Commit Graph

5684 Commits

Author SHA1 Message Date
Austin Songer
c0e58d3c27 Update 2021-08-23 23:00:58 +00:00
Austin Songer
29e1ce7e8f Update 2021-08-23 22:50:39 +00:00
Austin Songer
ad892eb239 Update 2021-08-23 22:46:37 +00:00
Austin Songer
84944cf849 Update 2021-08-23 22:30:11 +00:00
Austin Songer
53482b7e9c Update 2021-08-23 22:19:41 +00:00
Austin Songer
754158bfd2 Update 2021-08-23 22:18:12 +00:00
Austin Songer
da69b2f531 Update 2021-08-23 22:09:27 +00:00
Austin Songer
595bd3b80f Updated 2021-08-23 22:07:09 +00:00
Austin Songer
1fa32fcd1a Update 2021-08-23 22:02:47 +00:00
Austin Songer
4ab9519546 Update 2021-08-23 18:59:07 +00:00
Nate Guagenti
b255586117
condition fix and add fields
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
Austin Songer
8e4b8f45dd Update 2021-08-23 18:57:17 +00:00
Austin Songer
a5c551ad61 Merge branch '365' of https://github.com/austinsonger/sigma into 365 2021-08-23 18:55:40 +00:00
Austin Songer
41786a1b63 In-Progress 2021-08-23 18:55:29 +00:00
Nate Guagenti
064d7b7b9f
improve rule logic zeek_default_cobalt_strike_certificate.yml
zeek logging for `certificate.serial` has all letters capitalized
2021-08-23 14:23:41 -04:00
Nate Guagenti
cfc32e5950
correct fields for zeek_rdp_public_listener.yml
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
Nate Guagenti
1819e4b02b
improve rule
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule. Rule said "first" seen, however, there is no logic that matches that (i.e. rare, stacking, etc.)
2021-08-23 14:12:50 -04:00
Nate Guagenti
feb7d0e187
Update zeek_dns_mining_pools.yml 2021-08-23 14:11:04 -04:00
Nate Guagenti
b00e1772b3
added logic and usage
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00
Austin Songer
3d151ef9f1
Update microsoft365_logon_from_risky_ip_address.yml 2021-08-23 12:59:53 -05:00
Austin Songer
23e96712f8
Update microsoft365_data_exfiltration_to_unsanctioned_app.yml 2021-08-23 12:59:44 -05:00
frack113
a04fbe2a99
Merge pull request #1901 from frack113/redcanary
Redcanary Powershell Suspicious Win32_PnPEntity T1120
2021-08-23 19:44:16 +02:00
frack113
07c808d35c
Merge pull request #1902 from neu5ron/patch-2
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 19:43:58 +02:00
Austin Songer
1834324a16 Update 2021-08-23 17:33:57 +00:00
Austin Songer
7d211f2487 Data exfiltration to unsanctioned apps 2021-08-23 17:33:00 +00:00
Austin Songer
f5286905ff
Merge branch 'SigmaHQ:master' into microsoft365 2021-08-23 12:22:58 -05:00
Austin Songer
b52f4ba1c3 Merge branch 'master' of https://github.com/austinsonger/sigma 2021-08-23 17:22:08 +00:00
Austin Songer
3a4c61f44d M365 - Inbox Manipulation Rules 2021-08-23 17:21:27 +00:00
Austin Songer
ae84559488 M365 - Risky IP Addresses 2021-08-23 17:18:16 +00:00
frack113
9d3a13b13e
cleanup 2021-08-23 19:04:01 +02:00
Florian Roth
998ebbe1f3
fix: typo in name 2021-08-23 18:46:05 +02:00
Florian Roth
6b86dacc9e
rule: razor installer 2021-08-23 18:44:15 +02:00
frack113
be316db84d
Merge pull request #1899 from secDre4mer/master
feat: Add rule for malicious CSR export on Exchange
2021-08-23 17:26:16 +02:00
Nate Guagenti
4f8bd4a5a2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
try new uuid to pass check...
