Commit Graph

3390 Commits

Author SHA1 Message Date
Arnim Rupp
b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth
cf37abee4d
docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp
5d80d634c3 Add xHunt Campaign: BumbleBee Webshell
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
2021-01-11 19:44:07 +01:00
Florian Roth
a0fccf8647 rule: NTFS vulnerability
https://twitter.com/jonasLyk/status/1347900440000811010
2021-01-11 14:51:26 +01:00
Bhabesh Rai
93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth
c571285fd8
Merge pull request #1329 from Neo23x0/rule-devel
Rule devel
2021-01-09 11:32:36 +01:00
Florian Roth
63cc0d23c6 changes provided by FPT.EagleEye Team in
https://github.com/Neo23x0/sigma/pull/1218/files
2021-01-09 10:38:20 +01:00
Florian Roth
19171f5bed
Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule
Split up cmstp rule into 3 separate rules and remove duplicates
2021-01-09 10:30:33 +01:00
Florian Roth
947925d81f
Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic
Update the azure image_load rule to be a generic sysmon rule
2021-01-09 10:29:52 +01:00
Florian Roth
04f7766d7a
Merge pull request #1319 from hieuttmmo/master
Detect Emotet DLL loading by looking at rundll32.exe
2021-01-09 10:29:24 +01:00
Florian Roth
1a8bb9c991
Merge pull request #1327 from 2d4d/master
more AV events and suspicious commands
2021-01-09 10:28:30 +01:00
GlebSukhodolskiy
3f519ffa20
Just Check 2021-01-07 21:31:51 +03:00
Arnim Rupp
d5de3fe5f9 more AV events and suspicious commands
some of the AV events are duplicates of win_av_relevant_match.yml, should we clean that up or include the strings in both?
2021-01-07 17:54:19 +01:00
GlebSukhodolskiy
da5ec4e952
Update win_wmi_persistence.yml
Removed sequence of EIDs in Windows Security section.
2021-01-06 16:50:28 +03:00
yugoslavskiy
befcad2df7
Merge pull request #1234 from w0rk3r/oscd1
[OSCD] Update win_susp_replace_lolbin.yml
2021-01-06 00:32:55 +03:00
yugoslavskiy
6ebcb10abd
Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution
[OSCD] Added a rule to detect execution of runonce with suspicious parameters
2021-01-06 00:32:44 +03:00
yugoslavskiy
3bf1663503
Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker
[OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
2021-01-06 00:32:35 +03:00
yugoslavskiy
e4c302bf6f
Merge pull request #1231 from vburov/patch-16
[OSCD] Detects LockerGoga Ransomware command line.
2021-01-06 00:30:08 +03:00
yugoslavskiy
2985836e36
Merge pull request #1140 from omkar72/oscd-5
[OSCD] adding shortened commands for Netsh in the existing rule
2021-01-06 00:24:43 +03:00
yugoslavskiy
d25ca9b280
Merge pull request #1229 from zinint/1009-19-1
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
2021-01-06 00:24:08 +03:00
yugoslavskiy
7889df6644
Merge pull request #1227 from stvetro/oscd-runscripthelper
[OSCD] - Runscripthelper.exe runs script (LoLBin)
2021-01-06 00:24:00 +03:00
yugoslavskiy
0ed153237e
Merge pull request #1226 from stvetro/oscd-winword
[OSCD] - Force winword.exe to load DLL (LoLBin)
2021-01-06 00:23:52 +03:00
yugoslavskiy
1d2f027035
Merge pull request #1224 from stvetro/oscd
[OSCD] Verclsid.exe Runs COM Object (LOLBin)
2021-01-06 00:23:45 +03:00
yugoslavskiy
f4578b0698
Merge pull request #1223 from zinint/1009-23-1
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
2021-01-06 00:23:33 +03:00
yugoslavskiy
23519e47cd
Merge pull request #1222 from feedb/oscd
[OSCD] zer0w
2021-01-06 00:23:25 +03:00
yugoslavskiy
93718975fb
Merge pull request #1221 from grikos/OSCD_117_128
[OSCD] suspicious csi.exe (rcsi.exe) LOLBAS detection rule
2021-01-06 00:23:13 +03:00
yugoslavskiy
cd62929bb0
Merge pull request #1220 from aw350m33d/PS_exec_via_redirected_input_stream
[OSCD] LOLBIN 5 PowerShell with redirection of the input stream.
