
[New Rule] Microsoft IIS Connection Strings Decryption (#165)
2020-09-29 11:45:41 +02:00
credential_access_mimikatz_memssp_default_logs.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_clearing_windows_event_logs.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_code_injection_conhost.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_cve_2020_0601.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_encoding_or_decoding_files_via_certutil.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_msbuild_started_by_office_app.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_execution_msbuild_started_by_script.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_execution_msbuild_started_by_system_process.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_execution_msbuild_started_renamed.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_msbuild_started_unusal_process.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_execution_suspicious_explorer_winword.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_execution_suspicious_psexesvc.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_execution_via_trusted_developer_utilities.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_iis_httplogging_disabled.toml
[New Rule] - Defense Evasion IIS HttpLogging Disabled (#142)
2020-09-29 11:39:04 +02:00
defense_evasion_injection_msbuild.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_masquerading_renamed_autoit.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_masquerading_werfault.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_modification_of_boot_config.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_sdelete_like_filename_rename.toml
[New Rule] - Potential Secure File Deletion using SDelete utility (#162)
2020-09-29 18:46:29 +02:00
defense_evasion_suspicious_managedcode_host_process.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_unusual_system_vp_child_program.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
defense_evasion_via_filter_manager.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
discovery_net_command_system_account.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
discovery_process_discovery_via_tasklist_command.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
discovery_whoami_command_activity.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
execution_command_prompt_connecting_to_the_internet.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
execution_command_shell_started_by_powershell.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
execution_command_shell_started_by_svchost.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
execution_command_shell_started_by_unusual_process.toml
[New Rule] Unusual CommandShell Parent Process (#202)
2020-09-28 23:15:26 +02:00
execution_html_help_executable_program_connecting_to_the_internet.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_local_service_commands.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_msbuild_making_network_connections.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
execution_mshta_making_network_connections.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_msxsl_network.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_psexec_lateral_movement_command.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_register_server_program_connecting_to_the_internet.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
execution_script_executing_powershell.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_suspicious_dotnet_compiler_parent_process.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
execution_suspicious_ms_office_child_process.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_suspicious_ms_outlook_child_process.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_suspicious_pdf_reader.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_unusual_dns_service_children.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
execution_unusual_dns_service_file_writes.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
execution_unusual_network_connection_via_rundll32.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_unusual_process_network_connection.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
execution_via_compiled_html_file.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
execution_via_hidden_shell_conhost.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
execution_via_net_com_assemblies.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
execution_via_xp_cmdshell_mssql_stored_procedure.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
lateral_movement_direct_outbound_smb_connection.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
lateral_movement_dns_server_overflow.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
lateral_movement_gpo_schtask_service_creation.toml
[New Rule] - Creation of a new GPO Scheduled Task or Service (#126)
2020-09-29 10:54:24 +02:00
persistence_adobe_hijack_persistence.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
persistence_local_scheduled_task_commands.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
persistence_priv_escalation_via_accessibility_features.toml
[Rule Tuning] - Tuning of 3 Existing Windows Rules (#123)
2020-09-22 13:47:22 +02:00
persistence_system_shells_via_services.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
persistence_user_account_creation.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
persistence_via_application_shimming.toml
Add ECS 1.6.0 schema for validation testing (#220)
2020-08-27 11:54:49 -05:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
persistence_via_update_orchestrator_service_hijack.toml
[New Rule] - Persistence via Update Orchestrator Service Hijack (#152)
2020-09-29 18:53:05 +02:00
privilege_escalation_printspooler_service_suspicious_file.toml
[New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity (#146)
2020-09-29 21:11:43 +02:00
privilege_escalation_printspooler_suspicious_spl_file.toml
[New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148)
2020-09-29 10:17:36 +02:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-23 22:03:29 -08:00
privilege_escalation_uac_bypass_event_viewer.toml
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
privilege_escalation_unusual_parentchild_relationship.toml
[Rule Tuning] Unusual Parent-Child Relationship (#185)
2020-09-22 14:25:27 +02:00