 Florian Roth
|
ea430c8823
|
Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
|
2021-05-27 12:55:03 +02:00 |
|
|
Florian Roth
|
059e669ac6
|
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
|
2021-05-27 12:51:54 +02:00 |
|
|
Florian Roth
|
b5352ac5f7
|
fix: duplicate UUIDs
|
2021-05-27 10:29:21 +02:00 |
|
|
Florian Roth
|
adbdb5b22f
|
Merge branch 'master' into falsepositives_NOT_a_list
|
2021-05-27 10:23:19 +02:00 |
|
|
Bhabesh Rai
|
cc9ac2ddcf
|
Added rule for PowerView's malicious cmdlets
|
2021-05-25 21:04:32 +05:45 |
|
|
Jonhnathan
|
26ecbea0ba
|
Update Threat Hunter Playbook Reference
|
2021-05-22 01:03:49 -03:00 |
|
|
Jonhnathan
|
4ebdcf2f1d
|
Update Threat Hunter Playbook Reference
|
2021-05-22 01:03:23 -03:00 |
|
|
frack113
|
1d1170e8ba
|
Fix falsepositives list
|
2021-05-21 12:31:01 +02:00 |
|
|
frack113
|
a6cadc6de5
|
Fix falsepositives list
|
2021-05-21 12:29:28 +02:00 |
|
|
frack113
|
ad376a8328
|
Fix falsepositives list
|
2021-05-21 12:28:12 +02:00 |
|
|
frack113
|
2197514fc5
|
Fix falsepositives list
|
2021-05-21 12:26:37 +02:00 |
|
|
frack113
|
48a7e80192
|
Fix falsepositives list
|
2021-05-21 12:24:25 +02:00 |
|
|
partyh4rd
|
5a98e36905
|
Update powershell_suspicious_getprocess_lsass.yml
fix mitre_code 1552.004 -> 1003.001
|
2021-05-04 14:04:52 +03:00 |
|
|
Florian Roth
|
1ff5e226ad
|
Merge pull request #1436 from SigmaHQ/rule-devel
Rule devel
|
2021-04-23 17:33:07 +02:00 |
|
|
Florian Roth
|
c7ce9154d1
|
Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
|
2021-04-23 16:52:25 +02:00 |
|
|
Florian Roth
|
1333a95c51
|
rule: get-process lsass
|
2021-04-23 16:44:53 +02:00 |
|
|
Florian Roth
|
5aed7c80db
|
Merge pull request #1435 from SigmaHQ/rule-devel
fix: FPs with certutil command and McAfee Chromium Container
|
2021-04-23 14:55:31 +02:00 |
|
|
Florian Roth
|
85582c540e
|
docs: changed modification date
|
2021-04-23 14:55:04 +02:00 |
|
|
Florian Roth
|
ce03ca9485
|
fix: Jitter keyword prone to FPs
|
2021-04-23 14:54:32 +02:00 |
|
|
Florian Roth
|
64f5af4c45
|
Merge pull request #1432 from SigmaHQ/rule-devel
fix: splunk windows config, additional rule
|
2021-04-23 10:30:44 +02:00 |
|
|
Florian Roth
|
d5e88d369c
|
fix: fixed rule title
|
2021-04-23 09:51:31 +02:00 |
|
|
Florian Roth
|
b447e6338f
|
rule: Export-PfxCertificate
|
2021-04-23 09:01:14 +02:00 |
|
|
Steven
|
d263b937b4
|
Clean-up service: sysmon as it will be replaced by filling the category
|
2021-04-15 02:02:25 +02:00 |
|
|
Steven
|
850a002840
|
Merge branch 'master' of https://github.com/SigmaHQ/sigma
|
2021-04-15 01:25:48 +02:00 |
|
|
Florian Roth
|
4abebd98d9
|
Merge pull request #1418 from SigmaHQ/rule-devel
Fixing false positives with newest OSCD rules
|
2021-04-09 17:26:02 +02:00 |
|
|
Florian Roth
|
897da252f1
|
fix: missing new line placeholder escape
|
2021-04-09 16:45:07 +02:00 |
|
|
Florian Roth
|
65a11dde52
|
