Florian Roth
|
bdf0dd8e21
|
Merge pull request #260 from TareqAlKhatib/malware_backconnect
Added private IP filter to reduce FPs
|
2019-02-23 22:47:14 +01:00 |
|
Tareq AlKhatib
|
a022333382
|
Added private IP filter to reduce FPs
|
2019-02-23 21:15:03 +03:00 |
|
Florian Roth
|
f25416bd65
|
chore: workaround Travis Python 3.5 problems
|
2019-02-23 07:43:41 +01:00 |
|
Florian Roth
|
afa18245bf
|
Merge pull request #254 from darkquasar/master
adding MPreter as McAfee classifies it
|
2019-02-23 07:34:04 +01:00 |
|
Thomas Patzke
|
c17f9d172f
|
Merge pull request #248 from megan201296/patch-17
Create win_mal_ursnif.yml
|
2019-02-22 21:30:49 +01:00 |
|
Thomas Patzke
|
02239fa288
|
Changed registry root key
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
|
2019-02-22 21:30:30 +01:00 |
|
Thomas Patzke
|
18d012cc2e
|
Merge pull request #255 from vburov/patch-1
Update win_susp_process_creations.yml
|
2019-02-22 21:15:52 +01:00 |
|
Thomas Patzke
|
5c63ef17d2
|
Added further NirSoft tool parameters
|
2019-02-22 21:15:03 +01:00 |
|
vburov
|
bdf44be077
|
Update win_susp_process_creations.yml
|
2019-02-22 22:46:57 +03:00 |
|
darkquasar
|
87994ca46b
|
adding MPreter as McAfee classifies it
McAfee classifies some Meterpreter events with the "Mpreter" keyword
|
2019-02-22 15:22:10 +11:00 |
|
Florian Roth
|
d3b623e92a
|
Rule: suspicious pipes extended
https://github.com/Neo23x0/sigma/issues/253
|
2019-02-21 13:26:48 +01:00 |
|
Florian Roth
|
343a40ced7
|
Rule: extended exec location rule to support 4688 events
|
2019-02-21 13:26:48 +01:00 |
|
Florian Roth
|
c8701ac6e9
|
Merge pull request #252 from keepwatch/patch-1
Fixing yara condition
|
2019-02-21 10:17:09 +01:00 |
|
Florian Roth
|
8ae37f5d64
|
BEAR activity - CrowdStrike GTR 2019
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
|
2019-02-21 09:54:01 +01:00 |
|
Florian Roth
|
3a994d0d63
|
fix: bugfix in Judgement Panda rule
|
2019-02-21 09:50:49 +01:00 |
|
Florian Roth
|
5935eaa572
|
fix: added MITRE ATT&CK tags to APT rule
|
2019-02-21 09:27:59 +01:00 |
|
Florian Roth
|
aca470961a
|
fix: bugfix in Judgement Panda rule
|
2019-02-21 09:20:52 +01:00 |
|
Florian Roth
|
c474bfcae5
|
Judgement Panda - Crowdstrike GTR 2019
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
|
2019-02-21 09:20:52 +01:00 |
|
Keep Watcher
|
07dec06222
|
Fixing yara condition
|
2019-02-20 10:57:24 -05:00 |
|
Thomas Patzke
|
9ef314486e
|
Grep backend escapes +
|
2019-02-19 14:49:06 +01:00 |
|
Florian Roth
|
eeae74e245
|
Merge pull request #249 from TareqAlKhatib/duplicate_filters
Duplicate Detections
|
2019-02-18 21:58:39 +01:00 |
|
Tareq AlKhatib
|
ae62acf3d2
|
Added a test for duplicate filters and a test for Source: Eventlog
|
2019-02-18 21:05:58 +03:00 |
|
Tareq AlKhatib
|
2e3a2b9ba6
|
Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental'
|
2019-02-18 21:03:53 +03:00 |
|
Florian Roth
|
f0a4aede24
|
Rule: RDP over Reverse SSH Tunnel
|
