Commit Graph

3498 Commits

Author SHA1 Message Date
Florian Roth
0bbf40fb14 refactor: include xcopy 2020-07-03 11:03:45 +02:00
Florian Roth
3bea08edfc refactor: copy from/to system32 rule 2020-07-03 10:56:26 +02:00
Florian Roth
34ea706e4f fix: typo in systemroot 2020-07-03 10:24:58 +02:00
Florian Roth
0fa1c1525b fix: missing copy command 2020-07-03 10:17:34 +02:00
Florian Roth
1f0b1e58a9 fix: bugs in rule and title 2020-07-03 09:54:10 +02:00
Florian Roth
01ed87186f Copy From System Root rule 2020-07-03 09:45:58 +02:00
Florian Roth
33fef8bcf5 DesktopImgDownLdr rules 2020-07-03 09:45:48 +02:00
Florian Roth
4c4ed1a4a2 fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generalization 2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth
ab40cdbbd7 fix: missing ATT&CK id 2020-07-01 09:57:35 +02:00
Florian Roth
154181c6c8 fix: renamed files and line break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth
b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth
ba682c5de6
Merge pull request #863 from qwerty1q2w/feature
add win_not_allowed_rdp_access.yml rule
2020-06-30 10:03:11 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth
2e3669a5a4
Merge pull request #865 from j91321/defender-rules
Windows Defender logsource and rules
2020-06-30 10:01:17 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process
New Rule: Suspicious powershell parent process
2020-06-30 10:00:28 +02:00
Florian Roth
2c3f98dc83
Merge pull request #868 from HarishHary/pwsh_xor_commandline
New Rule: PowerShell xor commandline
2020-06-30 10:00:07 +02:00
Harish SEGAR
9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR
649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321
24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke
0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00
Thomas Patzke
89ed9f3763
Merge pull request #819 from cclauss/patch-2
Undefined name: from .exceptions import SigmaCollectionParseError
2020-06-28 00:37:09 +02:00
Thomas Patzke
4309082d6b
Merge pull request #818 from cclauss/patch-1
Undefined name: parser_print_help() --> parser.print_help()
2020-06-28 00:34:27 +02:00
Thomas Patzke
09378b5ebf Fixed unsupported attempt to index a set 2020-06-28 00:27:33 +02:00
Thomas Patzke
415f826ece Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop 2020-06-28 00:09:39 +02:00
Thomas Patzke
b1e4f44c21
Merge pull request #823 from Kuermel/master
Add more Options for XPackWatcherBackend (Elasticsearch)
2020-06-28 00:03:04 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master
Split rules based on Sysmon event ID
2020-06-28 00:00:32 +02:00
Thomas Patzke
de5e453e19
Merge pull request #831 from 404d/cbr-backend-tweaks
Add parentheses around field list groups in CB
2020-06-27 23:39:57 +02:00
Pushkarev Dmitry
502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth
555c94bd7e
Merge pull request #861 from jaegeral/patch-4
s/straight forward/straightforward
2020-06-26 15:40:09 +02:00
Alexander J
839e06e37a
s/straight forward/straightforward
Fix a typo.
2020-06-26 12:40:06 +02:00
Florian Roth
da46ff6e93 docs: descriptions for source configs 2020-06-25 13:59:51 +02:00
Florian Roth
825bda397d desc: better descriptions in help for backends and configurations 2020-06-25 13:21:43 +02:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
07c0a6558e fix: wording on sysmon mapping file 2020-06-24 17:49:42 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel
fix: duplicate IDs
2020-06-24 17:23:13 +02:00
Florian Roth
6d7f991424
Merge pull request #853 from rtkbkish/fix-win_ad_object_writedac_access
Fix quoting for AD Object WriteDAC Access
2020-06-24 17:06:15 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69 Fix quoting for AD Object WriteDAC Access
The AccessMask field needs to be quoted so that it is compared correctly.
2020-06-22 15:31:03 -04:00
Florian Roth
e2a16087c9
Merge pull request #851 from ozirus/master
Update for new method
2020-06-22 20:11:39 +02:00