2021-01-06 00:23:06 +03:00
yugoslavskiy
70eff4b1fc
Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37
[OSCD] Add Files Dropped to Program Files by Non-Privileged Process Rule
2021-01-06 00:22:57 +03:00
yugoslavskiy
a5bbccf16c
Merge pull request #1214 from tas-kmanager/mt-oscd-sigma547-48-alternative
[OSCD] Always Install Elevated Alternative
2021-01-06 00:22:37 +03:00
yugoslavskiy
066be03c19
Merge pull request #1212 from aleqs4ndr/oscd-2020
[OSCD] Added a rule to detect possible Zerologon exploitation
2021-01-06 00:21:12 +03:00
yugoslavskiy
29fe6e46d8
Merge pull request #1211 from zipa-original/win_persistence_telemetry
[OSCD] Added a rule to detect abusing windows telemetry for persistence
2021-01-06 00:20:51 +03:00
yugoslavskiy
c71e0ae0ea
Merge pull request #1209 from vburov/patch-15
[OSCD] Create win_susp_multiple_files_renamed_or_deleted.yml
2021-01-06 00:19:41 +03:00
yugoslavskiy
38661bbc10
Merge pull request #1208 from NikitaStormwind/RTT(17)
[OSCD] Atomic Red Team: Detected Windows Software Discovery (T1518)
2021-01-06 00:19:20 +03:00
yugoslavskiy
2cf1994763
Merge pull request #1206 from w0rk3r/oscd5
[OSCD] Windows - Suspicious Service DACL Modification
2021-01-06 00:18:53 +03:00
yugoslavskiy
aad2838f58
Merge pull request #1198 from tas-kmanager/mt-oscd-sigma547-50-rule2
[OSCD] Always Install Elevated - Slide 50 - Rule 2
2021-01-06 00:18:44 +03:00
yugoslavskiy
0b7babaa84
Merge pull request #1196 from tas-kmanager/mt-oscd-sigma547-50-rule1
[OSCD] Always Install Elevated - Slide 50 - Rule 1
2021-01-06 00:18:26 +03:00
yugoslavskiy
fc1fa23440
Merge pull request #1191 from vburov/patch-14
[OSCD] Create powershell_cmdline_special_characters.yml
2021-01-06 00:18:12 +03:00
yugoslavskiy
8e50eeb4a9
Merge pull request #1187 from nsaddler/lolbas108
[OSCD] LOLBAS Manage-bde.yml
2021-01-06 00:18:02 +03:00
yugoslavskiy
cfbd10ab8b
Merge pull request #1186 from nsaddler/lolbas107_2
[OSCD] LOLBAS CL_Mutexverifiers - powershell
2021-01-06 00:17:54 +03:00
yugoslavskiy
e91d48cc93
Merge pull request #1185 from nsaddler/lolbas107_1
[OSCD] LOLBAS CL_Mutexverifiers - process_creation
2021-01-06 00:17:46 +03:00
yugoslavskiy
9d1c695204
Merge pull request #1184 from nsaddler/lolbas106_1
[OSCD] LOLBAS CL_Invocation - powershell
2021-01-06 00:17:10 +03:00
yugoslavskiy
def4a7dbb9
Merge pull request #1183 from nsaddler/lolbas106
[OSCD] LOLBAS CL_Invocation - process_creation
2021-01-06 00:17:01 +03:00
yugoslavskiy
6f2e8c56b2
Merge pull request #1182 from nsaddler/lolbas80
[OSCD] LOLBAS wab.yml
2021-01-06 00:16:53 +03:00
yugoslavskiy
e1fd69f548
Merge pull request #1179 from SanWieb/OSCD_regedit_3
[OSCD] regedit.exe LOLbas 72 [3]
2021-01-06 00:16:45 +03:00
yugoslavskiy
8e6b77fc4f
Merge pull request #1177 from OpalSec/oscd
[OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers
2021-01-06 00:16:34 +03:00
yugoslavskiy
95d8a9daf0
Merge pull request #1174 from uncleAntik/update
[OSCD] LOLBin vsjitdebugger.exe #136
2021-01-06 00:16:20 +03:00
yugoslavskiy
252345ca00
