Florian Roth
|
f8785e722f
|
docs: changed title and description of rule
|
2019-08-30 12:03:42 +02:00 |
|
Florian Roth
|
ba46d6b4de
|
docs: added reference to rule
|
2019-08-30 11:55:02 +02:00 |
|
Florian Roth
|
398ef9c6aa
|
rules: teardown implant, apt28 ua
|
2019-08-30 11:53:55 +02:00 |
|
Florian Roth
|
fe8f040863
|
Merge pull request #429 from weev3/master
Control Panel Item, MITRE_ID=T1196
|
2019-08-27 14:24:56 +02:00 |
|
Florian Roth
|
ca2019b57f
|
fix: typo in MITRE tag
|
2019-08-27 12:32:56 +02:00 |
|
Florian Roth
|
6b7cd94197
|
Changes
|
2019-08-27 12:23:42 +02:00 |
|
weev3
|
d42a51372d
|
Control Panel Item, MITRE_ID=T1196
|
2019-08-27 14:55:55 +06:30 |
|
Steven Goossens
|
cb088e4911
|
Remove quotes from around the fields to make the query semantically correct
|
2019-08-26 12:43:26 +00:00 |
|
Steven Goossens
|
ad19f05e2c
|
Include mapped names rather then signature names
|
2019-08-26 12:06:20 +00:00 |
|
Steven Goossens
|
37caccd52e
|
Includes the trial condition so generic query is generated whenever the fields are not defined
|
2019-08-26 11:48:40 +00:00 |
|
Steven Goossens
|
895682aef2
|
Implementing the fields to be selected
|
2019-08-26 10:57:43 +00:00 |
|
Thomas Patzke
|
59a6a0c523
|
Added ATT&CK technique to rule test
|
2019-08-25 10:13:11 +02:00 |
|
Florian Roth
|
70a26a6132
|
fix: fixed MITRE tags
|
2019-08-24 13:58:54 +02:00 |
|
Florian Roth
|
c321fc2680
|
rule: csc.exe suspicious source folder
|
2019-08-24 13:53:15 +02:00 |
|
Florian Roth
|
b32ed3c817
|
rules: encoded FromBase64String keyword
|
2019-08-24 13:53:05 +02:00 |
|
Florian Roth
|
87ce52f6fe
|
fix: fixed wrong MITRE tag
|
2019-08-23 23:19:39 +02:00 |
|
Florian Roth
|
5bd242cb21
|
rule: encoded IEX
|
2019-08-23 23:13:36 +02:00 |
|
Thomas Patzke
|
68fb56f503
|
Merge pull request #345 from ki11oFF/patch-1
Detection of usage mimikatz trough WinRM
|
2019-08-23 23:04:07 +02:00 |
|
Thomas Patzke
|
945f45ebd7
|
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
|
2019-08-23 23:01:25 +02:00 |
|
Thomas Patzke
|
fc08e3c5b7
|
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
Win susp add sid history improvement
|
2019-08-23 22:58:46 +02:00 |
|
Thomas Patzke
|
9d3232cf90
|
Merge pull request #424 from import-au/master
Support for Malicious cmdlets in ATP
|
2019-08-23 22:57:06 +02:00 |
|
Florian Roth
|
cc01f76e99
|
docs: minor changes
|
2019-08-22 14:22:55 +02:00 |
|
Florian Roth
|
c291038ebe
|
rule: renamed powershell
|
2019-08-22 14:22:55 +02:00 |
|
agold
|
0984293d0c
|
Support for Malicious cmdlets in ATP
|
2019-08-20 14:33:08 -07:00 |
|
Florian Roth
|
1bfe925f6b
|
Merge pull request #422 from EccoTheFlintstone/master
Windows process suspicious parents: filter NULL values to remove false positives
|
2019-08-20 11:59:16 +02:00 |
|
ecco
|
d0a24f4409
|
filter NULL values to remove false positives
|
2019-08-20 05:10:41 -04:00 |
|
Thomas Patzke
|
50874c2323
|
Merge pull request #420 from svent/improve_qradar_backend
Improve qradar backend
|
2019-08-13 08:38:16 +02:00 |
|
svent
|
1ea6d00a39
|
Fix QRadar field name escaping and handling
|
2019-08-12 23:47:43 +02:00 |
|
svent
|
826c1e3942
|
Fix QRadar backend config
|
2019-08-12 23:47:43 +02:00 |
|
Thomas Patzke
|
e1b1db8cca
|
Merge pull request #416 from NVISO-BE/es-dsl-wildcard-fix
Correctly escape slashes within es-dsl wildcard queries (issue #387)
|
2019-08-11 23:19:59 +02:00 |
|
Thomas Patzke
|
2f97300ea2
|
Pipenv packaging
|
2019-08-09 14:43:29 +02:00 |
|
Florian Roth
|
f328734274
|
Merge pull request #417 from Karneades/patch-2
improve(rule): add Empire links and userland match
|
2019-08-09 14:36:17 +02:00 |
|
Karneades
|
18bbec4bcd
|
improve(rule): add Empire links and userland match
Add default task name and powershell task command to match what the rule name says: detects default config.
