Jonhnathan
efe9c2d3d6
Update powershell_shellcode_b64.yml
2020-10-15 17:14:01 -03:00
Jonhnathan
013533fceb
Update powershell_prompt_credentials.yml
2020-10-15 17:13:16 -03:00
Jonhnathan
8cf2596068
Update powershell_malicious_keywords.yml
2020-10-15 17:12:08 -03:00
Jonhnathan
ec10d5a61f
Update powershell_malicious_commandlets.yml
2020-10-15 17:11:20 -03:00
Jonhnathan
4a3607d50b
Update powershell_exe_calling_ps.yml
2020-10-15 17:09:47 -03:00
Jonhnathan
09c43b7517
Update win_wmi_persistence.yml
2020-10-15 17:08:15 -03:00
Jonhnathan
b769728d0b
Update win_pcap_drivers.yml
2020-10-15 17:07:22 -03:00
Jonhnathan
fb851e1f41
Update sysmon_win_binary_susp_com.yml
2020-10-15 16:27:01 -03:00
Jonhnathan
5dc02f3a87
Update sysmon_win_binary_github_com.yml
2020-10-15 16:26:28 -03:00
Jonhnathan
554adb8562
Update sysmon_susp_rdp.yml
2020-10-15 16:25:58 -03:00
Jonhnathan
71785b91b5
Update sysmon_susp_prog_location_network_connection.yml
2020-10-15 16:25:25 -03:00
Jonhnathan
9c58db9271
Update sysmon_rundll32_net_connections.yml
2020-10-15 16:24:38 -03:00
Jonhnathan
bbf0210f70
Update sysmon_rdp_reverse_tunnel.yml
2020-10-15 16:23:17 -03:00
Jonhnathan
689bea2681
Update sysmon_powershell_network_connection.yml
2020-10-15 16:22:13 -03:00
Jonhnathan
e20027965f
Update sysmon_notepad_network_connection.yml
2020-10-15 16:21:38 -03:00
Jonhnathan
b479cbdb10
Update sysmon_malware_backconnect_ports.yml
2020-10-15 16:20:27 -03:00
Jonhnathan
22e5f83a6c
Update sysmon_dllhost_net_connections.yml
2020-10-15 16:19:43 -03:00
Jonhnathan
acfe0633e2
Update win_mal_ursnif.yml
2020-10-15 16:18:38 -03:00
Jonhnathan
983e9cb9ae
Update win_mal_ryuk.yml
2020-10-15 16:18:14 -03:00
Jonhnathan
8d44548a2c
Update win_mal_flowcloud.yml
2020-10-15 16:16:08 -03:00
Jonhnathan
ef646e74d8
Update mal_azorult_reg.yml
2020-10-15 16:15:25 -03:00
Jonhnathan
69c90570ec
Update av_webshell.yml
2020-10-15 16:14:08 -03:00
Jonhnathan
cdaa5ef3a6
Update av_relevant_files.yml
2020-10-15 16:13:22 -03:00
Jonhnathan
7dc720cf13
Update av_password_dumper.yml
2020-10-15 16:11:52 -03:00
Jonhnathan
dea145cd5e
Update av_exploiting.yml
2020-10-15 16:11:24 -03:00
Jonhnathan
7adfd75c0a
Update sysmon_svchost_dll_search_order_hijack.yml
2020-10-15 16:10:23 -03:00
Jonhnathan
b6cf10fdd2
Update sysmon_susp_winword_wmidll_load.yml
2020-10-15 16:09:44 -03:00
Jonhnathan
efe5ad92c3
Update sysmon_susp_winword_vbadll_load.yml
2020-10-15 16:09:21 -03:00
Jonhnathan
7c196aed22
Update sysmon_susp_office_kerberos_dll_load.yml
2020-10-15 16:09:03 -03:00
Jonhnathan
38ef5976dc
Update sysmon_susp_office_dsparse_dll_load.yml
2020-10-15 16:08:55 -03:00
Jonhnathan
8aa2f8582b
Update sysmon_susp_office_dsparse_dll_load.yml
