diff --git a/images/Sigma_rule_example1.png b/images/Sigma_rule_example1.png index f55809c6210..179cdcf65b2 100644 Binary files a/images/Sigma_rule_example1.png and b/images/Sigma_rule_example1.png differ diff --git a/images/Sigma_rule_example2.png b/images/Sigma_rule_example2.png index b3abb10bb6b..39719a51877 100644 Binary files a/images/Sigma_rule_example2.png and b/images/Sigma_rule_example2.png differ diff --git a/images/Sigma_rule_example4.png b/images/Sigma_rule_example4.png index ff572e5ac24..50834c1a64a 100644 Binary files a/images/Sigma_rule_example4.png and b/images/Sigma_rule_example4.png differ diff --git a/images/Sigma_rule_example5.png b/images/Sigma_rule_example5.png index 5abbffb4b6c..ac9cd2edf9d 100644 Binary files a/images/Sigma_rule_example5.png and b/images/Sigma_rule_example5.png differ diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index 5f27e52323e..be73985e261 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -2,7 +2,7 @@ title: Mimikatz Usage description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) author: Florian Roth logsource: - - product: windows + product: windows detection: selection: EventLog: diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index a2af653f82b..62c0338a799 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -2,7 +2,7 @@ title: Relevant Anti-Virus Event description: This detection method points out highly relevant Antivirus events author: Florian Roth logsource: - - product: windows + product: windows detection: selection: EventLog: Application 
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 1c37eed6637..0e6e8ee3e0e 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -3,7 +3,7 @@ description: One of the Windows Eventlogs has been cleared reference: https://twitter.com/deviouspolack/status/832535435960209408 author: Florian Roth logsource: - - product: windows + product: windows detection: selection: EventLog: System diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml index 98fab85d7ed..97f2a83de35 100644 --- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml @@ -2,7 +2,7 @@ title: Account Tampering - Suspicious Failed Logon Reasons description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. author: Florian Roth logsource: - - product: windows + product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index 1440124873b..f10e4b6601d 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml @@ -2,7 +2,7 @@ title: Multiple Failed Logins with Different Accounts from Single Source System description: Detects suspicious failed logins with different user accounts from a single source system author: Florian Roth logsource: - - product: windows + product: windows detection: selection: EventLog: Security @@ -20,3 +20,5 @@ falsepositives: - Other multiuser systems like Citrix server farms - Workstations with frequently changing users level: medium + + 
diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml index d92ec2eec01..df2c7f07706 100644 --- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml @@ -2,7 +2,7 @@ title: Kerberos Manipulation description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages author: Florian Roth logsource: - - product: windows + product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml index e30a97562a7..b14d5f18ab5 100644 --- a/rules/windows/builtin/win_susp_lsass_dump.yml +++ b/rules/windows/builtin/win_susp_lsass_dump.yml @@ -3,7 +3,7 @@ description: Detects process handle on LSASS process with certain access mask an status: experimental reference: https://twitter.com/jackcr/status/807385668833968128 logsource: - - product: windows + product: windows detection: selection: EventLog: Security @@ -15,3 +15,4 @@ detection: falsepositives: - Unkown level: high + diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 0ad63e2d012..0525bf6f699 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -3,7 +3,7 @@ status: experimental reference: https://adsecurity.org/?p=3458 description: Detects logons using RC4 encryption type logsource: - - product: windows + product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml index fd59868374b..e7e4924ff9a 100644 --- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml 
@@ -2,7 +2,7 @@ title: Security Eventlog Cleared description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities author: Florian Roth logsource: - - product: windows + product: windows detection: selection: EventLog: Security diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml index a645e11c240..804976fc7cd 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml @@ -3,7 +3,7 @@ status: experimental description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ) reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow logsource: - - product: sysmon + product: sysmon detection: selection: - EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml index d2ce0242fb0..9f49d005791 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml @@ -3,7 +3,7 @@ status: experimental description: Detects certain DLL loads when Mimikatz gets executed reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ logsource: - - product: sysmon + product: sysmon detection: dllload1: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml index cce8c240479..1853bb459b2 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml 
@@ -2,7 +2,7 @@ title: Password Dumper Remote Thread in LSASS description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundrets of events. author: Thomas Patzke logsource: - - product: sysmon + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index c0b756306e2..daf1b9ca95a 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -2,7 +2,7 @@ title: Suspicious Driver Load from Temp description: Detetcs a driver load from a temporary directory author: Florian Roth logsource: - - product: sysmon + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index d0e7172bcbd..b5e9b5ed818 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -3,7 +3,7 @@ status: experimental description: Processes started by MMC could by a sign of lateral movement using MMC application COM object reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource: - - product: sysmon + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml index da6206d34a3..2ab733d7343 100644 --- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml +++ b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml 
@@ -2,7 +2,7 @@ title: Java running with Remote Debugging description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect author: Florian Roth logsource: - - product: sysmon + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml index db7f9f0d951..02fdcf6d06b 100644 --- a/rules/windows/sysmon/sysmon_webshell_detection.yml +++ b/rules/windows/sysmon/sysmon_webshell_detection.yml @@ -2,7 +2,7 @@ title: Webshell Detection With Command Line Keywords description: Detects certain command line parameters often used during reconnissaince activity via web shells author: Florian Roth logsource: - - product: sysmon + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml index bd499c0127d..7017adba877 100644 --- a/rules/windows/sysmon/sysmon_webshell_spawn.yml +++ b/rules/windows/sysmon/sysmon_webshell_spawn.yml @@ -3,7 +3,7 @@ status: experimental description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack author: Thomas Patzke logsource: - - product: sysmon + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational
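Review bot: the substantive change in every rule hunk is the same one-line fix, `-   - product: windows` / `+   product: windows` (and the `sysmon` equivalent), which turns `logsource` from a one-element YAML list into a mapping; that is the correct shape, since converters address `logsource.product` as a key, but the description should say so explicitly, and it is worth checking that no rule outside this diff still carries the list form, otherwise the same parse failure survives in files this commit did not touch.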
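Review bot: the `@@ -20,3 +20,5 @@` hunk in `win_susp_failed_logons_single_source.yml` and the `@@ -15,3 +15,4 @@` hunk in `win_susp_lsass_dump.yml` only append blank lines after `level: medium` and `level: high`; that is whitespace noise unrelated to the `logsource` fix and should be dropped (one trailing newline at most), so the diff stays a pure structural correction.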
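Review bot: in the `sysmon_mimikatz_detection_lsass.yml` hunk the context line `selection: - EventLog: Microsoft-Windows-Sysmon/Operational` shows `selection` written as a list of maps, while every other rule in this diff uses a plain mapping; a list under `selection` means OR between its elements rather than AND, so please confirm that is intended for this rule, since it is the same list-versus-mapping question this patch fixes for `logsource` one line above.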
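Review bot: several context lines carry typos in the rule descriptions that could be fixed while these files are open: `utitlities` in `win_susp_security_eventlog_cleared.yml`, `Detetcs` in `sysmon_susp_driver_load.yml`, `Detcts` in `sysmon_vul_java_remote_debugging.yml`, `reconnissaince` in `sysmon_webshell_detection.yml`, `hundrets` in `sysmon_password_dumper_lsass.yml`, `could by a sign` in `sysmon_susp_mmc_source.yml`, and `Unkown` under `falsepositives` in `win_susp_lsass_dump.yml`; the `sysmon_mimikatz_detection_lsass.yml` description also appears to contain stray spaces inside `PROCESS_QUERY_ LIMITED_INFORMATION` and `PROCESS_QUERY_ INFORMATION`, which should be checked in the file itself.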
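Review bot: the four `Binary files ... differ` hunks for `images/Sigma_rule_example1.png`, `example2.png`, `example4.png` and `example5.png` give a reviewer nothing to inspect; the commit message should state what was re-rendered in the screenshots (presumably the `logsource` block after this fix) so the image changes can be tied to the rule changes.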