Florian Roth
|
0bbf40fb14
|
refactor: include xcopy
|
2020-07-03 11:03:45 +02:00 |
|
Florian Roth
|
3bea08edfc
|
refactor: copy from/to system32 rule
|
2020-07-03 10:56:26 +02:00 |
|
Florian Roth
|
34ea706e4f
|
fix: typo in systemroot
|
2020-07-03 10:24:58 +02:00 |
|
Florian Roth
|
0fa1c1525b
|
fix: missing copy command
|
2020-07-03 10:17:34 +02:00 |
|
Florian Roth
|
1f0b1e58a9
|
fix: bugs in rule and title
|
2020-07-03 09:54:10 +02:00 |
|
Florian Roth
|
01ed87186f
|
Copy From System Root rule
|
2020-07-03 09:45:58 +02:00 |
|
Florian Roth
|
33fef8bcf5
|
DesktopImgDownLdr rules
|
2020-07-03 09:45:48 +02:00 |
|
Florian Roth
|
4c4ed1a4a2
|
fix: duplicate IDs and rule titles
|
2020-07-01 16:37:27 +02:00 |
|
Florian Roth
|
9c0f9f398f
|
refactor: sysmon rule cleanup > generlization
|
2020-07-01 10:58:39 +02:00 |
|
Florian Roth
|
4231fe2efc
|
fix: remove duplicate rules in sysmon (generic rule cleanup)
|
2020-07-01 10:23:30 +02:00 |
|
Florian Roth
|
ab40cdbbd7
|
fix: missing ATT&CK id
|
2020-07-01 09:57:35 +02:00 |
|
Florian Roth
|
154181c6c8
|
fix: renamed files and lien break change
|
2020-07-01 09:48:48 +02:00 |
|
Florian Roth
|
d70b63b78c
|
rule: RedMimicry rules (modified)
|
2020-07-01 09:17:31 +02:00 |
|
Florian Roth
|
fe71d21d97
|
style: removed new lines
|
2020-07-01 09:11:00 +02:00 |
|
Florian Roth
|
b7ac36e6ab
|
Merge branch 'master' into rule-devel
|
2020-07-01 09:04:46 +02:00 |
|
Florian Roth
|
f2587791f2
|
rule: suspicious rar flags
|
2020-07-01 09:04:26 +02:00 |
|
Florian Roth
|
ba682c5de6
|
Merge pull request #863 from qwerty1q2w/feature
add win_not_allowed_rdp_access.yml rule
|
2020-06-30 10:03:11 +02:00 |
|
Florian Roth
|
77553e11e8
|
Update win_not_allowed_rdp_access.yml
|
2020-06-30 10:03:00 +02:00 |
|
Florian Roth
|
2e3669a5a4
|
Merge pull request #865 from j91321/defender-rules
Windows Defender logsource and rules
|
2020-06-30 10:01:17 +02:00 |
|
Florian Roth
|
eb3a6e86af
|
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process
New Rule: Suspicious powershell parent process
|
2020-06-30 10:00:28 +02:00 |
|
Florian Roth
|
2c3f98dc83
|
Merge pull request #868 from HarishHary/pwsh_xor_commandline
New Rule: PowerShell xor commandline
|
2020-06-30 10:00:07 +02:00 |
|
Harish SEGAR
|
9c74018e12
|
Added new rule for pwsh_xor_cmd (sysmon)
|
2020-06-29 22:18:25 +02:00 |
|
Harish SEGAR
|
5e740fd7b2
|
Added new rule for pwsh_xor_cmd (sysmon)
|
2020-06-29 22:13:49 +02:00 |
|
Harish SEGAR
|
649e4eaa63
|
Added new rule for pwsh_xor_cmd
|
2020-06-29 22:09:58 +02:00 |
|
Florian Roth
|
5a11ef90d0
|
rule reorganized
|
2020-06-29 21:24:47 +02:00 |
|
Harish SEGAR
|
1a088425f9
|
Fix rules.