2020-10-15 16:07:46 -03:00
Jonhnathan
4de241d44c
Update sysmon_susp_office_dotnet_gac_dll_load.yml
2020-10-15 16:07:10 -03:00
Jonhnathan
ecbec06709
Update sysmon_susp_office_dotnet_clr_dll_load.yml
2020-10-15 16:06:47 -03:00
Jonhnathan
0d4f372351
Update sysmon_susp_office_dotnet_assembly_dll_load.yml
2020-10-15 16:06:21 -03:00
Jonhnathan
1136725728
Update sysmon_susp_image_load.yml
2020-10-15 16:05:50 -03:00
Jonhnathan
56594a5a06
Update sysmon_mimikatz_inmemory_detection.yml
2020-10-15 16:05:11 -03:00
Jonhnathan
569f14eb1e
Update sysmon_tsclient_filewrite_startup.yml
2020-10-15 16:02:52 -03:00
Jonhnathan
7d5e404b32
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
2020-10-15 16:02:16 -03:00
Jonhnathan
5790cc2ea7
Update sysmon_susp_adsi_cache_usage.yml
2020-10-15 16:01:46 -03:00
Jonhnathan
9eedeabda9
Update sysmon_quarkspw_filedump.yml
2020-10-15 16:01:24 -03:00
Jonhnathan
d2d49c445a
Update sysmon_powershell_exploit_scripts.yml
2020-10-15 16:00:20 -03:00
Jonhnathan
b6b34b37d9
Update sysmon_ghostpack_safetykatz.yml
2020-10-15 15:59:09 -03:00
Jonhnathan
099843470e
Update sysmon_creation_system_file.yml
2020-10-15 15:58:10 -03:00
Jonhnathan
427962937b
Update sysmon_susp_driver_load.yml
2020-10-15 15:57:05 -03:00
Jonhnathan
1cd56f5dae
Update win_vul_cve_2020_0688.yml
2020-10-15 15:56:36 -03:00
Jonhnathan
ef3af551e9
Update win_user_driver_loaded.yml
2020-10-15 15:56:16 -03:00
Jonhnathan
4e70b2d797
Update win_user_added_to_local_administrators.yml
2020-10-15 15:55:21 -03:00
Jonhnathan
c0892c63c8
Update win_svcctl_remote_service.yml
2020-10-15 15:54:47 -03:00
Jonhnathan
d96bd0d9f3
Update win_susp_wmi_login.yml
2020-10-15 15:54:21 -03:00
Jonhnathan
496cfcb26a
Update win_susp_sdelete.yml
2020-10-15 15:53:51 -03:00
Jonhnathan
600c7057b1
Update win_susp_sam_dump.yml
2020-10-15 15:53:26 -03:00
Jonhnathan
754e67c0d9
Update win_susp_rc4_kerberos.yml
2020-10-15 15:52:48 -03:00
Jonhnathan
43a56b6759
Update win_susp_raccess_sensitive_fext.yml
2020-10-15 15:51:57 -03:00
Jonhnathan
054255fb17
Update win_susp_psexec.yml
2020-10-15 15:51:16 -03:00
Jonhnathan
dae1f3fa71
Update win_susp_ntlm_rdp.yml
2020-10-15 15:50:44 -03:00
Jonhnathan
9b8817f489
Update win_susp_msmpeng_crash.yml
2020-10-15 15:50:01 -03:00
Jonhnathan
c310d72e2b
Update win_susp_mshta_execution.yml
2020-10-15 15:49:39 -03:00
Jonhnathan
7419396351
Update win_susp_mshta_execution.yml
2020-10-15 15:49:26 -03:00
Jonhnathan
1eb0ccbf14
Update win_susp_local_anon_logon_created.yml
2020-10-15 15:48:36 -03:00
Jonhnathan
e089118718
Update win_possible_dc_shadow.yml
2020-10-15 15:45:55 -03:00
Jonhnathan
6961ee4986
Update win_net_ntlm_downgrade.yml
2020-10-15 15:44:24 -03:00