|
2019-08-09 11:58:43 +02:00 |
|
Florian Roth
|
4fcb52d098
|
fix: removed mmc susp rule due to many FPs
|
2019-08-07 14:26:15 +02:00 |
|
Michiel Meersmans
|
0708fdd28e
|
Correctly escape slashes within es-dsl wildcard queries
|
2019-08-07 12:56:19 +02:00 |
|
Florian Roth
|
abd233d66f
|
Merge pull request #415 from deralexxx/patch-1
Add Contribute section
|
2019-08-06 12:22:41 +02:00 |
|
Florian Roth
|
6513828cc1
|
Fix
|
2019-08-06 12:22:31 +02:00 |
|
Florian Roth
|
1fa2e59014
|
Extended contribution section
|
2019-08-06 12:22:03 +02:00 |
|
Alexander J
|
4d78b6c037
|
Add Contribute section
As @Neo23x0 was writing in Twitter, more contribution is needed, so a Contribute section seems reasonable to tell people how they can contribute.
https://twitter.com/cyb3rops/status/1158660279825252352
|
2019-08-06 11:36:54 +02:00 |
|
Florian Roth
|
f6fd1df6f4
|
Rule: separate Ryuk rule created for VBurovs strings
|
2019-08-06 10:33:46 +02:00 |
|
Florian Roth
|
a8b738e346
|
Merge pull request #380 from vburov/patch-5
Ryuk Ransomware commands from real case
|
2019-08-06 10:29:00 +02:00 |
|
Florian Roth
|
9c85d5e80f
|
Merge pull request #406 from tuckner/master
Fix ala parsing issues
|
2019-08-06 10:28:07 +02:00 |
|
Florian Roth
|
ecf2a6be80
|
Merge pull request #413 from Karneades/patch-1
Fix small typos in file breaking-changes
|
2019-08-06 10:27:35 +02:00 |
|
Karneades
|
6617dee59a
|
Fix small typos in file breaking-changes
|
2019-08-06 09:57:00 +02:00 |
|
Thomas Patzke
|
940c36a4cd
|
Fixed build
Missing package specification
|
2019-08-05 23:42:33 +02:00 |
|
Florian Roth
|
83841ea117
|
Merge pull request #411 from nikotin69/master
compliance rules by SOC prime
|
2019-08-05 20:53:02 +02:00 |
|
Florian Roth
|
302ae9c5d0
|
Added level
|
2019-08-05 19:51:22 +02:00 |
|
Florian Roth
|
4dbf392562
|
Title, Level adjusted
|
2019-08-05 19:48:56 +02:00 |
|
Florian Roth
|
fdb9b351d0
|
Level to low
|
2019-08-05 19:48:21 +02:00 |
|
Florian Roth
|
317c0bd07a
|
Removed "Detects" keyword from title
|
2019-08-05 19:47:46 +02:00 |
|