frack113
ffbeec134d
Update image_load_wmiprvse_wbemcomn_dll_hijack.yml
2021-09-09 19:56:20 +02:00
Young
647f81d128
reverted changes in base.py to upstream
2021-09-09 10:55:36 -07:00
Young
03a8d93a54
Merge branch 'master' of https://github.com/Preston-Young/sigma
2021-09-09 10:41:10 -07:00
Young
c2c1b21a27
cleaning up changed files
2021-09-09 10:40:48 -07:00
Preston Young
4a98d68977
Merge branch 'SigmaHQ:master' into master
2021-09-09 10:28:16 -07:00
zakibro
458973af81
Update lnx_auditd_hidden_files_steganography.yml
...
Adding missing field: action
2021-09-09 16:52:58 +02:00
zakibro
62db796fc2
Update lnx_auditd_hidden_files_steganography.yml
...
Formatting changes
2021-09-09 16:46:41 +02:00
zakibro
0971fe1d49
Update lnx_auditd_hidden_files_steganography.yml
...
Fixing the listing issue
2021-09-09 16:27:57 +02:00
Pawel Mazur
41458d8a5a
New Rule - Linux Auditd Hidden Files - Steganography
2021-09-09 16:13:27 +02:00
frack113
d9cd1652f2
Split global sysmon rules
2021-09-09 16:11:41 +02:00
frack113
217be6cd8a
Merge pull request #2005 from frack113/tags_end
...
Add missing tags to rule
2021-09-09 15:04:26 +02:00
Florian Roth
f00aaf8461
refactor: exclude case in which upper ticks are used
2021-09-09 12:55:10 +02:00
Florian Roth
6d86c7df6c
Revert "refactor: 2nd condition in CVE-2021-40444 rule"
...
This reverts commit 015573c450
2021-09-09 09:41:03 +02:00
Florian Roth
015573c450
refactor: 2nd condition in CVE-2021-40444 rule
2021-09-09 09:33:45 +02:00
Florian Roth
e8b633f54f
Merge pull request #2006 from SigmaHQ/rule-devel
...
docs: changed level and reference in CVE-2021-40444 rule
2021-09-09 09:29:08 +02:00
Florian Roth
2777187fd9
docs: changed level and reference in CVE-2021-40444 rule
2021-09-09 08:46:34 +02:00
Florian Roth
b1f5c22805
Merge pull request #2003 from SigmaHQ/rule-devel
...
CVE-2021-40444 process pattern
2021-09-09 08:44:52 +02:00
Florian Roth
36a5d7ec04
CVE-2021-40444 false positives
2021-09-09 08:12:36 +02:00
frack113
312ffe69e2
Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
2021-09-09 06:28:48 +02:00
frack113
caa5c7af1a
Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
2021-09-09 06:27:23 +02:00
frack113
923be1064f
Merge pull request #2004 from BlackB0lt/patch-15
...
Update sysmon_dns_over_https_enabled.yml
2021-09-09 06:25:27 +02:00
Cyb3rEng
b2c44ebd6e
Changed selection1
...
completed the following change to selection1 to keep inline with rule creation guideline
- CommandLine|contains: 'wmic '
2021-09-08 21:27:15 -06:00
Cyb3rEng
fe9b91c504
Completed changes to selection1
...
changed to the following to follow rule creation guidelines:
- Image|endswith: '\wbem\WMIC.exe'
- ProcessCommandLine|contains: 'wmic '
2021-09-08 21:26:01 -06:00
Cyb3rEng
851dfeee46
Changed selection2 condition
...
changed from "\\wbem\\WmiPrvSE.exe" to "\wbem\WmiPrvSE.exe" to follow rule creation guidelines
2021-09-08 21:24:18 -06:00
Cyb3rEng
77ee51dd76
Changed the category
...