Jonhnathan
8261737728
Update win_mmc20_lateral_movement.yml
2020-10-15 15:42:07 -03:00
Jonhnathan
8f3542a73e
Update win_mal_wceaux_dll.yml
2020-10-15 15:41:13 -03:00
Jonhnathan
9bfd63ec26
Update win_hack_smbexec.yml
2020-10-15 15:20:08 -03:00
Jonhnathan
e5789a2a52
Update win_dcsync.yml
2020-10-15 15:19:18 -03:00
Jonhnathan
777e49b76c
Update win_av_relevant_match.yml
2020-10-15 15:17:33 -03:00
Jonhnathan
b555628321
Update win_atsvc_task.yml
2020-10-15 15:15:01 -03:00
Jonhnathan
44735049b6
Update win_apt_stonedrill.yml
2020-10-15 15:14:27 -03:00
Jonhnathan
02a1ab4033
Update win_alert_mimikatz_keywords.yml
2020-10-15 15:11:10 -03:00
Jonhnathan
26b442ec48
Update win_alert_lsass_access.yml
Getting rid of '*' use
2020-10-15 15:09:35 -03:00
Jonhnathan
79c2b8d570
Update win_GPO_scheduledtasks.yml
Getting rid of '*' use
2020-10-15 15:07:16 -03:00
Jonhnathan
4aa96a2ac9
Update win_alert_enable_weak_encryption.yml
2020-10-15 15:05:49 -03:00
Jonhnathan
5765573907
Update win_alert_active_directory_user_control.yml
Getting rid of '*' use
2020-10-15 15:04:08 -03:00
Jonhnathan
1c06c9e166
Update win_admin_share_access.yml
Getting rid of '*' use
2020-10-15 15:03:31 -03:00
Jonhnathan
085dc21d25
Update win_admin_rdp_login.yml
Getting rid of '*' use
2020-10-15 15:02:40 -03:00
Jonhnathan
9c7a23e432
Update win_account_discovery.yml
Getting rid of '*' use
2020-10-15 15:01:31 -03:00
Jonhnathan
fdd9234acc
Revert "Create win_susp_replace_lolbin.yml"
This reverts commit e6a6549676.
2020-10-15 14:57:18 -03:00
Jonhnathan
17e7eee3a6
Revert "Changed the rule to download only and not the copy"
This reverts commit 1324bc1ad1.
2020-10-15 14:57:14 -03:00
Jonhnathan
1324bc1ad1
Changed the rule to download only and not the copy
2020-10-07 16:18:21 -03:00
Jonhnathan
e6a6549676
Create win_susp_replace_lolbin.yml
Item 77 of #1014
2020-10-07 10:37:15 -03:00
Florian Roth
c56cd2dfff
Merge pull request #1024 from omkar72/master
Com hijack shell folder
2020-10-02 09:24:16 +02:00
omkargudhate22
4487d9cc7e
added event type & changed technique
2020-10-02 09:22:14 +05:30
Florian Roth
d3ee1aba66
docs: MITRE ATT&CK(R) trademark references removed or adjusted
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
Florian Roth
c17ca6d5fe
Merge pull request #1018 from savvyspoon/wcry-dns
WannaCry Killswitch domain DNS query
2020-09-29 09:27:21 +02:00
omkargudhate22
68a992d903
updated name
2020-09-27 21:57:19 +05:30
omkargudhate22
e7c8197e34
Updated fields & renamed
2020-09-27 21:52:59 +05:30
omkargudhate22
ebe3dce1d7
Update sysmon_comhijack_uac_bypass.yml
2020-09-27 21:44:41 +05:30
omkar72
3f148e6c7c
COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.
