Florian Roth
|
71625c54f0
|
Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
|
2021-05-27 16:30:30 +02:00 |
|
Florian Roth
|
d1582944a7
|
fix: dates in new rules
|
2021-05-27 16:30:09 +02:00 |
|
Florian Roth
|
d5e8d1153f
|
fix: missing condition
|
2021-05-27 15:04:13 +02:00 |
|
Florian Roth
|
a80c29a7c2
|
Merge pull request #1491 from w0rk3r/patch-1
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
|
2021-05-27 12:52:14 +02:00 |
|
Florian Roth
|
059e669ac6
|
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
|
2021-05-27 12:51:54 +02:00 |
|
Florian Roth
|
3cd2730a26
|
rule: process hacker priv esc
|
2021-05-27 12:49:54 +02:00 |
|
Florian Roth
|
adbdb5b22f
|
Merge branch 'master' into falsepositives_NOT_a_list
|
2021-05-27 10:23:19 +02:00 |
|
frack113
|
2a68700991
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:43:08 +02:00 |
|
frack113
|
30cc64a349
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:41:19 +02:00 |
|
frack113
|
e4c32c353a
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:39:16 +02:00 |
|
frack113
|
a878f3b0a5
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:36:47 +02:00 |
|
frack113
|
cbce61bc8c
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:34:46 +02:00 |
|
frack113
|
8d8df10687
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:31:57 +02:00 |
|
frack113
|
ce53a5a67b
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:30:00 +02:00 |
|
frack113
|
417da3ac95
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:28:06 +02:00 |
|
frack113
|
f0d1c9aa7d
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:26:08 +02:00 |
|
frack113
|
788ebbafdc
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:20:29 +02:00 |
|
Florian Roth
|
a5fe7af25f
|
Cobalt Strike Service Installation
|
2021-05-26 18:05:38 +02:00 |
|
Jonhnathan
|
1b32a5c0f3
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:59:54 -03:00 |
|
Jonhnathan
|
93087d2130
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:59:35 -03:00 |
|
Jonhnathan
|
d3afed53ac
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:59:04 -03:00 |
|
Jonhnathan
|
7007287832
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:58:23 -03:00 |
|
Jonhnathan
|
2e139b4264
|
Update win_protected_storage_service_access.yml
|
2021-05-22 00:57:25 -03:00 |
|
Jonhnathan
|
085218b25a
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:57:01 -03:00 |
|
Jonhnathan
|
3fb5f1c47e
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:56:32 -03:00 |
|
Jonhnathan
|
943e2c8c88
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:56:03 -03:00 |
|
Jonhnathan
|
9765fcbd0c
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:55:29 -03:00 |
|
Jonhnathan
|
e23147111b
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:54:57 -03:00 |
|
frack113
|
1e2f7c7abf
|
Fix falsepositives list
|
2021-05-21 12:35:37 +02:00 |
|
Florian Roth
|
a0efd7a4dc
|
Merge pull request #1494 from Karneades/patch-1
Add keyword WinRM to remote powershell rules
|
2021-05-21 10:35:18 +02:00 |
|
Andreas Hunkeler
|
d8ec5fa6af
|
Add modified field in WinRM rule
|
2021-05-21 09:28:45 +02:00 |
|
Florian Roth
|
a30391f3b4
|
Merge pull request #1495 from SigmaHQ/rule-devel
rule refactoring: Cobalt Strike service start
|
2021-05-20 17:43:29 +02:00 |
|
Andreas Hunkeler
|
b46f65965d
|
Add keyword WinRM to remote powershell network rule
|
2021-05-20 17:02:17 +02:00 |
|
Florian Roth
|
ebac8a098f
|
rule refactoring: Cobalt Strike service start
|
2021-05-20 10:05:12 +02:00 |
|
Jonhnathan
|
1cf7bb5735
|
Add Hex equivalent of WriteData
|
2021-05-19 10:27:20 -03:00 |
|
frack113
|
cccfb3e59e
|
file_event is a category
|
2021-05-12 09:05:52 +02:00 |
|
Florian Roth
|
7d7f8c90ec
|
Merge pull request #1443 from icthieves/patch-3
Update win_scm_database_privileged_operation.yml
|
2021-05-11 15:00:20 +02:00 |
|
Florian Roth
|
980ea97217
|
Merge pull request #1444 from icthieves/patch-2
Update win_scm_database_handle_failure.yml
|
2021-05-11 15:00:09 +02:00 |
|
Florian Roth
|
384f40aa5b
|
Merge pull request #1464 from d4rk-d4nph3/master
Added rule for Moriya rootkit
|
2021-05-06 18:15:53 +02:00 |
|
Florian Roth
|
453fa0f299
|
Update win_moriya_rootkit.yml
|
2021-05-06 15:24:21 +02:00 |
|
Florian Roth
|
79c11a5cba
|
Update win_moriya_rootkit.yml
|
2021-05-06 14:59:28 +02:00 |
|
Bhabesh Rai
|
e5f95cac0c
|
Added rule for Moriya rootkit
|
2021-05-06 17:29:20 +05:45 |
|
phantinuss
|
254a3bb122
|
new rules detecting the creation of a local hidden user
|
2021-05-05 15:12:07 +02:00 |
|
Ian Thieves
|
65294d97c4
|
Update win_scm_database_handle_failure.yml
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43
Query should match where SubjectLogonID != "0x3e4"
|
2021-04-26 11:28:16 -07:00 |
|
Ian Thieves
|
8efa10465e
|
Update win_scm_database_privileged_operation.yml
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43
Query should match where SubjectLogonID != "0x3e4"
|
2021-04-26 11:25:16 -07:00 |
|
Florian Roth
|
c7ce9154d1
|
Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
|
2021-04-23 16:52:25 +02:00 |
|
Josh Brower
|
dfc1218e6a
|
false positive - added Azure AD Connect
|
2021-04-20 08:24:38 -04:00 |
|
Josh Brower
|
2486a85a1f
|
Added MS Threat Docs for 4616 to references
|
2021-04-19 08:15:42 -04:00 |
|
Florian Roth
|
7039209a7a
|
Merge pull request #1425 from SigmaHQ/rule-devel
refactor: tightened filter
|
2021-04-19 11:32:02 +02:00 |
|
Florian Roth
|
53c6a7c54e
|
refactor: tightened filter
|
2021-04-19 09:30:32 +02:00 |
|