5085 Commits

Author	SHA1	Message	Date
frack113	f4bef0fc39	Add Microsoft-Windows-Windows Defender/Operational	2021-08-06 11:12:34 +02:00
Florian Roth	eb247704fe	Merge pull request #1761 from d4rk-d4nph3/master ... Added rule for Cabinet file expansion and Pypykatz	2021-08-05 15:50:12 +02:00
Florian Roth	c44b22b52f	Merge pull request #1762 from frack113/redcanary_collection ... [OSCD] Redcanary TA0009 collection	2021-08-05 15:49:10 +02:00
Florian Roth	83505351bc	Merge pull request #1764 from frack113/fix_product ... fix product sysmon_apt_sourgrum.yml	2021-08-05 15:48:35 +02:00
Florian Roth	448868302d	Merge pull request #1767 from frack113/redcanary_t1497_001 ... [OSCD] Detect Virtualization Environment (Windows) T1497.001	2021-08-05 15:47:37 +02:00
Florian Roth	3634901bf1	Update poweshell_detect_vm_env.yml	2021-08-05 15:47:29 +02:00
Florian Roth	6a11190e79	Merge pull request #1769 from frack113/fix_powershell_400 ... Cleanup eventid 400 powershell-classic	2021-08-05 15:47:04 +02:00
Florian Roth	da6b5f8ec5	Merge pull request #1770 from frack113/redcanary_powershell_T1070.006 ... [OSCD] powershell_timestomp.yml T1070.006	2021-08-05 15:46:48 +02:00
Florian Roth	b1fb462c39	Update powershell_timestomp.yml	2021-08-05 15:46:01 +02:00
Florian Roth	9b7be5985e	Merge pull request #1773 from phantinuss/master ... Two CobaltStrike BOF rules and a little fix on the local rule test script usage text	2021-08-05 15:42:47 +02:00
Florian Roth	6507e8c060	Merge pull request #1774 from frack113/fix_4104_ScriptBlockText ... Clean-up Powershell EventID 4104	2021-08-05 15:42:35 +02:00
Florian Roth	52b41da731	Merge pull request #1775 from austinsonger/sysmon_disabled_pua_protection_on_microsoft_defender.yml ... Create sysmon_disabled_pua_protection_on_microsoft_defender.yml	2021-08-05 15:42:17 +02:00
Florian Roth	c05dacb1f0	Merge pull request #1776 from austinsonger/sysmon_disabled_tamper_protection_on_microsoft_defender.yml ... sysmon_disabled_tamper_protection_on_microsoft_defender.yml	2021-08-05 15:41:54 +02:00
Austin Songer	483dacb209	Create sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml	2021-08-04 19:11:00 -05:00
Austin Songer	ff7fb4e4d2	Create sysmon_disabled_tamper_protection_on_microsoft_defender.yml	2021-08-04 19:08:10 -05:00
Austin Songer	6a2663a3ae	Update sysmon_disabled_pua_protection_on_microsoft_defender.yml	2021-08-04 17:00:34 -05:00
Austin Songer	8d195bf5d5	Update sysmon_disabled_pua_protection_on_microsoft_defender.yml	2021-08-04 13:11:31 -05:00
Austin Songer	bae075713c	Update sysmon_disabled_pua_protection_on_microsoft_defender.yml	2021-08-04 13:10:37 -05:00
Austin Songer	f89ba18c5d	Create sysmon_disabled_pua_protection_on_microsoft_defender.yml	2021-08-04 11:27:41 -05:00
phantinuss	882ea7ec22	fix: remove unnecessary single value list	2021-08-04 15:50:39 +02:00
frack113	f040725dd8	fix EventID: 4104 ScriptBlockText	2021-08-04 14:49:50 +02:00
phantinuss	994701bd8e	CobaltStrike injected AMSI bypass	2021-08-04 11:28:58 +02:00