Merge pull request #1173 from uncleAntik/fix
[OSCD] LOLBin te.exe #133
2021-01-06 00:16:12 +03:00
yugoslavskiy
1fd0afc58e
Merge pull request #1167 from tas-kmanager/mt-oscd-sigma547-43
[OSCD] Add Accesschk tool usage rule
2021-01-06 00:14:08 +03:00
yugoslavskiy
5ade9208d5
Merge pull request #1166 from drdoc/oscd
[OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools
2021-01-06 00:12:34 +03:00
yugoslavskiy
5ec4e42569
Merge pull request #1165 from w0rk3r/oscd3
[OSCD] Updated win_etw_trace_evasion - Added new detections, Removed reference to deprecated rule and changed selections
2021-01-06 00:12:22 +03:00
yugoslavskiy
46eb01f3c5
Merge pull request #1164 from GlebSukhodolskiy/oscd_reg
[OSCD] Modified Rule "Autorun Keys Modification"
2021-01-06 00:11:58 +03:00
yugoslavskiy
4c8e0b201d
Merge pull request #1162 from uncleAntik/131
[OSCD] LOLBin sqltoolsps.exe #131
2021-01-06 00:11:33 +03:00
yugoslavskiy
b56a7181ce
Merge pull request #1157 from invrep-de/oscd
[OSCD] Bad Opsec Powershell Artifacts
2021-01-06 00:11:24 +03:00
yugoslavskiy
319ebd158c
Merge pull request #1155 from sn0w0tter/oscd2
[OSCD] LOLBAS atbroker suspicious creation of ATs
2021-01-06 00:11:13 +03:00
yugoslavskiy
d2087c276c
Merge pull request #1151 from zinint/1009-27-2
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (Services)
2021-01-06 00:10:55 +03:00
yugoslavskiy
0bd955f097
Merge branch 'oscd' into oscd-5 2021-01-06 00:09:47 +03:00
yugoslavskiy
1f0d081c01
Merge pull request #1144 from NikitaStormwind/regular28(3)
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (Services)
2021-01-05 23:23:00 +03:00
yugoslavskiy
1cfc0d17ef
Merge pull request #1141 from omkar72/oscd-6
[OSCD] suspicious clr logs creation
2021-01-05 23:22:36 +03:00
yugoslavskiy
82e5d031b0
Merge pull request #1139 from omkar72/oscd-4
[OSCD] script applications loading .net dll
2021-01-05 23:17:25 +03:00
yugoslavskiy
a82c559816
Merge pull request #1130 from vburov/patch-13
[OSCD] Create powershell_cmdline_specific_encoded_methods.yml
2021-01-05 23:16:24 +03:00
yugoslavskiy
dd7a95ac74
Merge pull request #1081 from cy1337/patch-1
[OSCD] Added nltest LOLBIN
2021-01-05 23:16:14 +03:00
yugoslavskiy
f2c6011c6b
Merge pull request #1126 from skirankumar/master
[OSCD] Sysmon_silenttrinity_stager_msbuild_activity.yml
2021-01-05 23:14:20 +03:00
yugoslavskiy
1c1c38e091
Merge pull request #1119 from uncleAntik/oscd
[OSCD] sqlps.exe LOLbin
2021-01-05 23:14:02 +03:00
yugoslavskiy
07ac09f9aa
Merge pull request #1114 from NikitaStormwind/regular29(3)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (Services)
2021-01-05 23:13:48 +03:00
yugoslavskiy
220a4873c7
Merge pull request #1109 from NikitaStormwind/regular31(3)
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (Services)
2021-01-05 23:13:38 +03:00
yugoslavskiy
9803dc8baa
Merge pull request #1108 from NikitaStormwind/regular30(3)
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (Services)
2021-01-05 23:13:27 +03:00
yugoslavskiy
39991a8ab6
Merge pull request #1106 from stvetro/2020
