Commit Graph

4143 Commits

Author SHA1 Message Date
frack113
1b480f2ee6
Merge pull request #1819 from frack113/split_1802_builtin
Correct lists with only 1 value
2021-08-13 12:43:26 +02:00
frack113
5e42187062
remove change for Message rule 2021-08-13 11:01:33 +02:00
frack113
62e541ec7f
Merge pull request #1784 from frack113/winlogbeat-modules-enabled
Update Mapping Winlogbeat modules enabled
2021-08-12 19:14:17 +02:00
Florian Roth
62c9468180
Merge pull request #1832 from SigmaHQ/rule-devel
Whoami Refactoring
2021-08-12 14:28:28 +02:00
Florian Roth
d9d543e545
refactor: removed OriginalFileName from rule to improve compatibility 2021-08-12 13:28:24 +02:00
Florian Roth
34d70de084
rule: whoami anomalies 2021-08-12 13:28:00 +02:00
Florian Roth
bd0a2a1b9f
rule: renamed whoami 2021-08-12 13:27:51 +02:00
Florian Roth
418a0bbf7e
Merge pull request #1827 from phantinuss/master
2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
2021-08-12 11:41:50 +02:00
Florian Roth
6ed62b431e
Merge pull request #1830 from SigmaHQ/rule-devel
SystemNightmare and Typo
2021-08-12 11:41:16 +02:00
Florian Roth
08883c8e32
refactor: removed old rule that uses Message field
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
2021-08-12 09:27:50 +02:00
phantinuss
a880663d51
fix: add missing 'all of' for 'and' conjunction of the assignment keywords 2021-08-11 17:46:10 +02:00
phantinuss
1c919c07c7
exchange mailbox export with generic keyword search (Message is not a real field) 2021-08-11 16:57:15 +02:00
Florian Roth
c8d481fd83
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-11 10:10:32 +02:00
Florian Roth
c1f9c33730
rule: SystemNightmare 2021-08-11 10:10:30 +02:00
Florian Roth
d9d1e2c578
Merge pull request #1823 from SigmaHQ/rule-devel
rule: ProxyLogon rule for MS Exchange
2021-08-11 09:43:41 +02:00
phantinuss
62eca463ac
new rule LittleCorporal generated maldoc process injection 2021-08-11 09:25:23 +02:00
frack113
63ead346e8
fix modified value 2021-08-10 19:09:34 +02:00
Florian Roth
73a4bd74dc
fix: FPs script exec from temp 2021-08-10 17:10:46 +02:00
frack113
6d869feb43
update modified 2021-08-10 15:12:45 +02:00
Jon Galarneau
1544a351a3
Correcting regex in win_modif_of_services_for_via_commandline.yml
The ^ symbol designates the beginning of the string, but in this rule it is clearly intended to be the end of the string.
2021-08-10 08:29:39 -04:00
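Two of the commit messages above make points a rule author can check mechanically: the "Message" field is localised free text, so a keyword rule over the raw event data is more portable (08883c8e32), and a `^` at the end of a regex is a start-of-string anchor in the wrong place (1544a351a3). The block below is an added example, not code from the SigmaHQ repository: it is a minimal Sigma-style matcher with constructed Security 4688 events (one of them a German-localised copy), a hypothetical Message-field rule beside its keyword equivalent, and two hypothetical `|re` patterns that stand in for the corrected services rule, whose real pattern is not shown on this page.

```python
import re

# Constructed Windows Security 4688 events (not taken from the Sigma repo).
# The second one is a German-localised copy of the first: the structured
# CommandLine field is identical, only the free-text Message differs.
EVENTS = [
    {"EventID": 4688,
     "Message": "A new process has been created.\nProcess Command Line: net.exe user backdoor P@ss /add",
     "CommandLine": "net.exe user backdoor P@ss /add"},
    {"EventID": 4688,
     "Message": "Ein neuer Prozess wurde erstellt.\nProzessbefehlszeile: net.exe user backdoor P@ss /add",
     "CommandLine": "net.exe user backdoor P@ss /add"},
    {"EventID": 4688,
     "Message": "A new process has been created.\nProcess Command Line: notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4688,
     "Message": "A new process has been created.\nProcess Command Line: sc.exe config WinDefend start= disabled",
     "CommandLine": "sc.exe config WinDefend start= disabled"},
]


def field_matches(event, field, value, modifier=None):
    """Sigma-style field test: exact (case-insensitive), |contains, or |re."""
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual)
    if modifier == "contains":
        return value.lower() in actual.lower()
    if modifier == "re":
        return re.search(value, actual) is not None
    return actual.lower() == value.lower()


def keywords_match(event, keywords, mode="1 of"):
    """Keyword rule: search the raw, flattened event text for the strings,
    requiring either '1 of them' (default) or 'all of them'."""
    raw = "\n".join(str(v) for v in event.values()).lower()
    hits = [k.lower() in raw for k in keywords]
    return all(hits) if mode == "all of" else any(hits)


def message_rule(event):
    """Hypothetical rule that keys on the localised Message text."""
    return (field_matches(event, "EventID", "4688")
            and field_matches(event, "Message", "Process Command Line:", "contains")
            and field_matches(event, "Message", "net.exe user", "contains")
            and field_matches(event, "Message", " /add", "contains"))


def keyword_rule(event):
    """Same intent as a keyword rule: 'all of' the strings anywhere in the raw data."""
    return keywords_match(event, ["net.exe user", " /add"], mode="all of")


# Hypothetical |re patterns illustrating the anchor bug; not the real rule's pattern.
BROKEN_RE = r"sc(\.exe)? config .* start= disabled^"   # trailing '^' can never match
FIXED_RE = r"sc(\.exe)? config .* start= disabled$"    # '$' is the end-of-string anchor


def regex_rule(event, pattern):
    return field_matches(event, "CommandLine", pattern, "re")


def anchor_misuse(pattern):
    """Naive lint for rule review: a '^' anywhere but the start of the pattern or
    of a group/alternative, or a '$' anywhere but the end, is almost always a typo.
    Escaped anchors are skipped; character classes are not parsed."""
    problems = []
    for i, ch in enumerate(pattern):
        if i and pattern[i - 1] == "\\":
            continue
        if ch == "^" and i != 0 and pattern[i - 1] not in "(|":
            problems.append(f"'^' at offset {i} is not a start anchor")
        if ch == "$" and i != len(pattern) - 1 and pattern[i + 1] not in ")|":
            problems.append(f"'$' at offset {i} is not an end anchor")
    return problems


def count_hits(rule):
    return sum(1 for e in EVENTS if rule(e))


if __name__ == "__main__":
    print("Message-field rule hits:", count_hits(message_rule))  # 1: misses the German event
    print("keyword rule hits:", count_hits(keyword_rule))        # 2: catches both
    print("broken regex hits:", count_hits(lambda e: regex_rule(e, BROKEN_RE)))  # 0
    print("fixed regex hits:", count_hits(lambda e: regex_rule(e, FIXED_RE)))    # 1
    print("lint:", anchor_misuse(BROKEN_RE), anchor_misuse(FIXED_RE))
```

The keyword rule flattens every field into one string before searching, which is what a raw-data search does in most backends and is why it is indifferent to the language of the Message text; the lint is deliberately conservative and only flags the one pattern shape that is always wrong.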
Florian Roth
17c6fc7038
rule: ProxyLogon rule for MS Exchange 2021-08-10 09:16:30 +02:00
Florian Roth
17fb418271
Merge pull request #1817 from SigmaHQ/rule-devel
rules: ProxyShell refactoring and new rule
2021-08-10 08:18:32 +02:00
frack113
78e0e570dd
Split PR 1802 builtin net rules 2021-08-09 20:23:35 +02:00
Florian Roth
dbf8aecd83
fix: typo in cmdlet name 2021-08-09 18:05:51 +02:00
Florian Roth
a9ad4eda4a
rules: ProxyShell refactoring and new rule 2021-08-09 17:57:34 +02:00
frack113
dd2aa8706d
Merge pull request #1786 from j91321/anydesk
Silent installation of AnyDesk (Conti)
2021-08-09 08:57:32 +02:00
frack113
bacb44ab97
Merge pull request #1780 from Sam0x90/master
Adding detection rule for esentutl utility
2021-08-07 16:23:45 +02:00
frack113
f75f8fabab
fix file name 2021-08-07 15:54:43 +02:00
frack113
07d21c58e8
Update process_susp_esentutl_params.yaml 2021-08-07 15:49:25 +02:00
frack113
89ee63f63b
Merge pull request #1791 from SigmaHQ/rule-devel
More rules - including the ones for ProxyShell
2021-08-07 11:49:16 +02:00
Florian Roth
9be9e4a24f
fix: more changes to incomplete windivert rule 2021-08-07 11:22:44 +02:00
Florian Roth
88a721a1ab
docs: add space in title 2021-08-07 10:13:05 +02:00
Florian Roth
1dcf25878c
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-07 10:10:48 +02:00
Florian Roth
0a8904a61e
fix: issues with new rule 2021-08-07 10:10:12 +02:00
frack113
5f89a29ea7
fix file name 2021-08-07 10:01:23 +02:00
Florian Roth
1ac49a2055
rule: ProxyShell patterns 2021-08-07 09:22:24 +02:00
Florian Roth
c0360cd1ca
change name and line breaks 2021-08-06 18:53:08 +02:00
Florian Roth
7de55075f7
fix: condition 2021-08-06 18:45:38 +02:00
Florian Roth
d69e2333c8
various fixes 2021-08-06 18:44:54 +02:00
Florian Roth
e02b85dc99
'--start-with-win' is pretty specific 2021-08-06 18:41:14 +02:00
Ján Trenčanský
2f3b48c347
Fix title 2021-08-06 14:18:30 +02:00
Ján Trenčanský
516e1ade6d
Silent installation of AnyDesk 2021-08-06 14:06:35 +02:00
frack113
f4bef0fc39
Add Microsoft-Windows-Windows Defender/Operational 2021-08-06 11:12:34 +02:00
frack113
cf8d8d3ed4
fix TargetFilename case error 2021-08-06 08:43:05 +02:00
Sam0x90
96911e55b9
Adding detection rule for esentutl utility
Used by Conti affiliates to target NTDS file and MSEdge info
2021-08-06 00:55:57 +04:00
Florian Roth
eb247704fe
Merge pull request #1761 from d4rk-d4nph3/master
Added rule for Cabinet file expansion and Pypykatz
2021-08-05 15:50:12 +02:00
Florian Roth
c44b22b52f
Merge pull request #1762 from frack113/redcanary_collection
[OSCD] Redcanary TA0009 collection
2021-08-05 15:49:10 +02:00
Florian Roth
83505351bc
Merge pull request #1764 from frack113/fix_product
fix product sysmon_apt_sourgrum.yml
2021-08-05 15:48:35 +02:00
Florian Roth
448868302d
Merge pull request #1767 from frack113/redcanary_t1497_001
[OSCD] Detect Virtualization Environment (Windows) T1497.001
2021-08-05 15:47:37 +02:00
Florian Roth
3634901bf1
Update poweshell_detect_vm_env.yml 2021-08-05 15:47:29 +02:00