Florian Roth
78004cc29c
fix: condition contains - values without 0x
2021-03-10 18:56:05 +01:00
Florian Roth
29dec7dd8b
fix: FPs with LSASS Access from Non System Account
2021-03-10 18:51:27 +01:00
Florian Roth
40710fe89a
Merge pull request #1357 from Neo23x0/rule-devel
Rule FP fixes
2021-02-26 11:05:00 +01:00
jaegeral
e1f43f17c2
fixed various spelling errors all over rules and source code
2021-02-24 14:43:13 +00:00
Florian Roth
0489d4bfa4
fix: rule
2021-02-24 13:44:13 +01:00
Florian Roth
028ce2a548
fix: Sysmon NTLM downgrade attack - too many fps
2021-02-24 13:22:25 +01:00
Florian Roth
f834862833
Merge pull request #1107 from vburov/patch-10
Update win_susp_eventlog_cleared.yml
2021-02-18 11:19:53 +01:00
Florian Roth
a6684c66d6
Merge pull request #1110 from vburov/patch-11
Update win_disable_event_logging.yml
2021-02-18 11:18:32 +01:00
Florian Roth
76e6f38215
Merge pull request #1348 from bartlomiej-czyz/patch-1
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml
2021-02-18 11:14:40 +01:00
bartlomiej-czyz
b771fb0c55
Change win_metasploit_or_impacket_smb_psexec_service_install.yml severity level
2021-02-08 12:45:59 +01:00
bartlomiej-czyz
ae15cef5e7
Rename .yaml to .yml
2021-02-03 22:20:48 +01:00
bartlomiej-czyz
3e9c177c65
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml
2021-02-03 22:16:21 +01:00
David Straßegger
6a6929cfb6
implemented rule for scheduled task deletion
2021-01-22 08:09:56 +01:00
Florian Roth
7162528a1a
docs: removed CVE
2021-01-15 13:25:10 +01:00
Florian Roth
d58cdeab3a
Merge pull request #1331 from Neo23x0/rule-devel
rule: NTFS vulnerability
2021-01-12 09:09:33 +01:00
Florian Roth
cf37abee4d
docs: more details
2021-01-11 19:56:36 +01:00
Florian Roth
a0fccf8647
rule: NTFS vulnerability
https://twitter.com/jonasLyk/status/1347900440000811010
2021-01-11 14:51:26 +01:00
Arnim Rupp
d5de3fe5f9
more AV event and suspicious commands
some of the AV events are duplicates of win_av_relevant_match.yml; should we clean that up or include the strings in both?
2021-01-07 17:54:19 +01:00
Florian Roth
35ab80b39e
Merge pull request #1306 from d4rk-d4nph3/master
Added rule for Impacket's PsExec execution
2020-12-21 18:23:41 +01:00
Bhabesh Rai
0a7e95954e
Fix for failed build
2020-12-14 12:55:08 +05:45
Bhabesh Rai
63fb31882e
Added rule for Impacket's PsExec execution
2020-12-14 12:48:26 +05:45
Vasiliy Burov
e10771652b
Update win_disable_event_logging.yml
2020-10-09 18:27:04 +03:00
Vasiliy Burov
c77a190a6b
Update win_susp_eventlog_cleared.yml
Added events about security log clearance. Also, I think that the rule "sigma/rules/windows/builtin/win_susp_security_eventlog_cleared.yml" can be deleted.
2020-10-09 16:51:18 +03:00
Remco Hofman
6cadfa5b2b
Added win_vul_cve_2020_1472 rule
2020-09-15 15:13:53 +02:00
Florian Roth
50db6dcc69
Merge pull request #1002 from scottdermott/master
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
2020-09-15 08:17:02 +02:00
Yugoslavskiy Daniil
1fc202fe5d
fix typos, update tags
2020-09-13 15:46:45 +02:00
Dermott, Scott J
c72ac8f73e
Merge branch 'master' of https://github.com/scottdermott/sigma
2020-09-11 16:19:54 +01:00
Scott Dermott
1f50e0af35
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
AD Connect syncs on-premises AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC).
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
2020-09-11 16:06:51 +01:00
Florian Roth
de5444a81e
Merge pull request #989 from oscd-initiative/master
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth
7ddb63ec1b
fix: FPs with McAfee and Cybereason
2020-09-02 12:30:34 +02:00
Yugoslavskiy Daniil
5026438524
fix modified field
2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil
42c4079ed8
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-25 01:09:17 +02:00
Florian Roth
8970d03f6f
Merge pull request #952 from Neo23x0/devel
feat: Detect duplicate rule tags
2020-07-28 10:21:59 +02:00
Florian Roth
80f4b4ec71
fix: rules with duplicate tags
2020-07-27 11:44:47 +02:00
Ryan Plas
aa548ba1a9
Add quotes due to a colon in the falsepositives string
2020-07-23 23:33:36 -04:00
Ryan Plas
e52489aaf6
Change production status to stable
2020-07-23 23:33:36 -04:00
Aidan Bracher
1fd73a23b2
Updated tags with sub-techniques
2020-07-18 03:01:34 +01:00
Aidan Bracher
4ac1058ab5
Updated tags
2020-07-18 03:01:11 +01:00
Ryan Plas
de53a08746
Merge branch 'master' of github.com:Neo23x0/sigma
2020-07-15 10:27:33 -04:00
Florian Roth
c7e412788a
Merge pull request #924 from Neo23x0/devel
Live MITRE ATT&CK data from TAXI service in Test Scripts
2020-07-14 18:15:29 +02:00
Florian Roth
58b68758b4
fix: wrong MITRE ATT&CK ids used in the beta version
2020-07-14 17:53:32 +02:00
Ryan Plas
04fd598bcf
Update additional rules to have correct logsource attributes
2020-07-13 17:02:17 -04:00
Pushkarev Dmitry
efe720d44e
Added new rule. AppLocker
2020-07-13 20:51:48 +00:00
Florian Roth
f12cb7309b
fix: references is not a list
2020-07-13 17:37:03 +02:00
Florian Roth
e3734aaa27
fix: missing upper tick
2020-07-08 15:53:04 +02:00
GelosSnake
efae210556
adding google chrome to FP list
Legitimate errors generated by Google Chrome are reported often.
Official Google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
2020-07-08 16:44:41 +03:00
Thomas Patzke
3c760fabc1
Merge pull request #745 from Rettila/master
Added new rules
2020-07-07 23:14:19 +02:00
Thomas Patzke
de0bb36c51
Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785
2020-07-02 23:04:59 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml
2020-06-30 10:03:00 +02:00
Pushkarev Dmitry
502ec4b417
add win_not_allowed_rdp_access.yml rule
2020-06-26 22:15:53 +00:00