[OSCD] Suspicious ftp.exe usage (LOLBin)
2021-01-05 23:13:03 +03:00
yugoslavskiy
804db42b7a
Merge pull request #1105 from Vasilisa-L/OSCD_rasautou
[OSCD] Rasautou.exe LOLbin
2021-01-05 23:12:48 +03:00
yugoslavskiy
794cd7aaeb
Merge pull request #1104 from Vasilisa-L/OSCD_rpcping
[OSCD] rpcping lolbin
2021-01-05 23:12:35 +03:00
yugoslavskiy
05b03afddb
Merge pull request #1103 from concorde18/oscd_win_susp_diskshadow
[OSCD] win_susp_diskshadow
2021-01-05 23:10:55 +03:00
yugoslavskiy
d48bac226f
Merge pull request #1099 from NikitaStormwind/regular31(2)
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (process_creation)
2021-01-05 23:10:46 +03:00
yugoslavskiy
32aea9ad2b
Merge pull request #1098 from NikitaStormwind/regular31
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (4104, 4103)
2021-01-05 23:10:28 +03:00
yugoslavskiy
ae3c0d0801
Merge pull request #1095 from esebese/task136
[OSCD] win_pe_exec_vsjitdebugger.yml added
2021-01-05 23:10:18 +03:00
yugoslavskiy
aa9182593a
Merge pull request #1087 from Vasilisa-L/OSCD_pester.bat
[OSCD] 109: Pester.bat
2021-01-05 23:09:47 +03:00
yugoslavskiy
1992b1ac9f
Merge pull request #1074 from semanurguneysu/oscd
[OSCD] Create sysmon_abusing_debug_privilege.yml
2021-01-05 23:06:57 +03:00
yugoslavskiy
b5c78212ad
Merge pull request #1076 from nsaddler/oscd5
[OSCD] Powershell without powershell.exe Rule Added
2021-01-05 23:06:37 +03:00
yugoslavskiy
c7e9522f29
Merge pull request #1077 from uchakin/oscd
[OSCD] UAC bypass added
2021-01-05 23:06:24 +03:00
yugoslavskiy
ff373b0f33
Update win_nltest_query.yml 2021-01-05 23:03:41 +03:00
yugoslavskiy
bceb3c8af0
Merge pull request #1047 from grikos/sigma/oscd
[OSCD] Registry modify via VBoxDrvInst
2021-01-05 23:00:20 +03:00
yugoslavskiy
87e5e5a7fc
Merge pull request #1069 from nsaddler/oscd3
[OSCD] Powershell Script Installed as a Service Rule added
2021-01-05 22:58:21 +03:00
Florian Roth
40e0e3bc99
Merge pull request #1193 from w0rk3r/oscd_rules_improvement
[OSCD] Windows Rules - Review for improvements on selections and logic
2020-12-31 12:10:15 +01:00
Florian Roth
ab408750ac
Merge pull request #1314 from Neo23x0/rule-devel
rule: Lazarus activity
2020-12-30 13:27:38 +01:00
Florian Roth
9ecaeb715f
Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock
Fix missing product mouse lock
2020-12-30 13:27:20 +01:00
ZikyHD
8a6b182fee
Update win_susp_adfind.yml 2020-12-29 14:41:46 +01:00
ZikyHD
ece829bb25
Update win_susp_adfind.yml
Typo on field name
2020-12-29 14:40:36 +01:00
Florian Roth
43033ab874
Update win_susp_emotet_rudll32_execution.yml 2020-12-25 09:05:55 +01:00
Tran Trung Hieu
d551b88d5c Edit title convention 2020-12-25 14:21:26 +07:00
Tran Trung Hieu
4297e68704 Detect Emotet DLL loading by looking at rundll32.exe 2020-12-25 14:09:40 +07:00
Daniel Masse
fedda17231 Update the azure image_load rule to be a generic sysmon rule 2020-12-23 16:29:49 -05:00
Daniel Masse
bf539fd1fe Revert "Fix bug changing the logsource service to category"
This reverts commit 0f51e53d0e.
