BlueTeamOps
|
f75ad98903
|
Create win_lateral_movement
EID 4674 with the proposed attributes is very rare in prod environment.
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
|
2021-04-27 22:55:58 +10:00 |
|
Florian Roth
|
9166167447
|
Merge pull request #1433 from d4rk-d4nph3/master
Added rule for Lazarus activity of Apr 2021
|
2021-04-26 20:34:51 +02:00 |
|
Florian Roth
|
3008e5b9e7
|
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy
Fix typo on CommandLine field
|
2021-04-26 20:33:56 +02:00 |
|
Florian Roth
|
194b0af4d2
|
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas
Fix typo on CommandLine field
|
2021-04-26 20:33:45 +02:00 |
|
Florian Roth
|
6d2acb1660
|
Merge pull request #1441 from SigmaHQ/rule-devel
feat: generic registry events compatible with native audit logging
|
2021-04-26 10:24:44 +02:00 |
|
Florian Roth
|
d24f0b8988
|
feat: generic registry events compatible with native audit logging
|
2021-04-26 09:31:36 +02:00 |
|
Florian Roth
|
66d0f910dd
|
feat: windows native events - registry_event
|
2021-04-25 22:35:23 +02:00 |
|
Florian Roth
|
9a14557136
|
Merge pull request #1437 from SigmaHQ/rule-devel
feat: generic categories, thor config, revert splunk config
|
2021-04-25 21:54:17 +02:00 |
|
Florian Roth
|
08234c4620
|
Revert "fix: splunk for windows config errors"
This reverts commit 13347df263 .
|
2021-04-25 21:52:29 +02:00 |
|
Cedric Hien
|
748005fc14
|
Fix typo on CommandLine field
|
2021-04-25 15:52:59 +02:00 |
|
Cedric Hien
|
c580db166c
|
Fix typo on CommandLine field
|
2021-04-25 15:50:44 +02:00 |
|
Florian Roth
|
d766c12888
|
feat: generic categories - thor config
|
2021-04-23 17:47:09 +02:00 |
|
Florian Roth
|
1ff5e226ad
|
Merge pull request #1436 from SigmaHQ/rule-devel
Rule devel
|
2021-04-23 17:33:07 +02:00 |
|
Florian Roth
|
f2fa8dd956
|
rules: CobaltStrike named pipes
|
2021-04-23 17:16:09 +02:00 |
|
Florian Roth
|
c7ce9154d1
|
Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
|
2021-04-23 16:52:25 +02:00 |
|
Florian Roth
|
a29ac79a3f
|
refactor: extended comsvcs.dll MiniDump rule
|
2021-04-23 16:46:04 +02:00 |
|
Florian Roth
|
6f12a1b099
|
docs: FPs and changed level
|
2021-04-23 16:45:52 +02:00 |
|
Florian Roth
|
1333a95c51
|
rule: get-process lsass
|
2021-04-23 16:44:53 +02:00 |
|
Florian Roth
|
5aed7c80db
|
Merge pull request #1435 from SigmaHQ/rule-devel
fix: FPs with certutil command and McAfee Chromium Container
|
2021-04-23 14:55:31 +02:00 |
|
Florian Roth
|
85582c540e
|
docs: changed modification date
|
2021-04-23 14:55:04 +02:00 |
|
Florian Roth
|
ce03ca9485
|
fix: Jitter keyword prone to FPs
|
2021-04-23 14:54:32 +02:00 |
|
Florian Roth
|
6256261d0e
|
fix: FPs with Certutil and McAfee Chromium Container
|
2021-04-23 12:49:16 +02:00 |
|
Florian Roth
|
886079ce8f
|
Merge pull request #1434 from phantinuss/master
THOR: search generic *.log files for product: linux
|
2021-04-23 12:35:24 +02:00 |
|
phantinuss
|
95fa99b4a3
|
search generic log files for product: linux
|
2021-04-23 12:00:48 +02:00 |
|
Florian Roth
|
6d1b9f36e8
|
feat: thor config - process all *.log files