2021-08-23 11:24:22 -04:00
Nate Guagenti
6aea58b4d2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 2021-08-23 11:18:51 -04:00
Nate Guagenti
78c667fda1
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
shorten title
2021-08-23 11:15:30 -04:00
Nate Guagenti
96e77eb8db
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 2021-08-23 11:06:44 -04:00
SomeOne
037f33b5e2 Replace by default windows fieldnames 2021-08-23 15:24:48 +02:00
Florian Roth
91b42f9077
fix: indentation 2021-08-23 15:03:59 +02:00
SomeOne
45f30cb2b4 Add fields to event log cleared 2021-08-23 15:00:07 +02:00
frack113
25072e37b3 update references 2021-08-23 13:30:46 +02:00
frack113
33c6ff6b5f add powershell_suspicious_win32_pnpentity 2021-08-23 13:17:35 +02:00
Max Altgelt
82dde594d1
feat: Add rule for malicious CSR export on Exchange 2021-08-23 11:20:30 +02:00
frack113
52595de85e
Merge pull request #1889 from rachelrice/update_aws_rules
Update AWS CloudTrail rules
2021-08-23 11:14:31 +02:00
Florian Roth
a0f72e5f6f
rule: suspicious splwow64 process starts 2021-08-23 10:41:42 +02:00
Florian Roth
dc3ed771b5
rule: EfsPotato Named Pipe 2021-08-23 08:32:50 +02:00
frack113
fc9666fb4e
Merge pull request #1896 from ZikyHD/fix_old_technics
Replace old MITRE techniques with new ones
2021-08-22 18:56:08 +02:00
frack113
0a410010a2
Merge pull request #1877 from frack113/red_back
Add t1546 redcanary rules
2021-08-22 18:50:58 +02:00
SomeOne
295054dcbe Replace old MITRE techniques with new ones 2021-08-22 13:57:56 +02:00
frack113
064c65cb1f
Merge pull request #1892 from frack113/clean_PS
Powershell Cleanup
2021-08-21 18:04:52 +02:00
frack113
07a87aa7f8
Merge pull request #1858 from frack113/fix_pr718
Replace pr718
2021-08-21 18:02:30 +02:00
frack113
a44206bfa0
Some cleanup 2021-08-21 17:33:39 +02:00
pbssubhash
eee497f656 Title modification 2021-08-21 20:04:03 +05:30
pbssubhash
a415463f5b Modified rule 2021-08-21 19:37:28 +05:30
pbssubhash
fba54b8d69 First Rule commit 2021-08-21 17:47:56 +05:30
frack113
42c90b9d20 fix powershell_psattack error 2021-08-21 10:05:47 +02:00
frack113
2f683b9ab7 fix powershell_clear_powershell_history error 2021-08-21 10:00:48 +02:00
frack113
0fb6c35b1f Cleanup PS rules 2021-08-21 09:58:58 +02:00
frack113
da839775fe Update PS rules 2021-08-21 09:50:59 +02:00
frack113
6c529f7ab2 Update PS rules 2021-08-21 09:33:52 +02:00
frack113
cb95582077 Update PowerShell rule 2021-08-21 09:08:38 +02:00
frack113
dbbb422a42
Merge pull request #1885 from austinsonger/microsoft365_unusual_volume_of_file_deletion.yml
microsoft365_unusual_volume_of_file_deletion.yml
2021-08-20 17:20:43 +02:00
frack113
34ac3587e9
Merge pull request #1884 from austinsonger/microsoft365_potential_ransomware_activity.yml
microsoft365_potential_ransomware_activity.yml
2021-08-20 17:20:34 +02:00
frack113
73fee68d4b
Merge pull request #1883 from austinsonger/microsoft365_user_restricted_from_sending_email.yml
microsoft365_user_restricted_from_sending_email.yml
2021-08-20 17:20:22 +02:00
frack113
b9a355e3f4
cleanup falsepositives 2021-08-20 17:18:32 +02:00
Florian Roth
b92346ba5f
Merge pull request #1882 from austinsonger/win_susp_bitstransfer.yml
win_susp_bitstransfer.yml
2021-08-20 16:53:52 +02:00
Florian Roth
ecd0bb4576
Merge pull request #1890 from frack113/update_conti_ref
update ref from conti_leak
2021-08-20 16:53:12 +02:00
Florian Roth
700b8e440f
Merge pull request #1868 from d4rk-d4nph3/master
