Florian Roth
|
53cc80c8f4
|
Windows Supicious Process Creation
- Bugfix in selection name
- New keyword expressions
|
2017-03-26 23:25:47 +02:00 |
|
Florian Roth
|
b0c8ffb051
|
Combined vssadmin rule
|
2017-03-26 01:27:26 +01:00 |
|
Florian Roth
|
800262a738
|
Renamed and double removed
|
2017-03-26 01:27:08 +01:00 |
|
Florian Roth
|
c1a6a542db
|
Rule: Windows 4688 process creation rule
|
2017-03-26 01:26:34 +01:00 |
|
Florian Roth
|
5c4a13af71
|
Rules: Linux commands and log entries of interest
|
2017-03-25 19:59:45 +01:00 |
|
Florian Roth
|
c8cc857b7c
|
Improved the linux suspicious keywords rule
|
2017-03-25 19:23:10 +01:00 |
|
Florian Roth
|
1a5ae7a0e2
|
Merge pull request #23 from MHaggis/master
wmic and net
|
2017-03-25 17:46:17 +01:00 |
|
Michael Haag
|
5ea6fad999
|
net.exe and wmic.exe
Suspicious execution of net and wmic
|
2017-03-25 06:48:23 -07:00 |
|
Michael Haag
|
5f6f8f3313
|
Merge remote-tracking branch 'Neo23x0/master'
|
2017-03-25 06:21:09 -07:00 |
|
Thomas Patzke
|
9698e8fdf7
|
Changed Logpoint SubjectAccountName mapping to conditional mapping
|
2017-03-25 00:27:29 +01:00 |
|
Thomas Patzke
|
c978e19d88
|
Conditional field mappings
|
2017-03-25 00:21:44 +01:00 |
|
Thomas Patzke
|
a4465ce844
|
Added 1:n field mapping
MultiFieldMapping
|
2017-03-24 00:58:11 +01:00 |
|
Thomas Patzke
|
5009794591
|
Changes to field mappings
* Introduced field mapping objects
* moved mapping from backends into parse tree generation
(SigmaParser.parse_definition)
|
2017-03-24 00:48:32 +01:00 |
|
Florian Roth
|
699c638ee2
|
Bugfix: Wrong Event ID and extended description
|
2017-03-23 11:50:30 +01:00 |
|
Florian Roth
|
d377884972
|
Rule: Rare scheduled tasks creations
|
2017-03-23 11:45:10 +01:00 |
|
Florian Roth
|
10ee36f26c
|
Updated Eventvwr UAC evasion
|
2017-03-22 14:40:55 +01:00 |
|
Florian Roth
|
7e180365ab
|
PowerShell Classic Log in Splunk Config Example
|
2017-03-22 11:17:46 +01:00 |
|
Florian Roth
|
fa37f5afcf
|
Rules: PowerShell Downgrade Attacks
|
2017-03-22 11:17:46 +01:00 |
|
Thomas Patzke
|
4ff792fbcf
|
Merge pull request #18 from benno001/patch-1
LogPoint windows mapping
|
2017-03-21 22:56:39 +01:00 |
|
Florian Roth
|
3bfa9ed121
|
Bugfix: Minor fix cause Sysmon uses SID as Software key
|
2017-03-21 10:44:53 +01:00 |
|
Florian Roth
|
b1da8c5b32
|
Bugfix: Fixed UAC bypass rules
|
2017-03-21 10:42:22 +01:00 |
|
Florian Roth
|
7ce958a3ed
|
Bugfixes and improvements
|
2017-03-21 10:24:20 +01:00 |
|
Florian Roth
|
f9be5b99ad
|
Rule: Suspicious task creation description changed
|
2017-03-21 10:23:53 +01:00 |
|
Florian Roth
|
6932fcec65
|
Rule: Linux shell more suspicious keywords
|
2017-03-21 10:23:12 +01:00 |
|
Florian Roth
|
055992eb05
|
