Florian Roth
dd857c4470
Cosmetics
...
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
2018-07-25 07:37:17 +02:00
Florian Roth
cf7f5c7473
Changes
...
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right?
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
2018-07-25 07:35:59 +02:00
yt0ng
b415fc8d42
Possible SafetyKatz Dump of debug.bin
...
https://github.com/GhostPack/SafetyKatz
2018-07-24 23:51:46 +02:00
Lurkkeli
db82322d17
Update powershell_NTFS_Alternate_Data_Streams
2018-07-24 20:03:07 +02:00
Lurkkeli
0e9c5bb14a
Update sysmon_rundll32_net_connections.yml
2018-07-24 20:01:47 +02:00
Lurkkeli
fd8c5c5bf6
Update powershell_NTFS_Alternate_Data_Streams
2018-07-24 20:00:21 +02:00
Lurkkeli
ad580635ea
Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 19:49:08 +02:00
Thomas Patzke
afe8bd6a57
Merge pull request #129 from nbareil/patch-1
...
use yaml.safe_load()
2018-07-24 11:22:24 +02:00
Nicolas Bareil
6728a5ccaa
use yaml.safe_load()
2018-07-24 11:14:01 +02:00
Thomas Patzke
0fa914139c
Merge pull request #128 from ntim/master
...
Tagged windows powershell, other and malware rules.
2018-07-24 11:05:50 +02:00
ntim
c99dc9f643
Tagged windows powershell, other and malware rules.
2018-07-24 10:56:41 +02:00
Thomas Patzke
bfc7012043
Merge pull request #127 from dspautz/master
...
Add tags to windows builtin rules
2018-07-24 08:24:39 +02:00
Thomas Patzke
0d8bc922a3
Merge branch 'master' into master
2018-07-24 08:23:37 +02:00
Thomas Patzke
1601b00862
Merge pull request #125 from james0d0a/attack_tags
...
windows builtin mitre attack tags
2018-07-24 08:18:47 +02:00
Thomas Patzke
01e7675e24
Merge pull request #124 from samsson/patch-1
...
ATT&CK tagging
2018-07-24 07:58:50 +02:00
Thomas Patzke
30d255ab6f
Fixed tag
2018-07-24 07:58:25 +02:00
Thomas Patzke
baaf8006bc
Merge pull request #123 from yt0ng/sysmon
...
added additional binaries and attack tactics/techniques
2018-07-24 07:57:30 +02:00
Thomas Patzke
ee330bf7fb
Merge pull request #121 from sekuryti/sekuryti-CVE-2018-2894--rule-changes
...
Update web_cve_2018_2894_weblogic_exploit.yml
2018-07-24 07:56:53 +02:00
David Spautz
e275d44462
Add tags to windows builtin rules
2018-07-24 07:50:32 +02:00
James Dickenson
c4edc26267
windows builtin mitre attack tags
2018-07-23 21:34:20 -07:00
Thomas Patzke
1abb13c5d9
Split parser - Copy condition
2018-07-24 00:13:37 +02:00
Thomas Patzke
a8501cb446
Split parser - Copy exceptions
2018-07-24 00:08:23 +02:00
Thomas Patzke
983ee6eeb9
Splitting parser - copying collections
2018-07-24 00:06:02 +02:00
Thomas Patzke
54f5870658
Removed debugging code
2018-07-24 00:04:24 +02:00
Thomas Patzke
b76fa884ec
Changed copyright notices accordingly
2018-07-24 00:01:16 +02:00
Lurkkeli
1898157df5
ATT&CK tagging
...
Added tag for technique t1015
2018-07-23 23:57:15 +02:00
yt0ng
16160dfc80
added additional binaries and attack tactics/techniques
2018-07-23 15:47:56 +02:00
Florian Roth
1134051fba
Update web_cve_2018_2894_weblogic_exploit.yml
...
Ah, we could do it this way *.js*
2018-07-23 06:19:25 -06:00
Florian Roth
03a64cca74
Update web_cve_2018_2894_weblogic_exploit.yml
...
We try to avoid false positives
2018-07-23 06:18:38 -06:00
MATTHEW CARR
dfb77e936d
Update web_cve_2018_2894_weblogic_exploit.yml
...
To detect all possible extensions .jspx, .jsw, .jsv, and .jspf
2018-07-23 07:41:47 +02:00
Florian Roth
0f1b440b91
Rule: widened the CVE-2018-2894 WebLogic rule
...
https://twitter.com/lo_security/status/1021148314308358144
2018-07-22 20:36:10 -06:00
Florian Roth
ffb0cf5ed5
Rule: CVE-2018-2894 Oracle WebLogic exploit and webshell drop
2018-07-22 15:09:45 -06:00
Florian Roth
5f48fa64ff
Merge pull request #120 from suleymanozarslan/master
...
Further ATT&CK tagging
2018-07-22 12:11:31 -06:00
Suleyman Ozarslan
e6cbc17c12
ATT&CK tagging of Scheduled Task Creation
2018-07-22 15:56:47 +03:00
Suleyman Ozarslan
8d9b12be07
ATT&CK tagging of Default PowerSploit Schtasks Persistence
2018-07-22 15:53:56 +03:00
Süleyman Özarslan
28705b3790
Merge pull request #2 from Neo23x0/master
...
merge
2018-07-22 15:47:36 +03:00
Thomas Patzke
fbde251ebc
Added missing exception import in ES backend
2018-07-22 09:26:25 +02:00
Thomas Patzke
91e6b8ca6b
Merging refactoring changes into master
2018-07-22 09:23:07 +02:00
Thomas Patzke
cf175d7b7e
Removal from sigma.backends.qradar
2018-07-22 09:14:50 +02:00
Thomas Patzke
097660c678
Splitting backends - Copy qradar.py
2018-07-22 09:12:29 +02:00
Thomas Patzke
c8e21b3f24
Fixing after split
...
* Fixing imports
* Discovery in new sub modules
2018-07-21 01:09:02 +02:00
Thomas Patzke
b85aec6157
Merging backend split branches
2018-07-21 00:59:50 +02:00
Thomas Patzke
3e2184ac61
Removal from sigma.backends.elasticsearch
2018-07-21 00:37:36 +02:00
Thomas Patzke
408a961e59
Merge pull request #119 from suleymanozarslan/master
...
Further ATT&CK tagging
2018-07-20 09:06:20 +02:00
Suleyman Ozarslan
080892b5ab
ATT&CK tagging of MSHTA Spawning Windows Shell
2018-07-20 09:53:55 +03:00
Suleyman Ozarslan
76f277d5fe
ATT&CK tagging of Malicious Named Pipe rule
2018-07-20 09:41:54 +03:00
Suleyman Ozarslan
7e74527344
ATT&CK software tag is added to Bitsadmin Download rule
2018-07-20 09:35:35 +03:00
Süleyman Özarslan
9f607a7c43
Merge pull request #1 from Neo23x0/master
...
mere forks
2018-07-20 09:33:37 +03:00
Florian Roth
1e61adfad1
rule: Changed Registry persistence Explorer RUN key rule
2018-07-19 16:27:19 -06:00
Florian Roth
83d6f12ce3
rule: Registry persistence in Explorer RUN key pointing to suspicious folder
2018-07-19 16:27:19 -06:00