SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00

Author	SHA1	Message	Date
Florian Roth	bc74ac1f8a	Update win_susp_rasdial_activity.yml	2020-08-18 14:40:37 +02:00
Florian Roth	fd23a18241	Merge pull request #982 from tungn12/master Carbon black mapping wrong and fix wild card	2020-08-18 14:33:22 +02:00
Florian Roth	0ba9383774	Merge pull request #984 from EccoTheFlintstone/fix_fp3 SIGMA ASEP: remove some false positives	2020-08-18 14:29:35 +02:00
ecco	de4810233c	remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64	2020-08-18 05:28:37 -04:00
tung12	1921e9dd89	Fix wild card and some escaped characters	2020-08-18 15:57:13 +07:00
SOC Prime	d3ba1e4fb8	Add sysmon backend	2020-08-18 11:20:22 +03:00
SOC Prime	8fead9f864	Merge pull request #4 from Neo23x0/master Repositories synchronization	2020-08-18 11:12:15 +03:00
Florian Roth	da54e89f30	Merge pull request #976 from diskurse/rule-devel Rule devel	2020-08-17 15:02:31 +02:00
Florian Roth	8a02541b0a	style: removed lists where unnecessary	2020-08-17 15:02:16 +02:00
Florian Roth	6dc8dbb6d8	style: removed lists where unnecessary	2020-08-17 15:01:52 +02:00
tung12	172f7b371e	Change mapped Image to path	2020-08-17 15:05:44 +07:00
Bar Haim	bd96b1c5ad	Update win_susp_rasdial_activity.yml `rasdial` is an `exe`, and probably appear as `rasdial.exe` `LIKE` is more fit in this case	2020-08-16 16:17:49 +03:00
Bar Haim	c7dc9df87e	Update sysmon_apt_muddywater_dnstunnel.yml	2020-08-16 12:39:04 +03:00
Bar Haim	4168f1e430	Update win_new_service_creation.yml	2020-08-16 11:44:40 +03:00
Thomas Patzke	3d9855dd06	Merge pull request #975 from scottdermott/master + Adding Mitre Sub-Techniques and python update script to fetch latest from Mitre CTI	2020-08-13 13:18:57 +02:00
Cian Heasley	b378b3d62b	win_mouse_lock.yml In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.	2020-08-13 12:09:07 +01:00
Cian Heasley	6fa5a6c93d	Delete win_mouse_lock.yml	2020-08-13 12:08:04 +01:00
Cian Heasley	b8b4ab5a2a	win_mouse_lock.yml In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.	2020-08-13 12:07:34 +01:00
Cian Heasley	d1e9f01d23	win_dnscat2_powershell_implementation.yml The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.	2020-08-13 12:06:48 +01:00
Dermott, Scott J	7e6828dd40	+ Adding Mitre Sub-Techniques and python update script to fetch latest Pre, Enterprise & Mobile Tactics and Techniques from Mitre CTI	2020-08-13 10:24:44 +01:00
Florian Roth	2e29c07e83	Merge pull request #928 from duzvik/master Create sysmon_abusing_azure_browser_sso.yml	2020-08-12 17:15:27 +02:00
Florian Roth	61a05ee054	reordered fields, changed indentation	2020-08-12 16:44:37 +02:00
Thomas Patzke	01125ffd3b	Fixed: Elastalert backend handling of conditional field mappings	2020-08-11 23:29:18 +02:00
Thomas Patzke	d73447c111	Merge pull request #939 from ktecv2000/master add wmi persistence script event consumer false positive	2020-08-05 23:28:26 +02:00
Thomas Patzke	f827a557f2	Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process Change fitler typo from 'Username' to 'User' for Wmiprvse Spawning Process rule	2020-08-05 23:26:14 +02:00
Thomas Patzke	9b2f8ce1f9	Merge pull request #953 from barvhaim/master STIX Backend added and updated fields mapping	2020-08-05 23:25:17 +02:00
Florian Roth	98ca8b4ce9	Merge pull request #968 from zinint/master ATT&CK mapping update suggestions for \linux\	2020-08-05 00:37:36 +02:00
Timur Zinniatullin	72fdf0da45	Update lnx_auditd_susp_cmds.yml	2020-08-04 20:00:30 +03:00
Timur Zinniatullin	4e688233d7	ATT&CK mapping update suggestions for \linux\	2020-08-04 19:48:18 +03:00
Florian Roth	4529e4cd52	Merge pull request #966 from Neo23x0/rule-devel rule: TAIDOOR malware load	2020-08-04 14:54:24 +02:00
Florian Roth	052379a512	fix: tightened TAIDOOR rule	2020-08-04 14:37:18 +02:00
Florian Roth	c4953409aa	rule: TAIDOOR malware load https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a	2020-08-04 14:31:29 +02:00
Florian Roth	fa36adfe6d	Merge pull request #965 from IPv777/patch-2 .002 = SMB/Windows Admin Shares	2020-08-03 18:05:12 +02:00
IPv777	a52583dc68	.002 = SMB/Windows Admin Shares	2020-08-03 17:43:14 +02:00
Florian Roth	732c1fa356	Merge pull request #964 from Neo23x0/rule-devel New rules	2020-08-03 15:28:45 +02:00
Florian Roth	5625f471d7	Merge pull request #963 from diskurse/rule-devel win_webshell_regeorg.yml	2020-08-03 13:51:16 +02:00
Florian Roth	3abc3d0a76	docs: add FP condition	2020-08-03 13:50:47 +02:00
Florian Roth	6f7aecbe06	fix: preventive change to avoid FPs	2020-08-03 13:49:52 +02:00
Cian Heasley	de33b953ba	Add files via upload Webshell ReGeorg Detection Via Web Logs	2020-08-03 12:20:04 +01:00
Florian Roth	df3bfb1b37	rule: Winnti Pipemon	2020-07-30 18:55:47 +02:00
bar	8352eefe22	STIX Support keywords (value without field)	2020-07-28 18:52:02 +03:00
bar	53f36d2ab6	Merge remote-tracking branch 'upstream/master'	2020-07-28 16:24:51 +03:00
Florian Roth	5abf101c0b	Merge pull request #954 from Neo23x0/rule-devel Rule devel	2020-07-28 10:22:52 +02:00
Florian Roth	8970d03f6f	Merge pull request #952 from Neo23x0/devel feat: Detect duplicate rule tags	2020-07-28 10:21:59 +02:00
bar	565f77c199	Added STIX target to README.md	2020-07-27 15:35:30 +03:00
bar	de475bb500	updated STIX mapping for more rule fields	2020-07-27 14:36:30 +03:00
Florian Roth	80f4b4ec71	fix: rules with duplicate tags	2020-07-27 11:44:47 +02:00
Florian Roth	051e2ce905	feat: detect duplicate tags	2020-07-27 11:37:58 +02:00
Thomas Patzke	481b695eff	Merge pull request #950 from barvhaim/master STIX Backend bug-fix and mapping updates	2020-07-26 18:33:35 +02:00
bar	32cf352236	Merge remote-tracking branch 'upstream/master'	2020-07-26 14:56:06 +03:00

... 2 3 4 5 6 ...

3984 Commits