Florian Roth
|
d35b6c0353
|
Backup catalog deletion rule
|
2017-05-12 23:00:56 +02:00 |
|
Florian Roth
|
b7837d4cdb
|
Fixed WannaCrypt rule
|
2017-05-12 22:32:40 +02:00 |
|
Florian Roth
|
1ab3c746c1
|
Merge branch 'master' of https://github.com/Neo23x0/sigma
|
2017-05-12 21:59:43 +02:00 |
|
Florian Roth
|
5cdb2b013b
|
WannaCrypt Ransomware
|
2017-05-12 21:57:53 +02:00 |
|
Florian Roth
|
0b541b2689
|
Suspicious Windows Process Creations Update
|
2017-05-12 21:55:30 +02:00 |
|
Thomas Patzke
|
300dbe8f3e
|
Fixed condition
AND has higher precedence than OR.
|
2017-05-09 23:12:02 +02:00 |
|
Florian Roth
|
565c51e5be
|
Removed "1 of" expression (no bug, but cleaner)
|
2017-05-09 22:58:42 +02:00 |
|
Florian Roth
|
a6678e199b
|
Microsoft Malware Protection Engine Crash - ref CVE-2017-0290
|
2017-05-09 22:46:57 +02:00 |
|
Florian Roth
|
96deef7d34
|
Updated sigma signature
|
2017-05-08 21:25:07 +02:00 |
|
Florian Roth
|
16ac2337a4
|
Suspicious DNS Server Config Error - Sysmon Rule
|
2017-05-08 13:39:50 +02:00 |
|
Florian Roth
|
75e58b8142
|
Bugfix and date
|
2017-05-08 13:10:40 +02:00 |
|
Florian Roth
|
263c98a2c8
|
Suspicious DNS Server Config Error - ServerLevelPluginDLL issue
|
2017-05-08 13:09:50 +02:00 |
|
Florian Roth
|
f66085b198
|
Added eventlog source DNS Server to configs
|
2017-05-08 13:09:17 +02:00 |
|
Florian Roth
|
c7cc2a00d3
|
WScript/CScript Dropper
|
2017-05-05 17:30:46 +02:00 |
|
Florian Roth
|
004fed24e0
|
Linux Generic Rules
|
2017-05-02 20:32:38 +02:00 |
|
Florian Roth
|
dc4ae35be1
|
Schtasks frequency - minute
|
2017-04-28 17:03:35 +02:00 |
|
Thomas Patzke
|
05e9d1e1e9
|
Check if aggregation is present in BaseBackend
Caused NotImplementedError in ElasticsearchQueryStringBackend.
|
2017-04-17 00:11:20 +02:00 |
|
Florian Roth
|
a5c3f424c1
|
regsvr32 Anomalies
|
2017-04-16 12:02:29 +02:00 |
|
Florian Roth
|
769156a83b
|
Minor fix > list to single value
|
2017-04-16 12:01:03 +02:00 |
|
Florian Roth
|
30163939f3
|
Fix: Rule identifier in EQGRP C2 rule
|
2017-04-15 23:32:56 +02:00 |
|
Florian Roth
|
8363b25888
|
Suspicious Control Panel DLL Load
|
2017-04-15 23:32:26 +02:00 |
|
Florian Roth
|
a0ee92a5c3
|
Equation group C2 server in firewall log rule
|
2017-04-15 11:32:56 +02:00 |
|
Florian Roth
|
37449e2c5d
|
Fix: Search to log source in network rule
|
2017-04-15 11:32:38 +02:00 |
|
Florian Roth
|
89e43c1059
|
Improved MSHTA rule
|
2017-04-13 09:25:34 +02:00 |
|
Florian Roth
|
d66c97921f
|
Bugfix in rule
|
2017-04-13 01:22:03 +02:00 |
|
Florian Roth
|
059cfbf15a
|
Removed duplicate
|
2017-04-13 01:21:46 +02:00 |
|
Florian Roth
|
c2ed7bd9df
|
MSHTA Rule v1
|
2017-04-13 01:08:37 +02:00 |
|
Florian Roth
|
64caa8aedc
|
Merge pull request #31 from neu5ron/patch-4
Create win_alert_ad_user_backdoors.yml
|
2017-04-13 01:07:41 +02:00 |
|
Florian Roth
