506 Commits

Author	SHA1	Message	Date
Florian Roth	40710fe89a	Merge pull request #1357 from Neo23x0/rule-devel ... Rule FP fixes	2021-02-26 11:05:00 +01:00
jaegeral	e1f43f17c2	fixed various spelling errors all over rules and source code	2021-02-24 14:43:13 +00:00
Florian Roth	0489d4bfa4	fix: rule	2021-02-24 13:44:13 +01:00
Florian Roth	028ce2a548	fix: Sysmon NTLM downgrade attack - too many fps	2021-02-24 13:22:25 +01:00
Florian Roth	f834862833	Merge pull request #1107 from vburov/patch-10 ... Update win_susp_eventlog_cleared.yml	2021-02-18 11:19:53 +01:00
Florian Roth	a6684c66d6	Merge pull request #1110 from vburov/patch-11 ... Update win_disable_event_logging.yml	2021-02-18 11:18:32 +01:00
Florian Roth	76e6f38215	Merge pull request #1348 from bartlomiej-czyz/patch-1 ... Create win_metasploit_or_impacket_smb_psexec_service_install.yaml	2021-02-18 11:14:40 +01:00
bartlomiej-czyz	b771fb0c55	Change win_metasploit_or_impacket_smb_psexec_service_install.yml severity level	2021-02-08 12:45:59 +01:00
bartlomiej-czyz	ae15cef5e7	Rename .yaml to .yml	2021-02-03 22:20:48 +01:00
bartlomiej-czyz	3e9c177c65	Create win_metasploit_or_impacket_smb_psexec_service_install.yaml	2021-02-03 22:16:21 +01:00
David Straßegger	6a6929cfb6	implemented rule for scheduled task deletion	2021-01-22 08:09:56 +01:00
Florian Roth	7162528a1a	docs: removed CVE	2021-01-15 13:25:10 +01:00
Florian Roth	d58cdeab3a	Merge pull request #1331 from Neo23x0/rule-devel ... rule: NTFS vulnerability	2021-01-12 09:09:33 +01:00
Florian Roth	cf37abee4d	docs: more details	2021-01-11 19:56:36 +01:00
Florian Roth	a0fccf8647	rule: NTFS vulnerability ... https://twitter.com/jonasLyk/status/1347900440000811010	2021-01-11 14:51:26 +01:00
Arnim Rupp	d5de3fe5f9	more AV event and suspicious commands ... some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?	2021-01-07 17:54:19 +01:00
Florian Roth	35ab80b39e	Merge pull request #1306 from d4rk-d4nph3/master ... Added rule for Impacket's PsExec execution	2020-12-21 18:23:41 +01:00
Bhabesh Rai	0a7e95954e	Fix for fail build	2020-12-14 12:55:08 +05:45
Bhabesh Rai	63fb31882e	Added rule for Impacket's PsExec execution	2020-12-14 12:48:26 +05:45
Vasiliy Burov	e10771652b	Update win_disable_event_logging.yml	2020-10-09 18:27:04 +03:00
Vasiliy Burov	c77a190a6b	Update win_susp_eventlog_cleared.yml ... Added events about security log clearance. Also, I think that the rule "sigma/rules/windows/builtin/win_susp_security_eventlog_cleared.yml" can be deleted.	2020-10-09 16:51:18 +03:00
Remco Hofman	6cadfa5b2b	Added win_vul_cve_2020_1472 rule	2020-09-15 15:13:53 +02:00
Florian Roth	50db6dcc69	Merge pull request #1002 from scottdermott/master ... + Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)	2020-09-15 08:17:02 +02:00
Yugoslavskiy Daniil	1fc202fe5d	fix typos, update tags	2020-09-13 15:46:45 +02:00
Dermott, Scott J	c72ac8f73e	Merge branch 'master' of https://github.com/scottdermott/sigma	2020-09-11 16:19:54 +01:00
Scott Dermott	1f50e0af35	+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx) ... AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC). https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028	2020-09-11 16:06:51 +01:00
Florian Roth	de5444a81e	Merge pull request #989 from oscd-initiative/master ... [OSCD Initiative][ATT&CK tags update]	2020-09-08 13:27:58 +02:00
Florian Roth	7ddb63ec1b	fix: FPs with McAfee and CyberReason	2020-09-02 12:30:34 +02:00
Yugoslavskiy Daniil	5026438524	fix modified field	2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil	42c4079ed8	att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other	2020-08-25 01:09:17 +02:00
Florian Roth	8970d03f6f	Merge pull request #952 from Neo23x0/devel ... feat: Detect duplicate rule tags	2020-07-28 10:21:59 +02:00
Florian Roth	80f4b4ec71	fix: rules with duplicate tags	2020-07-27 11:44:47 +02:00
Ryan Plas	aa548ba1a9	Add quotes due to a colon in the falsepositives string	2020-07-23 23:33:36 -04:00
Ryan Plas	e52489aaf6	Change production status to stable	2020-07-23 23:33:36 -04:00
Aidan Bracher	1fd73a23b2	Updated tags with sub-techniques	2020-07-18 03:01:34 +01:00
Aidan Bracher	4ac1058ab5	Updated tags	2020-07-18 03:01:11 +01:00
Ryan Plas	de53a08746	Merge branch 'master' of github.com:Neo23x0/sigma	2020-07-15 10:27:33 -04:00
Florian Roth	c7e412788a	Merge pull request #924 from Neo23x0/devel ... Live MITRE ATT&CK data from TAXI service in Test Scripts	2020-07-14 18:15:29 +02:00
Florian Roth	58b68758b4	fix: wrong MITRE ATT&CK ids used in the beta version	2020-07-14 17:53:32 +02:00
Ryan Plas	04fd598bcf	Update additional rules to have correct logsource attributes	2020-07-13 17:02:17 -04:00
Pushkarev Dmitry	efe720d44e	Added new rule. AppLocker	2020-07-13 20:51:48 +00:00
Florian Roth	f12cb7309b	fix: references is not a list	2020-07-13 17:37:03 +02:00
Florian Roth	e3734aaa27	fix: missing upper tick	2020-07-08 15:53:04 +02:00
GelosSnake	efae210556	adding google chrome to FP list ... legitimate errors generated by Google Chrome are reported often. Official google standpoint on this: https://support.google.com/chrome/a/thread/15440066?hl=en	2020-07-08 16:44:41 +03:00
Thomas Patzke	3c760fabc1	Merge pull request #745 from Rettila/master ... Added new rules	2020-07-07 23:14:19 +02:00
Thomas Patzke	de0bb36c51	Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785	2020-07-02 23:04:59 +02:00
Florian Roth	77553e11e8	Update win_not_allowed_rdp_access.yml	2020-06-30 10:03:00 +02:00
Pushkarev Dmitry	502ec4b417	add win_not_allowed_rdp_access.yml rule	2020-06-26 22:15:53 +00:00
Brad Kish	d385cbfa69	Fix quoting for AD Object WriteDAC Access ... The AccessMask field needs to be quoted so that it is compared correctly.	2020-06-22 15:31:03 -04:00
Ivan Kirillov	5c0bb0e94f	Fixed indentation	2020-06-16 15:01:13 -06:00