Commit Graph

1352 Commits

Author SHA1 Message Date
Florian Roth
bdf0dd8e21
Merge pull request #260 from TareqAlKhatib/malware_backconnect
Added private IP filter to reduce FPs
2019-02-23 22:47:14 +01:00
Tareq AlKhatib
a022333382 Added private IP filter to reduce FPs 2019-02-23 21:15:03 +03:00
Florian Roth
f25416bd65 chore: workaround Travis Python 3.5 problems 2019-02-23 07:43:41 +01:00
Florian Roth
afa18245bf
Merge pull request #254 from darkquasar/master
adding MPreter as McAfee classifies it
2019-02-23 07:34:04 +01:00
Thomas Patzke
c17f9d172f
Merge pull request #248 from megan201296/patch-17
Create win_mal_ursnif.yml
2019-02-22 21:30:49 +01:00
Thomas Patzke
02239fa288
Changed registry root key
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
2019-02-22 21:30:30 +01:00
Thomas Patzke
18d012cc2e
Merge pull request #255 from vburov/patch-1
Update win_susp_process_creations.yml
2019-02-22 21:15:52 +01:00
Thomas Patzke
5c63ef17d2
Added further NirSoft tool parameters 2019-02-22 21:15:03 +01:00
vburov
bdf44be077
Update win_susp_process_creations.yml 2019-02-22 22:46:57 +03:00
darkquasar
87994ca46b
adding MPreter as McAfee classifies it
McAfee classifies some Meterpreter events with the "Mpreter" keyword
2019-02-22 15:22:10 +11:00
Florian Roth
d3b623e92a Rule: suspicious pipes extended
https://github.com/Neo23x0/sigma/issues/253
2019-02-21 13:26:48 +01:00
Florian Roth
343a40ced7 Rule: extended exec location rule to support 4688 events 2019-02-21 13:26:48 +01:00
Florian Roth
c8701ac6e9
Merge pull request #252 from keepwatch/patch-1
Fixing yara condition
2019-02-21 10:17:09 +01:00
Florian Roth
8ae37f5d64 BEAR activity - CrowdStrike GTR 2019
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
2019-02-21 09:54:01 +01:00
Florian Roth
3a994d0d63 fix: bugfix in Judgement Panda rule 2019-02-21 09:50:49 +01:00
Florian Roth
5935eaa572 fix: added MITRE ATT&CK tags to APT rule 2019-02-21 09:27:59 +01:00
Florian Roth
aca470961a fix: bugfix in Judgement Panda rule 2019-02-21 09:20:52 +01:00
Florian Roth
c474bfcae5 Judgement Panda - Crowdstrike GTR 2019
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
2019-02-21 09:20:52 +01:00
Keep Watcher
07dec06222
Fixing yara condition 2019-02-20 10:57:24 -05:00
Thomas Patzke
9ef314486e Grep backend escapes + 2019-02-19 14:49:06 +01:00
Florian Roth
eeae74e245
Merge pull request #249 from TareqAlKhatib/duplicate_filters
Duplicate Detections
2019-02-18 21:58:39 +01:00
Tareq AlKhatib
ae62acf3d2 Added a test for duplicate filters and a test for Source: Eventlog 2019-02-18 21:05:58 +03:00
Tareq AlKhatib
2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Florian Roth
f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
Florian Roth
08e00945aa
doc: SANS webcast link in README 2019-02-16 09:51:02 +01:00
megan201296
34f9d17b26
Create win_mal_ursnif.yml 2019-02-13 15:22:57 -06:00
Florian Roth
2e61233e31
Merge pull request #247 from TareqAlKhatib/duplicate_filters
Unnecessary 1/all of them
2019-02-13 20:30:53 +01:00
Tareq AlKhatib
97b28f4308 Added a test for unnecessary use of '1 of them' in condition 2019-02-13 21:27:27 +03:00
Tareq AlKhatib
cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Florian Roth
8d819cfeea Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
Florian Roth
004497075d fix: spark source config bug 2019-02-12 23:27:38 +01:00
Florian Roth
c2eda887fa Rule: Suspicious Windows NT 9 UA 2019-02-12 10:33:33 +01:00
Florian Roth
be26ada875 Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
Florian Roth
74e3c79f40 Rule: Suspicious PowerShell keywords 2019-02-11 13:02:38 +01:00
Thomas Patzke
a5af134bfe Merge branch 'neu5ron-patch-2' 2019-02-10 00:16:55 +01:00
Thomas Patzke
01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke
6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke
ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke
14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke
d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke
3cd6de2864
Merge pull request #240 from neu5ron/master
new rule and updated false positive note
2019-02-09 23:57:39 +01:00
Thomas Patzke
01dfc23a26
Merge pull request #234 from juju4/devel-sumo
Sumologic support update
2019-02-09 23:54:23 +01:00
Thomas Patzke
d9aceeb7eb
Merge pull request #228 from keepwatch/ssp-regkey-detection
SSP added to LSA configuration
2019-02-09 23:44:55 +01:00
Thomas Patzke
5866d8eb71
Merge pull request #238 from sisecbe/patch-1
Adapt count function when aggfield not present
2019-02-09 23:38:20 +01:00
juju4
4429d7564f remove 'escape' of '_' - not needed 2019-02-09 12:57:43 -05:00
juju4
a815b7eb9b add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string 2019-02-09 12:57:07 -05:00
Florian Roth
aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth
05424883dd
Added Info Graphic to README 2019-02-09 09:38:01 +01:00
Florian Roth
efb223b147
Merge pull request #245 from kpolley/master
2nd method to call downloadString or downloadFile in Powershell
2019-02-09 09:35:19 +01:00
Florian Roth
7e732a2a89
Merge pull request #232 from TareqAlKhatib/duplicate_filters
Duplicate filters
2019-02-09 09:23:57 +01:00