Commit Graph

1196 Commits

Author SHA1 Message Date
Thomas Patzke
a5579fa8cd
Merge pull request #513 from Karneades/fix-sysmon-rule
fix: bound sysmon logon script rule to field
2019-11-02 23:04:35 +01:00
Karneades
0117dac1db fix: bound sysmon logon script rule to field
Fixed rule:
- rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
2019-11-02 11:47:20 +01:00
Karneades
68fd20cb66 fix: bound windows event log rules to message field
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
2019-11-02 11:25:29 +01:00
Florian Roth
3107c0c268 rule: Formbook rule improved 2019-10-31 09:32:18 +01:00
Florian Roth
4741b6a4d6 rule: Mustang Panda dropper 2019-10-30 18:22:40 +01:00
Florian Roth
d661771608 rule: another DTRACK reference 2019-10-30 18:22:25 +01:00
Florian Roth
3ac28f3eed rule: DTRACK process creation 2019-10-30 15:16:33 +01:00
Thomas Patzke
219f00e3fb Added command line parameter
Implements #418
2019-10-29 23:04:28 +01:00
Thomas Patzke
f4e9690d6b
Merge pull request #508 from Karneades/fixRule3
fix: bound keywords to field in multiple PS rules
2019-10-29 22:34:08 +01:00
Thomas Patzke
78d8ca2b41
Merge pull request #507 from Karneades/fixRule2
fix: bound keywords to field in PS cred prompt rule
2019-10-29 22:31:01 +01:00
Thomas Patzke
40df0d4534
Merge pull request #506 from Karneades/fixRule1
fix: bound keywords to field in WMI persistence rule
2019-10-29 22:30:27 +01:00
Thomas Patzke
6eb49fc1ce
Merge pull request #509 from Karneades/fixRule4
fix: change keyword and bound it to a field in PS rule
2019-10-29 22:27:54 +01:00
Thomas Patzke
b6403793c1 Fixed escaping in rule 2019-10-29 22:06:23 +01:00
Karneades
ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Karneades
aafab2e936 fix: bound keywords to field in multiple PS rules
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
2019-10-29 19:53:18 +01:00
Karneades
f31750e567 fix: bound keywords to field in PS cred prompt rule 2019-10-29 19:43:04 +01:00
Karneades
cd20e4a3fc fix: bound keywords to field in WMI persistence rule
See #501.
2019-10-29 19:22:41 +01:00
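The "bound keywords to field" fixes above (#501 and the PRs that follow it) replace an unbound Sigma keyword list, which is matched against the whole event, with a selection tied to a named field. The script below is an added example, not code from the Sigma project or from these commits: it implements both matching styles over constructed events and shows how many events each style flags. The event fields, rule contents and helper names are assumptions chosen for illustration.

```python
"""Keyword-only versus field-bound matching (added example, not Sigma's own code)."""

# Constructed sample events, not taken from the original page. Only the first one
# actually runs the suspicious cmdlet; the other two merely mention its name.
EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Invoke-Mimikatz -DumpCreds",
     "Path": "C:\\tmp\\a.ps1"},
    {"EventID": 4104, "ScriptBlockText": "Write-Host 'hello'",
     "Path": "C:\\research\\Invoke-Mimikatz-notes.ps1"},
    {"EventID": 4688, "CommandLine": "notepad.exe",
     "Description": "Lab notes on Invoke-Mimikatz"},
]

# Hypothetical rules in a Sigma-like shape: an unbound keyword list versus a
# selection that binds the value to one field with the 'contains' modifier.
KEYWORD_RULE = {"keywords": ["Invoke-Mimikatz"]}
FIELD_RULE = {"selection": {"EventID": 4104,
                            "ScriptBlockText|contains": "Invoke-Mimikatz"}}


def matches_keywords(event, keywords):
    """Unbound keywords: case-insensitive substring search over every field value."""
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(k.lower() in haystack for k in keywords)


def field_matches(event, key, expected):
    """One 'field|modifier: value(s)' pair; a list of values is an OR, as in Sigma."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False                      # a missing field never matches
    value = str(event[name]).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in (str(c).lower() for c in candidates):
        if modifier == "contains" and cand in value:
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "" and value == cand:
            return True
    return False


def matches_selection(event, selection):
    """Field-bound selection: every field/value pair must match (an AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def matches(event, rule):
    if "keywords" in rule:
        return matches_keywords(event, rule["keywords"])
    return matches_selection(event, rule["selection"])


def hits(events, rule):
    """Indices of the events a rule fires on."""
    return [i for i, e in enumerate(events) if matches(e, rule)]


if __name__ == "__main__":
    print("keyword rule hits:", hits(EVENTS, KEYWORD_RULE))   # all three events
    print("field-bound hits: ", hits(EVENTS, FIELD_RULE))     # only the real execution
```

The unbound rule fires on a file path and on a free-text description as well as on the script block, which is the kind of noise the commits above remove by binding the value to the field that carries the executed content.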
Florian Roth
8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
Florian Roth
1a3444d0ef docs: comment on rule expression 2019-10-28 12:02:46 +01:00
Florian Roth
66a32549f1 rule: proxy malware ua - Zebrocy 2019-10-26 14:20:29 +02:00
Florian Roth
42808b7eb8 rule: webshell detection improved 2019-10-26 09:14:54 +02:00
Florian Roth
a5ec6722a1 rule: the actual changes to hwp rule 2019-10-24 15:35:13 +02:00
Florian Roth
86c1b4ae4b rule: hwp exploits 2019-10-24 11:46:56 +02:00
Florian Roth
3d4ce9d175 rule: another reference link for 'execution by ordinal' 2019-10-22 15:18:19 +02:00
Florian Roth
b3654947bc rule: suspicious call by ordinal (rundll32) 2019-10-22 12:40:26 +02:00
Florian Roth
0f02f2bdfc rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 12:32:37 +02:00
Florian Roth
4e7ad5c948 rule: added date to crypto miner rule 2019-10-21 13:24:33 +02:00
Florian Roth
e8963b2599 rule: crypto miner user agents in proxy logs 2019-10-21 13:21:50 +02:00
Florian Roth
c8b5b91815
Merge pull request #471 from a2tf/rule_change_proxy_uri_to_url
rule: changed two proxy rules from uri-query to url
2019-10-21 12:52:36 +02:00
Florian Roth
9457f01c29
Update proxy_ios_implant.yml 2019-10-21 11:20:11 +02:00
Florian Roth
f8d8eb7948
Update proxy_chafer_malware.yml 2019-10-21 11:19:59 +02:00
Florian Roth
454ba2b576 rule: modified sudo vuln rule to be most generic 2019-10-20 14:02:10 +02:00
Florian Roth
08ff2f38bc Revert "rule: modified sudo vuln rule to be most generic"
This reverts commit ef6a25d109.
2019-10-20 14:01:14 +02:00
Florian Roth
ef6a25d109 rule: modified sudo vuln rule to be most generic 2019-10-20 10:37:05 +02:00
a2tf
a2753ba5a6 rule: changed two proxy rules from uri-query to url 2019-10-18 14:15:39 +00:00
Thomas Patzke
522f021ef1
Merge pull request #461 from Galapag0s/patch-2
Added Additional history clearing options
2019-10-16 22:35:41 +02:00
Florian Roth
deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth
ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth
36f678930d rule: updated sudo vuln rule to detect 0-padding part 2
https://twitter.com/joshbressers/status/1184455759620378627
2019-10-16 15:10:44 +02:00
Florian Roth
5374d18e4b rule: updated sudo vuln rule to detect 0-padding
https://twitter.com/taviso/status/1184238670343065600
2019-10-16 15:03:28 +02:00
Florian Roth
c396526f40 rule: LSASS DLL load via undocumented Registry key
https://twitter.com/SBousseaden/status/1183745981189427200
2019-10-16 13:18:44 +02:00
Florian Roth
5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Florian Roth
d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth
4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth
e870c86fb0 rule: keyboard layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth
921a39f1e3 rule: extended sudo rule with variant for USER field 2019-10-15 14:55:09 +02:00
Florian Roth
96d77447d2 rule: added reference and mitre tags 2019-10-15 09:44:17 +02:00
Florian Roth
49ed76004c rule: sudo priv esc vuln CVE-2019-14287 2019-10-15 09:39:08 +02:00
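The sudo rule commits above (the initial CVE-2019-14287 rule, the USER field variant, and the two "0-padding" updates) describe a detection that first matched literal uid strings and then had to be widened, because a zero-padded uid such as -0001 still parses to -1. The script below is an added example, not the Sigma rule and not code from the project: it extracts the USER= value from syslog-style sudo lines and normalizes it to an integer before comparing, so zero-padding and sign representation cannot hide the -1 / 4294967295 runas uid. A naive literal check is included to show what it misses. The log lines are constructed, and the regex and function names are assumptions.

```python
"""CVE-2019-14287 runas-uid detection over sudo log lines (added example)."""
import re

# Constructed sudo log lines, not from the original page. Lines 0-3 all request
# uid -1 (or its unsigned 32-bit form) in different spellings; 4 and 5 are benign.
SAMPLE_LINES = [
    "Oct 15 09:39:08 host sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-1 ; COMMAND=/bin/bash",
    "Oct 15 09:40:01 host sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=#4294967295 ; COMMAND=/bin/bash",
    "Oct 15 09:41:12 host sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-0001 ; COMMAND=/usr/bin/id",
    "Oct 15 09:42:30 host sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=#004294967295 ; COMMAND=/usr/bin/id",
    "Oct 15 09:43:00 host sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=#1001 ; COMMAND=/usr/bin/id",
    "Oct 15 09:44:00 host sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
]

# Assumed field layout: sudo writes '... ; USER=<runas> ; COMMAND=...' to syslog.
SUDO_USER_RE = re.compile(r"\bUSER=(?P<user>[^\s;]+)")

# The two numeric values the advisory is about: -1 and its unsigned 32-bit form.
BYPASS_UIDS = {-1, 0xFFFFFFFF}


def parse_runas_user(line):
    """Return the raw USER= value of a sudo log line, or None if absent."""
    m = SUDO_USER_RE.search(line)
    return m.group("user") if m else None


def uid_spec_value(spec):
    """Integer uid for a '#<number>' runas spec; None for user names or junk.

    int() accepts a sign and leading zeros, so '#-0001' and '#004294967295'
    normalize to the same values as '#-1' and '#4294967295'.
    """
    if not spec.startswith("#"):
        return None
    try:
        return int(spec[1:], 10)
    except ValueError:
        return None


def is_cve_2019_14287_attempt(spec):
    return uid_spec_value(spec) in BYPASS_UIDS


def scan(lines):
    """(index, runas spec) for every line whose runas uid normalizes to -1."""
    out = []
    for i, line in enumerate(lines):
        spec = parse_runas_user(line)
        if spec is not None and is_cve_2019_14287_attempt(spec):
            out.append((i, spec))
    return out


def naive_scan(lines):
    """Literal-string check in the spirit of the first rule version: misses padding."""
    return [i for i, line in enumerate(lines)
            if "USER=#-1 " in line or "USER=#4294967295 " in line]


if __name__ == "__main__":
    print("normalized:", scan(SAMPLE_LINES))      # flags lines 0, 1, 2 and 3
    print("naive:     ", naive_scan(SAMPLE_LINES))  # flags only lines 0 and 1
```

Comparing the parsed integer rather than the string is what closes the padding gap; a string-based Sigma rule has to approximate this with prefix or wildcard matches on the USER field, which is the direction the "USER field" and "0-padding" commits take.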
Florian Roth
52fef7ae10
Merge pull request #468 from 2d4d/lsass_without_exe
remove .exe from lsass
2019-10-14 18:03:13 +02:00
Florian Roth
8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00