Furkan CALISKAN
|
bbb9fed3e6
|
Fixed for FP issues
|
2020-10-06 19:51:55 +03:00 |
|
Furkan CALISKAN
|
0023a22ead
|
Added FP conditions and fileshare part for cmdline
|
2020-10-06 19:20:19 +03:00 |
|
Furkan CALISKAN
|
a5ceba93a9
|
Fixed conditions
|
2020-10-06 19:15:30 +03:00 |
|
Furkan CALISKAN
|
52edc13d15
|
Fixed dates
|
2020-10-06 19:10:33 +03:00 |
|
Furkan CALISKAN
|
ea6d60c58f
|
Added print lolbin
|
2020-10-05 23:26:57 +03:00 |
|
Furkan CALISKAN
|
db4804d6bf
|
Merge branch 'master' of https://github.com/caliskanfurkan/sigma
|
2020-10-05 23:03:21 +03:00 |
|
Furkan CALISKAN
|
4d655138b2
|
Added findstr lolbin
|
2020-10-05 23:03:05 +03:00 |
|
Furkan ÇALIŞKAN
|
b147fc3296
|
Update win_susp_explorer.yml
Added known-fp
|
2020-10-05 13:22:43 +03:00 |
|
Furkan ÇALIŞKAN
|
85962665fd
|
Update win_susp_explorer.yml
|
2020-10-05 10:49:54 +03:00 |
|
Furkan CALISKAN
|
00cf61cc5b
|
Added explorer.exe LOLbin, OSCD
|
2020-10-04 23:47:16 +03:00 |
|
Florian Roth
|
c56cd2dfff
|
Merge pull request #1024 from omkar72/master
Com hijack shell folder
|
2020-10-02 09:24:16 +02:00 |
|
omkargudhate22
|
4487d9cc7e
|
added event type & changed technique
|
2020-10-02 09:22:14 +05:30 |
|
Florian Roth
|
d3ee1aba66
|
docs: MITRE ATT&CK(R) trademark references removed or adjusted
https://github.com/Neo23x0/sigma/issues/1028
|
2020-09-30 08:53:52 +02:00 |
|
Florian Roth
|
c17ca6d5fe
|
Merge pull request #1018 from savvyspoon/wcry-dns
WannaCry Killswitch domain DNS query
|
2020-09-29 09:27:21 +02:00 |
|
omkargudhate22
|
68a992d903
|
updated name
|
2020-09-27 21:57:19 +05:30 |
|
omkargudhate22
|
e7c8197e34
|
Updated fields & renamed
|
2020-09-27 21:52:59 +05:30 |
|
omkargudhate22
|
ebe3dce1d7
|
Update sysmon_comhijack_uac_bypass.yml
|
2020-09-27 21:44:41 +05:30 |
|
omkar72
|
3f148e6c7c
|
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
|
2020-09-27 21:19:04 +05:30 |
|
omkargudhate22
|
15c8721e7b
|
Merge pull request #1 from Neo23x0/master
Updating my fork
|
2020-09-27 19:12:36 +05:30 |
|
Florian Roth
|
d7d9c0e772
|
Merge pull request #1021 from hieuttmmo/master
Sigma rule to detect AdFind.exe execution
|
2020-09-27 09:50:41 +02:00 |
|
Florian Roth
|
8020fe3c40
|
false positive condition
|
2020-09-26 17:03:29 +02:00 |
|
Florian Roth
|
60795f7050
|
Update win_susp_adfind.yml
Fear that a simple adfind.exe causes too many false positives
|
2020-09-26 17:02:39 +02:00 |
|
Florian Roth
|
dbdd758365
|
Duplicate Rule
we already have a rule for that
|
2020-09-26 17:01:32 +02:00 |
|
Tran Trung Hieu
|
d4dd0600ad
|
Fix logsource service to process_creation
|
2020-09-26 21:45:23 +07:00 |
|
Tran Trung Hieu
|
c756fc8576
|
Detect Suspicious AdFind Execution
|
2020-09-26 21:34:06 +07:00 |
|
Mike Wade