2020-12-23 15:50:49 -05:00
Daniel Masse
71ea5c7437 Add missing product in logsource 2020-12-23 15:45:00 -05:00
Daniel Masse
0f51e53d0e Fix bug changing the logsource service to category 2020-12-23 15:12:31 -05:00
Daniel Masse
e4c052154d Remove unneeded file 2020-12-23 14:30:24 -05:00
Daniel Masse
d2edf715f2 Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00
Florian Roth
dedc34e91a fix: typos and description 2020-12-23 14:46:08 +01:00
Florian Roth
cdc29dfbe8 rule: Lazarus activity 2020-12-23 14:43:32 +01:00
Florian Roth
821af35557
Merge pull request #1313 from Neo23x0/rule-devel
Rule devel
2020-12-23 13:57:11 +01:00
Florian Roth
7286d01f78 fix: typo in rule 2020-12-23 13:26:44 +01:00
Florian Roth
80aa398392 rule: Lazarus group loaders 2020-12-23 13:25:16 +01:00
Florian Roth
c3f891beab
Merge pull request #1286 from V3T0/v3t0_oscd_lolbas_runonce_susp_persistence_
[OSCD] Added a rule to detect potential persistence using registry keys
2020-12-21 18:33:17 +01:00
Florian Roth
133b98ffcb
Merge pull request #1262 from invrep-de/oscd
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
2020-12-21 18:30:21 +01:00
Florian Roth
f20f346a6a
Merge pull request #1264 from omkar72/sdev-1
Adding 2 rules - Conhost & office test registry persistence
2020-12-21 18:28:59 +01:00
Florian Roth
e78d7e6aee
Merge pull request #1296 from mat-gas/fix-references
fix "references" field + add test for references in plural form
2020-12-21 18:25:35 +01:00
Florian Roth
377454cb31
Merge pull request #1299 from tjgeorgen/patch-1
ATT&CK subtechnique tag updates
2020-12-21 18:24:00 +01:00
Florian Roth
35ab80b39e
Merge pull request #1306 from d4rk-d4nph3/master
Added rule for Impacket's PsExec execution
2020-12-21 18:23:41 +01:00
Bhabesh Rai
0a7e95954e Fix for failed build 2020-12-14 12:55:08 +05:45
Bhabesh Rai
63fb31882e Added rule for Impacket's PsExec execution 2020-12-14 12:48:26 +05:45
Florian Roth
1b0aaf62c3
Merge pull request #1266 from omkar72/ryuk
modifying a couple of rules
2020-12-13 19:05:54 +01:00
Florian Roth
e2ade077ed
Merge pull request #1275 from bczyz1/patch-3
update win_apt_slingshot.yml
2020-12-13 19:04:47 +01:00
Florian Roth
612008a4d8
fix indentation 2020-12-11 18:40:17 +01:00
Tran Trung Hieu
edc79a8bb6 Detects suspicious shell spawn from MSSQL process, this might be a sign of RCE or SQL Injection 2020-12-11 15:17:23 +07:00
Florian Roth
b6d62b7a21
Merge pull request #1302 from Neo23x0/rule-devel
TA505 Dropper, minor fix in PowerShell Rule
2020-12-08 10:40:07 +01:00
Florian Roth
640470cefd TA505 Loader Rule 2020-12-08 10:15:30 +01:00
Florian Roth
540039cbc3 fix: Malicious Nishang PowerShell Commandlets FP with MDATP 2020-12-05 09:33:42 +01:00
tjgeorgen
1c6c3a36fe
include updated RDP att&ck tag 2020-12-04 11:59:23 -05:00
tjgeorgen
0eda1ab462
also update tag for folder variant 2020-12-04 11:42:05 -05:00
tjgeorgen
5208bdd65a
add new version of ATT&CK T1500 tag 2020-12-04 11:19:16 -05:00
yugoslavskiy
a028cdf1ee
Update powershell_shellcode_b64.yml 2020-12-01 02:24:35 +01:00
yugoslavskiy
7309fb7d0e
Update powershell_winlogon_helper_dll.yml 2020-12-01 02:23:02 +01:00
yugoslavskiy
36754ae3d5
Update win_vul_cve_2020_0688.yml 2020-12-01 02:16:22 +01:00
yugoslavskiy
0188e45925
Update win_malware_script_dropper.yml 2020-12-01 02:12:53 +01:00
yugoslavskiy
30ecc8bd26
Update win_malware_script_dropper.yml 2020-12-01 02:08:52 +01:00
yugoslavskiy
6494103839