Added rule for zero day CVE-2021-22123 in Fortinet WAFs
2021-08-20 16:52:49 +02:00
Rachel Rice
f037f5b0a9
Add filter3 back for vm export failure, without consolelogin
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2021-08-20 15:42:49 +01:00
Austin Songer
a25f6e196f
Update microsoft365_unusual_volume_of_file_deletion.yml 2021-08-20 08:17:25 -05:00
Austin Songer
360b936357
Update microsoft365_potential_ransomware_activity.yml 2021-08-20 08:17:09 -05:00
Austin Songer
ae36804935
Update microsoft365_user_restricted_from_sending_email.yml 2021-08-20 08:16:48 -05:00
Rachel Rice
f09b3ea4b1
Update AWS CloudTrail rules
aws_ec2_disable_encryption.yml
Remove `status: success` from selection criteria, not required

aws_ec2_vm_export_failure.yml
Remove filter3:
```
eventName: 'ConsoleLogin'
responseElements|contains: 'Failure'
```
Incompatible with selection criteria `eventName: 'CreateInstanceExportTask'`

aws_ec2_download_userdata.yml, aws_iam_backdoor_users_keys.yml, aws_rds_change_master_password.yml, aws_rds_public_db_restore.yml
Update reference

aws_sts_assumedrole_misuse.yml
Rename to aws_sts_assumerole_misuse.yml
Update references to "AssumedRole" to "AssumeRole"
Update selection criteria of `userIdentity.sessionContext: Role` to `userIdentity.sessionContext.sessionIssuer.type: Role`
2021-08-20 13:43:00 +01:00
frack113
7ebd411190 update ref from conti_leak 2021-08-20 14:22:17 +02:00
frack113
4e29dc9c45
fix title 2021-08-20 09:06:16 +02:00
frack113
9b106dcc7d
Merge pull request #1880 from austinsonger/azure_suppression_rule_created.yml
azure_suppression_rule_created.yml
2021-08-20 09:04:48 +02:00
frack113
d58b1e8e40
Merge pull request #1879 from austinsonger/azure_application_gateway_modified_or_deleted.yml
azure_application_gateway_modified_or_deleted.yml
2021-08-20 09:03:57 +02:00
frack113
4b08aac47f
Merge pull request #1878 from austinsonger/azure_application_security_group_modified_or_deleted.yml
azure_application_security_group_modified_or_deleted.yml
2021-08-20 09:01:39 +02:00
Austin Songer
853c2eb41d
Update microsoft365_potential_ransomware_activity.yml 2021-08-20 01:19:01 -05:00
Austin Songer
f745593e80
Update microsoft365_potential_ransomware_activity.yml 2021-08-20 00:33:42 -05:00
Austin Songer
42fbc0cbfc
Update aws_eks_cluster_created_or_deleted.yml 2021-08-19 23:13:35 -05:00
Austin Songer
bcb43cf728
Update aws_eks_cluster_created_or_deleted.yml 2021-08-19 23:13:06 -05:00
Austin Songer
b89910a38a
Update aws_eks_cluster_created_or_deleted.yml 2021-08-19 23:09:38 -05:00
frack113
f882ebda35
fix status 2021-08-20 06:08:28 +02:00
Austin Songer
54bda90685
Create microsoft365_user_restricted_from_sending_email.yml 2021-08-19 23:08:25 -05:00
Austin Songer
9b19190ea7
Create microsoft365_potential_ransomware_activity.yml 2021-08-19 23:05:05 -05:00
Austin Songer
99fbd4ef44
Create microsoft365_unusual_volume_of_file_deletion.yml 2021-08-19 23:00:23 -05:00
Austin Songer
fe0e1353e0
Update win_susp_bitstransfer.yml 2021-08-19 22:24:23 -05:00
Austin Songer
810aae5ddd
Update aws_eks_cluster_created_or_deleted.yml 2021-08-19 21:58:36 -05:00
Austin Songer
8d57ae5ffd
Create win_susp_bitstransfer.yml 2021-08-19 21:57:37 -05:00
Austin Songer
0a3e57cc12 Update 2021-08-20 02:10:32 +00:00
Austin Songer
842ade16be Forgot to add my username to some of the rules. 2021-08-20 02:09:31 +00:00
Austin Songer
9a83836070