|
1e4d563a4d
|
Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving
improved win_pass_the_hash.yml rule
|
2017-04-13 01:05:09 +02:00 |
|
Florian Roth
|
75a0a2c4bb
|
Merge pull request #27 from benno001/patch-1
Added field mappings for events with logins
|
2017-04-13 01:04:20 +02:00 |
|
Nate Guagenti
|
53313d45be
|
Create win_alert_ad_user_backdoors.yml
|
2017-04-12 16:15:41 -04:00 |
|
Florian Roth
|
a5297b1f29
|
Equation Group Script/Tool Commands
|
2017-04-09 20:11:56 +02:00 |
|
Florian Roth
|
abb01cc264
|
Rule: PowerShell credential prompt
|
2017-04-09 10:22:04 +02:00 |
|
Florian Roth
|
44bedf9e17
|
Rule: Cloud Hopper WmiExec VBS
|
2017-04-07 17:41:53 +02:00 |
|
Florian Roth
|
92b4a7ad93
|
Added reference
|
2017-04-07 15:42:08 +02:00 |
|
Florian Roth
|
875c187425
|
Merge pull request #29 from neu5ron/patch-2
Create win_alert_active_directory_user_control.yml
|
2017-04-04 18:56:19 +02:00 |
|
yugoslavskiy
|
f83d0e36b8
|
improved win_pass_the_hash.yml rule
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]
[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
|
2017-04-04 02:57:58 +03:00 |
|
Nate Guagenti
|
2bb7d7e6eb
|
Create win_alert_active_directory_user_control.yml
|
2017-04-03 15:58:23 -04:00 |
|
Florian Roth
|
c5b19d5661
|
Merge pull request #28 from neu5ron/patch-1
Create win_alert_enable_weak_encryption.yml
|
2017-04-03 21:27:20 +02:00 |
|
Nate Guagenti
|
85b4efabed
|
Update win_alert_enable_weak_encryption.yml
|
2017-04-03 09:15:52 -04:00 |
|
Nate Guagenti
|
bd63d74776
|
Create win_alert_enable_weak_encryption.yml
kerberoast and enabling weak encryption for password/hash cracking
|
2017-04-03 09:12:58 -04:00 |
|
Florian Roth
|
0650aa3cbe
|
Rule: Suspicious cmd.exe combo with http and AppData
|
2017-04-03 10:41:10 +02:00 |
|
Florian Roth
|
d9e6913c03
|
APT 29 - tor / google update service
|
2017-04-01 10:30:36 +02:00 |
|
Florian Roth
|
43d907791c
|
Rule: APT29 Google Update service install
|
2017-03-31 19:31:13 +02:00 |
|
Florian Roth
|
2657ff7db8
|
Rule: Carbon Paper Framework Service (Turla)
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
|
2017-03-31 19:25:41 +02:00 |
|
Florian Roth
|
919a04666c
|
Improved StoneDrill Rule
|
2017-03-31 19:25:10 +02:00 |
|
Ben de Haan
|
dddb83393d
|
Added field mappings for events with logins
|
2017-03-30 10:49:36 +02:00 |
|
Thomas Patzke
|
f174d861bf
|
Merge pull request #26 from benno001/patch-1
Added LogPoint conditional username mapping
|
2017-03-30 10:46:18 +02:00 |
|
Ben de Haan
|
cb9a9bc2ff
|
Added LogPoint conditional username mapping
Conditional mapping of SubjectAccountName based on EventID. Not a comprehensive list, but should include most relevant Event IDs.
|
2017-03-30 09:51:32 +02:00 |
|
Thomas Patzke
|
298f3413f0
|
Merge branch 'devel-sigmac'
|
2017-03-29 23:34:52 +02:00 |
|