4036 Commits

Author	SHA1	Message	Date
phantinuss	994701bd8e	CobaltStrike injected AMSI bypass	2021-08-04 11:28:58 +02:00
phantinuss	9833cc34e5	direct syscall to NtOpenProcess	2021-07-28 15:14:30 +02:00
Florian Roth	ee85fdfa3f	Merge pull request #1749 from SigmaHQ/rule-devel ... CobaltStrike Process Patterns and minor fixes	2021-07-27 12:52:22 +02:00
Florian Roth	5d039dd138	rule: Cobalt Strike patterns	2021-07-27 11:24:40 +02:00
Florian Roth	90ca1a8ad2	fix: bug in author field (cannot be a list)	2021-07-27 10:14:53 +02:00
Florian Roth	1a538371c9	fix: bug in author field (not list)	2021-07-27 10:14:03 +02:00
Florian Roth	9f27ab5426	Merge pull request #1738 from JohnLaTwC/patch-4 ... cover evasions from unicode substitutions	2021-07-27 08:05:48 +02:00
Florian Roth	e49f4c86b6	Merge pull request #1726 from austinsonger/aws_route_53_domain_transferred_to_another_account.yml ... Aws route 53 domain transferred to another account.yml	2021-07-27 08:02:27 +02:00
Florian Roth	21c4d241a1	HiveNightmare and Relay attack tools adjustments	2021-07-26 10:59:35 +02:00
John Lambert	2b57f95e72	Update win_grabbing_sensitive_hives_via_reg.yml	2021-07-24 18:17:27 -05:00
John Lambert	da6e747547	cover evasions from unicode substitutions ... Add variations to cover unicode substitutions to avoid evasion. > Unicode contains a range for Spacing Modifier Letters (0x02B0 - 0x02FF) [4], which includes characters such as ˪, ˣ and ˢ. Some command-line parsers recognise these as letters and convert them back to l, x and s respectively. See (https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation) by @Wietze	2021-07-24 10:33:15 -05:00
Florian Roth	7cacc57313	Merge pull request #1733 from SigmaHQ/rule-devel ... New hive file pattern for C# version of HiveNightmare	2021-07-24 16:41:51 +02:00
Florian Roth	9771943116	refactor: new file pattern SeriousSAM	2021-07-24 16:13:36 +02:00
Florian Roth	ae80f747ae	fix: adding experimental status	2021-07-24 12:34:33 +02:00
Florian Roth	a090feecf5	Merge pull request #1732 from SigmaHQ/rule-devel ... Relay attack tools and impacket binaries	2021-07-24 12:33:48 +02:00
Florian Roth	c0bc51e849	Merge pull request #1731 from frack113/more_check ... Update test_rules.py	2021-07-24 11:10:00 +02:00
Florian Roth	3eb37c014c	rule: Impacket tools and Relay attack tools	2021-07-24 11:08:35 +02:00
Florian Roth	07223baaeb	fix: typo in date value	2021-07-24 10:22:07 +02:00
frack113	ffcd3a2112	Add test_optional_related test_optional_fields test_optional_falsepositives	2021-07-24 09:41:04 +02:00
Florian Roth	772cf4f5e4	Merge pull request #1730 from SigmaHQ/rule-devel ... fix: avoid false positives with MSF psexec rule	2021-07-23 19:49:45 +02:00
Florian Roth	880a87ce91	fix: avoid false positives with MSF psexec rule	2021-07-23 18:33:38 +02:00
Florian Roth	7ede42f78d	Merge pull request #1729 from SigmaHQ/rule-devel ... add additional filename pattern to HiveNightmare rule	2021-07-23 10:40:33 +02:00
Florian Roth	c0138d5ced	add additional filename pattern to HiveNightmare rule	2021-07-23 10:39:41 +02:00