Update aws_eks_cluster_created_or_deleted.yml 2021-08-19 21:00:36 -05:00
Austin Songer
6ae62488b3
Merge branch 'SigmaHQ:master' into azure_application_gateway_modified_or_deleted.yml 2021-08-19 20:32:35 -05:00
Austin Songer
d2f87feb7b
Merge branch 'SigmaHQ:master' into azure_application_security_group_modified_or_deleted.yml 2021-08-19 20:31:48 -05:00
frack113
0103b148f7
Merge pull request #1876 from rachelrice/update_cloudtrail_rules
Update AWS CloudTrail rules
2021-08-19 18:33:07 +02:00
frack113
23ad8cd14e remove bad rules 2021-08-19 18:30:32 +02:00
frack113
3283664154 Update remove useless rules 2021-08-19 18:28:44 +02:00
frack113
f1a84536c3 update fix 2021-08-19 17:55:41 +02:00
frack113
39617c9807
Merge pull request #1865 from austinsonger/azure_keyvault_secrets_modified_or_deleted.yml
add azure_keyvault_secrets_modified_or_deleted.yml
2021-08-19 17:06:28 +02:00
frack113
600c6233c2
Merge pull request #1874 from gs3cl/patch-1
Update win_nltest_query.yml
2021-08-19 16:18:20 +02:00
frack113
78212546a7
Merge pull request #1869 from frack113/redcanary_T1546.013
powershell_trigger_profiles T1546.013
2021-08-19 16:17:53 +02:00
frack113
90c9c08743 fix title 2021-08-19 16:09:31 +02:00
Austin Songer
cc51e054e3
Update azure_keyvault_secrets_modified_or_deleted.yml 2021-08-19 09:04:22 -05:00
frack113
89b6e1108b powershell_wmi_persistence fix errors 2021-08-19 15:42:19 +02:00
frack113
1266a66a8d add powershell_wmi_persistence.yml 2021-08-19 15:37:28 +02:00
Rachel Rice
67020bb0ff
Update AWS CloudTrail rules
aws_elasticache_security_group_created.yml
aws_elasticache_security_group_modified_or_deleted.yml
Removed spaces from eventNames

aws_s3_data_management_tampering.yml
Fix typo in title, use s3 as eventSource

aws_snapshot_backup_exfiltration.yml
Use ec2 as eventSource
2021-08-19 14:24:43 +01:00
frack113
08af3a9429
Cleanup errors 2021-08-19 15:20:04 +02:00
frack113
60931d09b9
fix title error 2021-08-19 14:24:54 +02:00
gs3cl
bf9ac21ebc
Update win_nltest_recon.yml
change "startswith" to "contains"
2021-08-19 14:12:00 +02:00
frack113
b4a029ac3c Add win_susp_screensaver_reg.yml 2021-08-19 13:55:09 +02:00
Florian Roth
0c6db48ceb
Update web_fortinet_cve_2021_22123_exploit.yml 2021-08-19 08:27:15 +02:00
gs3cl
df829f0d45
Update and rename win_nltest_query.yml to win_nltest_recon.yml
changes based on feedback added

Update and rename win_nltest_query.yml to win_nltest_recon.yml
2021-08-19 08:26:33 +02:00
Florian Roth
459a0bdca1
Merge pull request #1870 from frack113/fix_fp_Renamed_Powershell
Fix some false positives in renamed powershell
2021-08-19 08:23:51 +02:00
gs3cl
92b72ffdc1
Update win_nltest_query.yml
modification based on new reports

1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
-> for (selection_recon1 and selection_recon2)
2. https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters -> nltest example
3. MITRE reference just for reference to MITRE to gain more insights
4. https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
-> new report about Trickbot with reference and usage of "nltest", therefore I included the option in this rule
2021-08-18 20:45:18 +00:00
Austin Songer
c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
Austin Songer
36406d5781 Fixed Spelling 2021-08-18 18:53:28 +00:00
Florian Roth
39ef3e0df9
Merge pull request #1872 from SigmaHQ/rule-devel
fix: FPs with WMIADAP.exe
2021-08-18 19:26:17 +02:00
frack113
c7d697e720