2020-09-27 21:19:04 +05:30
Florian Roth
d7d9c0e772
Merge pull request #1021 from hieuttmmo/master
Sigma rule to detect AdFind.exe execution
2020-09-27 09:50:41 +02:00
Florian Roth
8020fe3c40
false positive condition
2020-09-26 17:03:29 +02:00
Florian Roth
60795f7050
Update win_susp_adfind.yml
Fear that a simple adfind.exe causes too many false positives
2020-09-26 17:02:39 +02:00
Florian Roth
dbdd758365
Duplicate Rule
we already have a rule for that
2020-09-26 17:01:32 +02:00
Tran Trung Hieu
d4dd0600ad
Fix logsource service to process_creation
2020-09-26 21:45:23 +07:00
Tran Trung Hieu
c756fc8576
Detect Suspicious AdFind Execution
2020-09-26 21:34:06 +07:00
Mike Wade
f76f80db80
Killswitch domain
2020-09-16 20:32:31 -06:00
Mike Wade
7b1ef9ea64
fixing test runner issues
2020-09-15 15:45:33 -06:00
Mike Wade
6ed36b0e41
fixed issues with tabs and duplicate tags
2020-09-15 08:52:00 -06:00
Florian Roth
2cd9b794e6
Merge pull request #1007 from d4rk-d4nph3/master
Windows Defender AMSI Trigger Detected
2020-09-15 15:45:00 +02:00
Remco Hofman
6cadfa5b2b
Added win_vul_cve_2020_1472 rule
2020-09-15 15:13:53 +02:00
Mike Wade
1ddba05eb2
Second round
2020-09-15 07:02:30 -06:00
Mike Wade
da9b32bdd6
we
2020-09-15 06:24:44 -06:00
Mike Wade
8ce73bd8df
Fixed issues with tags and missing files
2020-09-15 06:10:57 -06:00
Thomas Patzke
378d9c94cf
Merge branch 'master' of https://github.com/socprime/sigma into pr-981
2020-09-15 12:14:49 +02:00
Florian Roth
50db6dcc69
Merge pull request #1002 from scottdermott/master
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
2020-09-15 08:17:02 +02:00
Bhabesh Rai
03c7d751c0
Windows Defender AMSI Trigger Detected
2020-09-14 18:10:38 +05:45
Mike Wade
57cae0ded1
Fixed reference typo
2020-09-13 22:07:43 -06:00
Mike Wade
52ab677798
Fixed my git issue
2020-09-13 22:03:04 -06:00
Mike Wade
249c255435
No Idea why these files are deleted
2020-09-13 22:00:30 -06:00
Yugoslavskiy Daniil
1fc202fe5d
fix typos, update tags
2020-09-13 15:46:45 +02:00
Dermott, Scott J
c72ac8f73e
Merge branch 'master' of https://github.com/scottdermott/sigma
2020-09-11 16:19:54 +01:00
Scott Dermott
1f50e0af35
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC).
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
2020-09-11 16:06:51 +01:00
Tran Trung Hieu
49ba107dce
Fixed Title
2020-09-10 17:36:37 +07:00
Tran Trung Hieu
f7d5240d40
Added UID, fixed rule description
2020-09-10 17:20:16 +07:00
Tran Trung Hieu
1b6c6ec5bf
Detects suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender
2020-09-10 17:16:06 +07:00
Bhabesh Rai
ed059a9831
Added Credential Dumping by LaZagne
2020-09-09 18:27:14 +05:45
Florian Roth
de5444a81e
Merge pull request #989 from oscd-initiative/master
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth
af3b93a522
Merge pull request #914 from omergunal/ogunal-2
New rules for Linux
2020-09-07 09:41:43 +02:00
Florian Roth
39dfcd40ec
Merge pull request #921 from d4rk-d4nph3/master
Added support for Defender's PSExec and WMI ASR rules.
2020-09-07 09:40:46 +02:00
Florian Roth
6f96bbbe65
Merge pull request #977 from barvhaim/patch-1
Update win_new_service_creation.yml typo
2020-09-07 09:39:28 +02:00
Florian Roth
37751fc3a1
Merge pull request #978 from barvhaim/patch-2
Update sysmon_apt_muddywater_dnstunnel.yml typo
2020-09-07 09:39:11 +02:00
e6e6e
98c412044a
att&ck tags review: windows/process_creation part 5
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-07 02:00:41 +04:00
e6e6e
7ae76b8d99
Revert "att&ck tags review: windows/process_creation part 5"
This reverts commit e94c47e74e.
