6216 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Florian Roth	fa45298474	Merge pull request #1516 from SigmaHQ/rule-devel ... Update win_susp_regedit_trustedinstaller.yml	2021-05-27 17:48:48 +02:00
Florian Roth	61f5e66569	Update win_susp_regedit_trustedinstaller.yml	2021-05-27 16:57:41 +02:00
Florian Roth	71625c54f0	Merge pull request #1514 from SigmaHQ/rule-devel ... ProcessHacker rule, NCCGroup rclone rules	2021-05-27 16:30:30 +02:00
Florian Roth	d1582944a7	fix: dates in new rules	2021-05-27 16:30:09 +02:00
Florian Roth	d5e8d1153f	fix: missing condition	2021-05-27 15:04:13 +02:00
Florian Roth	7ce7095c2c	fix: title with lower case letters	2021-05-27 15:01:32 +02:00
Florian Roth	6e31bc3037	Merge pull request #1485 from V1D1AN/master ... Update ecs-zeek-elastic-beats-implementation.yml	2021-05-27 14:59:14 +02:00
Florian Roth	5cf7078fb3	Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution ... Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…	2021-05-27 12:55:31 +02:00
Florian Roth	ea430c8823	Merge pull request #1471 from d4rk-d4nph3/master ... Updated rule for Advanced IP Scanner and new rule for PowerView	2021-05-27 12:55:03 +02:00
Florian Roth	8d834cf681	Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access ... Add Windows Defender on WL	2021-05-27 12:54:15 +02:00
Florian Roth	d8827fc29d	Merge pull request #1481 from ZikyHD/improve_win_tool_psexec ... Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule	2021-05-27 12:53:56 +02:00
Florian Roth	1bf9546fad	Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file ... Exclude dism.exe	2021-05-27 12:53:27 +02:00
Florian Roth	9239690ef3	Merge pull request #1488 from dacelbot/master ... Contribute AWS snapshot exfiltration rule	2021-05-27 12:52:46 +02:00
Florian Roth	a80c29a7c2	Merge pull request #1491 from w0rk3r/patch-1 ... Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml	2021-05-27 12:52:14 +02:00
Florian Roth	059e669ac6	Merge pull request #1496 from frack113/falsepositives_NOT_a_list ... Fix rule where Falsepositives not a valid value	2021-05-27 12:51:54 +02:00
Florian Roth	e397a2974e	Merge pull request #1511 from frack113/fix_missing_eventid_Obfuscation ... Fix missing eventid when converting windows obfuscation rules	2021-05-27 12:51:22 +02:00
Florian Roth	3cd2730a26	rule: process hacker priv esc	2021-05-27 12:49:54 +02:00
Florian Roth	c0b93a010c	NCCGroup rules from rclone blog post ... https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/	2021-05-27 12:49:40 +02:00
Florian Roth	f16aca7a35	Merge pull request #1512 from SigmaHQ/rule-devel ... duplicate UUIDs, regedit as trusted installer	2021-05-27 12:42:36 +02:00
Florian Roth	7812a4217c	rule: regedit as trustedinstaller	2021-05-27 11:36:05 +02:00
Florian Roth	b5352ac5f7	fix: duplicate UUIDs	2021-05-27 10:29:21 +02:00
Florian Roth	ffeda2a2a2	Merge pull request #1492 from frack113/es_rule_uuid ... Fix errors when import es-rule ndjson to KIBANA	2021-05-27 10:24:39 +02:00
Florian Roth	adbdb5b22f	Merge branch 'master' into falsepositives_NOT_a_list	2021-05-27 10:23:19 +02:00
Florian Roth	f98716c672	Merge pull request #1500 from frack113/sigmac_add_time_filter ... Sigmac add new filter	2021-05-27 10:16:19 +02:00
frack113	2a68700991	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:43:08 +02:00
frack113	30cc64a349	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:41:19 +02:00
frack113	e4c32c353a	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:39:16 +02:00
frack113	a878f3b0a5	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:36:47 +02:00
frack113	cbce61bc8c	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:34:46 +02:00
frack113	8d8df10687	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:31:57 +02:00
frack113	ce53a5a67b	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:30:00 +02:00
frack113	417da3ac95	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:28:06 +02:00
frack113	f0d1c9aa7d	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:26:08 +02:00
frack113	788ebbafdc	use same trick as Invoke-Obfuscation Obfuscated IEX Invocation	2021-05-27 09:20:29 +02:00
Florian Roth	fb07b204b4	Merge pull request #1510 from SigmaHQ/rule-devel ... CobaltStrike Pipe Rule Changes	2021-05-26 18:30:34 +02:00
Florian Roth	a5fe7af25f	Cobalt Strike Service Installation	2021-05-26 18:05:38 +02:00
Florian Roth	c1cebe627a	refactor: reworked CS pipe rule	2021-05-26 17:22:34 +02:00
Florian Roth	d06f2bcf14	fix: sysmon backend "startswith"	2021-05-26 15:42:16 +02:00
Florian Roth	ba12057919	Merge pull request #1505 from WojciechLesicki/master ... Update rule regarding other named pipe	2021-05-26 14:35:22 +02:00
Florian Roth	bb71860fb2	Merge pull request #1509 from vastlimits/feature/update-6.1 ... Updated uberAgent backend to support version 6.1.	2021-05-26 13:08:08 +02:00
Florian Roth	8aabb58eca	Merge pull request #1498 from w0rk3r/otrf ... Update broken OTRF Threat Hunter Playbook References	2021-05-26 13:06:16 +02:00
WojciechLesicki	8b707bc948	Added also \status_ pipe.	2021-05-25 21:58:22 +02:00
WojciechLesicki	f1a0308e73	Add one more pipe, references etc.	2021-05-25 21:07:23 +02:00
Bhabesh Rai	cc9ac2ddcf	Added rule for PowerView's malicious cmdlets	2021-05-25 21:04:32 +05:45
WojciechLesicki	38552e98cf	Adding some pipes	2021-05-25 15:47:34 +02:00
Florian Roth	5e62cc2094	Merge pull request #1503 from frack113/fix_typo ... Fix some typo	2021-05-25 15:03:28 +02:00
frack113	3717c68bb7	fix typo of level	2021-05-24 10:45:58 +02:00
frack113	104a004b3d	fix typo of tags	2021-05-24 10:41:17 +02:00
frack113	afb3d63900	fix typo of fields	2021-05-24 10:37:14 +02:00
frack113	1fcd0bf951	fix typo of fields	2021-05-24 10:34:56 +02:00