Merge pull request #1864 from austinsonger/azure_key_vault_modified_or_deleted.yml
azure_keyvault_modified_or_deleted.yml
2021-08-18 18:30:20 +02:00
frack113
e7132a8498
Merge pull request #1863 from austinsonger/azure_vault_key_modified_or_deleted.yml
azure_keyvault_key_modified_or_deleted.yml
2021-08-18 18:28:46 +02:00
frack113
768855e6d6
update modified after FP fix 2021-08-18 18:17:53 +02:00
Florian Roth
44013e25c8
fix: FPs with WMIADAP.exe 2021-08-18 17:26:57 +02:00
frack113
2d05eda1be fix ContextInfo FP 2021-08-18 15:18:29 +02:00
frack113
48d0846b53 add powershell_trigger_profiles 2021-08-18 14:29:50 +02:00
frack113
6a282ad24a fix many FP 2021-08-18 13:56:14 +02:00
Bhabesh Rai
8d9f2e059a Added rule for zero day CVE-2021-22123 in Fortinet WAFs 2021-08-18 17:28:57 +05:45
Florian Roth
efcf1d9019
Merge pull request #1867 from SigmaHQ/rule-devel
fix: FPs with [reflection.assembly]::Load
2021-08-18 11:42:47 +02:00
Florian Roth
a2e45353aa
Merge pull request #1825 from frack113/iis_ProxyLogon
rule: ProxyLogon web_cve_2021_26858_iis_rce.yml
2021-08-18 09:54:15 +02:00
Florian Roth
66c674e8e8
Merge pull request #1837 from phantinuss/master
generalise amsi bypass rule to CobaltStrike BOF injection pattern
2021-08-18 09:53:21 +02:00
Florian Roth
5fa5a412d5
fix: FPs with [reflection.assembly]::Load 2021-08-18 09:49:34 +02:00
Austin Songer
309e71491b
Update azure_keyvault_key_modified_or_deleted.yml 2021-08-17 08:44:39 -05:00
Austin Songer
23d0477120
Update azure_keyvault_secrets_modified_or_deleted.yml 2021-08-17 08:42:41 -05:00
Austin Songer
16e0def41d
Update and rename azure_vault_key_modified_or_deleted.yml to azure_keyvault_key_modified_or_deleted.yml 2021-08-17 08:31:22 -05:00
Austin Songer
ecdcd8f843
Rename azure_key_vault_modified_or_deleted.yml to azure_keyvault_modified_or_deleted.yml 2021-08-17 08:30:10 -05:00
Austin Songer
49ab7d7bb6
Merge branch 'SigmaHQ:master' into azure_application_gateway_modified_or_deleted.yml 2021-08-17 08:29:18 -05:00
Austin Songer
8a7d9d23f5
Merge branch 'SigmaHQ:master' into azure_application_security_group_modified_or_deleted.yml 2021-08-17 08:29:15 -05:00
Austin Songer
f0ef01ae09
Merge branch 'SigmaHQ:master' into azure_key_vault_modified_or_deleted.yml 2021-08-17 08:29:12 -05:00
Austin Songer
a01d8cc2fe
Merge branch 'SigmaHQ:master' into azure_keyvault_secrets_modified_or_deleted.yml 2021-08-17 08:29:09 -05:00
Florian Roth
a0625ad074
Merge branch 'master' into rule-devel 2021-08-17 12:29:55 +02:00
Florian Roth
9684c4e55f
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-17 12:03:54 +02:00
Florian Roth
80b3acfce9
fix: false positive with Xen / Oracle scripts 2021-08-17 12:03:49 +02:00
Austin Songer
9986515b59
Update azure_suppression_rule_created.yml 2021-08-17 00:04:11 -05:00
Austin Songer
84e96d5b4f
Create azure_suppression_rule_created.yml 2021-08-17 00:04:00 -05:00
Austin Songer
1fcc1701b7
Create azure_keyvault_secrets_modified_or_deleted.yml 2021-08-16 23:54:57 -05:00
Austin Songer
7abceb07ce
Create azure_vault_key_modified_or_deleted.yml 2021-08-16 23:50:56 -05:00
Austin Songer
758293e2f9
Delete azure_application_security_group_modified_or_deleted.yml 2021-08-16 23:42:15 -05:00
Austin Songer
824d64a9ce
Create azure_key_vault_modified_or_deleted.yml 2021-08-16 23:41:43 -05:00
Austin Songer
3c8f27ba76
Create azure_application_security_group_modified_or_deleted.yml 2021-08-16 23:31:45 -05:00
Austin Songer
144cfcb016
