a5fe7af25f  Florian Roth  2021-05-26 18:05:38 +02:00
    Cobalt Strike Service Installation

1b32a5c0f3  Jonhnathan  2021-05-22 00:59:54 -03:00
    Update Threat Hunter Playbook Reference

93087d2130  Jonhnathan  2021-05-22 00:59:35 -03:00
    Update Threat Hunter Playbook Reference

d3afed53ac  Jonhnathan  2021-05-22 00:59:04 -03:00
    Update Threat Hunter Playbook Reference

7007287832  Jonhnathan  2021-05-22 00:58:23 -03:00
    Update Threat Hunter Playbook Reference

2e139b4264  Jonhnathan  2021-05-22 00:57:25 -03:00
    Update win_protected_storage_service_access.yml

085218b25a  Jonhnathan  2021-05-22 00:57:01 -03:00
    Update Threat Hunter Playbook Reference

3fb5f1c47e  Jonhnathan  2021-05-22 00:56:32 -03:00
    Update Threat Hunter Playbook Reference

943e2c8c88  Jonhnathan  2021-05-22 00:56:03 -03:00
    Update Threat Hunter Playbook Reference

9765fcbd0c  Jonhnathan  2021-05-22 00:55:29 -03:00
    Update Threat Hunter Playbook Reference

e23147111b  Jonhnathan  2021-05-22 00:54:57 -03:00
    Update Threat Hunter Playbook Reference

a0efd7a4dc  Florian Roth  2021-05-21 10:35:18 +02:00
    Merge pull request #1494 from Karneades/patch-1
    Add keyword WinRM to remote powershell rules

d8ec5fa6af  Andreas Hunkeler  2021-05-21 09:28:45 +02:00
    Add modified field in WinRM rule

a30391f3b4  Florian Roth  2021-05-20 17:43:29 +02:00
    Merge pull request #1495 from SigmaHQ/rule-devel
    rule refactoring: Cobalt Strike service start

b46f65965d  Andreas Hunkeler  2021-05-20 17:02:17 +02:00
    Add keyword WinRM to remote powershell network rule

ebac8a098f  Florian Roth  2021-05-20 10:05:12 +02:00
    rule refactoring: Cobalt Strike service start

cccfb3e59e  frack113  2021-05-12 09:05:52 +02:00
    file_event is a category

7d7f8c90ec  Florian Roth  2021-05-11 15:00:20 +02:00
    Merge pull request #1443 from icthieves/patch-3
    Update win_scm_database_privileged_operation.yml

980ea97217  Florian Roth  2021-05-11 15:00:09 +02:00
    Merge pull request #1444 from icthieves/patch-2
    Update win_scm_database_handle_failure.yml

384f40aa5b  Florian Roth  2021-05-06 18:15:53 +02:00
    Merge pull request #1464 from d4rk-d4nph3/master
    Added rule for Moriya rootkit

453fa0f299  Florian Roth  2021-05-06 15:24:21 +02:00
    Update win_moriya_rootkit.yml

79c11a5cba  Florian Roth  2021-05-06 14:59:28 +02:00
    Update win_moriya_rootkit.yml

e5f95cac0c  Bhabesh Rai  2021-05-06 17:29:20 +05:45
    Added rule for Moriya rootkit

254a3bb122  phantinuss  2021-05-05 15:12:07 +02:00
    new rules detecting the creation of a local hidden user

65294d97c4  Ian Thieves  2021-04-26 11:28:16 -07:00
    Update win_scm_database_handle_failure.yml
    Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43
    Query should match where SubjectLogonID != "0x3e4"

8efa10465e  Ian Thieves  2021-04-26 11:25:16 -07:00
    Update win_scm_database_privileged_operation.yml
    Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43
    Query should match where SubjectLogonID != "0x3e4"
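
The two commits above (65294d97c4 and 8efa10465e) turn the SubjectLogonId test in the SCM database rules from a value the event must carry into a value the event must not carry. The worked example below is added here as an illustration and is not code from the SigmaHQ rules or from the ThreatHunter-Playbook; it reduces Sigma's "selection and not filter" semantics to a few lines of Python and runs a pre-fix and a post-fix version of the rule over constructed events. Everything beyond SubjectLogonId is an assumption for the example: that the pre-fix rule carried 0x3e4 inside its selection, the event ID 4656 and the ObjectName test used as the selection, and all sample event values. 0x3e4 is the fixed logon ID of the NETWORK SERVICE session on Windows, which is why excluding it removes routine service-control noise rather than the interesting access.

```python
"""Added example: SCM database access rule before and after the SubjectLogonId fix.

Not the SigmaHQ project's code. Field tests other than SubjectLogonId and all
sample events are assumptions constructed for this example.
"""

# 0x3e4 is the well-known logon ID of the NETWORK SERVICE session
# (0x3e5 is LOCAL SERVICE, 0x3e7 is SYSTEM).
NETWORK_SERVICE_LOGON_ID = "0x3e4"

# Assumed pre-fix shape: the logon ID sits in the selection, so the rule can
# only ever fire on NETWORK SERVICE activity and misses every other principal.
RULE_BEFORE = {
    "selection": {
        "EventID": 4656,                      # assumption: handle-request event
        "ObjectName|contains": "servicesactive",
        "SubjectLogonId": NETWORK_SERVICE_LOGON_ID,
    },
    "condition": "selection",
}

# Post-fix shape described by the commit message: match where
# SubjectLogonId != "0x3e4", i.e. the logon ID becomes an exclusion filter.
RULE_AFTER = {
    "selection": {
        "EventID": 4656,
        "ObjectName|contains": "servicesactive",
    },
    "filter": {"SubjectLogonId": NETWORK_SERVICE_LOGON_ID},
    "condition": "selection and not filter",
}


def _field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one Sigma-style field test (only the 'contains' modifier is
    implemented here; comparisons are case-insensitive, as in Sigma)."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    if modifier == "contains":
        return str(expected).lower() in str(value).lower()
    return str(value).lower() == str(expected).lower()


def _block_matches(event: dict, block: dict) -> bool:
    """All field tests inside one selection/filter block must hold."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate the two condition forms used by the example rules."""
    sel = _block_matches(event, rule["selection"])
    if rule["condition"] == "selection":
        return sel
    if rule["condition"] == "selection and not filter":
        return sel and not _block_matches(event, rule["filter"])
    raise ValueError("unsupported condition: " + rule["condition"])


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"id": "routine", "EventID": 4656, "ObjectServer": "SC Manager",
     "ObjectName": "ServicesActive", "SubjectUserName": "NETWORK SERVICE",
     "SubjectLogonId": "0x3e4"},
    {"id": "suspicious", "EventID": 4656, "ObjectServer": "SC Manager",
     "ObjectName": "ServicesActive", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x5a1c3"},
    {"id": "unrelated", "EventID": 4656, "ObjectServer": "Security",
     "ObjectName": "C:\\Windows\\Temp\\notes.txt", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x5a1c3"},
]


def matching_ids(rule: dict, events: list) -> list:
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    # The pre-fix rule fires only on the routine NETWORK SERVICE event and
    # misses the interactive user; the post-fix rule does the opposite.
    print("before:", matching_ids(RULE_BEFORE, SAMPLE_EVENTS))
    print("after: ", matching_ids(RULE_AFTER, SAMPLE_EVENTS))
```

The same inversion applies to any Sigma rule where a "known good" value is listed under `selection` instead of a `filter` block; the rule then alerts only on the noise it was meant to suppress.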

c7ce9154d1  Florian Roth  2021-04-23 16:52:25 +02:00
    Merge pull request #1030 from stevengoossensB/master
    Updated sysmon config and rewrite rules to use categories

dfc1218e6a  Josh Brower  2021-04-20 08:24:38 -04:00
    false positive - added Azure AD Connect

2486a85a1f  Josh Brower  2021-04-19 08:15:42 -04:00
    Added MS Threat Docs for 4616 to references

7039209a7a  Florian Roth  2021-04-19 11:32:02 +02:00
    Merge pull request #1425 from SigmaHQ/rule-devel
    refactor: tightened filter

53c6a7c54e  Florian Roth  2021-04-19 09:30:32 +02:00
    refactor: tightened filter

941d47bc28  Florian Roth  2021-04-15 13:20:49 +02:00
    Merge pull request #1416 from sycophantic/master
    Remove extra spaces

a8d8165541  Steven  2021-04-15 09:25:04 +02:00
    Yet another syntax fix

9f5e8a02a4  Steven  2021-04-15 02:46:41 +02:00
    Fix parse errors

8301b9c221  Steven  2021-04-15 02:41:04 +02:00
    Fix selection vs selection_1 in rule files

ecbd730dad  Steven  2021-04-15 02:07:43 +02:00
    Fix syntax errors in some rules

d263b937b4  Steven  2021-04-15 02:02:25 +02:00
    Clean-up service: sysmon as it will be replaced by filling the category

850a002840  Steven  2021-04-15 01:25:48 +02:00
    Merge branch 'master' of https://github.com/SigmaHQ/sigma

db0e969121  Roberto Rodriguez  2021-04-12 16:26:15 -04:00
    HybridConnectionMgr Service Activity

4abebd98d9  Florian Roth  2021-04-09 17:26:02 +02:00
    Merge pull request #1418 from SigmaHQ/rule-devel
    Fixing false positives with newest OSCD rules

65a11dde52  Florian Roth  2021-04-09 15:55:14 +02:00
    fix: rules causing too many false positives

3fef2a10b8  Thomas Patzke  2021-04-08 23:01:54 +02:00
    Merge branch 'pr-1158'

86b9652086  sycophantic  2021-04-08 13:57:21 -04:00
    Remove extra spaces

a10db2df89  Thomas Patzke  2021-04-08 01:06:40 +02:00
    Fixes & improvements

d1de168295  Thomas Patzke  2021-04-06 00:05:35 +02:00
    Merge branch 'oscd'

48265ad71a  Florian Roth  2021-03-20 17:21:31 +01:00
    Merge pull request #1398 from SigmaHQ/rule-devel
    MSExchange Management log mapping, some fixes

525f4b6a6b  Florian Roth  2021-03-20 08:53:04 +01:00
    Merge pull request #1388 from Cyb3rPandaH/master
    CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property

334dd9a058  Florian Roth  2021-03-20 08:34:02 +01:00
    Update win_set_oabvirtualdirectory_externalurl.yml

dd4a1ac393  Florian Roth  2021-03-18 16:44:49 +01:00
    fix: prone to FPs - use is unclear
    https://regex101.com/r/tss5TZ/1

d30e87d543  Florian Roth  2021-03-18 09:04:03 +01:00
    fix: lsass access - FPs with AV / EDR software