Changed category to file_event
2021-09-08 21:22:26 -06:00
Cyb3rEng
5bbe3dec9b
Completed changes to selection1 and selection2
...
changes were completed to remove ( * ) and stay within rule creation guide:
- Image|endswith:
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
WMIcommand|contains: 'Win32_Process\:\:Create'
2021-09-08 21:14:58 -06:00
Cyb3rEng
49df2358de
Completed changes to selection1
...
completed changes to selection1 to comply with rule creation guide with no ( * ) or ( \\ )
- Image|endswith: '\wbem\WMIC.exe'
- ProcessCommandLine|contains: 'wmic '
2021-09-08 21:12:27 -06:00
Cyb3rEng
a3236e62a2
Changed selection2 conditions
...
replaced *\wbem\WMIC.exe with Image|endswith: '\wbem\WMIC.exe' and ProcessCommandLine: *wmic * with ProcessCommandLine|contains: 'wmic '
2021-09-08 21:10:47 -06:00
Cyb3rEng
1f577174f9
Changed endswith condition
...
removed double // from "\wbem\WmiPrvSE.exe"
2021-09-08 21:06:41 -06:00
Cyb3rEng
6ddc83901b
Changed Category
...
Category Changed from process_creation to file_event
2021-09-08 20:38:07 -06:00
Cyb3rEng
5ac0fded26
Merge branch 'SigmaHQ:master' into master
2021-09-08 20:26:59 -06:00
Sittikorn S
36ed5ee9d4
Update sysmon_dns_over_https_enabled.yml
2021-09-09 08:04:54 +07:00
frack113
8eb527d042
Update process_mailboxexport_share.yml
2021-09-08 20:21:02 +02:00
frack113
deb0ddfe09
fix duplicate tags
2021-09-08 20:16:53 +02:00
frack113
af8bf06b30
add missing tags
2021-09-08 20:14:49 +02:00
Florian Roth
b1540d65b9
refactor: simplified rule
2021-09-08 17:35:50 +02:00
Sittikorn S
c633e825e0
Update sysmon_dns_over_https_enabled.yml
2021-09-08 22:23:51 +07:00
Sittikorn S
847b8f49b4
Update sysmon_dns_over_https_enabled.yml
...
Remove HKEY_LOCAL_MACHINE\ and revise Firefox object
2021-09-08 22:22:53 +07:00
Florian Roth
e388bc6bfa
remove unsupported tag
2021-09-08 16:56:04 +02:00
Florian Roth
c9b4f5d326
CVE-2021-40444
2021-09-08 16:49:49 +02:00
Florian Roth
72ffe99b20
Merge pull request #2001 from SigmaHQ/rule-devel
...
filter: empty thumbprint, PetitPotam rule
2021-09-08 09:09:58 +02:00
frack113
993112c7eb
Merge pull request #2002 from frack113/missing_tag
...
Add missing Tags #1974
2021-09-08 06:26:55 +02:00
frack113
e712d9696b
Merge pull request #2000 from frack113/split_global
...
Split frack113 global rules
2021-09-08 06:26:35 +02:00
Cyb3rEng
e3b376e945
Completed Changes Based on Comments
...
Removed :
unnecessary event ID
2021-09-07 21:26:42 -06:00
Cyb3rEng
4130ceb208
Completed Changes Based on Comments
...
Removed :
unnecessary event ID
2021-09-07 21:25:52 -06:00
Cyb3rEng
8d47f9531b
Completed Changes Based on Comments
...
Removed :
unnecessary event ID
2021-09-07 21:22:01 -06:00
Cyb3rEng
13e6262055
Completed Changes Based on Comments
...
Removed :
unnecessary event ID
2021-09-07 21:20:51 -06:00
Cyb3rEng
8dc1b03fef
Completed Changes Based on Comments
...
Removed :
unnecessary event ID
2021-09-07 21:19:43 -06:00
Cyb3rEng
bd4d21c41c
Completed changes based on comments
...
Removed :
unnecessary event ID
2021-09-07 21:17:12 -06:00
Cyb3rEng
75a6e5c95b
Completed Changes as per comments
...
Removed :
unnecessary event ID
2021-09-07 21:14:06 -06:00