Florian Roth	fa344987c0	Merge pull request #1703 from hieuttmmo/master ... Suspicious behaviours related to SOURGUM	2021-07-23 10:32:25 +02:00
Florian Roth	7c42a9d6cb	Merge pull request #1728 from SigmaHQ/rule-devel ... HiveNightmare file creation, other rule improvements	2021-07-23 10:21:35 +02:00
Tran Trung Hieu	77b4a37916	Update the references	2021-07-23 14:58:51 +07:00
Florian Roth	38b9e942c1	Merge pull request #1724 from austinsonger/master ... sysmon_dns_over_https_enabled.yml	2021-07-23 09:52:24 +02:00
Florian Roth	5b95ef0872	Merge pull request #1725 from frack113/add_new_test ... Add check for status and level	2021-07-23 09:51:37 +02:00
Florian Roth	cc8899ea62	Merge pull request #1717 from frack113/netcat ... [OSCD] sysmon_netcat_execution.yml T1095	2021-07-23 09:51:23 +02:00
Florian Roth	d00ca03cb6	increased level to high	2021-07-23 09:51:00 +02:00
Florian Roth	5955efa750	adjusted timestamp	2021-07-23 09:45:50 +02:00
Florian Roth	d9dc442f4e	rule: HiveNightmare	2021-07-23 09:41:00 +02:00
Austin Songer	a4b78ef4f0	Delete sysmon_dns_over_https_enabled.yml	2021-07-22 21:48:28 -05:00
Austin Songer	d7783ea9d7	Update sysmon_dns_over_https_enabled.yml	2021-07-22 12:42:53 -05:00
frack113	aff5264096	Add check for status and level	2021-07-22 19:25:51 +02:00
Austin Songer	2929f8915e	Update sysmon_dns_over_https_enabled.yml	2021-07-22 11:27:41 -05:00
Austin Songer	44630b215e	Update sysmon_dns_over_https_enabled.yml	2021-07-22 11:22:56 -05:00
Austin Songer	4ddcea0714	Update sysmon_dns_over_https_enabled.yml	2021-07-22 11:09:41 -05:00
Austin Songer	d093fea6a5	Update sysmon_dns_over_https_enabled.yml	2021-07-22 11:07:02 -05:00
Austin Songer	6e8df1e9d2	Update sysmon_dns_over_https_enabled.yml	2021-07-22 11:05:54 -05:00
Austin Songer	edf1740ec4	Update sysmon_dns_over_https_enabled.yml	2021-07-22 11:05:31 -05:00
Austin Songer	c7685e1c18	Create sysmon_dns_over_https_enabled.yml	2021-07-22 11:04:15 -05:00
Florian Roth	edfd082754	Merge pull request #1716 from frack113/elk_keyword_rule ... powershell_nishang_malicious_commandlets Elk keywords trouble	2021-07-22 15:01:13 +02:00
Florian Roth	cbc7a746d4	feat: some often used ncat command line strings	2021-07-22 15:00:50 +02:00
Florian Roth	7a8fcf4237	Merge pull request #1718 from frack113/powercat ... [OSCD] powershell_powercat.yml T1095	2021-07-22 14:53:34 +02:00
Florian Roth	132bd8fdd8	Merge pull request #1720 from frack113/redcanary_t1411_001 ... [OSCD] powershell_suspicious_mail_acces.yml T1114.001	2021-07-22 14:53:21 +02:00
Florian Roth	583cae058e	Merge pull request #1723 from phantinuss/master ... Add sysmon_status and sysmon_error category to thor logsource; logical rule fix	2021-07-22 14:53:01 +02:00
Florian Roth	9f2f6db598	Merge pull request #1721 from frack113/update_test ... Update date and modified test	2021-07-22 11:10:25 +02:00
Florian Roth	1cfb0e4689	Update win_mal_flowcloud.yml	2021-07-22 11:09:45 +02:00
phantinuss	3c85bba998	fix: according to the reference the condition should be or; it would never match otherwise anyways	2021-07-22 09:59:04 +02:00