Bugfix: PowerShell rules log source inconstency
|
2017-03-21 10:22:13 +01:00 |
|
Florian Roth
|
6f38a44ec1
|
Broader definition certutil.exe rule
|
2017-03-20 22:07:04 +01:00 |
|
Ben de Haan
|
c3c405a95e
|
LogPoint windows mapping
|
2017-03-20 16:57:19 +01:00 |
|
Thomas Patzke
|
1bf11dc471
|
Merge pull request #17 from benno001/master
Fixed LogPoint list behaviour
|
2017-03-20 08:58:16 +01:00 |
|
Ben de Haan
|
c94b539b14
|
Fixed LogPoint list behaviour
|
2017-03-20 08:41:29 +01:00 |
|
Florian Roth
|
2817ea2605
|
Bugfix in UAC Rule
|
2017-03-19 19:46:19 +01:00 |
|
Florian Roth
|
b2c15c2cf7
|
Rule: UAC bypass via eventvwr, minor changes
|
2017-03-19 19:34:06 +01:00 |
|
Florian Roth
|
c82da0dc5c
|
Rules: Suspicious locations and back connect ports
|
2017-03-19 15:22:27 +01:00 |
|
Thomas Patzke
|
d0bed75eb9
|
Added --output/-o parameter to sigmac
|
2017-03-18 23:15:03 +01:00 |
|
Thomas Patzke
|
889315c960
|
Changed values with placeholders to quoted strings
Values beginning with % cause YAML parse error
|
2017-03-18 23:05:16 +01:00 |
|
Florian Roth
|
f34156138f
|
Bugfix - Index
|
2017-03-18 13:57:42 +01:00 |
|
Florian Roth
|
8403e8072c
|
Merge pull request #14 from benno001/master
Added LogPoint backend
|
2017-03-18 13:30:35 +01:00 |
|
Florian Roth
|
264dab9330
|
Merge pull request #13 from yampelo/patch-2
Create sysmon_sdclt_uac_bypass.yml
|
2017-03-18 13:18:29 +01:00 |
|
Florian Roth
|
f292a259a5
|
Adjusted Windows Splunk Config
|
2017-03-18 13:12:31 +01:00 |
|
Ben de Haan
|
d18751a0ea
|
Added LogPoint backend
|
2017-03-18 11:12:06 +01:00 |
|
Thomas Patzke
|
17c484163d
|
Improved examples
|
2017-03-18 00:03:21 +01:00 |
|
Thomas Patzke
|
824f26c51c
|
Merge branch 'master' of https://github.com/Neo23x0/sigma
|
2017-03-17 23:34:19 +01:00 |
|
Thomas Patzke
|
b4f52d9cfb
|
Windows index in Splunk example configuration
|
2017-03-17 23:30:11 +01:00 |
|
Thomas Patzke
|
b865a858aa
|
Generation of conditions for configured indices
|
2017-03-17 23:28:06 +01:00 |
|
Thomas Patzke
|
56f415e42c
|
Fixed rule
|
2017-03-17 22:09:53 +01:00 |
|
Omer Yampel
|
d3bd73aefb
|
Create sysmon_sdclt_uac_bypass.yml
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
|
2017-03-17 14:31:26 -04:00 |
|
Florian Roth
|
59499f926e
|
Bugfix: Taskscheduler log source definition
|
2017-03-17 16:09:31 +01:00 |
|
Florian Roth
|
dc00baacda
|
Splunk Windows Configuration Example
|
2017-03-17 10:00:56 +01:00 |
|
Florian Roth
|
dd81b18d6e
|
Rule: Suspicious interactive console logons to servers
|
2017-03-17 09:44:24 +01:00 |
|
Florian Roth
|
bcc250e1c7
|
Added missing description
|
2017-03-17 08:43:21 +01:00 |
|
Florian Roth
|
e46ecd2aff
|
Rule: Rare scheduled task installs
|
2017-03-17 08:41:27 +01:00 |
|