Create azure_application_gateway_modified_or_deleted.yml 2021-08-16 23:30:30 -05:00
frack113
63733a623e
Merge pull request #1861 from austinsonger/aws_eks_cluster_modified_or_deleted.yml
aws_eks_cluster_created_or_deleted.yml
2021-08-17 06:25:18 +02:00
frack113
2521ae2ed1
Merge pull request #1859 from austinsonger/gcp_vpn_tunnel_modified_or_deleted.yml
gcp_vpn_tunnel_modified_or_deleted.yml
2021-08-17 06:24:49 +02:00
frack113
e098fc73cb
add keywords condition 2021-08-17 06:24:04 +02:00
frack113
accb675ed5
fix error space 2021-08-16 20:36:55 +02:00
Austin Songer
80062ff5cd
Update aws_eks_cluster_created_or_deleted.yml 2021-08-16 12:42:14 -05:00
Austin Songer
cfb863a98e
Update aws_eks_cluster_created_or_deleted.yml 2021-08-16 11:52:22 -05:00
frack113
06840be3e7 fix author 2021-08-16 18:46:25 +02:00
frack113
dfd9e6d8f0
Merge pull request #1857 from frack113/fix_HostApplication
Update definition for powershell-classic rule
2021-08-16 17:18:24 +02:00
frack113
eb406ba36f
Merge pull request #1844 from frack113/cleanup
Add more compliance test
2021-08-16 17:17:25 +02:00
Austin Songer
ed507b82f4
Update and rename aws_eks_cluster_modified_or_deleted.yml to aws_eks_cluster_created_or_deleted.yml 2021-08-16 09:58:48 -05:00
Austin Songer
c7831a3d70
Update gcp_vpn_tunnel_modified_or_deleted.yml 2021-08-16 09:45:31 -05:00
Florian Roth
d2790f2450
fix: missing "|all" modifier 2021-08-16 16:14:48 +02:00
frack113
e1b99db149
fix duplicate uuid 2021-08-16 15:50:14 +02:00
Florian Roth
669308a37a
Merge pull request #1855 from frack113/coti_sqlcmd
Rule to detect Coti sqlcmd
2021-08-16 14:27:24 +02:00
Florian Roth
141ca03c9b
Merge pull request #1853 from secDre4mer/contileak
feat: Add some rules to detect Conti behaviour
2021-08-16 14:18:43 +02:00
Florian Roth
3028eb68b6
refactoring: procdump rules 2021-08-16 13:55:00 +02:00
frack113
911579023c fix powershell_alternate_powershell_hosts.yml 2021-08-16 13:30:45 +02:00
frack113
2dbf9af27d add definition to powershell-classic 2021-08-16 12:56:24 +02:00
frack113
fda11e3608 fix very bad cut and paste 2021-08-16 11:22:50 +02:00
frack113
a861f55e5c fix title 2021-08-16 11:15:32 +02:00
frack113
a70607bce7 add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00
Florian Roth
79bc89b344
rule: av hacktool events 2021-08-16 10:57:03 +02:00
Florian Roth
f8bedfa759
docs: added link to leak file on VT 2021-08-16 10:12:35 +02:00
frack113
dc9bb22a00
fix duplicate id 2021-08-16 09:29:22 +02:00
Max Altgelt
78e2c0da92
fix: Clean up duplicated ID 2021-08-16 09:26:45 +02:00
frack113
fb80b35141
fix condition 2021-08-16 09:21:38 +02:00
frack113
5b09dff1fb
cleanup win_malware_conti_shadowcopy.yml 2021-08-16 09:21:04 +02:00
frack113
ed424c55c8
fix selection 2021-08-16 09:20:25 +02:00
frack113
26d632bf05
fix condition 2021-08-16 09:19:46 +02:00
frack113
e8723e892a
clean-up powershell_invoke_nightmare.yml 2021-08-16 09:19:10 +02:00
frack113
f69868b5aa
Merge pull request #1834 from secDre4mer/master
Correct incorrect message / keyword usage
2021-08-16 09:16:33 +02:00
Max Altgelt
5b60e0ea5a
feat: Add some rules to detect Conti behaviour
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
2021-08-16 09:13:51 +02:00
Max Altgelt
d2a35edae9
fix: Remove powershell_alternate_hosts from PR
Remove a rule using Host Application (which may or may not exist,
based on the log parser) from the PR. A future PR will clean up
rules using Host Application.
