Florian Roth
|
540039cbc3
|
fix: Malicious Nishang PowerShell Commandlets FP with MDATP
|
2020-12-05 09:33:42 +01:00 |
|
Florian Roth
|
f6c0fb2d33
|
fix: FPs with notepad++ GUP rule
|
2020-11-09 16:34:12 +01:00 |
|
Florian Roth
|
c3785d6dc7
|
rule: FPs with WmiPrvSE rule
|
2020-11-05 16:44:33 +01:00 |
|
Florian Roth
|
75637324e0
|
feat: cover newest emotet campaigns
|
2020-10-23 23:44:48 +02:00 |
|
Florian Roth
|
ee789a309c
|
fix: FP with expression
|
2020-10-20 13:11:10 +02:00 |
|
Florian Roth
|
198b292c26
|
rule: emotet encoded commands
|
2020-10-20 12:51:58 +02:00 |
|
Florian Roth
|
48f1be04d4
|
fix: ping hex ip rule
|
2020-10-16 10:06:24 +02:00 |
|
Florian Roth
|
3affdd12e0
|
fix: rule title casing
|
2020-10-12 09:51:35 +02:00 |
|
Florian Roth
|
0d0cda0f86
|
docs: improved false positive notes
|
2020-10-12 09:18:42 +02:00 |
|
Florian Roth
|
e7c6794ecd
|
rule: suspicious wmic process call create + rundll32
|
2020-10-12 09:18:30 +02:00 |
|
Florian Roth
|
2e732eb01f
|
Merge branch 'master' into rule-devel
|
2020-10-12 09:13:24 +02:00 |
|
Florian Roth
|
c56cd2dfff
|
Merge pull request #1024 from omkar72/master
Com hijack shell folder
|
2020-10-02 09:24:16 +02:00 |
|
omkargudhate22
|
4487d9cc7e
|
added event type & changed technique
|
2020-10-02 09:22:14 +05:30 |
|
Florian Roth
|
c17ca6d5fe
|
Merge pull request #1018 from savvyspoon/wcry-dns
WannaCry Killswitch domain DNS query
|
2020-09-29 09:27:21 +02:00 |
|
omkargudhate22
|
68a992d903
|
updated name
|
2020-09-27 21:57:19 +05:30 |
|
omkargudhate22
|
e7c8197e34
|
Updated fields & renamed
|
2020-09-27 21:52:59 +05:30 |
|
omkargudhate22
|
ebe3dce1d7
|
Update sysmon_comhijack_uac_bypass.yml
|
2020-09-27 21:44:41 +05:30 |
|
omkar72
|
3f148e6c7c
|
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
|
2020-09-27 21:19:04 +05:30 |
|
Florian Roth
|
d7d9c0e772
|
Merge pull request #1021 from hieuttmmo/master
Sigma rule to detect AdFind.exe execution
|
2020-09-27 09:50:41 +02:00 |
|
Florian Roth
|
8020fe3c40
|
false positive condition
|
2020-09-26 17:03:29 +02:00 |
|
Florian Roth
|
60795f7050
|
Update win_susp_adfind.yml
Fear that a simple adfind.exe causes too many false positives
|
2020-09-26 17:02:39 +02:00 |
|
Florian Roth
|
dbdd758365
|
Duplicate Rule
we already have a rule for that
|
2020-09-26 17:01:32 +02:00 |
|
Tran Trung Hieu
|
d4dd0600ad
|
Fix logsource service to process_creation
|
2020-09-26 21:45:23 +07:00 |
|
Tran Trung Hieu
|
c756fc8576
|
Detect Suspicious AdFind Execution
|
2020-09-26 21:34:06 +07:00 |
|
Mike Wade
|
7b1ef9ea64
|
fixing test runner issues
|
2020-09-15 15:45:33 -06:00 |
|
Mike Wade
|
6ed36b0e41
|
fixed issues with tabs and duplicate tags
|
2020-09-15 08:52:00 -06:00 |
|
Florian Roth
|
2cd9b794e6
|
Merge pull request #1007 from d4rk-d4nph3/master
Windows Defender AMSI Trigger Detected
|
2020-09-15 15:45:00 +02:00 |
