Florian Roth
|
fa344987c0
|
Merge pull request #1703 from hieuttmmo/master
Suspicious behaviours related to SOURGUM
|
2021-07-23 10:32:25 +02:00 |
|
Florian Roth
|
7c42a9d6cb
|
Merge pull request #1728 from SigmaHQ/rule-devel
HiveNightmare file creation, other rule improvements
|
2021-07-23 10:21:35 +02:00 |
|
Tran Trung Hieu
|
77b4a37916
|
Update the references
|
2021-07-23 14:58:51 +07:00 |
|
Florian Roth
|
38b9e942c1
|
Merge pull request #1724 from austinsonger/master
sysmon_dns_over_https_enabled.yml
|
2021-07-23 09:52:24 +02:00 |
|
Florian Roth
|
5b95ef0872
|
Merge pull request #1725 from frack113/add_new_test
Add check for status and level
|
2021-07-23 09:51:37 +02:00 |
|
Florian Roth
|
cc8899ea62
|
Merge pull request #1717 from frack113/netcat
[OSCD] sysmon_netcat_execution.yml T1095
|
2021-07-23 09:51:23 +02:00 |
|
Florian Roth
|
d00ca03cb6
|
increased level to high
|
2021-07-23 09:51:00 +02:00 |
|
Florian Roth
|
5955efa750
|
adjusted timestamp
|
2021-07-23 09:45:50 +02:00 |
|
Florian Roth
|
d9dc442f4e
|
rule: HiveNightmare
|
2021-07-23 09:41:00 +02:00 |
|
Austin Songer
|
a4b78ef4f0
|
Delete sysmon_dns_over_https_enabled.yml
|
2021-07-22 21:48:28 -05:00 |
|
Austin Songer
|
d7783ea9d7
|
Update sysmon_dns_over_https_enabled.yml
|
2021-07-22 12:42:53 -05:00 |
|
frack113
|
aff5264096
|
Add check for status and level
|
2021-07-22 19:25:51 +02:00 |
|
Austin Songer
|
2929f8915e
|
Update sysmon_dns_over_https_enabled.yml
|
2021-07-22 11:27:41 -05:00 |
|
Austin Songer
|
44630b215e
|
Update sysmon_dns_over_https_enabled.yml
|
2021-07-22 11:22:56 -05:00 |
|
Austin Songer
|
4ddcea0714
|
Update sysmon_dns_over_https_enabled.yml
|
2021-07-22 11:09:41 -05:00 |
|
Austin Songer
|
d093fea6a5
|
Update sysmon_dns_over_https_enabled.yml
|
2021-07-22 11:07:02 -05:00 |
|
Austin Songer
|
6e8df1e9d2
|
Update sysmon_dns_over_https_enabled.yml
|
2021-07-22 11:05:54 -05:00 |
|
Austin Songer
|
edf1740ec4
|
Update sysmon_dns_over_https_enabled.yml
|
2021-07-22 11:05:31 -05:00 |
|
Austin Songer
|
c7685e1c18
|
Create sysmon_dns_over_https_enabled.yml
|
2021-07-22 11:04:15 -05:00 |
|
Florian Roth
|
edfd082754
|
Merge pull request #1716 from frack113/elk_keyword_rule
powershell_nishang_malicious_commandlets Elk keywords trouble
|
2021-07-22 15:01:13 +02:00 |
|
Florian Roth
|
cbc7a746d4
|
feat: some often used ncat command line strings
|
2021-07-22 15:00:50 +02:00 |
|
Florian Roth
|
7a8fcf4237
|
Merge pull request #1718 from frack113/powercat
[OSCD] powershell_powercat.yml T1095
|
2021-07-22 14:53:34 +02:00 |
|
Florian Roth
|
132bd8fdd8
|
Merge pull request #1720 from frack113/redcanary_t1411_001
[OSCD] powershell_suspicious_mail_acces.yml T1114.001
|
2021-07-22 14:53:21 +02:00 |
|
Florian Roth
|
583cae058e
|
Merge pull request #1723 from phantinuss/master
Add sysmon_status and sysmon_error category to thor logsource; logical rule fix
|
2021-07-22 14:53:01 +02:00 |
|
Florian Roth
|
9f2f6db598
|
Merge pull request #1721 from frack113/update_test
Update date and modified test
|