2020-09-07 01:28:08 +04:00
e6e6e
e94c47e74e
att&ck tags review: windows/process_creation part 5
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-07 01:19:41 +04:00
Alexey Lednyov
7834fdd750
att&ck tags review: windows/registry_event
2020-09-06 22:10:44 +03:00
ecco
ebc1d38027
fix in memory powershell false positive
2020-09-06 09:25:56 -04:00
ecco
b9f7d58dbc
fix ADSI rule false positive
2020-09-06 09:17:53 -04:00
grikos
961e4eef4c
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
Florian Roth
22465037ac
Update win_susp_mpcmdrun_download.yml
2020-09-04 16:50:57 +02:00
Florian Roth
3283e33cbc
Update and rename win_lolbas_mpcmdrun.yml to win_susp_mpcmdrun_download.yml
2020-09-04 16:49:44 +02:00
Matthew Matchen
df532be142
Added ID field using UUID generated value
2020-09-04 16:38:52 +02:00
Matthew Matchen
2c69815b7b
Removed empty ID field
2020-09-04 16:32:41 +02:00
Matthew Matchen
e0baa097a8
Initial creation
2020-09-04 16:00:23 +02:00
aw350m3
bd5026f6b9
fixed typos in tags
2020-09-03 14:29:05 +00:00
aw350m3
198e42d724
deleted extra spaces
2020-09-03 14:22:31 +00:00
aw350m3
b00047a4e8
att&ck tags review: application, apt, cloud, generic, proxy
2020-09-03 14:16:54 +00:00
Alexey Lednyov
cf011e4a00
Removed duplicate key 'modified'
2020-09-03 17:12:37 +03:00
Alexey Lednyov
1eb675f693
att&ck tags review: web, network/zeek
2020-09-03 17:06:37 +03:00
Florian Roth
720ac0d998
fix: syntax bug in rule
2020-09-03 09:18:28 +02:00
Yugoslavskiy Daniil
71fec94417
review network/cisco/aaa
2020-09-03 00:34:41 +02:00
Florian Roth
198469bed3
Merge branch 'master' into rule-devel
2020-09-02 17:40:12 +02:00
Florian Roth
423f81c912
Update win_mouse_lock.yml
2020-09-02 14:49:37 +02:00
Florian Roth
73bc514f60
fix: 1 of them / one selection
2020-09-02 12:34:35 +02:00
Florian Roth
7ddb63ec1b
fix: FPs with McAfee and CyberReason
2020-09-02 12:30:34 +02:00
Yugoslavskiy Daniil
11e0f794d9
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
aw350m3
7c6c5263ab
fix duplication of key modified in win_malware_emotet.yml
2020-09-01 17:09:54 +00:00
aw350m3
8ed3eb1494
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
grikos
65d201b1e4
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
Yugoslavskiy Daniil
e04b896cbc
fix tags
2020-08-29 21:34:20 +02:00
grikos
a95c4347d9
fixed typo in tag
2020-08-29 20:19:46 +03:00
grikos
6092bfcec1
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
aw350m3
ae99a2b207
Removed extra space that broke tests
2020-08-29 04:46:12 +00:00
aw350m3
4ed3db8d23
Merge branch 'master' of github.com:oscd-initiative/sigma
2020-08-29 04:39:45 +00:00
aw350m3
da766a245f
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
Yugoslavskiy Daniil
cd12ab8a77
Merge branch 'master' of https://github.com/oscd-initiative/sigma
2020-08-29 02:03:39 +02:00
Yugoslavskiy Daniil
5b70cfd3f7
review windows/sysmon
2020-08-29 02:03:28 +02:00
yugoslavskiy
21a8667720
Merge pull request #1 from zinint/master
Linux rules reviewed
2020-08-29 01:55:24 +02:00
grikos
293662810e
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
vh
a2fec9f3b9
Fix sysmon backend
2020-08-28 12:26:40 +03:00
Alexey Lednyov
880b10cce1
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
Florian Roth
7d3a6293f5
rule: Snatch ransomware
2020-08-26 09:42:34 +02:00
aw350m3
eb6b9be5a2
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
Timur Zinniatullin
8dba6ceee6
2nd review
2020-08-25 09:31:38 +03:00
Timur Zinniatullin
1244cacfbf
Update lnx_auditd_create_account.yml
2020-08-25 09:20:27 +03:00
aw350m3
c28fce6273
fix duplication of key "modified" in mapping
2020-08-25 00:53:09 +00:00
aw350m3
c22273d162
fix duplication of key modified in mapping
2020-08-25 00:50:38 +00:00
aw350m3
5af0f1392d
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:35 +00:00
aw350m3
399f378269
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
Yugoslavskiy Daniil
5026438524
fix modified field
2020-08-25 01:29:57 +02:00
aw350m3
1999fb609e
Merge branch 'master' of github.com:oscd-initiative/sigma
2020-08-24 23:14:13 +00:00
Yugoslavskiy Daniil
f274f39b54
Merge branch 'master' of https://github.com/oscd-initiative/sigma
2020-08-25 01:09:24 +02:00
Yugoslavskiy Daniil
42c4079ed8
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-25 01:09:17 +02:00
aw350m3
ba2e891433
windows/powershell folder reviewed. Old IDs marked with comment “an old one”. These IDs have to be removed in the future.