|
f76f80db80
|
Killswitch domain
|
2020-09-16 20:32:31 -06:00 |
|
Mike Wade
|
7b1ef9ea64
|
fixing test runner issues
|
2020-09-15 15:45:33 -06:00 |
|
Mike Wade
|
6ed36b0e41
|
fixed issues with tabs and duplicate tags
|
2020-09-15 08:52:00 -06:00 |
|
Florian Roth
|
2cd9b794e6
|
Merge pull request #1007 from d4rk-d4nph3/master
Windows Defender AMSI Trigger Detected
|
2020-09-15 15:45:00 +02:00 |
|
Florian Roth
|
19ccfb80da
|
Merge pull request #1016 from NVISO-BE/win_vul_cve_2020_1472
Added win_vul_cve_2020_1472 rule
|
2020-09-15 15:43:53 +02:00 |
|
Remco Hofman
|
6cadfa5b2b
|
Added win_vul_cve_2020_1472 rule
|
2020-09-15 15:13:53 +02:00 |
|
Mike Wade
|
1ddba05eb2
|
Second round
|
2020-09-15 07:02:30 -06:00 |
|
Mike Wade
|
da9b32bdd6
|
we
|
2020-09-15 06:24:44 -06:00 |
|
Mike Wade
|
8ce73bd8df
|
Fixed issues with tags and missing files
|
2020-09-15 06:10:57 -06:00 |
|
Thomas Patzke
|
b0ccf44243
|
Added test
|
2020-09-15 12:42:37 +02:00 |
|
Thomas Patzke
|
378d9c94cf
|
Merge branch 'master' of https://github.com/socprime/sigma into pr-981
|
2020-09-15 12:14:49 +02:00 |
|
Thomas Patzke
|
64961c6d42
|
Added test
|
2020-09-15 09:06:02 +02:00 |
|
Thomas Patzke
|
28426f9b7f
|
Merge branch 'Netwitness-EPL' of https://github.com/snake-jump/sigma into pr-1001
|
2020-09-15 08:29:03 +02:00 |
|
Florian Roth
|
50db6dcc69
|
Merge pull request #1002 from scottdermott/master
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
|
2020-09-15 08:17:02 +02:00 |
|
Florian Roth
|
ade9cf9b84
|
Merge pull request #1004 from oscd-initiative/master
fix typos, update tags
|
2020-09-15 08:16:25 +02:00 |
|
snake-jump
|
5119f887c8
|
add Regular expression support
Add Regular expression support for netwitness-epl backend
|
2020-09-14 22:04:47 +02:00 |
|
snake-jump
|
531557465c
|
delete raise exception in case of sigma key is keyword(s)
|
2020-09-14 16:00:03 +02:00 |
|
Bhabesh Rai
|
03c7d751c0
|
Windows Defender AMSI Trigger Detected
|
2020-09-14 18:10:38 +05:45 |
|
Mike Wade
|
57cae0ded1
|
Fixed reference typo
|
2020-09-13 22:07:43 -06:00 |
|
Mike Wade
|
52ab677798
|
Fixed my git issue
|
2020-09-13 22:03:04 -06:00 |
|
Mike Wade
|
249c255435
|
No Idea why these files are deleted
|
2020-09-13 22:00:30 -06:00 |
|
Yugoslavskiy Daniil
|
1fc202fe5d
|
fix typos, update tags
|
2020-09-13 15:46:45 +02:00 |
|
Dermott, Scott J
|
c72ac8f73e
|
Merge branch 'master' of https://github.com/scottdermott/sigma
|
2020-09-11 16:19:54 +01:00 |
|
Scott Dermott
|
1f50e0af35
|
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC).
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
|
2020-09-11 16:06:51 +01:00 |
|
snake-jump
|
09f25cf992
|
delete sqlparse module usage
|
2020-09-10 19:05:55 +02:00 |
|