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:54:51 +01:00
yugoslavskiy
d1b625d080
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:51:47 +01:00
yugoslavskiy
3cbc2f0aec
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:47:23 +01:00
yugoslavskiy
816ce5937c
Update win_susp_crackmapexec_execution.yml 2020-12-01 01:29:35 +01:00
Vasiliy Burov
cf8d195c5c
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-11-30 11:49:42 +03:00
yugoslavskiy
56f94a19f7
Update win_regedit_export_keys.yml 2020-11-30 02:08:54 +01:00
yugoslavskiy
0414d7a498
Merge branch 'oscd' into master 2020-11-30 02:04:03 +01:00
Yugoslavskiy Daniil
d812a3e08e resolve conflict restoring rule win_susp_replace_lolbin.yml 2020-11-30 01:09:24 +01:00
Yugoslavskiy Daniil
98617609d6 Merge branch 'oscd' into HEAD 2020-11-30 01:07:26 +01:00
Yugoslavskiy Daniil
50623544a2 remove possible duplicate filter 2020-11-29 22:03:19 +01:00
OG
70fb078a56
Update sysmon_office_test_regadd.yml 2020-11-29 18:02:37 +05:30
OG
8e801ede32
Update win_susp_psexec_eula.yml 2020-11-29 17:45:29 +05:30
Jonhnathan
a9fde0117b
Merge branch 'oscd' into oscd_rules_improvement 2020-11-28 14:52:31 -03:00
yugoslavskiy
7dc5233dd9
Update win_susp_commands_recon_activity.yml 2020-11-28 18:43:04 +01:00
yugoslavskiy
5196926d60
Update sysmon_stickykey_like_backdoor.yml 2020-11-28 18:33:21 +01:00
yugoslavskiy
39c2258848
Update sysmon_registry_persistence_search_order.yml 2020-11-28 18:30:41 +01:00
yugoslavskiy
9f8ef95571
Update win_webshell_detection.yml 2020-11-28 18:25:09 +01:00
yugoslavskiy
c761d05a17
Update win_system_exe_anomaly.yml 2020-11-28 18:03:19 +01:00
yugoslavskiy
258334d6d1
Update win_susp_wmi_execution.yml 2020-11-28 18:01:06 +01:00
Jonhnathan
95eb7424aa
Update sysmon_susp_run_key_img_folder.yml 2020-11-28 13:54:59 -03:00
Jonhnathan
f504ccc33f
Update sysmon_susp_reg_persist_explorer_run.yml 2020-11-28 13:52:36 -03:00
Jonhnathan
986800056c
Update sysmon_stickykey_like_backdoor.yml 2020-11-28 13:50:13 -03:00
yugoslavskiy
c0c74a05df
Update win_susp_sysvol_access.yml 2020-11-28 17:49:21 +01:00
Jonhnathan
ef34c94e6a
Update sysmon_registry_persistence_search_order.yml 2020-11-28 13:49:18 -03:00
yugoslavskiy
3c75bc922a
Update win_susp_squirrel_lolbin.yml 2020-11-28 17:47:16 +01:00
Jonhnathan
06cc5049a4
Update sysmon_dns_serverlevelplugindll.yml 2020-11-28 13:46:02 -03:00
yugoslavskiy
42f27a41cb
Update win_susp_rundll32_by_ordinal.yml 2020-11-28 17:44:30 +01:00
yugoslavskiy
ca0a6547fb
Update win_susp_run_locations.yml 2020-11-28 17:42:47 +01:00
Jonhnathan
f1455e0c38
Update win_win10_sched_task_0day.yml 2020-11-28 13:42:30 -03:00
Jonhnathan
fe3ed329ef
Update win_webshell_recon_detection.yml 2020-11-28 13:41:11 -03:00
yugoslavskiy
ea550cf551
Update win_susp_regsvr32_anomalies.yml 2020-11-28 17:40:40 +01:00
Jonhnathan
f0bf3d13b5
Update win_webshell_detection.yml 2020-11-28 13:38:34 -03:00
Jonhnathan
9f4bbb7e65
Update win_webshell_detection.yml 2020-11-28 13:35:50 -03:00
yugoslavskiy
bcf62fba72
Update win_susp_ps_appdata.yml 2020-11-28 17:34:34 +01:00
yugoslavskiy
2ed4b26291
Update win_susp_procdump.yml 2020-11-28 17:33:02 +01:00
Jonhnathan
0d0f58c830
Update win_system_exe_anomaly.yml 2020-11-28 13:32:44 -03:00
yugoslavskiy
a3e436363e
Update win_susp_powershell_parent_combo.yml 2020-11-28 17:31:37 +01:00
Jonhnathan
c9b5ba10f8
Update win_susp_wmi_execution.yml 2020-11-28 13:30:34 -03:00
yugoslavskiy