2020-08-24 00:01:50 +00:00
aw350m3
08170bbcca
fix tags for suspicious outbound kerberos activity rule
2020-08-23 21:10:29 +00:00
Josh Brower
4c4b8db7cf
Zeek RDP rule
2020-08-23 13:16:42 -04:00
aw350m3
4cdd8be354
Old IDs marked with comment “an old one”. These IDs have to be removed in the future.
2020-08-23 02:20:58 +00:00
aw350m3
3aa1ad68fb
windows/process_access folder reviewed. Old IDs marked with comment “an old one”. These IDs have to be removed in the future.
2020-08-23 02:03:06 +00:00
aw350m3
80deaf84ca
windows/network_connection folder reviewed
2020-08-22 23:36:30 +00:00
Florian Roth
79adaceffa
Merge pull request #979 from barvhaim/patch-3
Update win_susp_rasdial_activity.yml to use `contains` instead of `equal`
2020-08-18 15:08:15 +02:00
Florian Roth
bc74ac1f8a
Update win_susp_rasdial_activity.yml
2020-08-18 14:40:37 +02:00
ecco
de4810233c
remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64
2020-08-18 05:28:37 -04:00
Florian Roth
da54e89f30
Merge pull request #976 from diskurse/rule-devel
Rule devel
2020-08-17 15:02:31 +02:00
Florian Roth
8a02541b0a
style: removed lists where unnecessary
2020-08-17 15:02:16 +02:00
Florian Roth
6dc8dbb6d8
style: removed lists where unnecessary
2020-08-17 15:01:52 +02:00
Bar Haim
bd96b1c5ad
Update win_susp_rasdial_activity.yml
`rasdial` is an `exe`, and probably appears as `rasdial.exe`
`LIKE` is more fit in this case
2020-08-16 16:17:49 +03:00
Bar Haim
c7dc9df87e
Update sysmon_apt_muddywater_dnstunnel.yml
2020-08-16 12:39:04 +03:00
Bar Haim
4168f1e430
Update win_new_service_creation.yml
2020-08-16 11:44:40 +03:00
Cian Heasley
b378b3d62b
win_mouse_lock.yml
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
2020-08-13 12:09:07 +01:00
Cian Heasley
d1e9f01d23
win_dnscat2_powershell_implementation.yml
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
2020-08-13 12:06:48 +01:00
Florian Roth
2e29c07e83
Merge pull request #928 from duzvik/master
Create sysmon_abusing_azure_browser_sso.yml
2020-08-12 17:15:27 +02:00
Florian Roth
61a05ee054
reordered fields, changed indentation
2020-08-12 16:44:37 +02:00
Thomas Patzke
d73447c111
Merge pull request #939 from ktecv2000/master
add wmi persistence script event consumer false positive
2020-08-05 23:28:26 +02:00
Thomas Patzke
f827a557f2
Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process
Change filter typo from 'Username' to 'User' for Wmiprvse Spawning Process rule
2020-08-05 23:26:14 +02:00
Timur Zinniatullin
72fdf0da45
Update lnx_auditd_susp_cmds.yml
2020-08-04 20:00:30 +03:00
Timur Zinniatullin
4e688233d7
ATT&CK mapping update suggestions for \linux\
2020-08-04 19:48:18 +03:00
Florian Roth
4529e4cd52
Merge pull request #966 from Neo23x0/rule-devel
rule: TAIDOOR malware load
2020-08-04 14:54:24 +02:00
Florian Roth
052379a512
fix: tightened TAIDOOR rule
2020-08-04 14:37:18 +02:00
Florian Roth
c4953409aa
rule: TAIDOOR malware load
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
2020-08-04 14:31:29 +02:00
IPv777
a52583dc68
.002 = SMB/Windows Admin Shares
2020-08-03 17:43:14 +02:00
Florian Roth
5625f471d7
Merge pull request #963 from diskurse/rule-devel
win_webshell_regeorg.yml
2020-08-03 13:51:16 +02:00
Florian Roth
3abc3d0a76
docs: add FP condition
2020-08-03 13:50:47 +02:00