2021-08-16 08:42:17 +02:00
frack113
c57ded1ecd
Merge pull request #1852 from austinsonger/gcp_dns_zone_modified_or_deleted.yml
gcp_dns_zone_modified_or_deleted.yml
2021-08-16 07:37:28 +02:00
frack113
d710818eb2
Merge pull request #1851 from austinsonger/gcp_dlp_re-identifies_sensitive_information.yml
gcp_dlp_re-identifies_sensitive_information.yml
2021-08-16 07:37:02 +02:00
frack113
0973c51ef5
Merge pull request #1850 from austinsonger/aws_efs_fileshare_modified_or_deleted.yml
aws_efs_fileshare_modified_or_deleted.yml
2021-08-16 07:36:43 +02:00
frack113
37b8040e76
cleanup gcp_dlp_re-identifies_sensitive_information
Remove list with only 1 value
2021-08-16 06:28:40 +02:00
Austin Songer
ae12f1f328
Update gcp_dlp_re-identifies_sensitive_information.yml 2021-08-15 22:57:54 -05:00
Austin Songer
2524adc6ca
Update aws_efs_fileshare_mount_modified_or_deleted.yml 2021-08-15 22:54:11 -05:00
Austin Songer
fb117d5714
Update aws_efs_fileshare_mount_modified_or_deleted.yml 2021-08-15 22:52:53 -05:00
Austin Songer
5a22d07392
Update aws_efs_fileshare_modified_or_deleted.yml 2021-08-15 22:52:41 -05:00
Austin Songer
ebf2b7a313
Update aws_efs_fileshare_modified_or_deleted.yml 2021-08-15 22:49:01 -05:00
Austin Songer
85dc62070b
Update gcp_dlp_re-identifies_sensitive_information.yml 2021-08-15 16:02:12 -05:00
Austin Songer
219be99847
Update gcp_dns_zone_modified_or_deleted.yml 2021-08-15 16:02:04 -05:00
Austin Songer
e4314aa4b8
Update gcp_dns_zone_modified_or_deleted.yml 2021-08-15 16:01:10 -05:00
Austin Songer
3c770c6e4d
Update gcp_dlp_re-identifies_sensitive_information.yml 2021-08-15 15:55:46 -05:00
Austin Songer
a37ec60f76
Update gcp_dlp_re-identifies_sensitive_information.yml 2021-08-15 15:44:20 -05:00
Austin Songer
dae3d3b446
Update gcp_dlp_re-identifies_sensitive_information.yml 2021-08-15 15:42:15 -05:00
Austin Songer
28f6cbe2b8
Update aws_efs_fileshare_modified_or_deleted.yml 2021-08-15 15:37:07 -05:00
Austin Songer
b5766f8804
Update aws_efs_fileshare_modified_or_deleted.yml 2021-08-15 15:36:34 -05:00
Austin Songer
db7d2958d3
Update aws_efs_fileshare_mount_modified_or_deleted.yml 2021-08-15 15:04:24 -05:00
Austin Songer
3d332b8171
Create gcp_vpn_tunnel_modified_or_deleted.yml 2021-08-15 14:37:08 -05:00
Austin Songer
cfb6f4e4fb
Create aws_eks_cluster_modified_or_deleted.yml 2021-08-15 14:33:44 -05:00
Austin Songer
d6bbdf2750
Delete aws_eks_cluster_modified_or_deleted.yml 2021-08-15 14:33:35 -05:00
Austin Songer
532f912991
Create aws_eks_cluster_modified_or_deleted.yml 2021-08-15 14:33:28 -05:00
Austin Songer
5f2160c1b2
Delete aws_s3_control_modified_or_deleted.yml 2021-08-15 14:32:12 -05:00
Austin Songer
b0f6f11309
Create aws_s3_control_modified_or_deleted.yml 2021-08-15 14:31:04 -05:00
Austin Songer
7605795a9f
Create gcp_dns_zone_modified_or_deleted.yml 2021-08-15 14:30:23 -05:00
Austin Songer
ba8e9c9fcb
Create gcp_dlp_re-identifies_sensitive_information.yml 2021-08-15 14:28:10 -05:00
Austin Songer
bde91611a9
Create aws_efs_fileshare_modified_or_deleted.yml 2021-08-15 14:27:22 -05:00
Austin Songer
a0df8ce84c
Create aws_efs_fileshare_mount_modified_or_deleted.yml 2021-08-15 14:26:48 -05:00
frack113
050fb2b77d fix more errors 2021-08-15 19:17:56 +02:00
frack113
0de1949c59 fix azure_rare_operations.yml 2021-08-15 19:11:43 +02:00
frack113
c3457c9911 fix titles 2021-08-15 19:05:00 +02:00
frack113
245cb6d510 fix more errors 2021-08-15 18:55:44 +02:00
frack113
12396f615c remove duplicate rule and fix errors 2021-08-15 16:52:24 +02:00
frack113