fix: rules causing too many false positives
|
2021-04-09 15:55:14 +02:00 |
|
|
Thomas Patzke
|
3fef2a10b8
|
Merge branch 'pr-1158'
|
2021-04-08 23:01:54 +02:00 |
|
|
Thomas Patzke
|
a10db2df89
|
Fixes&improvements
|
2021-04-08 01:06:40 +02:00 |
|
|
Thomas Patzke
|
b1b0240692
|
Fixes
|
2021-04-03 23:21:13 +02:00 |
|
|
Thomas Patzke
|
90efe974b8
|
Fixes and improvements
|
2021-04-03 00:08:55 +02:00 |
|
|
Anton Kutepov
|
3f45269296
|
Merge branch 'oscd'
B
B
B
B
A
|
2021-03-02 22:58:41 +03:00 |
|
|
Florian Roth
|
274b7b0f2e
|
fix: search for keywords within message
|
2021-02-26 09:42:12 +01:00 |
|
|
jaegeral
|
e1f43f17c2
|
fixed various spelling errors all over rules and source code
|
2021-02-24 14:43:13 +00:00 |
|
|
Florian Roth
|
aaeb72a2b6
|
fix: FPs
|
2021-02-01 11:47:23 +01:00 |
|
|
yugoslavskiy
|
d25ca9b280
|
Merge pull request #1229 from zinint/1009-19-1
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
|
2021-01-06 00:24:08 +03:00 |
|
|
yugoslavskiy
|
f4578b0698
|
Merge pull request #1223 from zinint/1009-23-1
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
|
2021-01-06 00:23:33 +03:00 |
|
|
yugoslavskiy
|
fc1fa23440
|
Merge pull request #1191 from vburov/patch-14
[OSCD] Create powershell_cmdline_special_characters.yml
|
2021-01-06 00:18:12 +03:00 |
|
|
yugoslavskiy
|
cfbd10ab8b
|
Merge pull request #1186 from nsaddler/lolbas107_2
[OSCD] LOLBAS CL_Mutexverifiers - powershell
|
2021-01-06 00:17:54 +03:00 |
|
|
yugoslavskiy
|
9d1c695204
|
Merge pull request #1184 from nsaddler/lolbas106_1
[OSCD] LOLBAS CL_Invocation - powershell
|
2021-01-06 00:17:10 +03:00 |
|
|
yugoslavskiy
|
8e6b77fc4f
|
Merge pull request #1177 from OpalSec/oscd
[OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers
|
2021-01-06 00:16:34 +03:00 |
|
|
yugoslavskiy
|
b56a7181ce
|
Merge pull request #1157 from invrep-de/oscd
[OSCD] Bad Opsec Powershell Artifacts
|
2021-01-06 00:11:24 +03:00 |
|
|
yugoslavskiy
|
a82c559816
|
Merge pull request #1130 from vburov/patch-13
[OSCD] Create powershell_cmdline_specific_encoded_methods.yml
|
2021-01-05 23:16:24 +03:00 |
|
|
yugoslavskiy
|
32aea9ad2b
|
Merge pull request #1098 from NikitaStormwind/regular31
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (4104, 4103)
|
2021-01-05 23:10:28 +03:00 |
|
|
Florian Roth
|
540039cbc3
|
fix: Malicious Nishang PowerShell Commandlets FP with MDATP
|
2020-12-05 09:33:42 +01:00 |
|
|
yugoslavskiy
|
a028cdf1ee
|
Update powershell_shellcode_b64.yml
|
2020-12-01 02:24:35 +01:00 |
|
|
yugoslavskiy
|
7309fb7d0e
|
Update powershell_winlogon_helper_dll.yml
|
2020-12-01 02:23:02 +01:00 |
|
|
Jonhnathan
|
a9fde0117b
|
Merge branch 'oscd' into oscd_rules_improvement
|
2020-11-28 14:52:31 -03:00 |
|
|
yugoslavskiy
|
2e5e4a20d2
|
Update powershell_clear_powershell_history.yml
|
2020-11-28 09:26:18 +01:00 |
|
|
Jonhnathan
|
784cab1dfe
|
Fix missing logic and Field
|
2020-11-26 22:46:17 -03:00 |
|