Commit Graph

378 Commits

Author SHA1 Message Date
S.kiran kumar
4fa6ca01ef
Changed category. 2020-10-14 10:05:41 +05:30
S.kiran kumar
bd5e7fda14
Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 21:26:44 +05:30
S.kiran kumar
27823763cb
Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 20:14:43 +05:30
S.kiran kumar
a640c1e151
Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 20:11:24 +05:30
S.kiran kumar
f1c9286a25
Updated minor changes
Change tags.
Change author (add "oscd.community").
Change date format.
Change logsource.
Change detection (use endswith as a modifier).
Change fields.
2020-10-12 20:06:36 +05:30
S.kiran kumar
c76eede1b8
Update silenttrinity_stager_communicating_to_c2.yml 2020-10-11 23:11:09 +05:30
S.kiran kumar
fbf5d2fdc4
Update silenttrinity_stager_communicating_to_c2.yml 2020-10-11 23:07:41 +05:30
S.kiran kumar
bddbe68235
Create silenttrinity_stager_communicating_to_c2.yml 2020-10-11 23:02:03 +05:30
S.kiran kumar
6b0b779480
Delete sysmon_silenttrinity _stager _communication _c2.yml 2020-10-11 23:00:52 +05:30
S.kiran kumar
6b10b998c9
Update sysmon_silenttrinity _stager _communication _c2.yml 2020-10-11 22:38:30 +05:30
S.kiran kumar
476ed7ec2d
Rename silenttrinity _stager _communication _c2.yml to sysmon_silenttrinity _stager _communication _c2.yml 2020-10-11 22:03:24 +05:30
S.kiran kumar
545a8c06ed
Rename Silenttrinity _Stager _Communication _C2.yml to silenttrinity _stager _communication _c2.yml 2020-10-11 21:53:45 +05:30
S.kiran kumar
9825b42de0
Rename Silenttrinity Stager Communication C2.yml to Silenttrinity _Stager _Communication _C2.yml 2020-10-11 21:38:19 +05:30
S.kiran kumar
a5bf538ad1
Rename Silenttrinity _Stager _Communication _To _C2.yml to Silenttrinity Stager Communication C2.yml 2020-10-11 21:34:55 +05:30
S.kiran kumar
7a4c2c5db5
Rename Silenttrinity Stager Communication To C2 to Silenttrinity _Stager _Communication _To _C2.yml 2020-10-11 21:16:45 +05:30
S.kiran kumar
28ccbe9034
Rename Silenttrinity stager communication to c2 to Silenttrinity Stager Communication To C2 2020-10-11 21:00:00 +05:30
S.kiran kumar
f82d163ded
Update Silenttrinity stager communication to c2 2020-10-11 20:33:08 +05:30
S.kiran kumar
f8c229bbf8
Update Silenttrinity stager communication to c2 2020-10-11 20:29:30 +05:30
S.kiran kumar
e5fd37aea6
Update Silenttrinity stager communication to c2 2020-10-11 20:25:49 +05:30
S.kiran kumar
672bf99c6b
Silenttrinity stager communication to c2 2020-10-11 19:45:58 +05:30
Florian Roth
7b63c92fc0
Rule: applying recommendation
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
Olaf Hartong
b60cfbe244
Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2
Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4
Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704
Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b
Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88
Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Florian Roth
694fa567b6
Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown
13522b97a7
Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown
275896dbe6
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
Florian Roth
f78413deab
Merge pull request #309 from jmlynch/master
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
Florian Roth
daaee558a1
Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth
65b81dad32
Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Jason Lynch
f0c8c428bb
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
Florian Roth
81693d81b6
Merge pull request #295 from sbousseaden/master
Create win_atsvc_task.yml
2019-04-04 18:32:13 +02:00
Karneades
865d971704
Remove backslashes in CommandLine for sticky key rule
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
2019-04-03 16:16:18 +02:00
sbousseaden
3d69727332
Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden
016261cacf
Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden
a85c668f6f
Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden
32c6b34746
Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden
ddb2d92a98
Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
Tareq AlKhatib
783d8c4268
Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
Tareq AlKhatib
075df83118
Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
Yugoslavskiy Daniil
05cc7e455d
atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master
Fix rules
2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35
Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00