Commit

Merge remote-tracking branch 'upstream/master'
barvhaim committed Jul 21, 2020
2 parents da30266 + 71aa8ad commit 83623f3
Showing 22 changed files with 27 additions and 13 deletions.
1 change: 1 addition & 0 deletions rules/cloud/aws_cloudtrail_disable_logging.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,6 @@ level: medium
falsepositives:
- Valid change in a Trail
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
1 change: 1 addition & 0 deletions rules/cloud/aws_config_disable_recording.yml
Expand Up @@ -18,5 +18,6 @@ level: high
falsepositives:
- Valid change in AWS Config Service
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
1 change: 1 addition & 0 deletions rules/cloud/aws_guardduty_disruption.yml
Expand Up @@ -18,5 +18,6 @@ level: high
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
1 change: 1 addition & 0 deletions rules/windows/builtin/win_not_allowed_rdp_access.yml
Expand Up @@ -6,6 +6,7 @@ status: experimental
tags:
- attack.lateral_movement
- attack.t1076
- attack.t1021.001
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_rdp_localhost_login.yml
Expand Up @@ -9,7 +9,7 @@ tags:
- attack.lateral_movement
- attack.t1076
- car.2013-07-002
- attack.t1021
- attack.t1021.001
status: experimental
author: Thomas Patzke
logsource:
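Review bot: this hunk replaces `attack.t1021` with `attack.t1021.001` rather than adding the sub-technique next to the parent, while the deprecated `attack.t1076` is retained; elsewhere in this merge the old identifiers are kept alongside the new ones. `attack.t1021` is still a valid parent technique, so dropping it narrows the rule's ATT&CK coverage to the RDP sub-technique only; if that is intended, fine, otherwise keep both lines.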
Expand Up @@ -7,6 +7,7 @@ references:
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
author: Markus Neis
date: 2018/04/07
logsource:
Expand Up @@ -8,6 +8,7 @@ references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
tags:
- attack.t1089
- attack.t1562.001
- attack.defense_evasion
logsource:
product: windows
1 change: 1 addition & 0 deletions rules/windows/image_load/sysmon_in_memory_powershell.yml
Expand Up @@ -10,6 +10,7 @@ references:
- https://github.com/p3nt4/PowerShdll
tags:
- attack.t1086
- attack.t1059.001
- attack.execution
logsource:
category: image_load
Expand Up @@ -13,6 +13,7 @@ logsource:
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
detection:
selection:
Description: 'system.management.automation'
Expand Up @@ -10,6 +10,7 @@ references:
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
logsource:
category: network_connection
product: windows
Expand Up @@ -9,6 +9,7 @@ references:
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
logsource:
category: network_connection
product: windows
8 changes: 7 additions & 1 deletion rules/windows/other/win_defender_disabled.yml
Expand Up @@ -20,7 +20,13 @@ detection:
- 5010
- 5012
- 5101
condition: selection
selection2:
TargetObject:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Details: 'DWORD (0x00000001)'
condition: 1 of them
falsepositives:
- Administrator actions
level: high
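Review bot: `selection2` matches registry fields (`TargetObject`, `Details`) while `selection` matches Windows Defender event IDs (5010, 5012, 5101), so the two selections need different log sources; the rule's `logsource:` block is outside this hunk, and unless it covers registry events the new selection will never evaluate, so the registry part likely belongs in a separate rule under `category: registry_event`. The three `TargetObject` entries are also bare key paths with no value name and no trailing wildcard; Sigma string matching is exact unless `*` is used, so an event whose `TargetObject` ends in a value name will not match as written. Suggest appending `\*` to each path, or listing the specific value names of interest, and note that `Details: 'DWORD (0x00000001)'` against a wildcarded key path will match any DWORD set to 1 under those keys, which widens the false-positive surface beyond the listed "Administrator actions".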
1 change: 1 addition & 0 deletions rules/windows/process_access/sysmon_invoke_phantom.yml
Expand Up @@ -9,6 +9,7 @@ references:
- https://twitter.com/timbmsft/status/900724491076214784
tags:
- attack.t1089
- attck.t1562.001
- attack.defense_evasion
logsource:
category: process_access
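Review bot: the tag added in this hunk reads `attck.t1562.001`, a typo for `attack.t1562.001`. A tag outside the `attack.` namespace is not recognised by tooling that maps rules to ATT&CK and is likely to fail any tag-namespace validation in the repository's tests. Change the line to `- attack.t1562.001`.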
1 change: 1 addition & 0 deletions rules/windows/process_creation/win_apt_empiremonkey.yml
Expand Up @@ -6,6 +6,7 @@ references:
- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
tags:
- attack.t1086
- attack.t1059.001
- attack.execution
date: 2019/04/02
author: Markus Neis
1 change: 1 addition & 0 deletions rules/windows/process_creation/win_apt_ke3chang_regadd.yml
Expand Up @@ -9,6 +9,7 @@ tags:
- attack.g0004
- attack.t1059
- attack.t1089
- attack.t1562.001
author: Markus Neis, Swisscom
date: 2020/06/18
logsource:
Expand Up @@ -5,7 +5,9 @@ description: Detects command lines that indicate unwanted modifications to regis
references:
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
author: Florian Roth
date: 2020/06/19
logsource:
Expand Up @@ -9,6 +9,7 @@ date: 2020/03/20
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
logsource:
category: process_creation
product: windows
Expand Up @@ -10,7 +10,7 @@ tags:
- attack.privilege_escalation
- attack.t1076
- car.2013-07-002
- attack.t1021
- attack.t1021.001
author: Florian Roth
date: 2018/03/17
modified: 2018/12/11
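Review bot: `modified: 2018/12/11` is left untouched although the rule's tags change in this hunk; if the project bumps `modified` on any rule edit, it should be updated here. As in the other RDP rule, `attack.t1021` is replaced by `attack.t1021.001` instead of being kept alongside it, which drops the parent technique from the rule's coverage; confirm that is intended.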
Expand Up @@ -7,6 +7,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2019/11/13
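Review bot: the tag list changes but `modified: 2019/11/13` is not bumped; if the repository's convention is to update `modified` on every rule change, set it to the date of this edit.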
Expand Up @@ -8,6 +8,7 @@ references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
tags:
- attack.t1089
- attack.t1562.001
- attack.defense_evasion
logsource:
category: registry_event
5 changes: 0 additions & 5 deletions tools/config/winlogbeat-modules-enabled.yml
Expand Up @@ -29,11 +29,6 @@ logsources:
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-process-creation:
product: windows
category: process_creation
conditions:
winlog.event_id: '1'
windows-dns-server:
product: windows
service: dns-server
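Review bot: deleting the `windows-process-creation` mapping means rules with `product: windows` and `category: process_creation` no longer resolve to `winlog.event_id: '1'` through this config, and nothing in the hunk shows a replacement; confirm another definition in the file still covers `process_creation` (for example one spanning Sysmon event 1 and Security 4688), otherwise sigmac will emit queries for those rules without an event-id filter. This is a behavioural change for every process_creation rule and deserves a line of explanation, which the merge commit message does not give.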
5 changes: 0 additions & 5 deletions tools/config/winlogbeat.yml
Expand Up @@ -28,11 +28,6 @@ logsources:
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-process-creation:
product: windows
category: process_creation
conditions:
winlog.event_id: '1'
windows-dns-server:
product: windows
service: dns-server
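Review bot: this mirrors the removal of `windows-process-creation` from winlogbeat-modules-enabled.yml, and keeping the two configs in sync is right, but the same caveat applies: with this block gone the hunk shows no remaining mapping for `category: process_creation` on `product: windows`, so verify one exists elsewhere in winlogbeat.yml before merging or process_creation rules will convert without their `winlog.event_id` constraint.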