2021-07-22 11:10:25 +02:00 |
|
Florian Roth
|
1cfb0e4689
|
Update win_mal_flowcloud.yml
|
2021-07-22 11:09:45 +02:00 |
|
phantinuss
|
3c85bba998
|
fix: according to the reference the condition should be or; it would never match otherwise anyways
|
2021-07-22 09:59:04 +02:00 |
|
frack113
|
985a80de96
|
Find duplicate rules
|
2021-07-22 08:33:52 +02:00 |
|
frack113
|
fe20158f5e
|
Update date and modified test
|
2021-07-21 18:28:47 +02:00 |
|
frack113
|
4cc4df35d8
|
add powershell_suspicious_mail_acces.yml
|
2021-07-21 15:27:12 +02:00 |
|
frack113
|
72da7a3053
|
fix tags attack.t1095
|
2021-07-21 13:08:35 +02:00 |
|
frack113
|
41c4f1d157
|
add powershell_powercat.yml
|
2021-07-21 13:04:27 +02:00 |
|
frack113
|
1b537cac5d
|
add sysmon_netcat_execution.yml
|
2021-07-21 10:55:54 +02:00 |
|
Florian Roth
|
0930a933c3
|
Merge pull request #1713 from frack113/redcanary_t1552_004
[OSCD] process_creation_discover_private_keys.yml T1552.004
|
2021-07-21 10:43:45 +02:00 |
|
Florian Roth
|
78f903a2cc
|
Merge pull request #1714 from frack113/redcanary_t1074_001
[OSCD] win_susp_zip_compress.yml T1074.001
|
2021-07-21 10:43:32 +02:00 |
|
frack113
|
44254038d3
|
fix human error : test-sigmac Error 4
|
2021-07-21 10:01:46 +02:00 |
|
frack113
|
b9b0ef2066
|
convert keywords to correct field name Payload
|
2021-07-21 09:44:26 +02:00 |
|
Florian Roth
|
ddb4744613
|
regsvr32 anomaly rule update
https://twitter.com/BlackMatter23/status/1417545425297580045
|
2021-07-20 21:14:48 +02:00 |
|
frack113
|
ba50a2309c
|
fix case EventID
|
2021-07-20 16:26:13 +02:00 |
|
frack113
|
42005a07b7
|
update powershell_suspicious_download.yml
|
2021-07-20 16:12:24 +02:00 |
|
frack113
|
b031a1b4b7
|
add win_susp_zip_compress.yml
|
2021-07-20 13:13:53 +02:00 |
|
frack113
|
cf8904b560
|
fix files_with_incorrect_mitre_tags
|
2021-07-20 12:22:31 +02:00 |
|
Florian Roth
|
66aaa2210c
|
refactor: widened PS1 Empire cmdlines rule
|
2021-07-20 11:26:22 +02:00 |
|
frack113
|
da6135ccb3
|
add process_creation_discover_private_keys.yml
|
2021-07-20 11:20:30 +02:00 |
|
Florian Roth
|
6fbce11094
|
Merge pull request #1712 from SigmaHQ/rule-devel
fix: bug in regsvr anomaly rule
|
2021-07-18 13:00:19 +02:00 |
|
Florian Roth
|
b7b4c4555f
|
fix: bug in regsvr anomaly rule
|
2021-07-18 12:59:31 +02:00 |
|
Florian Roth
|
7eb873e48b
|
Merge pull request #1710 from SigmaHQ/rule-devel
added more legitimate extensions to regsvr32 rule
|
2021-07-17 13:46:21 +02:00 |
|
Florian Roth
|
53c25969ab
|
added more legitimate extensions to regsvr32 rule
|
2021-07-17 11:20:05 +02:00 |
|
Florian Roth
|
8a75890b51
|
Merge pull request #1702 from d4rk-d4nph3/master
Added rule for ADRecon execution
|
2021-07-17 09:50:29 +02:00 |
|
Florian Roth
|
e838a1acc4
|
increased level
|
2021-07-17 09:50:11 +02:00 |
|
Florian Roth
|
715bca0fd2
|
Merge pull request #1704 from frack113/redcanary_t1216
Redcanary t1216
|
2021-07-17 09:48:43 +02:00 |
|
Florian Roth
|
56ae1938af
|
Merge pull request #1706 from BlackB0lt/patch-12
