Florian Roth
b3654947bc
rule: suspicious call by ordinal (rundll32)
2019-10-22 12:40:26 +02:00
Florian Roth
0f02f2bdfc
rule: adjusted very noisy rule on AppLocker whitelist bypass
2019-10-22 12:32:37 +02:00
Florian Roth
3bd3e724f1
Merge pull request #473 from joesecurity/patch-3
...
Update README.md
2019-10-21 13:34:41 +02:00
Florian Roth
439045a87b
Reordered projects
2019-10-21 13:34:30 +02:00
Florian Roth
4e7ad5c948
rule: added date to crypto miner rule
2019-10-21 13:24:33 +02:00
Florian Roth
e8963b2599
rule: crypto miner user agents in proxy logs
2019-10-21 13:21:50 +02:00
Joe Security
b815b15255
Update README.md
...
Added Joe Sandbox to list of supported Projects or Products.
2019-10-21 13:13:49 +02:00
Florian Roth
c8b5b91815
Merge pull request #471 from a2tf/rule_change_proxy_uri_to_url
...
rule: changed two proxy rules from uri-query to url
2019-10-21 12:52:36 +02:00
Thomas Patzke
8a545b973b
Sigmatools release 0.13
2019-10-21 11:58:26 +02:00
Florian Roth
9457f01c29
Update proxy_ios_implant.yml
2019-10-21 11:20:11 +02:00
Florian Roth
f8d8eb7948
Update proxy_chafer_malware.yml
2019-10-21 11:19:59 +02:00
Florian Roth
454ba2b576
rule: modified sudo vuln rule to be most generic
2019-10-20 14:02:10 +02:00
Florian Roth
08ff2f38bc
Revert "rule: modified sudo vuln rule to be most generic"
...
This reverts commit ef6a25d109
.
2019-10-20 14:01:14 +02:00
Florian Roth
ef6a25d109
rule: modified sudo vuln rule to be most generic
2019-10-20 10:37:05 +02:00
Florian Roth
bd93425639
Added Sumologic to list
2019-10-19 10:11:28 +02:00
a2tf
a2753ba5a6
rule: changed two proxy rules from uri-query to url
2019-10-18 14:15:39 +00:00
Thomas Patzke
fc276612b6
Added encoding modifiers
2019-10-16 23:52:06 +02:00
Thomas Patzke
522f021ef1
Merge pull request #461 from Galapag0s/patch-2
...
Added Additional history clearing options
2019-10-16 22:35:41 +02:00
Thomas Patzke
02d193c518
Merge pull request #470 from stevengoossensB/master
...
Mapping the fields in the select statement according to the configuration file
2019-10-16 22:34:28 +02:00
Florian Roth
deb3ecf404
fix: relevant fields in lsass dll load rule
2019-10-16 19:09:20 +02:00
Steven Goossens
5f7813f71e
Merge branch 'master' of https://github.com/Neo23x0/sigma
2019-10-16 16:38:59 +02:00
Steven Goossens
6a1a96a918
Implement mapping when selecting the fields for the AQL query. This was not being done correctly
2019-10-16 16:37:09 +02:00
Florian Roth
ab292a4029
rule: simplified Emotet rule
2019-10-16 15:29:42 +02:00
Florian Roth
36f678930d
rule: updated sudo vuln rule to detect 0-padding part 2
...
https://twitter.com/joshbressers/status/1184455759620378627
2019-10-16 15:10:44 +02:00
Florian Roth
5374d18e4b
rule: updated sudo vuln rule to detect 0-padding
...
https://twitter.com/taviso/status/1184238670343065600
2019-10-16 15:03:28 +02:00
Florian Roth
c396526f40
rule: LSASS DLL load via undocumented Registry key
...
https://twitter.com/SBousseaden/status/1183745981189427200
2019-10-16 13:18:44 +02:00
Florian Roth
5d143f4f22
rule: emotet rule references extended
2019-10-16 13:18:44 +02:00
Thomas Patzke
8c8ac52b57
Merge pull request #469 from stevengoossensB/master
...
Added the cleanValue function for Qradar
2019-10-16 11:24:57 +02:00
Steven Goossens
c6e0e10613
Merge branch 'master' of https://github.com/Neo23x0/sigma
2019-10-16 11:06:53 +02:00
Steven Goossens
2837d3ba74
Added the cleanValue function for Qradar
2019-10-16 10:27:24 +02:00
Florian Roth
d46154da5c
rule: extending Emotet rule
2019-10-16 10:22:48 +02:00
Florian Roth
38c19db1c5
Set theme jekyll-theme-minimal
2019-10-15 16:39:49 +02:00
Florian Roth
4ea469d138
rule: suspicious compression tool parameters
2019-10-15 16:38:53 +02:00
Florian Roth
e870c86fb0
rule: keyboad layout preloads extended with '
2019-10-15 15:11:00 +02:00
Florian Roth
921a39f1e3
rule: extended sudo rule with variant for USER field
2019-10-15 14:55:09 +02:00
Florian Roth
96d77447d2
rule: added reference and mitre tags
2019-10-15 09:44:17 +02:00
Florian Roth
49ed76004c
rule: sudo priv esc vuln CVE-2019-14287
2019-10-15 09:39:08 +02:00
Florian Roth
52fef7ae10
Merge pull request #468 from 2d4d/lsass_without_exe
...
remove .exe from lsass
2019-10-14 18:03:13 +02:00
Florian Roth
8db1cac910
fix: made rule compatible with event id 4688
2019-10-14 18:01:24 +02:00
Florian Roth
0e2284a176
rule: modified the default
2019-10-14 17:50:48 +02:00
Florian Roth
312311494d
rule: suspicious code page switch using chcp
2019-10-14 17:45:25 +02:00
2d4d
cf5d7f11ad
remove .exe from lsass
2019-10-14 17:26:33 +02:00
Florian Roth
7ee3974428
rule: suspicious keyboard layout load
2019-10-14 16:25:27 +02:00
Florian Roth
5583684efd
rule: extended suspicious procdump rule
2019-10-14 16:21:37 +02:00
Florian Roth
98f0d01b2e
rule: mimikatz use extended
2019-10-11 18:50:33 +02:00
Florian Roth
60af1f5a4b
rule: WMI Backdoor Exchange Transport Agent
2019-10-11 12:12:44 +02:00
Thomas Patzke
849a5a520d
Conditional field mapping resolve_fieldname now functional
...
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
2019-10-09 23:57:41 +02:00
Florian Roth
ec5bb71049
fix: Mimikatz DC Sync rule FP description and level
2019-10-08 17:45:10 +02:00
Florian Roth
14971a7b9c
fix: FPs with Mimikatz DC Sync rule
2019-10-08 17:44:00 +02:00
Thomas Patzke
95c8d25858
Improved --backend-config help text
2019-10-07 22:30:57 +02:00