Commit Graph

5976 Commits

Author SHA1 Message Date
BlueTeamOps
f75ad98903
Create win_lateral_movement
EID 4674 with the proposed attributes is very rare in prod environment. 
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
2021-04-27 22:55:58 +10:00
Florian Roth
9166167447
Merge pull request #1433 from d4rk-d4nph3/master
Added rule for Lazarus activity of Apr 2021
2021-04-26 20:34:51 +02:00
Florian Roth
3008e5b9e7
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy
Fix typo on CommandLine field
2021-04-26 20:33:56 +02:00
Florian Roth
194b0af4d2
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas
Fix typo on CommandLine field
2021-04-26 20:33:45 +02:00
Florian Roth
6d2acb1660
Merge pull request #1441 from SigmaHQ/rule-devel
feat: generic registry events compatible with native audit logging
2021-04-26 10:24:44 +02:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Florian Roth
66d0f910dd feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00
Florian Roth
9a14557136
Merge pull request #1437 from SigmaHQ/rule-devel
feat: generic categories, thor config, revert splunk config
2021-04-25 21:54:17 +02:00
Florian Roth
08234c4620 Revert "fix: splunk for windows config errors"
This reverts commit 13347df263.
2021-04-25 21:52:29 +02:00
Cedric Hien
748005fc14 Fix typo on CommandLine field 2021-04-25 15:52:59 +02:00
Cedric Hien
c580db166c Fix typo on CommandLine field 2021-04-25 15:50:44 +02:00
Florian Roth
d766c12888 feat: generic categories - thor config 2021-04-23 17:47:09 +02:00
Florian Roth
1ff5e226ad
Merge pull request #1436 from SigmaHQ/rule-devel
Rule devel
2021-04-23 17:33:07 +02:00
Florian Roth
f2fa8dd956 rules: CobaltStrike named pipes 2021-04-23 17:16:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
Florian Roth
a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth
6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth
1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth
5aed7c80db
Merge pull request #1435 from SigmaHQ/rule-devel
fix: FPs with certutil command and McAfee Chromium Container
2021-04-23 14:55:31 +02:00
Florian Roth
85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth
ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth
6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Florian Roth
886079ce8f
Merge pull request #1434 from phantinuss/master
THOR: search generic *.log files for product: linux
2021-04-23 12:35:24 +02:00
phantinuss
95fa99b4a3
search generic log files for product: linux 2021-04-23 12:00:48 +02:00
Florian Roth
6d1b9f36e8 feat: thor config - process all *.log files 2021-04-23 10:31:07 +02:00
Florian Roth
64f5af4c45
Merge pull request #1432 from SigmaHQ/rule-devel
fix: splunk windows config, additional rule
2021-04-23 10:30:44 +02:00
Florian Roth
d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth
13347df263 fix: splunk for windows config errors 2021-04-23 09:50:13 +02:00
Florian Roth
b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Bhabesh Rai
dd391cd0b9 Added rule for Lazarus activity of Apr 2021 2021-04-20 20:05:51 +05:45
Florian Roth
1fea9a7c41
Merge pull request #1428 from defensivedepth/patch-3
false positive - added Azure AD Connect
2021-04-20 15:10:31 +02:00
Josh Brower
dfc1218e6a
false positive - added Azure AD Connect 2021-04-20 08:24:38 -04:00
Thomas Patzke
35e6e515ba
Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield
Fix es-dsl aggregation generation when aggfield is not given
2021-04-20 10:35:16 +02:00
Florian Roth
0bf2625393
Merge pull request #1421 from ZikyHD/patch_fireeye_helix_backend
Fix SyntaxWarning for 'is' on fireeye-helix backend
2021-04-20 09:07:10 +02:00
Florian Roth
68c59850af
Merge pull request #1422 from ZikyHD/fix_lnx_system_info_discovery
Fix invalid logsource on lnx_system_info_discovery rule
2021-04-20 09:06:54 +02:00
Florian Roth
20c5356c9e
Merge pull request #1424 from ZikyHD/fix_process_creation_dotnet
Fix typo on CommandLine
2021-04-20 09:06:38 +02:00
Florian Roth
0b9a7c14f3
Merge pull request #1426 from defensivedepth/patch-2
Added MS Threat Docs for 4616 to references
2021-04-20 09:06:23 +02:00
Josh Brower
2486a85a1f
Added MS Threat Docs for 4616 to references 2021-04-19 08:15:42 -04:00
Florian Roth
7039209a7a
Merge pull request #1425 from SigmaHQ/rule-devel
refactor: tightened filter
2021-04-19 11:32:02 +02:00
Florian Roth
53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00
Cedric Hien
1d6aec3c25 Fix typo on CommandLine 2021-04-19 08:20:44 +02:00
Cedric Hien
bbdbab700d Fix invalid logsource on lnx_system_info_discovery rule 2021-04-17 12:57:30 +02:00
Cedric Hien
2ff27aa980 Fix SyntaxWarning for 'is' on fireeye-helix backend 2021-04-17 12:55:13 +02:00
Florian Roth
941d47bc28
Merge pull request #1416 from sycophantic/master
Remove extra spaces
2021-04-15 13:20:49 +02:00
Steven
a8d8165541 Yet another syntax fix 2021-04-15 09:25:04 +02:00
Florian Roth
e95daa07b0
Merge pull request #1419 from OTRF/master
HybridConnectionMgr Service Activity
2021-04-15 08:28:46 +02:00
Steven
8703d9f352 Remove another reference to hardcoded event ID 2021-04-15 03:07:18 +02:00
Steven
9f5e8a02a4 Fix parse errors 2021-04-15 02:46:41 +02:00
Steven
8301b9c221 Fix selection vs selection_1 in rule files 2021-04-15 02:41:04 +02:00
Steven
cce8d945a0 Clean rule rules/windows/malware/win_mal_octopus_scanner.yml to use category 2021-04-15 02:30:41 +02:00