Create sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
|
2021-07-17 09:46:35 +02:00 |
|
Florian Roth
|
b1a00152bc
|
Merge pull request #1698 from SigmaHQ/rule-devel
several new rules and fixes
|
2021-07-17 09:39:47 +02:00 |
|
Florian Roth
|
b911175f28
|
Suspicious mshta patterns
|
2021-07-17 09:04:41 +02:00 |
|
Florian Roth
|
6c79115ce0
|
Regsvr32 Anomalies extended
|
2021-07-17 09:04:31 +02:00 |
|
Sittikorn S
|
d3a1fb8565
|
Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
|
2021-07-17 06:49:37 +07:00 |
|
Sittikorn S
|
5e84a603d0
|
Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
|
2021-07-17 01:04:07 +07:00 |
|
Sittikorn S
|
a3c4aa5dad
|
Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
|
2021-07-17 01:02:14 +07:00 |
|
Sittikorn S
|
eea3675d4e
|
Rename sysmon_cve_2021_31979_cve-2021_33771_exploits.yml to sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
|
2021-07-17 00:09:04 +07:00 |
|
Sittikorn S
|
90fc50e0a2
|
Update and rename sysmon_devilstongue_CVE_2021_31979_exploit.yml to sysmon_cve_2021_31979_cve-2021_33771_exploits.yml
rename sysmon_cve_2021_31979_cve-2021_33771_exploits.yml
|
2021-07-17 00:02:15 +07:00 |
|
Sittikorn S
|
9fb589201e
|
Update and rename sysmon_devilstongue_exploit_0day.yml to sysmon_devilstongue_CVE_2021_31979_exploit.yml
Change Title
|
2021-07-16 23:47:14 +07:00 |
|
Sittikorn S
|
f2187f05e6
|
Update and rename sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml to sysmon_devilstongue_exploit_0day.yml
|
2021-07-16 23:42:05 +07:00 |
|
Sittikorn S
|
91295cff21
|
Update sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 23:35:31 +07:00 |
|
Sittikorn S
|
dac72e2750
|
Update and rename sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml to sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 23:30:05 +07:00 |
|
Sittikorn S
|
10b7b6d640
|
Update sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 23:11:14 +07:00 |
|
Sittikorn S
|
94ba194b42
|
Update sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 23:09:51 +07:00 |
|
Sittikorn S
|
477ec060d2
|
Update and rename sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml to sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 22:47:04 +07:00 |
|
Sittikorn S
|
99e5990416
|
Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 22:30:06 +07:00 |
|
Sittikorn S
|
dc94c4e51e
|
Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 22:21:34 +07:00 |
|
Sittikorn S
|
0954163e9d
|
Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 22:19:07 +07:00 |
|
Sittikorn S
|
e094c76098
|
Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 22:14:22 +07:00 |
|
Sittikorn S
|
0506e10697
|
Create sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml
|
2021-07-16 22:09:07 +07:00 |
|
Tran Trung Hieu
|
8effde4e1d
|
More suspicious flag fot bitsadmin execution
|
2021-07-16 16:40:00 +07:00 |
|
Tran Trung Hieu
|
1cb631017a
|
Suspicious behaviours related to SOURGUM
|
2021-07-16 14:13:48 +07:00 |
|
Bhabesh Rai
|
be8fce8e82
|
Added rule for ADRecon execution
|
2021-07-16 12:58:47 +05:45 |
