Florian Roth
|
99ac4f1f3d
|
fix: FPs with RedMimicry rule
|
2020-07-07 10:11:58 +02:00 |
|
Florian Roth
|
5f04fcccf5
|
fix: broken links
|
2020-07-03 11:22:06 +02:00 |
|
Florian Roth
|
9c0f9f398f
|
refactor: sysmon rule cleanup > generlization
|
2020-07-01 10:58:39 +02:00 |
|
Florian Roth
|
4231fe2efc
|
fix: remove duplicate rules in sysmon (generic rule cleanup)
|
2020-07-01 10:23:30 +02:00 |
|
Florian Roth
|
154181c6c8
|
fix: renamed files and lien break change
|
2020-07-01 09:48:48 +02:00 |
|
Florian Roth
|
d70b63b78c
|
rule: RedMimicry rules (modified)
|
2020-07-01 09:17:31 +02:00 |
|
Florian Roth
|
c3ffa0b9d3
|
fix: duplicate IDs
|
2020-06-24 17:04:04 +02:00 |
|
Florian Roth
|
b675c4c706
|
Merge branch 'master' into rule-devel
|
2020-06-19 09:24:26 +02:00 |
|
Florian Roth
|
4b0c80885f
|
Merge pull request #810 from EccoTheFlintstone/fp
add WMI module load false positives
|
2020-06-18 12:50:40 +02:00 |
|
Florian Roth
|
32ecb81630
|
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2
ATT&CK subtechniques v2
|
2020-06-18 09:10:09 +02:00 |
|
Ivan Kirillov
|
b343df2225
|
Further subtechnique updates
|
2020-06-17 11:31:40 -06:00 |
|
ecco
|
99bfa14ae0
|
add 1 more FP
|
2020-06-17 12:49:27 -04:00 |
|
Florian Roth
|
0022705373
|
fix: filter not functional
since `UsrLogon.cmd` does appear only in `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
|
2020-06-17 16:09:44 +02:00 |
|
Ivan Kirillov
|
5c0bb0e94f
|
Fixed indentation
|
2020-06-16 15:01:13 -06:00 |
|
Ivan Kirillov
|
0fbfcc6ba9
|
Initial round of subtechnique updates
|
2020-06-16 14:46:08 -06:00 |
|
Florian Roth
|
869162a5da
|
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id
Rule lists extra Sysmon ID (11). Should just match registry events (1…
|
2020-06-15 20:19:27 +02:00 |
|
Florian Roth
|
3482e048fb
|
Merge pull request #841 from rtkbkish/fix-rule-match
Rule needs endwith, not exact match.
|
2020-06-15 20:19:12 +02:00 |
|
Brad Kish
|
dfae2a6df6
|
Rule needs endwith, not exact match.
Fix ImageLoaded filter to match with endswith, rather than exact match.
|
2020-06-15 13:54:02 -04:00 |
|
Brad Kish
|
a9c6fa904f
|
Rule lists extra Sysmon ID (11). Should just match registry events (12-14)
Remove extraneous event ID 11. It will never match.
|
2020-06-15 13:52:12 -04:00 |
|
Brad Kish
|
422b2bffd7
|
Fix rules with incorrect escaping of wildcars
A backslash before a wildcard needs to be escaped with another backslash.
|
2020-06-15 13:38:18 -04:00 |
|
Florian Roth
|
97c45f9d46
|
Merge pull request #812 from tliffick/master
added new rules for malware
|
2020-06-10 17:37:19 +02:00 |
|
Florian Roth
|
f553fb2e33
|
Cosmetics
|
2020-06-10 16:35:14 +02:00 |
|
Florian Roth
|
48e4e31713
|
Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll
Fax Service DLL search order hijacking detection
|
2020-06-10 16:33:12 +02:00 |
|
Florian Roth
|
1a9da23611
|
Merge pull request #825 from NVISO-BE/sysmon_office_persistence
Office persistence by addin detection
|
2020-06-10 16:32:50 +02:00 |
|
Remco Hofman
|
8adaa2d672
|
Fixed bad indentation
|
2020-06-10 15:02:41 +02:00 |
|
Remco Hofman
|
83a6e25bcb
|
Fax Service DLL search order hijacking
|
2020-06-10 15:01:07 +02:00 |
|
Remco Hofman
|
cb8e478ac1
|
Sigma rule to detect Office persistence via addin.
