Commit Graph

2317 Commits

Author SHA1 Message Date
Thomas Patzke
ee4138c48e
Merge pull request #526 from zouzias/hotfix_aggregate_count_distinct_groupby
[feature] extend es-dsl to support nested aggregations
2019-12-13 21:55:47 +01:00
Florian Roth
9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth
065df363dc rule: added Empire UA 2019-12-12 09:39:28 +01:00
Florian Roth
c25b902add
Merge pull request #558 from vburov/patch-7
Added svchost.exe as a parent image
2019-12-10 20:17:22 +01:00
Florian Roth
611b72dba5
Merge pull request #559 from vburov/patch-8
Added some suspicious locations
2019-12-10 20:15:16 +01:00
Vasiliy Burov
977551c69d
Added some suspicious locations
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
2019-12-10 20:17:40 +03:00
Vasiliy Burov
0dd4324aba
Added svchost.exe as a parent image
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
2019-12-10 19:31:12 +03:00
Thomas Patzke
b701e9be50 Added ECS proxy configuration 2019-12-09 16:34:07 +01:00
Thomas Patzke
a9d6158dde Merge branch 'rules' 2019-12-09 16:17:39 +01:00
Thomas Patzke
2ea87f187c Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00
Thomas Patzke
991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke
dd8442590f Fixed proxy rule field names 2019-12-07 00:11:33 +01:00
Thomas Patzke
51e9689425 Sigmatool release 0.15.0 2019-12-06 22:13:44 +01:00
Thomas Patzke
58d8512396
Merge pull request #553 from berggren/patch-1
Add source distribution for PyPi when building
2019-12-06 22:10:19 +01:00
Johan Berggren
d8e1f56219
Add source distribution for PyPi when building
Add sdist when building. This makes it easier to build packages from PyPi for example Debian PPA pkgs etc.
This will not affect anything else, just make the source distribution available in PyPi as a tar.gz archive.

If this gets merged, please bump the version and push to PyPi as well.
2019-12-06 15:45:28 +01:00
Florian Roth
e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth
c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00
Florian Roth
e91a79e707
Merge pull request #550 from refractionPOINT/lc-proxy-support
LimaCharlie basic support for Proxy rule category.
2019-12-06 08:20:14 +01:00
Florian Roth
6359223390
Merge pull request #551 from axi0m/patch-1
Add hastebin raw URI to contains selection
2019-12-06 08:19:44 +01:00
Kevin Dienst
865251238f
Add hastebin raw URI to contains selection 2019-12-05 14:16:20 -06:00
Maxime Lamothe-Brassard
27bb07b74e Adding support for basic proxy rules using the HTTP_REQUEST events from the Chrome LC Agent. 2019-12-05 09:35:09 -08:00
Florian Roth
ab2dd094a5 fix: fixed broken link in elise rule 2019-12-05 09:56:20 +01:00
Florian Roth
8e107f43a2 rule: raw paste service access 2019-12-05 08:54:49 +01:00
Thomas Patzke
ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke
e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke
c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke
76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
Florian Roth
c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth
fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
Thomas Patzke
98be3ce069 Fixed changelog (missing title) 2019-11-30 00:34:17 +01:00
Florian Roth
39293d5f2b rule: another reference for CVE-2019-1388 rule 2019-11-20 15:09:30 +01:00
Florian Roth
00a26dff16
Merge pull request #536 from Neo23x0/devel
Changes to CVE-2019-1388 rule
2019-11-20 09:27:56 +01:00
Florian Roth
f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth
55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth
0b9cd47c1e
Merge pull request #535 from Neo23x0/devel
Rule to detect CVE-2019-1388
2019-11-20 09:19:52 +01:00
Florian Roth
4022e3251b rule: changed title 2019-11-20 09:16:00 +01:00
Florian Roth
158f6b3065 rule: exploitation of CVE-2019-1388 2019-11-20 09:12:02 +01:00
Florian Roth
a6d069c6d2 Merge branch 'master' into devel 2019-11-19 15:59:22 +01:00
Florian Roth
98aa4d4ecb fix: fixed typo in rule for renamed procdump 2019-11-19 15:59:07 +01:00
Florian Roth
0dd583510a
Merge pull request #534 from Neo23x0/devel
rules and fixes
2019-11-18 16:01:26 +01:00
Florian Roth
2c855be9d3 fix: casing fix in renamed procdump rule 2019-11-18 15:57:14 +01:00
Florian Roth
fdc32889a7 rule: PulseSecure CVE-2019-11510 attack 2019-11-18 15:33:58 +01:00
Florian Roth
93f890b31d rule: renamed procdump 2019-11-18 15:27:04 +01:00
Florian Roth
da05c9bb82 fix: line break in description 2019-11-18 15:26:55 +01:00
Florian Roth
2c54d1afe4 rule: removed Zebrocy rule because it doesn't work that way
reason: command line gets split up at the '&' character, which results in two command lines
2019-11-18 11:42:38 +01:00
Florian Roth
396c506794
Merge pull request #532 from Neo23x0/devel
rule: RottenPotato attack pattern
2019-11-15 12:01:42 +01:00
Florian Roth
04288771a1 fix: bugfix in RottenPotato rule - wrong identifier 2019-11-15 11:50:03 +01:00
Florian Roth
7e6031705e rule: RottenPotato attack pattern 2019-11-15 11:44:18 +01:00
Florian Roth
c99ab28834
Merge pull request #531 from Neo23x0/devel
Devel
2019-11-15 00:34:38 +01:00
Florian Roth
ff3ed04405 rule: Exploiting SetupComplete.cmd CVE-2019-1378 2019-11-15 00:26:18 +01:00