Commit Graph

2825 Commits

Author SHA1 Message Date
vitaliy0x1
5aa75a90fd added aws_root_account_usage.yml 2020-01-21 15:07:32 +02:00
vitaliy0x1
0d6642abd6 added aws_config_disable_recording.yml 2020-01-21 15:07:10 +02:00
vitaliy0x1
17c00d8a11 added aws_cloudtrail_disable_logging.yml 2020-01-21 15:06:44 +02:00
Vitaliy
ffcc2dc049
Merge pull request #1 from Neo23x0/master (fetch upstream)
fetch upstream
2020-01-20 14:18:48 +02:00
Thomas Patzke
5f1e933b93
Merge pull request #588 from timbMSFT/timb
Sigma queries - defense evasion by tampering with svchost; recently released GALLIUM activity group IOCs
2020-01-20 10:06:06 +01:00
Thomas Patzke
9bb50f3d60 OSCD QA wave 2
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
Florian Roth
e9012d57f7
Merge pull request #596 from 2d4d/master
complete_cve_2019-19781
2020-01-16 12:46:25 +01:00
2d4d
e35ebcc185 complete_cve_2019-19781 2020-01-15 21:59:33 +01:00
Florian Roth
41c4a499b4 rule: added a reference 2020-01-15 21:27:40 +01:00
Florian Roth
6db20d4bad rule: windows audit cve 2020-01-15 21:23:32 +01:00
Florian Roth
5ef64e4e99 rule: changes at Shitrix rule 2020-01-13 20:15:08 +01:00
Florian Roth
a0bad54dbd
Merge pull request #592 from 2d4d/fix_web_citrix_cve_2019_19781_exploit.yml
add newbm.pl
2020-01-13 14:48:38 +01:00
Thomas Patzke
7216fe400f Merge branch 'ala-rule' 2020-01-13 13:49:53 +01:00
Thomas Patzke
d95a2606f0 Merge branch 'socprime-master' into ala-rule 2020-01-13 13:48:19 +01:00
Thomas Patzke
638d461b16 Added ala-rule backend to CI testing 2020-01-13 13:47:11 +01:00
Thomas Patzke
7b62b931ce Moved ala-rule backend code into ala backend module 2020-01-13 11:24:46 +01:00
Florian Roth
e89b4b1c1f
Merge pull request #595 from sbousseaden/patch-1
Update win_lm_namedpipe.yml
2020-01-13 11:21:24 +01:00
Thomas Patzke
de690cbfbf Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-01-13 11:19:39 +01:00
sbousseaden
b60671397d
Update win_lm_namedpipe.yml 2020-01-13 10:50:35 +01:00
Florian Roth
ba7c634f1a
More changes 2020-01-13 09:59:14 +01:00
Florian Roth
7bd820c151
Changes 2020-01-13 09:56:49 +01:00
Florian Roth
53d76a69c1
Merge pull request #593 from neu5ron/updates_to_sigma_master
HELK SIGMAC fix name of network_initiated
2020-01-13 09:51:13 +01:00
sreemanshanker
8833b43cea
Merge pull request #1 from sreemanshanker/sreemanshanker-patch-1
Add files via upload
2020-01-13 13:21:29 +08:00
sreemanshanker
ffcfcb70ad
Add files via upload 2020-01-13 13:21:06 +08:00
neu5ron
d8b703462d fix name of network_initiated 2020-01-13 00:12:04 -05:00
2d4d
364e859a6b add newbm.pl 2020-01-12 00:29:10 +01:00
Thomas Patzke
ae6fcefbcd Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Thomas Patzke
b34bf98c61 Fixed rule: added condition 2020-01-07 15:20:16 +01:00
Florian Roth
a29c832b6a rule: updated netscaler rule 2020-01-07 14:42:16 +01:00
Florian Roth
c9a75a8371 fix: shortened path in Citrix Netscaler rule 2020-01-07 13:00:28 +01:00
Florian Roth
48f5f480fd fix: SCCM false positives with whoami.exe rule 2020-01-07 12:13:47 +01:00
Florian Roth
b03a43ca1b
Merge pull request #589 from 2d4d/add_cve_2019-19781
add rule for Citrix Netscaler CVE-2019-19781
2020-01-06 14:15:46 +01:00
2d4d
35fbdd1248 add rule for Citrix Netscaler CVE-2019-19781 2020-01-03 01:48:29 +01:00
2d4d
b98e57603e add rule for Citrix Netscaler CVE-2019-19781 2020-01-03 00:34:52 +01:00
Tim Burrell (MSTIC)
9bd0402681 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-02 20:05:28 +00:00
Tim Burrell (MSTIC)
5051334e85 Sigma queries for
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
2020-01-02 14:47:55 +00:00
Florian Roth
fd28a64591 rule: WCE 2019-12-31 09:27:38 +01:00
Florian Roth
ed5c77e1be
Merge pull request #587 from refractionPOINT/internal-name
Adding LimaCharlie support for OriginalFileName field.
2019-12-31 08:32:51 +01:00
Maxime Lamothe-Brassard
a3ad7cb1c5 Fixed actual event tag 2019-12-30 18:15:12 -08:00
Maxime Lamothe-Brassard
9b32086d92 Mapping OriginalFileName to event/INTERNAL_NAME now that it's available. 2019-12-30 15:58:18 -08:00
SOC Prime
92bc96a308
Update ala-rule.py 2019-12-30 16:26:30 +02:00
SOC Prime
f015c97dff
Update ala-rule.py 2019-12-30 16:13:27 +02:00
vh
d42409372c Azure Sentinel backend (ala) - Fixed path in query
Added new backend Azure Sentinel Rule (ala-rule)
2019-12-30 16:09:19 +02:00
Florian Roth
c007ecf90c
Merge pull request #585 from Neo23x0/devel
Devel
2019-12-30 15:08:43 +01:00
SOC Prime
9c18f20e7b
Merge pull request #3 from Neo23x0/master
latest sigmac
2019-12-30 16:02:46 +02:00
Florian Roth
5980cb8d0c rule: copy from admin share - lateral movement 2019-12-30 14:25:43 +01:00
Florian Roth
86e6b92903 rule: SecurityXploded tool 2019-12-30 14:25:29 +01:00
Florian Roth
5ad793e04a
Merge pull request #582 from tvjust/patch-1
Added new sticky key attack binary
2019-12-30 14:14:20 +01:00
Florian Roth
948af2993b
Merge pull request #583 from msec1203/msec1203-submit-rule1
MS Office Doc Load WMI DLL Rule
2019-12-30 14:13:58 +01:00