Thomas Patzke | 824f26c51c | Merge branch 'master' of https://github.com/Neo23x0/sigma | 2017-03-17 23:34:19 +01:00
Thomas Patzke | b4f52d9cfb | Windows index in Splunk example configuration | 2017-03-17 23:30:11 +01:00
Thomas Patzke | b865a858aa | Generation of conditions for configured indices | 2017-03-17 23:28:06 +01:00
Thomas Patzke | 56f415e42c | Fixed rule | 2017-03-17 22:09:53 +01:00
Omer Yampel | d3bd73aefb | Create sysmon_sdclt_uac_bypass.yml | 2017-03-17 14:31:26 -04:00
    UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
Florian Roth | 59499f926e | Bugfix: Taskscheduler log source definition | 2017-03-17 16:09:31 +01:00
Florian Roth | dc00baacda | Splunk Windows Configuration Example | 2017-03-17 10:00:56 +01:00
Florian Roth | dd81b18d6e | Rule: Suspicious interactive console logons to servers | 2017-03-17 09:44:24 +01:00
Florian Roth | bcc250e1c7 | Added missing description | 2017-03-17 08:43:21 +01:00
Florian Roth | e46ecd2aff | Rule: Rare scheduled task installs | 2017-03-17 08:41:27 +01:00
Florian Roth | 3a7652fff9 | Added references to rule | 2017-03-17 00:25:54 +01:00
Florian Roth | c6843d41bc | Rule: Vssadmin / NTDS.dit activity | 2017-03-17 00:23:55 +01:00
Florian Roth | d00bbd9fb5 | Rule: Windows recon activity | 2017-03-16 18:59:17 +01:00
Florian Roth | 140141b7a2 | Rule: Suspicious PowerShell parent image combination | 2017-03-16 18:58:59 +01:00
Florian Roth | 091bb8fab7 | Renamed and removed double space | 2017-03-16 18:58:32 +01:00
Florian Roth | 789b3899df | Improved Linux Shell Activity Rule | 2017-03-15 09:07:59 +01:00
Thomas Patzke | d2a9a91175 | Log source conditions are integrated in generated expressions | 2017-03-14 23:22:32 +01:00
    Indices not yet included
Thomas Patzke | 9f4d7c7934 | Merge branch 'devel-sigmac' into devel-sigmac-config | 2017-03-14 22:48:32 +01:00
Thomas Patzke | 4d3756259e | Merge branch 'master' into devel-sigmac | 2017-03-14 22:48:15 +01:00
Florian Roth | 9afa12f4a3 | Further shell commands from MSF repo | 2017-03-14 16:33:51 +01:00
Florian Roth | daeb7c3693 | Rule: Suspicious activity in shell commands | 2017-03-14 14:54:08 +01:00
Florian Roth | 546a587df7 | Rule: Shellshock Regex detection | 2017-03-14 14:53:29 +01:00
    http://rubular.com/r/zxBfjWfFYs
Florian Roth | dd558e941c | Rule: Access to ADMIN$ share | 2017-03-14 14:53:03 +01:00
Florian Roth | 3eae1f2710 | Bug and typo fixes | 2017-03-14 14:52:28 +01:00
Florian Roth | 3f95615a9b | IDE settings file | 2017-03-14 12:52:11 +01:00
Florian Roth | 2e32e1bb43 | Rule: User account added to local Administrators | 2017-03-14 12:51:50 +01:00
Florian Roth | cb683a6b56 | Rule: Suspicious executions in web folders / non-exe folders | 2017-03-13 23:56:06 +01:00
Florian Roth | c571848e9b | Rule: Scheduled task creation | 2017-03-13 20:45:28 +01:00
Florian Roth | de46c8c0a0 | Reduced to user accounts | 2017-03-13 19:09:29 +01:00
Florian Roth | 36c941d5d8 | Restrict rule to non-private IP ranges only | 2017-03-13 18:45:15 +01:00
Florian Roth | 8d36e2a1b5 | Rule: Suspicious PowerShell Parameter Substring | 2017-03-13 17:23:25 +01:00
Florian Roth | ff8e3fe584 | Merge pull request #9 from iliaselmatani/patch-1 | 2017-03-13 16:16:55 +01:00
    Create win_pass_the_hash.yml
Florian Roth | a66955013c | Update win_pass_the_hash.yml | 2017-03-13 16:16:34 +01:00
Florian Roth | a87d513efa | Rule: Suspicious executable downloads | 2017-03-13 16:11:43 +01:00
IeM | 9f5e5a2366 | Update win_pass_the_hash.yml | 2017-03-13 16:09:32 +01:00
    Added placeholders for WorkstationName to detect network logons between Workstations.
Florian Roth | 85c298c43c | Bugfix in rule | 2017-03-13 15:09:48 +01:00
Florian Roth | 606d74546a | Rule: PowerShell with network connections | 2017-03-13 13:57:41 +01:00
Florian Roth | b8db4935e0 | Rule: PowerShell UserAgent in Proxy Logs | 2017-03-13 13:51:32 +01:00
Florian Roth | a0047f7c67 | Sysmon as 'service' of product 'windows' | 2017-03-13 09:23:08 +01:00
Thomas Patzke | 52d7e9fc07 | Parsing log sources in configuration files | 2017-03-12 23:12:21 +01:00
Florian Roth | 9fd375c130 | Bugfix: Added time frame to correlation rule | 2017-03-12 17:11:29 +01:00
Florian Roth | 4470c2f893 | PowerShell Suspicious Invocation > Sysmon | 2017-03-12 17:11:05 +01:00
Florian Roth | de689c32b5 | Suspicious PowerShell Invocation | 2017-03-12 17:06:53 +01:00
Thomas Patzke | e262b574b2 | Merge branch 'master' into devel-sigmac | 2017-03-11 23:53:58 +01:00
Thomas Patzke | 12e825783b | Merge branch 'master' into devel-sigmac | 2017-03-11 23:49:56 +01:00
Thomas Patzke | 63e23af63c | Merge branch 'devel-sigmac-config' into devel-sigmac | 2017-03-11 23:49:41 +01:00
Michael Haag | 359ae18989 | Merge remote-tracking branch 'Neo23x0/master' | 2017-03-08 23:05:57 -08:00
Florian Roth | d6957f1c2e | Merge pull request #10 from MHaggis/master | 2017-03-09 08:05:22 +01:00
    Sysmon
Michael Haag | 923f298015 | Merge remote-tracking branch 'Neo23x0/master' | 2017-03-08 22:51:03 -08:00
Michael Haag | c5f05dd829 | bitsadmin & VSSAdmin | 2017-03-08 22:49:35 -08:00
    +Bitsadmin download
    +VSSAdmin delete