Commit Graph

2950 Commits

Author SHA1 Message Date
j91321
c784adb10b Wrong indentation falsepositives 2020-03-24 19:55:41 +01:00
j91321
98a633e54c Add missing status and falsepositives 2020-03-24 19:53:41 +01:00
j91321
3c74d8b87d Add correct Source to detection to avoid FP 2020-03-24 19:49:24 +01:00
j91321
bc442d3021 Add path with lowercase system32 2020-03-24 19:48:24 +01:00
j91321
78bfa950d7 Add WinPrvSE.exe to detection 2020-03-24 19:47:10 +01:00
Thomas Patzke
5ea623506f
Merge pull request #667 from opflep/master
Upgrade CarbonBlack backend
2020-03-22 00:24:57 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
Devel
2020-03-19 18:36:31 +01:00
vunx2
be6519e35d merge 2020-03-19 11:07:39 +07:00
vunx2
1025930e04 merge 2020-03-19 11:05:52 +07:00
vunx2
c627f6b381 merge 2020-03-19 11:02:10 +07:00
vunx2
2107d86900 merge 2020-03-19 10:58:30 +07:00
vunx2
f3e642f340 merge 2020-03-19 10:54:48 +07:00
vunx2
b9e9408d34 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-03-19 10:51:37 +07:00
vunx2
0356178c50 eventdict 2020-03-19 10:49:40 +07:00
vunx2
1b12a6b261 modified: tools/sigma/backends/carbonblack.py 2020-03-19 09:00:24 +07:00
vunx2
e228d42b97 clean IP subnet 2020-03-18 16:49:44 +07:00
vunx2
1df5620a14 fix cleanValue + leading wildcard + EventID Intergration 2020-03-18 16:02:44 +07:00
Florian Roth
8454f60a8e fix: reduced level due to false positives 2020-03-17 20:40:28 +01:00
Florian Roth
4fb42ffaf7 docs: changed wording in license 2020-03-17 20:38:42 +01:00
neu5ron
b575df8cd7 use the taxonomy for http response which is sc-status 2020-03-14 15:02:33 -04:00
neu5ron
4cd99e71bf use the taxonomy which states to use c-uri instead of c-uri-path 2020-03-14 15:02:06 -04:00
neu5ron
4c94906d53 rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger 2020-03-14 15:00:42 -04:00
neu5ron
4b572f3ccb newline in description - typo 2020-03-14 14:58:58 -04:00
neu5ron
d212d43acf spelling 2020-03-14 14:58:25 -04:00
neu5ron
58ac26e531 more ECS to sigmac taxonomy for web/proxy 2020-03-14 14:57:38 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues 2020-03-09 17:43:16 +01:00
Florian Roth
8a2033aaf9
Merge pull request #657 from EccoTheFlintstone/fix_registry
sysmon registry events fix
2020-03-09 17:38:58 +01:00
ecco
2489b8534c sysmon registry events fix 2020-03-09 12:02:04 -04:00
Florian Roth
c4671f2225 docs: coverage illustration 2020-03-08 13:06:35 +01:00
msec1203
f833407265
Initial upload 2020-03-08 19:06:10 +09:00
Florian Roth
3c3917c1d5
Merge pull request #654 from Neo23x0/devel
Minor changes
2020-03-07 11:20:45 +01:00
Florian Roth
ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
Florian Roth
54d3706a7f docs: removed outdated section from info graphic 2020-03-07 11:05:53 +01:00
Florian Roth
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1
MMC Lateral Movement Rule 1
2020-03-07 11:02:16 +01:00
Florian Roth
2e184382f5
fix: eventid in process_creation rules 2020-03-07 10:43:47 +01:00
Florian Roth
60279c7501
Merge pull request #610 from axi0m/patch-1
Update proxy_raw_paste_service_access.yml
2020-03-07 10:39:56 +01:00
Florian Roth
7e8b59abe6
Merge pull request #643 from grumo35/patch-2
Update sysmon_cred_dump_tools_dropped_files.yml
2020-03-07 10:39:35 +01:00
Florian Roth
c609de4f27
Merge pull request #648 from NVISO-BE/patch-azure-ad-replication
Exclude Azure AD sync accounts from AD Replication rule
2020-03-07 10:39:04 +01:00
Florian Roth
b040c129be
fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA)
ae56db97ff
mmc lateral movement detection 1
see https://github.com/Neo23x0/sigma/issues/576
2020-03-04 14:57:41 -05:00
Florian Roth
02d256b3b6
Merge pull request #651 from EccoTheFlintstone/fix_sysmon_registry
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 20:25:11 +01:00
ecco
b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8 fix avoiding FPs with MpCmdRun
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
2020-03-03 11:16:59 +01:00
Florian Roth
7139bfb0cb fix: avoiding FPs with Citrix software
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
2020-03-03 11:01:42 +01:00
vunx2
b070ffab74 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-03-03 10:08:31 +07:00