2019-02-16 19:36:13 +01:00 |
|
Florian Roth
|
08e00945aa
|
doc: SANS webcast link in README
|
2019-02-16 09:51:02 +01:00 |
|
megan201296
|
34f9d17b26
|
Create win_mal_ursnif.yml
|
2019-02-13 15:22:57 -06:00 |
|
Florian Roth
|
2e61233e31
|
Merge pull request #247 from TareqAlKhatib/duplicate_filters
Unnecessary 1/all of them
|
2019-02-13 20:30:53 +01:00 |
|
Tareq AlKhatib
|
97b28f4308
|
Added a test for unnecessary use of '1 of them' in condition
|
2019-02-13 21:27:27 +03:00 |
|
Tareq AlKhatib
|
cd3cdc9451
|
Removed unnecessary '1 of them' in condition
|
2019-02-13 21:26:02 +03:00 |
|
Florian Roth
|
8d819cfeea
|
Rule: fixed bug in Renamed PowerShell rule
|
2019-02-13 13:23:02 +01:00 |
|
Florian Roth
|
004497075d
|
fix: spark source config bug
|
2019-02-12 23:27:38 +01:00 |
|
Florian Roth
|
c2eda887fa
|
Rule: Suspicious Windows NT 9 UA
|
2019-02-12 10:33:33 +01:00 |
|
Florian Roth
|
be26ada875
|
Rule: Suspicious csc.exe parents
|
2019-02-11 13:50:51 +01:00 |
|
Florian Roth
|
74e3c79f40
|
Rule: Suspicious PowerShell keywords
|
2019-02-11 13:02:38 +01:00 |
|
Thomas Patzke
|
a5af134bfe
|
Merge branch 'neu5ron-patch-2'
|
2019-02-10 00:16:55 +01:00 |
|
Thomas Patzke
|
01570f88db
|
YAML fixes
|
2019-02-10 00:16:27 +01:00 |
|
Thomas Patzke
|
6dd4b4775a
|
Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2
|
2019-02-10 00:15:25 +01:00 |
|
Thomas Patzke
|
ff5081f186
|
Merge branch 'yt0ng-development'
|
2019-02-10 00:09:29 +01:00 |
|
Thomas Patzke
|
14769938e9
|
Fixed condition keyword
|
2019-02-10 00:07:30 +01:00 |
|
Thomas Patzke
|
d43e67a882
|
Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development
|
2019-02-10 00:00:45 +01:00 |
|
Thomas Patzke
|
3cd6de2864
|
Merge pull request #240 from neu5ron/master
new rule and updated false positive note
|
2019-02-09 23:57:39 +01:00 |
|
Thomas Patzke
|
01dfc23a26
|
Merge pull request #234 from juju4/devel-sumo
Sumologic support update
|
2019-02-09 23:54:23 +01:00 |
|
Thomas Patzke
|
d9aceeb7eb
|
Merge pull request #228 from keepwatch/ssp-regkey-detection
SSP added to LSA configuration
|
2019-02-09 23:44:55 +01:00 |
|
Thomas Patzke
|
5866d8eb71
|
Merge pull request #238 from sisecbe/patch-1
Adapt count function when aggfield not present
|
2019-02-09 23:38:20 +01:00 |
|
juju4
|
4429d7564f
|
remove 'escape' of '_' - not needed
|
2019-02-09 12:57:43 -05:00 |
|
juju4
|
a815b7eb9b
|
add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string
|
2019-02-09 12:57:07 -05:00 |
|
Florian Roth
|
aab703a4b4
|
Suspicious calc.exe usage
|
2019-02-09 14:03:23 +01:00 |
|
Florian Roth
|
05424883dd
|
Added Info Graphic to README
|
2019-02-09 09:38:01 +01:00 |
|
Florian Roth
|
efb223b147
|
Merge pull request #245 from kpolley/master
2nd method to call downloadString or downloadFile in Powershell
|
2019-02-09 09:35:19 +01:00 |
|
Florian Roth
|
7e732a2a89
|
Merge pull request #232 from TareqAlKhatib/duplicate_filters
Duplicate filters
|
2019-02-09 09:23:57 +01:00 |
|