|
Remco Hofman
|
6cadfa5b2b
|
Added win_vul_cve_2020_1472 rule
|
2020-09-15 15:13:53 +02:00 |
|
Mike Wade
|
da9b32bdd6
|
we
|
2020-09-15 06:24:44 -06:00 |
|
Mike Wade
|
8ce73bd8df
|
Fixed issues with tags and missing files
|
2020-09-15 06:10:57 -06:00 |
|
Thomas Patzke
|
378d9c94cf
|
Merge branch 'master' of https://github.com/socprime/sigma into pr-981
|
2020-09-15 12:14:49 +02:00 |
|
Florian Roth
|
50db6dcc69
|
Merge pull request #1002 from scottdermott/master
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
|
2020-09-15 08:17:02 +02:00 |
|
Bhabesh Rai
|
03c7d751c0
|
Windows Defender AMSI Trigger Detected
|
2020-09-14 18:10:38 +05:45 |
|
Mike Wade
|
249c255435
|
No Idea why these files are deleted
|
2020-09-13 22:00:30 -06:00 |
|
Yugoslavskiy Daniil
|
1fc202fe5d
|
fix typos, update tags
|
2020-09-13 15:46:45 +02:00 |
|
Dermott, Scott J
|
c72ac8f73e
|
Merge branch 'master' of https://github.com/scottdermott/sigma
|
2020-09-11 16:19:54 +01:00 |
|
Scott Dermott
|
1f50e0af35
|
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC).
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
|
2020-09-11 16:06:51 +01:00 |
|
Tran Trung Hieu
|
49ba107dce
|
Fixed Title
|
2020-09-10 17:36:37 +07:00 |
|
Tran Trung Hieu
|
f7d5240d40
|
Added UID, fixed rule description
|
2020-09-10 17:20:16 +07:00 |
|
Tran Trung Hieu
|
1b6c6ec5bf
|
Detects a suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender
|
2020-09-10 17:16:06 +07:00 |
|
Bhabesh Rai
|
ed059a9831
|
Added Credential Dumping by LaZagne
|
2020-09-09 18:27:14 +05:45 |
|
Florian Roth
|
de5444a81e
|
Merge pull request #989 from oscd-initiative/master
[OSCD Initiative][ATT&CK tags update]
|
2020-09-08 13:27:58 +02:00 |
|
Florian Roth
|
39dfcd40ec
|
Merge pull request #921 from d4rk-d4nph3/master
Added support for Defender's PSExec and WMI ASR rules.
|
2020-09-07 09:40:46 +02:00 |
|
Florian Roth
|
6f96bbbe65
|
Merge pull request #977 from barvhaim/patch-1
Update win_new_service_creation.yml typo
|
2020-09-07 09:39:28 +02:00 |
|
Florian Roth
|
37751fc3a1
|
Merge pull request #978 from barvhaim/patch-2
Update sysmon_apt_muddywater_dnstunnel.yml typo
|
2020-09-07 09:39:11 +02:00 |
|
e6e6e
|
98c412044a
|
att&ck tags review: windows/process_creation part 5
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
|
2020-09-07 02:00:41 +04:00 |
|
e6e6e
|
7ae76b8d99
|
Revert "att&ck tags review: windows/process_creation part 5"
This reverts commit e94c47e74e .
|
2020-09-07 01:28:08 +04:00 |
|
e6e6e
|
e94c47e74e
|
att&ck tags review: windows/process_creation part 5
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
|
2020-09-07 01:19:41 +04:00 |
|
Alexey Lednyov
|
7834fdd750
|
att&ck tags review: windows/registry_event
|
2020-09-06 22:10:44 +03:00 |
|
ecco
|
ebc1d38027
|
fix in memory powershell false positive
|
2020-09-06 09:25:56 -04:00 |
|