Commit | Author | Date

075df83118 | Tareq AlKhatib | 2019-03-09 20:57:59 +03:00
    Converted to use the new process_creation data source

99595a7f89 | mrblacyk | 2019-03-05 23:25:49 +01:00
    Added missing tags and some minor improvements

5b92790e3f | Florian Roth | 2019-02-05 14:35:23 +01:00
    Rule: WMI Persistence - FPs

c99dc9f643 | ntim | 2018-07-24 10:56:41 +02:00
    Tagged windows powershell, other and malware rules.

0ffd226293 | Florian Roth | 2018-04-11 20:11:54 +02:00
    Moved new rule to sysmon folder

b065c2c35c | Florian Roth | 2018-04-11 19:03:35 +02:00
    Simplified rule

fa6677a41d | Karneades | 2018-04-11 15:21:42 +02:00
    Remove @ in author
    Be nice to Travis: "error syntax error: found character '@' that cannot start any token"

be3c27981f | Karneades | 2018-04-11 15:13:00 +02:00
    Add rule for Windows registry persistence mechanisms

ada1ca94ea | Thomas Patzke | 2018-03-08 00:10:19 +01:00
    JPCERT rules
    * Addition of ntdsutil.exe rule
    * Added new link to existing rules

8ee24bf150 | Thomas Patzke | 2018-03-07 23:05:10 +01:00
    WMI persistence rules derived from blog article
    https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize

84645f4e59 | Thomas Patzke | 2018-03-06 23:14:43 +01:00
    Simplified rule conditions with new condition constructs

48441962cc | SherifEldeeb | 2018-01-28 02:24:16 +03:00
    Change all "str" references to be "list" to match schema update

112a0939d7 | SherifEldeeb | 2018-01-28 02:12:19 +03:00
    Change "reference" to "references" to match new schema

aca70e57ec | Florian Roth | 2018-01-27 10:57:30 +01:00
    Massive Title Cleanup

986c9ff9b7 | Thomas Patzke | 2017-09-12 23:54:04 +02:00
    Added field names to first rules

f46e86fbb1 | Florian Roth | 2017-08-24 18:27:40 +02:00
    WMI persistence modified

332f7d27da | Florian Roth | 2017-08-22 10:02:54 +02:00
    Win WMI Persistence
    http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
    https://twitter.com/mattifestation/status/899646620148539397

d1f1bd59da | Florian Roth | 2017-06-17 08:50:16 +02:00
    Changed level of PsExec events to 'low'

4fcdcc3967 | Thomas Patzke | 2017-06-12 23:57:06 +02:00
    Added rule for PsExec

59499f926e | Florian Roth | 2017-03-17 16:09:31 +01:00
    Bugfix: Taskscheduler log source definition

bcc250e1c7 | Florian Roth | 2017-03-17 08:43:21 +01:00
    Added missing description

e46ecd2aff | Florian Roth | 2017-03-17 08:41:27 +01:00
    Rule: Rare scheduled task installs