Florian Roth
a0625ad074
Merge branch 'master' into rule-devel
2021-08-17 12:29:55 +02:00
Florian Roth
9684c4e55f
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-08-17 12:03:54 +02:00
Florian Roth
80b3acfce9
fix: false positive with Xen / Oracle scripts
2021-08-17 12:03:49 +02:00
frack113
63733a623e
Merge pull request #1861 from austinsonger/aws_eks_cluster_modified_or_deleted.yml
...
aws_eks_cluster_created_or_deleted.yml
2021-08-17 06:25:18 +02:00
frack113
2521ae2ed1
Merge pull request #1859 from austinsonger/gcp_vpn_tunnel_modified_or_deleted.yml
...
gcp_vpn_tunnel_modified_or_deleted.yml
2021-08-17 06:24:49 +02:00
frack113
accb675ed5
fix error space
2021-08-16 20:36:55 +02:00
Austin Songer
80062ff5cd
Update aws_eks_cluster_created_or_deleted.yml
2021-08-16 12:42:14 -05:00
Austin Songer
cfb863a98e
Update aws_eks_cluster_created_or_deleted.yml
2021-08-16 11:52:22 -05:00
frack113
dfd9e6d8f0
Merge pull request #1857 from frack113/fix_HostApplication
...
Update definition for powershell-classic rule
2021-08-16 17:18:24 +02:00
frack113
eb406ba36f
Merge pull request #1844 from frack113/cleanup
...
Add more compliance test
2021-08-16 17:17:25 +02:00
Austin Songer
ed507b82f4
Update and rename aws_eks_cluster_modified_or_deleted.yml to aws_eks_cluster_created_or_deleted.yml
2021-08-16 09:58:48 -05:00
Austin Songer
c7831a3d70
Update gcp_vpn_tunnel_modified_or_deleted.yml
2021-08-16 09:45:31 -05:00
Florian Roth
d2790f2450
fix: missing "|all" modifier
2021-08-16 16:14:48 +02:00
frack113
e1b99db149
fix duplicate uuid
2021-08-16 15:50:14 +02:00
Florian Roth
669308a37a
Merge pull request #1855 from frack113/coti_sqlcmd
...
Rule to detect Coti sqlcmd
2021-08-16 14:27:24 +02:00
Florian Roth
141ca03c9b
Merge pull request #1853 from secDre4mer/contileak
...
feat: Add some rules to detect Conti behaviour
2021-08-16 14:18:43 +02:00
Florian Roth
3028eb68b6
refactoring: procdump rules
2021-08-16 13:55:00 +02:00
frack113
911579023c
fix powershell_alternate_powershell_hosts.yml
2021-08-16 13:30:45 +02:00
frack113
2dbf9af27d
add definition to powershell-classic
2021-08-16 12:56:24 +02:00
frack113
fda11e3608
fix very bad cut and paste
2021-08-16 11:22:50 +02:00
frack113
a861f55e5c
fix title
2021-08-16 11:15:32 +02:00
frack113
a70607bce7
add process_creation_coti_sqlcmd.yml
2021-08-16 11:08:19 +02:00
Florian Roth
79bc89b344
rule: av hacktool events
2021-08-16 10:57:03 +02:00
Florian Roth
f8bedfa759
docs: added link to leak file on VT
2021-08-16 10:12:35 +02:00
frack113
dc9bb22a00
fix duplicate id
2021-08-16 09:29:22 +02:00
Max Altgelt
78e2c0da92
fix: Clean up duplicated ID
2021-08-16 09:26:45 +02:00
frack113
fb80b35141
fix condition
2021-08-16 09:21:38 +02:00
frack113
5b09dff1fb
cleanup win_malware_conti_shadowcopy.yml
2021-08-16 09:21:04 +02:00
frack113
ed424c55c8
fix selection
2021-08-16 09:20:25 +02:00
frack113
26d632bf05
fix condition
2021-08-16 09:19:46 +02:00
frack113
e8723e892a
clean-up powershell_invoke_nightmare.yml
2021-08-16 09:19:10 +02:00
frack113
f69868b5aa
Merge pull request #1834 from secDre4mer/master
...
Correct incorrect message / keyword usage
2021-08-16 09:16:33 +02:00
Max Altgelt
5b60e0ea5a
feat: Add some rules to detect Conti behaviour
...
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
2021-08-16 09:13:51 +02:00
Max Altgelt
d2a35edae9
fix: Remove powershell_alternate_hosts from PR
...
Remove a rule using Host Application (which may or may not exist,
based on the log parser) from the PR. A future PR will clean up
rules using Host Application.
2021-08-16 08:42:17 +02:00
frack113
c57ded1ecd
Merge pull request #1852 from austinsonger/gcp_dns_zone_modified_or_deleted.yml
...
gcp_dns_zone_modified_or_deleted.yml
2021-08-16 07:37:28 +02:00
frack113
d710818eb2
Merge pull request #1851 from austinsonger/gcp_dlp_re-identifies_sensitive_information.yml
...
gcp_dlp_re-identifies_sensitive_information.yml
2021-08-16 07:37:02 +02:00
frack113
0973c51ef5
Merge pull request #1850 from austinsonger/aws_efs_fileshare_modified_or_deleted.yml
...
aws_efs_fileshare_modified_or_deleted.yml
2021-08-16 07:36:43 +02:00
frack113
20fd75e18e
Merge pull request #1849 from austinsonger/aws_efs_fileshare_mount_modified_or_deleted.yml
...
aws_efs_fileshare_mount_modified_or_deleted.yml
2021-08-16 07:36:24 +02:00
frack113
37b8040e76
cleanup gcp_dlp_re-identifies_sensitive_information
...
Remove list with only 1 value
2021-08-16 06:28:40 +02:00
Austin Songer
ae12f1f328
Update gcp_dlp_re-identifies_sensitive_information.yml
2021-08-15 22:57:54 -05:00
Austin Songer
2524adc6ca
Update aws_efs_fileshare_mount_modified_or_deleted.yml
2021-08-15 22:54:11 -05:00
Austin Songer
fb117d5714
Update aws_efs_fileshare_mount_modified_or_deleted.yml
2021-08-15 22:52:53 -05:00
Austin Songer
5a22d07392
Update aws_efs_fileshare_modified_or_deleted.yml
2021-08-15 22:52:41 -05:00
Austin Songer
ebf2b7a313
Update aws_efs_fileshare_modified_or_deleted.yml
2021-08-15 22:49:01 -05:00
Austin Songer
85dc62070b
Update gcp_dlp_re-identifies_sensitive_information.yml
2021-08-15 16:02:12 -05:00
Austin Songer
219be99847
Update gcp_dns_zone_modified_or_deleted.yml
2021-08-15 16:02:04 -05:00
Austin Songer
e4314aa4b8
Update gcp_dns_zone_modified_or_deleted.yml
2021-08-15 16:01:10 -05:00
Austin Songer
3c770c6e4d
Update gcp_dlp_re-identifies_sensitive_information.yml
2021-08-15 15:55:46 -05:00
Austin Songer
a37ec60f76
Update gcp_dlp_re-identifies_sensitive_information.yml
2021-08-15 15:44:20 -05:00
Austin Songer
dae3d3b446
Update gcp_dlp_re-identifies_sensitive_information.yml
2021-08-15 15:42:15 -05:00