|
2020-06-10 14:52:13 +02:00 |
|
Florian Roth
|
5c835cf1f2
|
Merge pull request #813 from ozirus/patch-1
Create sysmon_apt_muddywater_dnstunnel.yml
|
2020-06-09 18:44:45 +02:00 |
|
Florian Roth
|
7a334a8d8a
|
fix: missed line
|
2020-06-09 17:30:54 +02:00 |
|
Florian Roth
|
04913a4b95
|
Aligned indentation
|
2020-06-09 17:20:25 +02:00 |
|
Florian Roth
|
6e349030d9
|
rule: suspicious camera and mic access
|
2020-06-08 10:18:44 +02:00 |
|
Florian Roth
|
0c2f2fe6df
|
Merge pull request #816 from Neo23x0/rule-devel
merged Cyb3rWarD0g's rules
|
2020-06-06 16:27:59 +02:00 |
|
Florian Roth
|
d3e261862d
|
merged Cyb3rWarD0g's rules
|
2020-06-06 15:42:22 +02:00 |
|
Florian Roth
|
72deaa98f5
|
Merge pull request #815 from Neo23x0/rule-devel
Rule devel
|
2020-06-06 14:19:37 +02:00 |
|
Florian Roth
|
3697186281
|
fix: fixed title
|
2020-06-06 14:04:40 +02:00 |
|
Florian Roth
|
246a95557b
|
fix: description over multiple lines
|
2020-06-06 13:56:48 +02:00 |
|
Florian Roth
|
d54209dcc5
|
rule: ETW disabled
|
2020-06-06 13:56:19 +02:00 |
|
Furkan ÇALIŞKAN
|
082696ee84
|
Added UUID
|
2020-06-04 18:38:42 +03:00 |
|
Furkan ÇALIŞKAN
|
e958a6a939
|
Date added
|
2020-06-04 18:34:44 +03:00 |
|
Furkan ÇALIŞKAN
|
5e373153eb
|
Title fix
|
2020-06-04 18:28:37 +03:00 |
|
Furkan ÇALIŞKAN
|
0744107fbb
|
Deleted EventID part
|
2020-06-04 18:19:08 +03:00 |
|
Furkan ÇALIŞKAN
|
1c677aa172
|
Fix title as in guideline
Fix title error as in guideline and other cosmetic changes
|
2020-06-04 18:13:32 +03:00 |
|
Furkan ÇALIŞKAN
|
bafd6bde5f
|
Convert to process_creation
Convert to process_creation
|
2020-06-04 14:45:10 +03:00 |
|
Furkan ÇALIŞKAN
|
09afae1e66
|
Create sysmon_apt_muddywater_dnstunnel.yml
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
|
2020-06-04 14:27:19 +03:00 |
|
Trent Liffick
|
3c89f46899
|
removed unwanted file
|
2020-06-03 17:43:12 -04:00 |
|
Trent Liffick
|
2af501c9f5
|
added rule for zLoader & Office
detects changes to Office macro settings & ZLoader malware
|
2020-06-03 17:40:05 -04:00 |
|
William Bruneau
|
84dd8c39c4
|
Move null values out from list in rules
|
2020-06-03 13:57:22 +02:00 |
|
Sven Scharmentke
|
4ed512011a
|
All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
|
2020-06-03 09:00:59 +02:00 |
|
ecco
|
b1c11cc345
|
add WMI module load false positive
|
2020-06-01 03:30:27 -04:00 |
|
Florian Roth
|
e20b58c421
|
Merge pull request #806 from SanWieb/sysmon_creation_system_file
Fixed wrong field & Improve rule
|
2020-05-29 17:32:27 +02:00 |
|