frack113	644fe80786	add powershell_timestomp.yml	2021-08-03 16:01:54 +02:00
Bhabesh Rai	85b88c7646	Added rule for pypykatz	2021-08-03 15:06:27 +05:45
frack113	b5e4b04cb5	fix eventid 400 powershell-classic	2021-08-03 10:04:15 +02:00
frack113	0efe69bd36	add poweshell_detect_vm_env.yml	2021-08-03 08:30:26 +02:00
frack113	f9aff7d403	fix product sysmon_apt_sourgrum.yml	2021-07-30 16:02:38 +02:00
Bhabesh Rai	1f0d4ca3dc	Merge branch 'master' of https://github.com/d4rk-d4nph3/sigma into master	2021-07-30 12:36:21 +05:45
Bhabesh Rai	9131ed6db5	Added rule for Cabinet file expansion	2021-07-30 12:36:05 +05:45
frack113	ccaffc79f7	update ref win_susp_psr_capture_screenshots.yml	2021-07-30 08:40:21 +02:00
frack113	dfa28944d0	update ref in sysmon_creation_mavinject_dll.yml	2021-07-30 08:31:37 +02:00
frack113	e33ec91b9a	add powershell_keylogging.yml	2021-07-30 08:28:19 +02:00
Florian Roth	ab16490d33	fix: re CS rule	2021-07-30 08:24:41 +02:00
frack113	38ede57cb4	add powershell_suspicious_recon.yml	2021-07-30 08:20:51 +02:00
frack113	eff6b50a89	add process_creation_susp_recon.yml	2021-07-30 08:15:13 +02:00
Florian Roth	096395a49a	fix: one condition style error	2021-07-30 07:19:42 +02:00
Florian Roth	b105402fe4	Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel	2021-07-30 07:11:14 +02:00
Florian Roth	0cbb6f82ad	CobaltStrike NamedPipe Patterns ... https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575	2021-07-30 07:11:11 +02:00
Florian Roth	61a9da3901	Merge branch 'master' into rule-devel	2021-07-29 18:15:36 +02:00
Florian Roth	03b68dcf10	Merge pull request #1756 from frack113/small_fix ... fix duplicate UUID	2021-07-29 18:14:02 +02:00
Florian Roth	ec9c15226f	SeriousSAM PowerShell rule	2021-07-29 18:12:10 +02:00
Florian Roth	d753d9a7fd	fix: duplicate id and indentation	2021-07-29 16:06:45 +02:00
Florian Roth	5ce5465559	Merge pull request #1755 from SigmaHQ/rule-devel ... Different rule updates	2021-07-28 18:56:28 +02:00
frack113	bd123536df	fix duplicate UUID	2021-07-28 18:19:23 +02:00
Florian Roth	8787e338bd	Merge pull request #1734 from austinsonger/aws_elasticache_security_group_modified_or_deleted.yml ... aws_elasticache_security_group_modified_or_deleted.yml	2021-07-28 16:25:39 +02:00
Florian Roth	358ec255a1	Merge pull request #1736 from austinsonger/azure_kubernetes_pods_delete.yml ... azure_kubernetes_pods_deleted.yml	2021-07-28 16:25:19 +02:00
Florian Roth	3c6c2db11d	Merge pull request #1737 from austinsonger/azure_kubernetes_events_deleted.yml ... azure_kubernetes_events_deleted.yml	2021-07-28 16:25:05 +02:00
Florian Roth	25283948fc	Merge pull request #1741 from austinsonger/aws_sts_getsessiontoken_misuse.yml ... aws_sts_getsessiontoken_misuse.yml	2021-07-28 16:24:53 +02:00
Florian Roth	77c8225db3	Merge pull request #1745 from frack113/redcanary_t1115 ... [OSCD] process_creation_clip.yml t1115	2021-07-28 16:24:15 +02:00
Florian Roth	f57f5931ed	Merge pull request #1746 from frack113/tune_sysmon_office_vsto_persistence.yml ... Tune sysmon_office_vsto_persistence.yml	2021-07-28 16:23:49 +02:00