|
2021-04-23 10:31:07 +02:00 |
|
Florian Roth
|
64f5af4c45
|
Merge pull request #1432 from SigmaHQ/rule-devel
fix: splunk windows config, additional rule
|
2021-04-23 10:30:44 +02:00 |
|
Florian Roth
|
d5e88d369c
|
fix: fixed rule title
|
2021-04-23 09:51:31 +02:00 |
|
Florian Roth
|
13347df263
|
fix: splunk for windows config errors
|
2021-04-23 09:50:13 +02:00 |
|
Florian Roth
|
b447e6338f
|
rule: Export-PfxCertificate
|
2021-04-23 09:01:14 +02:00 |
|
Bhabesh Rai
|
dd391cd0b9
|
Added rule for Lazarus activity of Apr 2021
|
2021-04-20 20:05:51 +05:45 |
|
Florian Roth
|
1fea9a7c41
|
Merge pull request #1428 from defensivedepth/patch-3
false positive - added Azure AD Connect
|
2021-04-20 15:10:31 +02:00 |
|
Josh Brower
|
dfc1218e6a
|
false positive - added Azure AD Connect
|
2021-04-20 08:24:38 -04:00 |
|
Thomas Patzke
|
35e6e515ba
|
Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield
Fix es-dsl aggregation generation when aggfield is not given
|
2021-04-20 10:35:16 +02:00 |
|
Florian Roth
|
0bf2625393
|
Merge pull request #1421 from ZikyHD/patch_fireeye_helix_backend
Fix SyntaxWarning for 'is' on fireeye-helix backend
|
2021-04-20 09:07:10 +02:00 |
|
Florian Roth
|
68c59850af
|
Merge pull request #1422 from ZikyHD/fix_lnx_system_info_discovery
Fix invalid logsource on lnx_system_info_discovery rule
|
2021-04-20 09:06:54 +02:00 |
|
Florian Roth
|
20c5356c9e
|
Merge pull request #1424 from ZikyHD/fix_process_creation_dotnet
Fix typo on CommandLine
|
2021-04-20 09:06:38 +02:00 |
|
Florian Roth
|
0b9a7c14f3
|
Merge pull request #1426 from defensivedepth/patch-2
Added MS Threat Docs for 4616 to references
|
2021-04-20 09:06:23 +02:00 |
|
Josh Brower
|
2486a85a1f
|
Added MS Threat Docs for 4616 to references
|
2021-04-19 08:15:42 -04:00 |
|
Florian Roth
|
7039209a7a
|
Merge pull request #1425 from SigmaHQ/rule-devel
refactor: tightened filter
|
2021-04-19 11:32:02 +02:00 |
|
Florian Roth
|
53c6a7c54e
|
refactor: tightened filter
|
2021-04-19 09:30:32 +02:00 |
|
Cedric Hien
|
1d6aec3c25
|
Fix typo on CommandLine
|
2021-04-19 08:20:44 +02:00 |
|
Cedric Hien
|
bbdbab700d
|
Fix invalid logsource on lnx_system_info_discovery rule
|
2021-04-17 12:57:30 +02:00 |
|
Cedric Hien
|
2ff27aa980
|
Fix SyntaxWarning for 'is' on fireeye-helix backend
|
2021-04-17 12:55:13 +02:00 |
|
Florian Roth
|
941d47bc28
|
Merge pull request #1416 from sycophantic/master
Remove extra spaces
|
2021-04-15 13:20:49 +02:00 |
|
Steven
|
a8d8165541
|
Yet another syntax fix
|
2021-04-15 09:25:04 +02:00 |
|
Florian Roth
|
e95daa07b0
|
Merge pull request #1419 from OTRF/master
HybridConnectionMgr Service Activity
|
2021-04-15 08:28:46 +02:00 |
|
Steven
|
8703d9f352
|
Remove another reference to hardcoded event ID
|
2021-04-15 03:07:18 +02:00 |
|
Steven
|
9f5e8a02a4
|
Fix parse errors
|
2021-04-15 02:46:41 +02:00 |
|
Steven
|
8301b9c221
|
Fix selection vs selection_1 in rule files
|
2021-04-15 02:41:04 +02:00 |
|
Steven
|
cce8d945a0
|
Clean rule rules/windows/malware/win_mal_octopus_scanner.yml to use category
|
2021-04-15 02:30:41 +02:00 |
|