c01c05b826
Update win_susp_powershell_enc_cmd.yml 2020-11-28 17:29:15 +01:00
Jonhnathan
f6117eebc7
Update win_susp_sysvol_access.yml 2020-11-28 13:27:28 -03:00
Jonhnathan
88b4d4c4e5
Update win_susp_sysvol_access.yml 2020-11-28 13:26:22 -03:00
yugoslavskiy
66a504078b
Update win_susp_ping_hex_ip.yml 2020-11-28 17:25:52 +01:00
Jonhnathan
7aa831eac3
Remove additional backslash 2020-11-28 13:25:28 -03:00
Jonhnathan
0357472635
Update win_susp_squirrel_lolbin.yml 2020-11-28 13:24:38 -03:00
Jonhnathan
f70bd415a3
Update win_susp_run_locations.yml 2020-11-28 13:21:04 -03:00
Jonhnathan
5cbefe3737
Update win_susp_regsvr32_anomalies.yml 2020-11-28 13:18:38 -03:00
Jonhnathan
e99f63f811
Update win_susp_ps_appdata.yml 2020-11-28 13:15:24 -03:00
Jonhnathan
fc842c22b2
Update win_susp_prog_location_process_starts.yml 2020-11-28 13:11:15 -03:00
Jonhnathan
a78eb61d92
Remove additional backslash 2020-11-28 13:08:51 -03:00
Jonhnathan
27f47a8ffc
Update win_susp_procdump.yml 2020-11-28 13:08:21 -03:00
Jonhnathan
b61707e7f3
Remove additional backslash 2020-11-28 13:07:06 -03:00
Jonhnathan
c9461506f2
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:06:10 -03:00
Jonhnathan
2364e9870d
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:05:47 -03:00
Jonhnathan
f4f8174199
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:04:36 -03:00
Jonhnathan
53e1201bea
Update win_susp_ping_hex_ip.yml 2020-11-28 13:01:42 -03:00
Jonhnathan
b24945999e
Update win_susp_ping_hex_ip.yml 2020-11-28 13:01:24 -03:00
Jonhnathan
1c56dc463a
Remove additional backslash 2020-11-28 12:38:19 -03:00
Jonhnathan
198bdb9659
Remove Additional backslash 2020-11-28 12:34:06 -03:00
Jonhnathan
63adc6fc09
Update win_susp_direct_asep_reg_keys_modification.yml 2020-11-28 12:32:35 -03:00
Jonhnathan
3481b0dd9e
Update win_susp_curl_start_combo.yml 2020-11-28 12:31:55 -03:00
yugoslavskiy
245a0d3438
Update win_susp_outlook.yml 2020-11-28 13:34:57 +01:00
yugoslavskiy
36299f5139
Update win_susp_net_execution.yml 2020-11-28 13:33:30 +01:00
yugoslavskiy
501791945f
Update win_susp_msiexec_web_install.yml 2020-11-28 13:32:01 +01:00
yugoslavskiy
8293fd8e5b
Update win_susp_iss_module_install.yml 2020-11-28 13:30:27 +01:00
yugoslavskiy
1896a45572
Update win_susp_ntdsutil.yml 2020-11-28 13:28:00 +01:00
Jonhnathan
4411fc5b0e
Update win_susp_commands_recon_activity.yml 2020-11-28 09:14:56 -03:00
Jonhnathan
2bf4644b48
Update win_renamed_paexec.yml 2020-11-28 09:08:48 -03:00
Jonhnathan
4e59fc0dfd
Update win_renamed_binary_highly_relevant.yml 2020-11-28 09:08:09 -03:00
yugoslavskiy
4354303174
Update win_susp_execution_path.yml 2020-11-28 13:07:22 +01:00
yugoslavskiy
77cf5d2563
Update win_susp_exec_folder.yml 2020-11-28 13:04:05 +01:00
yugoslavskiy
201377fa29
Update win_susp_csc_folder.yml 2020-11-28 13:01:03 +01:00
yugoslavskiy
c4a35036a0
Update win_susp_csc.yml 2020-11-28 12:54:18 +01:00
yugoslavskiy
5d7f42a4a6
Update win_susp_crackmapexec_execution.yml 2020-11-28 12:53:00 +01:00
yugoslavskiy
38e7853891
Update win_susp_copy_lateral_movement.yml 2020-11-28 12:44:54 +01:00
yugoslavskiy
34e64a6570
Update win_susp_codepage_switch.yml 2020-11-28 12:42:27 +01:00
yugoslavskiy
5278fcd476
Update win_susp_cmd_http_appdata.yml 2020-11-28 12:34:28 +01:00
yugoslavskiy
fd102c1b5f
Update win_susp_certutil_encode.yml 2020-11-28 12:31:40 +01:00
yugoslavskiy
68365f29c2
Update win_susp_certutil_command.yml 2020-11-28 12:29:30 +01:00