|
2020-06-29 20:42:35 +02:00 |
|
Florian Roth
|
bb214f5832
|
rule: Explorer Root Flag Process Tree Break
|
2020-06-29 12:07:15 +02:00 |
|
j91321
|
24029d998a
|
FIX: lint error for title
|
2020-06-28 11:05:19 +02:00 |
|
j91321
|
ae842a65cb
|
Windows Defender rules and logsource
|
2020-06-28 10:55:32 +02:00 |
|
Thomas Patzke
|
0ee47e118c
|
Merge branch 'pr-848'
|
2020-06-28 01:04:30 +02:00 |
|
Thomas Patzke
|
89ed9f3763
|
Merge pull request #819 from cclauss/patch-2
Undefined name: from .exceptions import SigmaCollectionParseError
|
2020-06-28 00:37:09 +02:00 |
|
Thomas Patzke
|
4309082d6b
|
Merge pull request #818 from cclauss/patch-1
Undefined name: parser_print_help() --> parser.print_help()
|
2020-06-28 00:34:27 +02:00 |
|
Thomas Patzke
|
09378b5ebf
|
Fixed unsupported attempt to index a set
|
2020-06-28 00:27:33 +02:00 |
|
Thomas Patzke
|
415f826ece
|
Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop
|
2020-06-28 00:09:39 +02:00 |
|
Thomas Patzke
|
b1e4f44c21
|
Merge pull request #823 from Kuermel/master
Add more Options for XPackWatcherBackend (Elasticsearch)
|
2020-06-28 00:03:04 +02:00 |
|
Thomas Patzke
|
d1f37bdbd4
|
Merge pull request #828 from stevengoossensB/master
Split rules based on Sysmon event ID
|
2020-06-28 00:00:32 +02:00 |
|
Thomas Patzke
|
de5e453e19
|
Merge pull request #831 from 404d/cbr-backend-tweaks
Add parentheses around field list groups in CB
|
2020-06-27 23:39:57 +02:00 |
|
Pushkarev Dmitry
|
502ec4b417
|
add win_not_allowed_rdp_access.yml rule
|
2020-06-26 22:15:53 +00:00 |
|
Florian Roth
|
555c94bd7e
|
Merge pull request #861 from jaegeral/patch-4
s/straight forward/straightforward
|
2020-06-26 15:40:09 +02:00 |
|
Alexander J
|
839e06e37a
|
s/straight forward/straightforward
Fix a typo.
|
2020-06-26 12:40:06 +02:00 |
|
Florian Roth
|
da46ff6e93
|
docs: descriptions for source configs
|
2020-06-25 13:59:51 +02:00 |
|
Florian Roth
|
825bda397d
|
desc: better descriptions in help for backends and configurations
|
2020-06-25 13:21:43 +02:00 |
|
Florian Roth
|
3decee07ba
|
fix: bugfix and cosmetics
|
2020-06-24 18:10:58 +02:00 |
|
Florian Roth
|
07c0a6558e
|
fix: wording on sysmon mapping file
|
2020-06-24 17:49:42 +02:00 |
|
Florian Roth
|
f3fedef8f5
|
Changed category names and remove sysmon log source
|
2020-06-24 17:41:21 +02:00 |
|
Florian Roth
|
4224a6517d
|
Merge pull request #859 from Neo23x0/rule-devel
fix: duplicate IDs
|
2020-06-24 17:23:13 +02:00 |
|
Florian Roth
|
6d7f991424
|
Merge pull request #853 from rtkbkish/fix-win_ad_object_writedac_access
Fix quoting for AD Object WriteDAC Access
|
2020-06-24 17:06:15 +02:00 |
|
Florian Roth
|
c3ffa0b9d3
|
fix: duplicate IDs
|
2020-06-24 17:04:04 +02:00 |
|
Brad Kish
|
d385cbfa69
|
Fix quoting for AD Object WriteDAC Access
The AccessMask field needs to be quoted so that it is compared correctly.
|
2020-06-22 15:31:03 -04:00 |
|
Florian Roth
|
e2a16087c9
|
Merge pull request #851 from ozirus/master
Update for new method
|
2020-06-22 20:11:39 +02:00 |
|