Commit Graph

2030 Commits

Author SHA1 Message Date
Florian Roth
f8785e722f docs: changed title and description of rule 2019-08-30 12:03:42 +02:00
Florian Roth
ba46d6b4de docs: added reference to rule 2019-08-30 11:55:02 +02:00
Florian Roth
398ef9c6aa rules: teardown implant, apt28 ua 2019-08-30 11:53:55 +02:00
Florian Roth
fe8f040863
Merge pull request #429 from weev3/master
Control Panel Item, MITRE_ID=T1196
2019-08-27 14:24:56 +02:00
Florian Roth
ca2019b57f
fix: typo in MITRE tag 2019-08-27 12:32:56 +02:00
Florian Roth
6b7cd94197
Changes 2019-08-27 12:23:42 +02:00
weev3
d42a51372d
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30
Steven Goossens
cb088e4911 Remove quotes from around the fields to make the query semantically correct 2019-08-26 12:43:26 +00:00
Steven Goossens
ad19f05e2c Include mapped names rather then signature names 2019-08-26 12:06:20 +00:00
Steven Goossens
37caccd52e Includes the trial condition so generic query is generated whenever the fields are not defined 2019-08-26 11:48:40 +00:00
Steven Goossens
895682aef2 Implementing the fields to be selected 2019-08-26 10:57:43 +00:00
Thomas Patzke
59a6a0c523 Added ATT&CK technique to rule test 2019-08-25 10:13:11 +02:00
Florian Roth
70a26a6132 fix: fixed MITRE tags 2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680 rule: csc.exe suspicious source folder 2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817 rules: encoded FromBase64String keyword 2019-08-24 13:53:05 +02:00
Florian Roth
87ce52f6fe fix: fixed wrong MITRE tag 2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21 rule: encoded IEX 2019-08-23 23:13:36 +02:00
Thomas Patzke
68fb56f503
Merge pull request #345 from ki11oFF/patch-1
Detection of usage mimikatz trough WinRM
2019-08-23 23:04:07 +02:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
Thomas Patzke
9d3232cf90
Merge pull request #424 from import-au/master
Support for Malicious cmdlets in ATP
2019-08-23 22:57:06 +02:00
Florian Roth
cc01f76e99 docs: minor changes 2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00
agold
0984293d0c Support for Malicious cmdlets in ATP 2019-08-20 14:33:08 -07:00
Florian Roth
1bfe925f6b
Merge pull request #422 from EccoTheFlintstone/master
Windows process suspicious parents: filter NULL values to remove false positives
2019-08-20 11:59:16 +02:00
ecco
d0a24f4409 filter NULL values to remove false positives 2019-08-20 05:10:41 -04:00
Thomas Patzke
50874c2323
Merge pull request #420 from svent/improve_qradar_backend
Improve qradar backend
2019-08-13 08:38:16 +02:00
svent
1ea6d00a39 Fix QRadar field name escaping and handling 2019-08-12 23:47:43 +02:00
svent
826c1e3942 Fix QRadar backend config 2019-08-12 23:47:43 +02:00
Thomas Patzke
e1b1db8cca
Merge pull request #416 from NVISO-BE/es-dsl-wildcard-fix
Correctly escape slashes within es-dsl wildcard queries (issue #387)
2019-08-11 23:19:59 +02:00
Thomas Patzke
2f97300ea2 Pipenv packaging 2019-08-09 14:43:29 +02:00
Florian Roth
f328734274
Merge pull request #417 from Karneades/patch-2
improve(rule): add Empire links and userland match
2019-08-09 14:36:17 +02:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match
Add default task name and powershell task command to match what the rule name says: detects default config.
2019-08-09 11:58:43 +02:00
Florian Roth
4fcb52d098 fix: removed mmc susp rule due to many FPs 2019-08-07 14:26:15 +02:00
Michiel Meersmans
0708fdd28e Correctly escape slashes within es-dsl wildcard queries 2019-08-07 12:56:19 +02:00
Florian Roth
abd233d66f
Merge pull request #415 from deralexxx/patch-1
Add Contribute section
2019-08-06 12:22:41 +02:00
Florian Roth
6513828cc1
Fix 2019-08-06 12:22:31 +02:00
Florian Roth
1fa2e59014
Extended contribution section 2019-08-06 12:22:03 +02:00
Alexander J
4d78b6c037
Add Contribute section
As @Neo23x0 was writing in Twitter, more contribution is needed, so a Contribute section seems reasonable to tell people how they can contribute.

https://twitter.com/cyb3rops/status/1158660279825252352
2019-08-06 11:36:54 +02:00
Florian Roth
f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5
Ryuk Ransomware commands from real case
2019-08-06 10:29:00 +02:00
Florian Roth
9c85d5e80f
Merge pull request #406 from tuckner/master
Fix ala parsing issues
2019-08-06 10:28:07 +02:00
Florian Roth
ecf2a6be80
Merge pull request #413 from Karneades/patch-1
Fix small typos in file breaking-changes
2019-08-06 10:27:35 +02:00
Karneades
6617dee59a
Fix small typos in file breaking-changes 2019-08-06 09:57:00 +02:00
Thomas Patzke
940c36a4cd Fixed build
Missing package specification
2019-08-05 23:42:33 +02:00
Florian Roth
83841ea117
Merge pull request #411 from nikotin69/master
compliance rules by SOC prime
2019-08-05 20:53:02 +02:00
Florian Roth
302ae9c5d0
Added level 2019-08-05 19:51:22 +02:00
Florian Roth
4dbf392562
Title, Level adjusted 2019-08-05 19:48:56 +02:00
Florian Roth
fdb9b351d0
Level to low 2019-08-05 19:48:21 +02:00
Florian Roth
317c0bd07a
Removed "Detects" keyword from title 2019-08-05 19:47:46 +02:00