Commit Graph

6361 Commits

Author SHA1 Message Date
frack113
d819d726eb
Merge pull request #2112 from austinsonger/macos_suspicious_macos_firmware_activity.yml
macos_suspicious_macos_firmware_activity.yml
2021-10-02 07:09:11 +02:00
webboy2015
87df79302d
Update win_lolbas_execution_of_nltest.exe
Changed condition as follows:
   detection:
       selection:
           EventID: 4689
           ProcessName|endswith: nltest.exe
           Status: "0x0"
       condition: selection

Included field - SubjectDomainName
2021-10-01 12:55:37 -07:00
zakibro
d40b42fc2c
Update lnx_auditd_clipboard_image_collection.yml
fixing a typo
2021-10-01 18:54:12 +02:00
Pawel Mazur
e67770d7ea New Rule - Linux - Auditd - Clipboard Collection of Image Data with Xclip Tool 2021-10-01 18:43:03 +02:00
frack113
19a834e317
Merge pull request #2111 from TareqAlKhatib/master
Corrected Technique
2021-10-01 15:17:01 +02:00
Tareq Alkhatib
0d22601112 Added Compromise Infrastructure: Web Services technique 2021-10-01 08:40:59 -04:00
Austin Songer
04acba9c77
Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-09-30 19:58:21 -05:00
Austin Songer
d55ffe721e
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:19:18 -05:00
Austin Songer
e274df1b13
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:18:38 -05:00
Austin Songer
b14d9e3826
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:16:02 -05:00
Austin Songer
7f0ad710fd
Delete process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:15:40 -05:00
Austin Songer
18d65387b5
Create process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:15:03 -05:00
Austin Songer
3d7f96ddd7
Create process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:14:34 -05:00
Austin Songer
00513ff2c5
Create macos_suspicious_macos_firmware_activity.yml 2021-09-30 18:47:15 -05:00
Tareq Alkhatib
b0b95ce32b Corrected Technique 2021-09-30 16:34:14 -04:00
frack113
e900945761
Update win_trust_discovery.yml 2021-09-30 19:26:14 +02:00
zaicurity
76224b0fb2
Added alternative nltest command parameter
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2c)
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. 
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
frack113
1c842037cf
Merge pull request #2109 from Karneades/patch-1
Add fp note to powershell winapi rule
2021-09-30 17:45:03 +02:00
frack113
6eea77ae38
Merge pull request #2105 from frack113/powershell
powershell_susp_zip_compress add 4104
2021-09-30 17:40:13 +02:00
Andreas Hunkeler
82ba266a53
Add fp note to powershell winapi rule 2021-09-30 16:38:39 +02:00
frack113
29d66a965c add 4104 2021-09-30 10:03:11 +02:00
webboy2015
056067086c
Create win_lolbas_execution_of_nltest.exe.yaml
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
frack113
84ec2f582a
Merge pull request #2100 from kidrek/sysmon_delete_prefetch
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 17:53:33 +02:00
frack113
ed1a1caa2e
Merge pull request #2098 from frack113/fix_tags
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
neonprimetime security (Justin C Miller)
2ae2c35a7f
misspelled 'mshta.exe' in selection_base
it said 'mhsta.exe' and it should say 'mshta.exe'
2021-09-29 07:47:12 -05:00
frack113
17ad95cd12
Update sysmon_delete_prefetch.yml 2021-09-29 10:58:00 +02:00
kidrek
da4a8a0ffd Fix title field error 2021-09-29 09:49:58 +02:00
kidrek
d3fc6b118d Add new rule - sysmon_delete_prefetch - AntiForensic 2021-09-29 09:42:17 +02:00
frack113
4a66ea04bd fix tags 2021-09-29 08:26:05 +02:00
zaicurity
a2418e4d2c
Added alternative command parameter
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. 
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-28 17:39:21 +02:00
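The two nltest.exe detection approaches described in the commit messages above (webboy2015's Security 4689 exit-status rule, and zaicurity's addition of the '/trusted_domains' parameter beside '/domain_trusts') evaluated over constructed event records, as an added example; this is not code from the SigmaHQ repository or from any commit on this page. The matcher is a deliberately small Sigma-like evaluator (case-insensitive `endswith` / `contains`, a list of values as OR, `all` for AND, fields ANDed within a selection, no wildcards); field names follow the Sigma Windows taxonomy, and the event records are constructed for illustration.

```python
"""Added example (not SigmaHQ code): a minimal Sigma-style matcher run over
constructed Windows event records, covering both nltest.exe detections
discussed in the commits above.

Assumptions: field names follow the Sigma Windows taxonomy (EventID,
ProcessName, Status for Security 4689; Image, CommandLine for process
creation); the event records below are constructed, not captured logs.
"""
from typing import Any


def _match_value(expected: Any, modifiers: list[str], actual: Any) -> bool:
    """Match one field. Sigma compares case-insensitively; a list of values is
    OR unless the 'all' modifier is present. Wildcards are not implemented."""
    if actual is None:
        return False
    actual_s = str(actual).lower()
    expected_list = expected if isinstance(expected, list) else [expected]
    results = []
    for value in expected_list:
        value_s = str(value).lower()
        if "endswith" in modifiers:
            results.append(actual_s.endswith(value_s))
        elif "startswith" in modifiers:
            results.append(actual_s.startswith(value_s))
        elif "contains" in modifiers:
            results.append(value_s in actual_s)
        else:
            results.append(actual_s == value_s)
    return all(results) if "all" in modifiers else any(results)


def match_selection(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """All fields of a Sigma selection must match (AND)."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        if not _match_value(expected, modifiers, event.get(field)):
            return False
    return True


# Rule 1: the Security 4689 (Process Termination) approach from the commit
# message. 4689 carries no command line, so it fires on any successful
# nltest run; the leading backslash keeps e.g. 'evilnltest.exe' from matching.
RULE_NLTEST_EXIT = {
    "EventID": 4689,
    "ProcessName|endswith": "\\nltest.exe",
    "Status": "0x0",
}

# Rule 2: the command-line approach, listing both the original
# '/domain_trusts' parameter and the '/trusted_domains' alternative the
# zaicurity commits add, so the alternative no longer evades the rule.
RULE_NLTEST_CMDLINE = {
    "Image|endswith": "\\nltest.exe",
    "CommandLine|contains": ["/domain_trusts", "/trusted_domains"],
}

RULES = {
    "nltest exited successfully (Security 4689)": RULE_NLTEST_EXIT,
    "nltest trust enumeration on the command line": RULE_NLTEST_CMDLINE,
}

# Constructed sample events (not real logs).
EVENTS = [
    {"EventID": 4689, "ProcessName": "C:\\Windows\\System32\\nltest.exe",
     "Status": "0x0", "SubjectDomainName": "CORP"},
    {"EventID": 4689, "ProcessName": "C:\\Windows\\System32\\nltest.exe",
     "Status": "0xC0000142", "SubjectDomainName": "CORP"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "NLTEST /Trusted_Domains"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dclist:corp.local"},
    {"EventID": 4689, "ProcessName": "C:\\Windows\\System32\\net.exe",
     "Status": "0x0", "SubjectDomainName": "CORP"},
]


def run_rules(rules=RULES, events=EVENTS) -> list[tuple[int, str]]:
    """Return (event index, rule title) for every rule that matches."""
    hits = []
    for idx, event in enumerate(events):
        for title, selection in rules.items():
            if match_selection(selection, event):
                hits.append((idx, title))
    return hits


if __name__ == "__main__":
    for idx, title in run_rules():
        print(f"event {idx}: {title}")
```

Running it flags event 0 (successful nltest exit), event 2 ('/domain_trusts') and event 3 ('/trusted_domains', regardless of case); the failed exit, the '/dclist' run and the net.exe exit stay silent. The two rules are complementary rather than redundant: 4689 only exists when the Audit Process Termination subcategory is enabled and never shows the parameters, while the command-line rule sees the parameters but only from a process-creation source.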
frack113
c27084dd0c
Merge pull request #2094 from frack113/backend_sysmon
Fix logsource not a string
2021-09-28 16:22:58 +02:00
frack113
c3222945ef
Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml
win_sysmon_driver_unload.yml
2021-09-28 16:22:43 +02:00
frack113
f8ec71c00c
Merge pull request #2072 from austinsonger/aws_attached_malicious_lambda_layer.yml
aws_attached_malicious_lambda_layer.yml
2021-09-28 13:08:01 +02:00
Austin Songer
0d07a78a2d
Update aws_attached_malicious_lambda_layer.yml 2021-09-27 23:41:19 -05:00
Austin Songer
3e7b3073cf
Update win_sysmon_driver_unload.yml 2021-09-27 23:30:30 -05:00
Florian Roth
1da59d9175
Merge pull request #2092 from SigmaHQ/rule-devel
docs: changed description
2021-09-27 23:13:09 +02:00
Florian Roth
4161cd909f
docs: changed description 2021-09-27 23:12:18 +02:00
Florian Roth
10b70edff0
Merge pull request #2091 from SigmaHQ/rule-devel
NOBELIUM FoggyWeb backdoor loading
2021-09-27 23:09:18 +02:00
Florian Roth
b227f8459d
fix: typo in filename 2021-09-27 22:37:20 +02:00
Florian Roth
ada966c5be
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-09-27 22:34:30 +02:00
Florian Roth
cee44e6688
renamed files: lowercase 2021-09-27 22:33:30 +02:00
Florian Roth
97bb6a0257
rule: NOBELIUM FoggyWeb 2021-09-27 22:28:25 +02:00
frack113
bcf40fa4e4 Fix logsource not a string 2021-09-27 18:59:05 +02:00
Florian Roth
5ef1c913cf
fix: wrong condition
https://github.com/SigmaHQ/sigma/issues/2089
2021-09-27 18:33:57 +02:00
frack113
6bce0f967a
Merge pull request #2079 from zakibro/master
New Rule - Linux - Auditd - Clipboard Collection
2021-09-27 08:34:30 +02:00
zakibro
6a2785492d
Update lnx_auditd_clipboard_collection.yml
Changes after suggestion.
2021-09-27 07:59:43 +02:00
Florian Roth
f196e3174d refactor: moved last global rule to unsupported 2021-09-26 10:54:11 +02:00
MetallicHack
d888ce67bc
Create azure_ad_user_added_to_sensitive_role.yml 2021-09-25 21:57:10 +02:00
Florian Roth
93bff7f49d docs: new ID 2021-09-25 11:37:39 +02:00
Florian Roth
31ef53738d refactor: removed old Joomla rules, made generic path traversal 2021-09-25 11:37:02 +02:00
frack113
7dc574bc01
Merge pull request #2078 from kidrek/win_process_dump_rdrleakdiag
add new rule win_process_dump_rdrleakdiag
2021-09-25 07:55:52 +02:00
frack113
8fe222a92c
Merge pull request #2077 from frack113/remove_re
Convert re to endswith
2021-09-25 07:55:22 +02:00
Sittikorn S
7c8df0eb55
Update web_cve_2021_22005_vmware_file_upload.yml 2021-09-25 08:05:00 +07:00
kidrek
267da51745 The issues have been fixed 2021-09-24 22:18:00 +02:00
Pawel Mazur
4bbe4962b0 New Rule - Linux - Auditd - Clipboard Collection 2021-09-24 18:40:10 +02:00
kidrek
ecd4719a20 add new rule win_process_dump_rdrleakdiag 2021-09-24 18:22:06 +02:00
Sittikorn S
dea89ad324
Update and rename web_cve_2021_22005_vmware_file_upload to web_cve_2021_22005_vmware_file_upload.yml 2021-09-24 21:35:04 +07:00
Sittikorn S
f903640b73
Update web_cve_2021_22005_vmware_file_upload 2021-09-24 21:29:43 +07:00
Sittikorn S
16452ca80e
Create web_cve_2021_22005_vmware_file_upload 2021-09-24 21:21:09 +07:00
frack113
ef75695647 convert re to endswith 2021-09-24 15:39:56 +02:00
Austin Songer
8203a2d5f2
Update aws_attached_malicious_lambda_layer.yml 2021-09-23 08:40:26 -05:00
Austin Songer
fdc45505e0
Create aws_attached_malicious_lambda_layer.yml 2021-09-23 08:38:02 -05:00
Austin Songer
b9123422b8
Delete aws_attached_malicious_lambda_layer.yml 2021-09-23 08:37:34 -05:00
Austin Songer
9e9fd4c23d
Create aws_attached_malicious_lambda_layer.yml 2021-09-23 08:37:20 -05:00
frack113
aa96f21d0f fix filename 2021-09-23 14:52:56 +02:00
frack113
934e391159 fix filename 2021-09-23 14:51:59 +02:00
frack113
44feb3ddf6 fix filename 2021-09-23 14:46:13 +02:00
frack113
89776b8c14 fix filename 2021-09-23 14:44:51 +02:00
frack113
8b5f62bdb7 fix filename 2021-09-23 14:41:16 +02:00
frack113
c029e62c64 fix filename 2021-09-23 14:37:34 +02:00
Florian Roth
bb2e6acd40
Merge pull request #1926 from pbssubhash/master
Adding CVE's Exploitation attempt detection: Year - 2010
2021-09-23 14:08:15 +02:00
frack113
e9260679d4
Merge pull request #2064 from SigmaHQ/rule-devel
Changed tags in lnx_clear_syslog.yml
2021-09-23 13:55:18 +02:00
frack113
c59b0eb543
Merge pull request #2063 from frack113/last_global
Split Last Global Rules
2021-09-23 13:54:57 +02:00
Florian Roth
3107ede1c4 Merge branch 'pr/2065' 2021-09-23 09:18:15 +02:00
frack113
688903192d Merge branch 'fix_filename_test' of https://github.com/frack113/sigma into fix_filename_test 2021-09-23 08:01:19 +02:00
frack113
605fa2dd80 update filename 2021-09-23 07:58:50 +02:00
frack113
cce90a669a
Merge pull request #2067 from austinsonger/aws_suspicious_saml_activity.yml
aws_suspicious_saml_activity.yml
2021-09-23 06:34:18 +02:00
frack113
525a310c86
Merge pull request #2068 from austinsonger/typos
Typos
2021-09-23 06:32:49 +02:00
Austin Songer
53f426342c
Update win_file_winword_cve_2021_40444.yml 2021-09-22 22:26:05 -05:00
Austin Songer
ab613af365
Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml 2021-09-22 22:24:24 -05:00
Austin Songer
6942b9c5e8
Update aws_suspicious_saml_activity.yml 2021-09-22 20:16:50 -05:00
Austin Songer
d1337bbfbf
Create aws_suspicious_saml_activity.yml 2021-09-22 20:15:36 -05:00
Austin Songer
097c6c3537
Update okta_user_account_locked_out.yml 2021-09-22 19:54:46 -05:00
Austin Songer
05d454d794
Update okta_unauthorized_access_to_app.yml 2021-09-22 19:54:39 -05:00
Austin Songer
26b99a44c0
Update okta_security_threat_detected.yml 2021-09-22 19:54:32 -05:00
Austin Songer
f55b9ef024
Update okta_policy_rule_modified_or_deleted.yml 2021-09-22 19:54:23 -05:00
Austin Songer
100eb06e7a
Update okta_policy_modified_or_deleted.yml 2021-09-22 19:54:15 -05:00
Austin Songer
9d910d823a
Update okta_network_zone_deactivated_or_deleted.yml 2021-09-22 19:54:09 -05:00
Austin Songer
ea73c692d7
Update okta_mfa_reset_or_deactivated.yml 2021-09-22 19:54:02 -05:00
Austin Songer
f673eb413e
Update okta_application_sign-on_policy_modified_or_deleted.yml 2021-09-22 19:53:56 -05:00
Austin Songer
1effd8b187
Update okta_application_modified_or_deleted.yml 2021-09-22 19:53:49 -05:00
Austin Songer
ccd9f8d6dc
Update okta_api_token_revoked.yml 2021-09-22 19:53:43 -05:00
Austin Songer
6401f9b4d9
Update okta_api_token_created.yml 2021-09-22 19:53:36 -05:00
Austin Songer
ecb18ec149
Update okta_admin_role_assigned_to_user_or_group.yml 2021-09-22 19:53:28 -05:00
Austin Songer
74452347fb
Update okta_user_account_locked_out.yml 2021-09-22 19:52:43 -05:00
Austin Songer
275ebf7884
Update okta_unauthorized_access_to_app.yml 2021-09-22 19:52:36 -05:00
Austin Songer
2ab5ba0a0c
Update okta_security_threat_detected.yml 2021-09-22 19:52:29 -05:00
Austin Songer
1aec430291
Update okta_policy_rule_modified_or_deleted.yml 2021-09-22 19:52:23 -05:00
Austin Songer
cead26637b
Update okta_policy_modified_or_deleted.yml 2021-09-22 19:52:17 -05:00
Austin Songer
e1eb8c6222
Update okta_network_zone_deactivated_or_deleted.yml 2021-09-22 19:52:10 -05:00
Austin Songer
38e09f061d
Update okta_mfa_reset_or_deactivated.yml 2021-09-22 19:52:04 -05:00
Austin Songer
12f76cdf6b
Update okta_application_sign-on_policy_modified_or_deleted.yml 2021-09-22 19:51:58 -05:00
Austin Songer
11732970fc
Update okta_application_modified_or_deleted.yml 2021-09-22 19:51:51 -05:00
Austin Songer
8dfae4c785
Update okta_api_token_revoked.yml 2021-09-22 19:51:44 -05:00
Austin Songer
1a64dc03a1
Update okta_api_token_created.yml 2021-09-22 19:51:31 -05:00
Austin Songer
f186235d8f
Update okta_admin_role_assigned_to_user_or_group.yml 2021-09-22 19:51:25 -05:00
frack113
3ac0d93f5b
Merge pull request #2062 from Pooch11/win-apt-greenbug-fix
win-apt-greenbug-fix small change to B64encoded value of '/server='
2021-09-22 20:05:37 +02:00
frack113
6e6d57b019 fix filename 2021-09-22 18:45:08 +02:00
unknown
9924cc3946 win-apt-greenbug-fix amend b64 value of /server= as seen in IOC 2021-09-22 10:33:04 -04:00
frack113
ab5f5f95bc fix filename 2021-09-22 16:27:05 +02:00
frack113
3c906b52a0 fix filename 2021-09-22 16:21:07 +02:00
Florian Roth
b7b0bd4275
Update lnx_clear_syslog.yml 2021-09-22 09:46:05 +02:00
frack113
7b995f2d99
Merge pull request #2057 from secDre4mer/master
Add two rules
2021-09-22 09:15:32 +02:00
frack113
ac639bb9ec
Merge pull request #2060 from zakibro/master
New Rule - Linux - Auditd - Screencapture with Import Tool
2021-09-22 08:41:50 +02:00
frack113
045e87058b
add definition 2021-09-22 08:40:08 +02:00
unknown
3ace73f9fd win-apt-greenbug-fix - change modified date as well 2021-09-21 16:59:32 -04:00
unknown
993bf46550 win-apt-greenbug-fix small change to B64encoded value of '/server=' in detection criteria 2021-09-21 16:56:01 -04:00
frack113
db9e6124e3 fix too many blank lines 2021-09-21 20:24:02 +02:00
frack113
6e08ba55c4 fix error 2021-09-21 20:16:26 +02:00
frack113
7a52da3b40 split global cleartext_protocols.yml 2021-09-21 19:56:47 +02:00
frack113
e377e4e96f split global net_high_dns_bytes_out.yml 2021-09-21 19:53:25 +02:00
frack113
6777ca7a82 split global net_high_dns_requests_rate.yml 2021-09-21 19:51:11 +02:00
frack113
00f3055035 split global net_susp_network_scan.yml 2021-09-21 19:47:28 +02:00
frack113
b5e91d7185 fix field name and date 2021-09-21 19:41:46 +02:00
frack113
d37685d7cc split global win_cobaltstrike_service_installs.yml 2021-09-21 19:36:34 +02:00
frack113
06a07605fd split global win_mal_creddumper.yml 2021-09-21 19:31:52 +02:00
Pawel Mazur
e20e5033e7 New Rule - Linux - Auditd - Screencapture with Import Tool 2021-09-21 18:55:48 +02:00
Florian Roth
d884f774f9
Update powershell_memorydump_getstoragediagnosticinfo.yml 2021-09-21 18:01:46 +02:00
phantinuss
46febf48b0
fix: remove rule, too many FPs and no better matching criteria 2021-09-21 16:52:17 +02:00
frack113
dde3b17c20 split global win_mal_service_installs.yml 2021-09-21 16:17:59 +02:00
frack113
518d294ee9 fix id error 2021-09-21 16:06:27 +02:00
frack113
b9d14ef55a split global win_metasploit_or_impacket_smb_psexec_service_install.yml 2021-09-21 16:02:47 +02:00
Max Altgelt
bf9bc03258
chore: properly name and describe rules 2021-09-21 15:59:01 +02:00
frack113
9dbc71ca2f split global win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 2021-09-21 15:50:06 +02:00
frack113
0dd549ba67 fix selection name 2021-09-21 15:25:03 +02:00
frack113
7c8d1ab037 split global win_moriya_rootkit.yml 2021-09-21 15:18:25 +02:00
frack113
a4ad7e5358 split global win_net_ntlm_downgrade.yml 2021-09-21 15:10:08 +02:00
Max Altgelt
8c3faa390c
feat: Add rule for live memory dumping 2021-09-21 15:09:12 +02:00
frack113
a5c8fba7a5 fix error 2021-09-21 15:01:51 +02:00
Max Altgelt
346ff26809
feat: Add rule for syslog removal 2021-09-21 14:56:12 +02:00
frack113
20a785bad3 split global win_powershell_script_installed_as_service.yml 2021-09-21 13:55:04 +02:00
frack113
8c13bd23b9 split global win_powershell_web_request 2021-09-21 13:44:19 +02:00
frack113
ba3c7a020a split global win_root_certificate_installed.yml 2021-09-21 13:34:32 +02:00
frack113
6368a88ad3 split global win_software_discovery.yml 2021-09-21 13:28:47 +02:00
frack113
332bed7906 split global win_susp_eventlog_cleared.yml 2021-09-21 13:22:40 +02:00
frack113
99f24a95a6 split global win_susp_failed_logons_single_source.yml 2021-09-21 13:19:00 +02:00
frack113
06ed7c41af split global win_tap_driver_installation.yml 2021-09-21 13:15:21 +02:00
frack113
5951ad1d9a
Merge pull request #2056 from frack113/some_global
Split global rules
2021-09-21 12:42:59 +02:00
frack113
d5e1e97ed3
Merge pull request #2055 from frack113/split_invoke
split global win_invoke_obfuscation_*
2021-09-21 12:42:41 +02:00
frack113
0884a70e28 fix tests.py error 2021-09-21 10:52:37 +02:00
frack113
4718f914e9 split global sysmon_hack_dumpert.yml 2021-09-21 10:43:42 +02:00
frack113
5fc82e5dc6 split global sysmon_tttracer_mod_load.yml 2021-09-21 10:39:02 +02:00
frack113
4c85858e12 split global sysmon_regsvr32_network_activity.yml 2021-09-21 10:33:47 +02:00
frack113
c0e24e9236 split global win_defender_disabled.yml 2021-09-21 10:24:52 +02:00
frack113
2b23118b0d split global win_defender_exclusions.yml 2021-09-21 10:16:25 +02:00
frack113
318f8b714e split global win_tool_psexec.yml 2021-09-21 10:10:48 +02:00
frack113
a96dd66b46 split global win_wmi_persistence.yml 2021-09-21 09:56:03 +02:00
frack113
0a6ac0b171 split global powershell_alternate_powershell_hosts.yml 2021-09-21 09:52:35 +02:00
frack113
f5d58a0cb1 split powershell_remote_powershell_session.yml 2021-09-21 09:48:50 +02:00
frack113
95af26f963 split powershell_suspicious_download.yml 2021-09-21 09:46:02 +02:00
frack113
10d11b7890 fix 4697 fieldname 2021-09-20 22:53:59 +02:00
frack113
b6dc4de5e1 split global win_invoke_obfuscation_* 2021-09-20 22:42:59 +02:00
frack113
feee70644f split global win_invoke_obfuscation_* 2021-09-20 22:40:33 +02:00
neu5ron
61c9c9fb20 Zeek detection for OMIGOD HTTP RCE
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
2021-09-20 12:26:01 -04:00
Florian Roth
a18f4d3c10
Merge pull request #2053 from humpalum/master
Rule for ADSelfService cve_2021_40539
2021-09-20 16:41:52 +02:00
frack113
6dbc369eb5
Update web_cve_2021_40539_adselfservice.yml 2021-09-20 15:51:21 +02:00
frack113
4424bc9c5d
Update web_cve_2021_40539_adselfservice.yml 2021-09-20 13:20:39 +02:00
Florian Roth
56069a2196
Update web_cve_2021_40539_adselfservice.yml 2021-09-20 13:07:31 +02:00
Florian Roth
8909eefb90
Merge pull request #2052 from phantinuss/pr
xwizard dll sideloading
2021-09-20 12:35:42 +02:00
Tobias Michalski
2b843e58ee
fix: added references 2021-09-20 12:28:47 +02:00
Tobias Michalski
79d2144424
feat: Rule for ADSelfService cve_2021_40539 2021-09-20 12:26:46 +02:00
phantinuss
25a407e24f
Update win_dll_sideload_xwizard.yml 2021-09-20 10:56:37 +02:00
Florian Roth
6c630502dc
Update win_dll_sideload_xwizard.yml 2021-09-20 10:54:53 +02:00
frack113
91788e57c7
Merge pull request #2051 from frack113/double_file_name
fix duplicate name file
2021-09-20 10:45:35 +02:00
phantinuss
4e794fe3e7
xwizard dll sideloading 2021-09-20 10:39:31 +02:00
frack113
6286cf80cc fix duplicate name file 2021-09-20 09:31:04 +02:00
frack113
d5108502a2 split win_apt_chafer_mar18.yml 2021-09-19 11:48:20 +02:00
frack113
faff9e6db7 split win_apt_slingshot.yml 2021-09-19 11:36:40 +02:00
frack113
e69ec4624a split win_apt_gallium.yml 2021-09-19 11:24:17 +02:00
frack113
c43c12e557 split win_apt_turla_commands.yml 2021-09-19 11:17:50 +02:00
frack113
b576ad115b split win_apt_unidentified_nov_18.yml 2021-09-19 11:11:04 +02:00
frack113
06de91c92a split win_apt_wocao.yml 2021-09-19 11:07:24 +02:00
frack113
dc8ad15d1a split win_exchange_transportagent.yml 2021-09-19 11:03:16 +02:00
frack113
deb0ad5f58 split win_hktl_createminidump.yml 2021-09-19 10:19:34 +02:00
frack113
18e7e16005 split win_mal_adwind.yml 2021-09-19 10:12:03 +02:00
frack113
416b0556b1 split win_silenttrinity_stage_use.yml 2021-09-19 10:02:05 +02:00
frack113
7d000f2b1d split win_susp_winrm_AWL_bypass.yml 2021-09-19 09:41:17 +02:00
frack113
842e6481d8
Merge pull request #2046 from frack113/fix_Class
Fix invalid registry _Class
2021-09-19 09:28:46 +02:00
Roberto Rodriguez
407289d300 Rule to detect the execution of a script via SCX RunAsprovider ExecuteScript 2021-09-18 03:50:37 -04:00
frack113
81bf864d94 fix detection 2021-09-17 19:56:26 +02:00
frack113
509a4c2822 fix detection 2021-09-17 19:54:50 +02:00
frack113
d22382d0b9 fix detection 2021-09-17 19:52:40 +02:00
frack113
a1222c7716 Update sysmon_apt_oceanlotus_registry 2021-09-17 19:50:30 +02:00
Florian Roth
31021b9c32
Merge pull request #2040 from frack113/fix_win_outlook_registry_webview
cleanup condition win_outlook_registry_webview.yml
2021-09-17 14:49:35 +02:00
Florian Roth
89b225e43b
Merge pull request #2041 from frack113/fix_sysmon_susp_mic_cam_access
fix detection in sysmon_susp_mic_cam_access
2021-09-17 14:49:07 +02:00
Florian Roth
260578dceb fix: wrong modified field 2021-09-17 14:29:19 +02:00
Roberto Rodriguez
c17104b2eb updated level to high 2021-09-17 04:30:17 -04:00
Roberto Rodriguez
7618cf4672 Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell 2021-09-17 04:23:11 -04:00
frack113
6e4edfdf20 fix detection 2021-09-17 09:11:53 +02:00
frack113
ebc5ebe7ba cleanup condition 2021-09-17 08:23:14 +02:00
frack113
158746a904
Merge pull request #2036 from frack113/sysmon_registry_persistence_search_order
[Turla Mosquito] fix detection from references
2021-09-17 06:36:46 +02:00
frack113
6dd4315f36
Merge pull request #2035 from frack113/fix_bad_category
Fix bad category in possible_privilege_escalation_via_service_registry_permissions
2021-09-17 06:35:29 +02:00
frack113
377c5a80f5
Merge pull request #2031 from frack113/lnx_global
Split global linux rule
2021-09-17 06:34:59 +02:00
frack113
05f4f50fc2
Merge pull request #2037 from frack113/clean_win_outlook_registry_todaypage
Clean win outlook registry todaypage
2021-09-17 06:34:38 +02:00
Sittikorn S
13553ef917
Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml 2021-09-17 09:53:12 +07:00
frack113
7a22fc6dba clean string 2021-09-16 16:26:53 +02:00
frack113
c36cf428ac clean list 1 elem 2021-09-16 16:18:30 +02:00
Florian Roth
a926439b39
fix: default to (Default) 2021-09-16 11:39:45 +02:00
frack113
6e981f56df fix detection from references 2021-09-16 09:20:41 +02:00
frack113
8a847e0538
Update process_creation_possible_privilege_escalation_via_service_registry_permissions.yml 2021-09-15 19:05:31 +02:00
frack113
973e0666ac
Merge pull request #2020 from frack113/pc_global
Split some global process_creation rules
2021-09-15 19:03:30 +02:00
frack113
3b8282c221 fix detection 2021-09-15 16:21:30 +02:00
frack113
33a51df46a
Update lnx_system_info_discovery.yml 2021-09-14 21:03:46 +02:00
frack113
a6da209507
Update lnx_auditd_system_info_discovery2.yml 2021-09-14 21:02:51 +02:00
frack113
a3477893de
Update lnx_auditd_network_service_scanning.yml 2021-09-14 21:02:13 +02:00
frack113
83531bb2ff split global lnx_system_info_discovery.yml 2021-09-14 20:13:57 +02:00
frack113
38c0f83eaf split global lnx_sudo_cve_2019_14287.yml 2021-09-14 20:07:13 +02:00
frack113
87e5fc48fa split global lnx_security_tools_disabling.yml 2021-09-14 19:32:58 +02:00
frack113
ecefc6e913 add missing product 2021-09-14 19:29:49 +02:00
frack113
bc69900335 split global lnx_network_service_scanning.yml 2021-09-14 19:27:28 +02:00
frack113
30955c4884 split global lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml 2021-09-14 19:24:11 +02:00
frack113
1e4484bffb split lnx_auditd_cve_2021_3156_sudo_buffer_overflow 2021-09-14 19:22:56 +02:00
frack113
b08b3e2b0d
Merge pull request #2021 from frack113/global_registry
Split registry Global rules
2021-09-14 19:18:34 +02:00
frack113
d13af3e258
Merge pull request #2019 from frack113/normalise_name
Split 2 global rules and normalize name
2021-09-14 19:17:55 +02:00
frack113
7298225cbe
Merge pull request #2028 from zakibro/master
New Rule - Linux - Auditd - Screen Capture with xwd
2021-09-14 09:58:11 +02:00
zakibro
e47a7d9826
Update lnx_auditd_screencaputre_xwd.yml 2021-09-13 19:08:23 +02:00
Pawel Mazur
a8f9617ccd New Rule - Linux - Auditd - Screen Capture with xwd 2021-09-13 18:56:33 +02:00
Florian Roth
4118402127
Merge pull request #2027 from frack113/fix_reg_key
Fix registry TargetObject
2021-09-13 15:59:47 +02:00
Florian Roth
680cad2a52
Merge pull request #2025 from BlackB0lt/patch-18
Update win_file_winword_cve_2021_40444.yml
2021-09-13 15:58:45 +02:00
Sittikorn S
dd9921b360
Update win_file_winword_cve_2021_40444.yml
Add modified date
2021-09-13 19:41:01 +07:00
frack113
34111b3aaf
Merge pull request #2023 from austinsonger/okta
Okta Rules
2021-09-13 14:34:52 +02:00
frack113
ab5d3a9da4
Merge pull request #2024 from austinsonger/azure_new_cloudshell_created.yml
azure_new_cloudshell_created.yml
2021-09-13 14:34:11 +02:00
frack113
047ebab36b fix HKCU 2021-09-13 14:01:39 +02:00
frack113
7b6ae81b8b fix TargetObject HK 2021-09-13 13:16:16 +02:00
frack113
bd3b1323b4
fix TargetObject HKCU 2021-09-13 12:45:10 +02:00
Sittikorn S
edd5c2745e
Update win_file_winword_cve_2021_40444.yml
change TargetFilename|contains|all
2021-09-13 16:05:56 +07:00
Sittikorn S
5977596e65
Update win_file_winword_cve_2021_40444.yml 2021-09-13 16:05:22 +07:00
Sittikorn S
7386904e42
Update win_file_winword_cve_2021_40444.yml
Add new condition
2021-09-13 15:33:14 +07:00
Sittikorn S
9576663789
Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml
Edit My Teammate
2021-09-13 15:23:38 +07:00
pbssubhash
4ae1d41983 Corrected Rules - Logsource 2021-09-13 10:16:02 +05:30
Austin Songer
8e1f36ec39
Update okta_api_token_created.yml 2021-09-12 23:34:08 -05:00
frack113
e4d3d313c7
Update okta_policy_rule_modified_or_deleted.yml 2021-09-13 06:33:49 +02:00
frack113
18223a37cd
Update okta_application_sign-on_policy_modified_or_deleted.yml 2021-09-13 06:26:01 +02:00
Austin Songer
e1ef3857fb
Update and rename okta_user_account_lockout.yml to okta_user_account_locked_out.yml 2021-09-12 20:49:44 -05:00
Austin Songer
01c985b99a
Update and rename okta_user_account_mfa_bypass_attempt.yml to okta_mfa_reset_or_deactivated.yml 2021-09-12 20:40:33 -05:00
Austin Songer
1f5e2577cb
Delete okta_user_account_mfa_reset.yml 2021-09-12 20:34:37 -05:00
Austin Songer
bec7b5d3e7
Create okta_security_threat_detected.yml 2021-09-12 20:33:27 -05:00
Austin Songer
249d3198d3
Create okta_application_sign-on_policy_modified_or_deleted.yml 2021-09-12 20:27:45 -05:00
Austin Songer
f759fff453
Update okta_policy_rule_modified_or_deleted.yml 2021-09-12 20:24:12 -05:00
Austin Songer
e60fbbf4b8
Update okta_network_zone_deactivated_or_deleted.yml 2021-09-12 20:22:16 -05:00