Commit Graph

202 Commits

Author SHA1 Message Date
frack113 756a248032 update logsource 2023-01-04 18:52:24 +01:00
Nasreddine Bencherchali a25027fef8 fix: rename links from old repo to SigmaHQ 2022-12-27 21:05:16 +01:00
frack113 7060db3d47 Promotion rules (#3821)
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali e6baac1bf2 fix: exclude teamviewer fp & reduce severity 2022-12-23 20:50:38 +01:00
Nasreddine Bencherchali 21f5bf8536 feat: new rules related to rat software based on #2841 2022-12-23 20:42:51 +01:00
Nasreddine Bencherchali 03cc78e916 feat: filename test enhancements (#3812) 2022-12-23 09:25:16 +01:00
Qasim Qlf 29377ddfff fix: updated targetUserName and ipAddress 2022-12-22 14:16:25 +05:00
Nasreddine Bencherchali beccf416da feat: add two new rules 2022-12-20 23:44:44 +01:00
Nasreddine Bencherchali 681c720509 fix: fp in user_driver_loaded rule 2022-12-12 22:30:08 +01:00
Nasreddine Bencherchali 7c7057d9d3 fix: rename .net etw tamper rules 2022-12-09 18:06:58 +01:00
Nasreddine Bencherchali 89e44d46cb feat: update .net etw tamper rules 2022-12-09 18:06:20 +01:00
Nasreddine Bencherchali 559b4c4e97 Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel 2022-12-09 13:41:21 +01:00
Florian Roth 356ab98ada fix: FPs with Important Scheduled Task Deleted 2022-12-09 12:55:41 +01:00
Nasreddine Bencherchali 6f6cb9648d fix: fp found in testing 2022-12-09 10:33:52 +01:00
Nasreddine Bencherchali fa318243c2 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-12-08 19:22:11 +01:00
Nasreddine Bencherchali 0567ca8ca3 fix: fix unused selection 2022-12-08 11:57:40 +01:00
Nasreddine Bencherchali f12975bc6b fix: update description
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2022-12-07 22:34:56 +01:00
Nasreddine Bencherchali a425ef65e5 feat: update metadata and add more cases for rules 2022-12-07 02:26:21 +01:00
Nasreddine Bencherchali a7bfb349ee fix: fix fp found in testing 2022-12-07 02:25:52 +01:00
Nasreddine Bencherchali 42b99b165d feat: new rules and fixes (#3759)
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2022-12-06 12:13:20 +01:00
Nasreddine Bencherchali 9657446647 fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-06 10:53:57 +01:00
Nasreddine Bencherchali dbf114e7cb feat: add rules related to scheduled tasks 2022-12-05 23:52:11 +01:00
frack113 54739006a9 Fix workflow warning 2022-12-04 15:29:08 +01:00
frack113 a674ee246b Update Title (#3739) 2022-11-30 11:44:15 +01:00
frack113 c820216541 Update Title (#3733) 2022-11-28 06:43:17 +01:00
frack113 cd4121d966 Update Title (#3731)
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-11-27 19:19:27 +01:00
Qasim Qlf ed54bf44a5 Minor Fix 2022-11-22 18:13:34 +05:00
Nasreddine Bencherchali 6603ca9202 fix: update rules to not use regex 2022-11-18 11:16:13 +01:00
Florian Roth 0fb1295157 fix: FPs noticed with Aurora 2022-11-13 20:26:03 +01:00
Yamato Security 5de1fd6f2d Rule add: windows access token abuse (#3675)
Co-authored-by: Florian Roth <venom14@gmail.com>
2022-11-09 09:43:15 +01:00
frack113 8b749fb126 Order yaml field 2022-10-25 11:08:51 +02:00
frack113 f78e9e9034 Add rule
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-24 17:52:05 +02:00
Nasreddine Bencherchali 4a61f56c5f Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-19 19:06:00 +02:00
Nasreddine Bencherchali 87c0788fca Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-19 19:04:53 +02:00
Nasreddine Bencherchali a6edfd6c21 Add more details to the definition section
Add more details to the definition section for events from the "Audit Directory Service Changes"
2022-10-18 17:35:02 +02:00
Nasreddine Bencherchali 2758e67185 Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-18 17:08:09 +02:00
Nasreddine Bencherchali 18ed0ce02a Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-18 17:07:36 +02:00
Nasreddine Bencherchali ce567a4d8d Fix wording in definition + Add FP description 2022-10-18 16:02:41 +02:00
Nasreddine Bencherchali 01826d2a3b New File Access Rules
Added new file access rules related to Windows DPAPI files/keys
2022-10-18 11:51:24 +02:00
Nasreddine Bencherchali e26a6e36db Add missing definitions
Add missing definitions for Audit Directory Services Changes events
2022-10-17 13:23:53 +02:00
Florian Roth e344b1f10f Merge pull request #3591 from frack113/yamato_security
Windows builtin security rules
2022-10-15 10:49:37 +02:00
Florian Roth a6e54ab023 Update win_security_user_logoff.yml 2022-10-14 18:03:40 +02:00
frack113 81ec573424 Update rules/windows/builtin/security/win_security_user_logoff.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:51 +02:00
frack113 d010fedb2c Update rules/windows/builtin/security/win_security_replay_attack_detected.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:41 +02:00
frack113 2e14174911 Update rules/windows/builtin/security/win_security_device_installation_blocked.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:27 +02:00
frack113 0042e2c8f0 Update rules/windows/builtin/security/win_security_add_remove_computer.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:20 +02:00
frack113 0eda26397f Set to low 2022-10-14 10:33:34 +02:00
frack113 35e1660479 Fix LF 2022-10-14 10:22:58 +02:00
frack113 6a69608b44 Add security rules 2022-10-14 10:13:32 +02:00
frack113 8b7280e8fa Fix file name length 2022-10-14 09:11:19 +02:00