Commit Graph

6093 Commits

Author SHA1 Message Date
Andreas Hunkeler
d8ec5fa6af
Add modified field in WinRM rule 2021-05-21 09:28:45 +02:00
Andreas Hunkeler
93241e7fc6
Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler
b46f65965d
Add keyword WinRM to remote powershell network rule 2021-05-20 17:02:17 +02:00
Andreas Hunkeler
3763e54b99
Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Florian Roth
18bbb2a342
Merge pull request #1490 from frack113/ElasticSearchRuleBackend
FIx ElasticSearchRuleBackend to use uuid instead of title for the rule id
2021-05-18 20:01:25 +02:00
frack113
3b23c18f70 If not null use uuid instead of title for the rule id 2021-05-17 22:12:17 +02:00
Florian Roth
5a3af872d8
Merge pull request #1479 from SigmaHQ/rule-devel
Rule devel, Trademark test
2021-05-15 13:42:34 +02:00
Florian Roth
9b32e72d0b fix: syntax issue 2021-05-15 13:19:12 +02:00
Florian Roth
02bf32ce6c fixed more legal issues 2021-05-15 13:09:08 +02:00
Florian Roth
526ab4f707 feat: trademark test case 2021-05-15 13:02:49 +02:00
Florian Roth
48757423ef rule darkside patterns 2021-05-14 18:06:53 +02:00
Florian Roth
a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth
e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
Florian Roth
3cf1be9e8d rule: exchange vulnerability CVE-2021-28480 2021-05-14 10:08:41 +02:00
Florian Roth
691283616f
Merge pull request #1477 from wagga40/master
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-14 09:00:30 +02:00
Florian Roth
bd81adc998
Merge pull request #1476 from wagga40/master
Change to have raw log in rule results with SQL/SQlite Backends
2021-05-14 08:59:57 +02:00
Florian Roth
30bee7204c
Merge pull request #1475 from wagga40/master
Modified some field values for case sensitive backends (SQL)
2021-05-14 08:59:39 +02:00
Florian Roth
83068416fa
Merge pull request #1458 from P4rtyH4RD/P4rtyH4RD-patch-1-mitre-code
Update powershell_suspicious_getprocess_lsass.yml
2021-05-14 08:59:14 +02:00
Florian Roth
09e32ae02e
Merge pull request #1474 from frack113/Check_category
Check category
2021-05-14 08:58:46 +02:00
wagga40
534898a3ce Resolves #1450 - Bug in es-rule backend when using "-r" argument 2021-05-13 21:47:22 +02:00
wagga40
972f7a562b Updated SQL/SQLite backend tests 2021-05-13 17:51:54 +02:00
wagga40
5e99379803 Change to have raw log in rule results with SQL/SQlite Backends 2021-05-13 15:01:52 +02:00
wagga40
8944ccea04 Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113
cccfb3e59e file_event is a category 2021-05-12 09:05:52 +02:00
frack113
0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113
fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
frack113
ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113
cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
frack113
70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113
026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
Florian Roth
33d9d6876e
Merge pull request #1456 from wagga40/update-sql-backend
Add a backend option to specify table name for SQL Backend
2021-05-11 15:00:39 +02:00
Florian Roth
7d7f8c90ec
Merge pull request #1443 from icthieves/patch-3
Update win_scm_database_privileged_operation.yml
2021-05-11 15:00:20 +02:00
Florian Roth
980ea97217
Merge pull request #1444 from icthieves/patch-2
Update win_scm_database_handle_failure.yml
2021-05-11 15:00:09 +02:00
Florian Roth
3564cf81f9
Merge pull request #1460 from neu5ron/patch-1
[Add Rule] Zeek Suspicious DNS Z Flag Set
2021-05-11 14:59:48 +02:00
Florian Roth
7bc733a3cf
Merge pull request #1473 from frack113/master
Correct the sysmon case-sensitive Key
2021-05-11 14:59:20 +02:00
Florian Roth
b655c25f7a
Merge pull request #1459 from JohnConnorRF/winlogbeat_scriptblock_logging
Add ScriptBlockText to Winlogbeat Configs
2021-05-11 14:59:08 +02:00
Florian Roth
0fcbce9932
Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml
Got Rid of References that are no longer valid.
2021-05-11 14:32:47 +02:00
Florian Roth
85736ad859
Merge pull request #1467 from 2d4d/master
Update av_webshell.yml
2021-05-11 14:32:11 +02:00
frack113
f07c368ae0 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113
c4c720cc30 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113
720dd24814 Correct cast-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
frack113
a1b0dfc0cd Correct cast-sensitive Key "DestinationIp" 2021-05-11 10:49:10 +02:00
Florian Roth
67e807983c
Merge pull request #1470 from SigmaHQ/rule-devel
New CS rule for malformed UAs, FP fixes
2021-05-10 13:40:27 +02:00
Florian Roth
416030a85f rule: cobaltstrike malformed UAs 2021-05-10 12:43:14 +02:00
Florian Roth
fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth
270aedfd62
Merge pull request #1469 from d4rk-d4nph3/master
Added rule for RClone usage for exfiltration
2021-05-10 10:50:35 +02:00
Bhabesh Rai
9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Nate Guagenti
0bee1b006f
fix - add date 2021-05-08 21:37:25 -04:00
Arnim Rupp
b9fc257124 Update av_relevant_files.yml
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
2021-05-09 00:03:47 +02:00
Arnim Rupp
ad3b829f2d Update av_webshell.yml
Added new strings and moved some from startwith to contains.
2021-05-08 08:49:17 +02:00