a75859a976 First commit 2021-08-15 16:00:14 +02:00
frack113
5390ff85c7
Merge pull request #1846 from austinsonger/gcp_service_account_modified.yml
gcp_service_account_modified.yml
2021-08-15 08:34:47 +02:00
frack113
17fa9f87cc
Merge pull request #1847 from austinsonger/gcp_service_account_disabled_or_deleted.yml
gcp_service_account_disabled_or_deleted.yml
2021-08-15 08:30:57 +02:00
frack113
39fe9c4525
Merge pull request #1840 from austinsonger/gcp_firewall_rule_modified_or_deleted.yml
gcp_firewall_rule_modified_or_deleted.yml
2021-08-15 08:09:04 +02:00
frack113
88e8fea1b7
Merge pull request #1841 from austinsonger/gcp_full_network_traffic_packet_capture.yml
gcp_full_network_traffic_packet_capture.yml
2021-08-15 08:08:53 +02:00
frack113
f34c3ef9fd
remove disable as in another rule 2021-08-15 08:08:16 +02:00
frack113
d940417e58
fix error 2021-08-15 08:05:03 +02:00
frack113
db3eda51dd
fix errors 2021-08-15 08:02:51 +02:00
frack113
5d22d3ea19
Merge pull request #1848 from austinsonger/gcp_bucket_enumeration.yml
gcp_bucket_enumeration.yml
2021-08-15 07:52:15 +02:00
Austin Songer
3e151410ca
Update gcp_service_account_modified.yml 2021-08-14 22:31:47 -05:00
Austin Songer
552e1544e4
Update gcp_service_account_modified.yml 2021-08-14 22:30:10 -05:00
Austin Songer
d0e08aa78b
Create gcp_service_account_disabled_or_deleted.yml 2021-08-14 22:26:21 -05:00
Austin Songer
68087b80f5
Create gcp_service_account_modified.yml 2021-08-14 22:25:41 -05:00
Austin Songer
b5270ddce1
Update gcp_bucket_modified_or_deleted.yml 2021-08-14 22:07:50 -05:00
Austin Songer
28d3e3f6b9
Update gcp_bucket_enumeration.yml 2021-08-14 22:07:25 -05:00
Austin Songer
eaf1bd8962
Update gcp_bucket_enumeration.yml 2021-08-14 21:58:06 -05:00
Austin Songer
dc386a2ead
Create gcp_bucket_enumeration.yml 2021-08-14 21:56:29 -05:00
Austin Songer
980954751e
Create gcp_bucket_modified_or_deleted.yml 2021-08-14 21:53:56 -05:00
Austin Songer
872c54bc0c
Update gcp_full_network_traffic_packet_capture.yml 2021-08-14 16:50:11 -05:00
Austin Songer
d407a3dd4f
Update gcp_firewall_rule_modified_or_deleted.yml 2021-08-14 16:24:50 -05:00
Austin Songer
885bbefe73
Update gcp_full_network_traffic_packet_capture.yml 2021-08-14 16:21:16 -05:00
frack113
db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113
e45557316e Fix selection with only 1 element 2021-08-14 09:54:27 +02:00
Austin Songer
6ee9fc9bd6
Update gcp_firewall_rule_modified_or_deleted.yml 2021-08-13 17:08:58 -05:00
Austin Songer
c4b41f8d66
Update gcp_full_network_traffic_packet_capture.yml 2021-08-13 17:07:48 -05:00
Austin Songer
a973c6c445
Create gcp_full_network_traffic_packet_capture.yml 2021-08-13 17:07:18 -05:00
Austin Songer
7479dcd15d
Update gcp_firewall_rule_modified_or_deleted.yml 2021-08-13 16:51:58 -05:00
Austin Songer
34bc4c5faa
Create gcp_firewall_rule_modified_or_deleted.yml 2021-08-13 16:50:34 -05:00
Max Altgelt
ce326cb903
fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00
frack113
50f02ed957 move microsoft365 rules 2021-08-13 15:45:28 +02:00
frack113
4c59ee83d5 move gcp rules 2021-08-13 15:43:46 +02:00
frack113
1a1221d71c move azure rules 2021-08-13 15:42:54 +02:00
frack113
c0aa9696dd move aws rules 2021-08-13 15:40:03 +02:00
phantinuss
246ba0c17f
generalise amsi bypass rule to CobaltStrike BOF injection pattern
generalise to CobaltStrike BOF injection pattern
2021-08-13 15:34:01 +02:00
frack113
1b480f2ee6
Merge pull request #1819 from frack113/split_1802_builtin
Correct lists with only 1 value
2021-08-13 12:43:26 +02:00