|
frack113
|
9a7f3036e4
|
update ref in win_manage-bde_lolbas.yml
|
2021-07-16 08:34:30 +02:00 |
|
frack113
|
d6dc217c6d
|
Add process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
|
2021-07-16 08:28:25 +02:00 |
|
Florian Roth
|
021f211c14
|
fix: FP with WCE and Windows Cluster Service
|
2021-07-15 12:09:28 +02:00 |
|
frack113
|
c6cb7f1247
|
fix missing references and duplicate UUID
|
2021-07-15 11:06:54 +02:00 |
|
Florian Roth
|
e40b859254
|
Merge pull request #1695 from frack113/fix_re
escape / in regex
|
2021-07-15 09:25:58 +02:00 |
|
Florian Roth
|
abb8df887a
|
Merge pull request #1690 from WuerthIT/patch_rule
update rule: powershell_accessing_win_api.yml
|
2021-07-15 08:36:38 +02:00 |
|
Florian Roth
|
f3d24e27c2
|
Merge pull request #1694 from leegengyu/patch-13
Update win_remote_powershell_session_process.yml
|
2021-07-15 08:36:12 +02:00 |
|
Florian Roth
|
2055da991f
|
Merge pull request #1691 from SigmaHQ/rule-devel
Rules: scripts from Temp folders, reg disable sec services
|
2021-07-15 08:35:54 +02:00 |
|
frack113
|
0ef3dc2082
|
escape / in regex
|
2021-07-15 08:13:49 +02:00 |
|
G Y
|
8bbea58786
|
Update win_remote_powershell_session_process.yml
Updated TTP and formatting.
|
2021-07-15 11:20:25 +08:00 |
|
Florian Roth
|
e516aecc74
|
fix: error in selector
|
2021-07-14 15:58:55 +02:00 |
|
Florian Roth
|
530e04faec
|
rule: Script Execution from Temp Folder
|
2021-07-14 15:52:52 +02:00 |
|
Florian Roth
|
0d794357e8
|
rule: reg disable security services
|
2021-07-14 15:52:35 +02:00 |
|
k-vdv
|
12b172039f
|
fixed some typos and adjusted capitalization to original
|
2021-07-14 15:47:17 +02:00 |
|
Florian Roth
|
3ff4e99d44
|
Merge pull request #1688 from SigmaHQ/rule-devel
refactor: improved Raccine uninstall rule
|
2021-07-14 09:57:08 +02:00 |
|
Florian Roth
|
04370c7e91
|
refactor: improved Raccine uninstall rule
|
2021-07-14 09:56:35 +02:00 |
|
Florian Roth
|
1ec9473472
|
Merge pull request #1687 from SigmaHQ/rule-devel
Rule adjustments and new Serv-U exploitation rules
|
2021-07-14 08:59:33 +02:00 |
|
Florian Roth
|
5e2e6c9b72
|
Merge branch 'config-adjustments' into rule-devel
|
2021-07-14 08:35:47 +02:00 |
|
Florian Roth
|
e0f166aba2
|
rule: Serv-U exploitation
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
|
2021-07-14 08:35:25 +02:00 |
|
Florian Roth
|
85d47aeabc
|
Merge pull request #1678 from frack113/redcanary_t1228
Some Redcanary T1228
|
2021-07-14 08:18:52 +02:00 |
|
Florian Roth
|
9fce0fb42d
|
Merge pull request #1680 from phantinuss/master
medium level Rule for Windows Defender Exclusions
|
2021-07-14 08:18:39 +02:00 |
|
frack113
|
8b14dc6c99
|
fix [colons] too many spaces after colon
|
2021-07-13 14:42:47 +02:00 |
|
frack113
|
c00dd0bf65
|
add win_susp_athremotefxvgpudisablementcommand.yml
|
2021-07-13 14:29:00 +02:00 |
|
frack113
|
6d1e8268ba
|
update win_workflow_compiler.yml
|
2021-07-13 13:55:27 +02:00 |
|
phantinuss
|
bf9b82fc45
|
medium level rule for Windows Defender Exclusions
|
2021-07-13 13:16:25 +02:00 |
|