frack113 | 217be6cd8a | 2021-09-09 15:04:26 +02:00
Merge pull request #2005 from frack113/tags_end
Add missing tags to rule

Florian Roth | e8b633f54f | 2021-09-09 09:29:08 +02:00
Merge pull request #2006 from SigmaHQ/rule-devel
docs: changed level and reference in CVE-2021-40444 rule

Florian Roth | 2777187fd9 | 2021-09-09 08:46:34 +02:00
docs: changed level and reference in CVE-2021-40444 rule

Florian Roth | b1f5c22805 | 2021-09-09 08:44:52 +02:00
Merge pull request #2003 from SigmaHQ/rule-devel
CVE-2021-40444 process pattern

Florian Roth | 36a5d7ec04 | 2021-09-09 08:12:36 +02:00
CVE-2021-40444 false positives

frack113 | 8eb527d042 | 2021-09-08 20:21:02 +02:00
Update process_mailboxexport_share.yml

frack113 | deb0ddfe09 | 2021-09-08 20:16:53 +02:00
fix duplicate tags

frack113 | af8bf06b30 | 2021-09-08 20:14:49 +02:00
add missing tags

Florian Roth | b1540d65b9 | 2021-09-08 17:35:50 +02:00
refactor: simplified rule

Florian Roth | e388bc6bfa | 2021-09-08 16:56:04 +02:00
remove unsupported tag

Florian Roth | c9b4f5d326 | 2021-09-08 16:49:49 +02:00
CVE-2021-40444

frack113 | 993112c7eb | 2021-09-08 06:26:55 +02:00
Merge pull request #2002 from frack113/missing_tag
Add missing Tags #1974

frack113 | e712d9696b | 2021-09-08 06:26:35 +02:00
Merge pull request #2000 from frack113/split_global
Split frack113 global rules

Thomas Patzke | 143744bc12 | 2021-09-07 23:38:07 +02:00
Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors

frack113 | 4e394d83a1 | 2021-09-07 17:45:41 +02:00
add missing tags

frack113 | 0e5e4fa19d | 2021-09-07 13:30:32 +02:00
Split global rules

Florian Roth | 6b2bacd2cc | 2021-09-06 08:44:14 +02:00
Merge pull request #1979 from frack113/test_global
Change ID in global action rule

frack113 | 6780182c37 | 2021-09-03 19:13:32 +02:00
Merge pull request #1974 from frack113/tags_pack2
Add missing Tags

frack113 | 688df3405a | 2021-09-03 19:06:51 +02:00
Merge pull request #1970 from frack113/red_T1564.004_1
Redcanary t1564.004 ADS test 1

ncrqnt | adc3c9e608 | 2021-09-03 12:03:38 +02:00
fixed date: switched day/month

frack113 | 11e4b900e4 | 2021-09-03 06:59:40 +02:00
Update global id

frack113 | 135d0a2c61 | 2021-09-03 06:50:00 +02:00
Update global id

frack113 | a6bb5574fb | 2021-09-03 06:35:35 +02:00
Update global id

phantinuss | ab721c736c | 2021-09-02 14:55:17 +02:00
chore: move level/falsepositives to bottom

phantinuss | 0b373ff1e9 | 2021-09-02 14:47:47 +02:00
fix: remove 2nd selection due to FPs

frack113 | 6a1b95d947 | 2021-09-02 14:22:59 +02:00
Findstr covered by win_susp_findstr.yml

frack113 | aaa568ff2d | 2021-09-02 14:18:38 +02:00
print covered by win_susp_print.yml

phantinuss | 5cb6eed52e | 2021-09-02 14:09:03 +02:00
fix: remove single value lists

phantinuss | f4a5df67ae | 2021-09-02 10:28:01 +02:00
further narrowing down of the selection, therefore removing the filter

frack113 | 6f1f70ca5e | 2021-09-02 09:59:19 +02:00
Add missing tags

frack113 | e0cd35261c | 2021-09-01 20:01:03 +02:00
add missing tags

phantinuss | 0b38237dbf | 2021-09-01 15:38:29 +02:00
fix: add relation to now obsolete rule

phantinuss | ae9966bdcc | 2021-09-01 14:48:32 +02:00
fix: unifying two overlapping rules

phantinuss | deefcaa8ac | 2021-09-01 14:33:46 +02:00
fix: prevent possible FPs with the respective command only used as the last parameter

frack113 | 2dbbaf0180 | 2021-09-01 14:00:55 +02:00
fix missing char in date

frack113 | e71fce6f11 | 2021-09-01 13:55:14 +02:00
fix errors

frack113 | 80dbfa7af5 | 2021-09-01 13:52:09 +02:00
add process_creation_alternate_data_streams.yml

phantinuss | 9ffdced740 | 2021-09-01 10:21:37 +02:00
fix: implement suggestions from PR discussion

phantinuss | add1ad40f8 | 2021-08-31 16:23:32 +02:00
additional UAC bypass rule

phantinuss | 59d8e0b866 | 2021-08-31 16:18:05 +02:00
add System IntegrityLevel to uac bypass rules, the level is not used most of the time, but might

phantinuss | 3a9e10d081 | 2021-08-31 12:51:21 +02:00
bulk of new rules to match working UACMe UAC bypasses

phantinuss | 50b8ca5110 | 2021-08-31 12:51:21 +02:00
add more COM interfaces and sharpen rule logic

frack113 | b25fbbea54 | 2021-08-31 09:54:47 +02:00
Merge pull request #1957 from d4rk-d4nph3/master
Added new malwarebytes reference for Cab File Expansion rule

Bhabesh Rai | 911c45201a | 2021-08-31 13:02:53 +05:45
Added -F option support

Bhabesh Rai | e2bfaea10f | 2021-08-31 11:35:54 +05:45
Added new malwarebytes reference for Cab File Expansion rule

Florian Roth | 36a227796a | 2021-08-30 15:48:01 +02:00
Merge pull request #1945 from SigmaHQ/rule-devel
rules: cobalt strike rules refactored

Florian Roth | 1ded4eb913 | 2021-08-30 15:10:30 +02:00
rules: cobalt strike rules refactored

frack113 | 970dfa2f92 | 2021-08-28 21:02:04 +02:00
Merge pull request #1938 from EvanYu0816/upstream-fixes
Fix Pass the Hash and NotPetya Ransomware rule

frack113 | 3e355c64db | 2021-08-28 20:47:27 +02:00
Merge pull request #1939 from SigmaHQ/rule-devel
rule: UAC bypass by mocking dirs

Florian Roth | f78225c394 | 2021-08-27 18:12:21 +02:00
rule: UAC bypass by mocking dirs