Author | Commit | Message | Date
frack113 | 7060db3d47 | Promotion rules (#3821): Promotion rules; fix missing null; fix: modified date. Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> | 2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali | 21f5bf8536 | feat: new rules related to rat software based on #2841 | 2022-12-23 20:42:51 +01:00
Nasreddine Bencherchali | 03cc78e916 | feat: filename test enhancements (#3812) | 2022-12-23 09:25:16 +01:00
jstnk9 | 647f6dc2ef | Update title (#3734) | 2022-11-29 07:36:45 +01:00
Nasreddine Bencherchali | 20b0a6bad8 | Rule Dev | 2022-11-18 11:15:28 +01:00
Nasreddine Bencherchali | e8f10733e0 | Add browsers | 2022-10-31 20:57:22 +01:00
frack113 | dfdaecc52c | Order yaml field | 2022-10-25 12:00:56 +02:00
frack113 | cf7a348028 | Fix related | 2022-10-09 17:28:05 +02:00
frack113 | 931fb30853 | old experimental rule promotion | 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali | df6c167b17 | New Rules | 2022-09-28 10:48:51 +02:00
phantinuss | b7f20b884c | fix: FPs from new evtx-baseline | 2022-09-21 13:51:19 +02:00
Florian Roth | 34d7ad03f7 | fix: FPs noticed with Aurora | 2022-09-18 12:54:37 +02:00
phantinuss | 586b1c449f | fix: FP on race condition | 2022-09-08 16:28:05 +02:00
David ANDRE | 0b0190ccb1 | Added quotes to strings | 2022-09-01 15:22:26 +02:00
frack113 | 247edbf967 | Update dns_query_win_susp_ldap.yml | 2022-08-21 07:37:56 +02:00
frack113 | 6a7b3e56f3 | Fix FP | 2022-08-20 17:19:24 +02:00
frack113 | 9f89d4c8c7 | Redcannary 20220820 | 2022-08-20 17:12:31 +02:00
Florian Roth | c232aaa7d8 | Update dns_query_win_anonymfiles_com.yml | 2022-07-15 16:20:10 +02:00
Paul Hager | 1529d0377e | blackbyte rules | 2022-07-15 12:09:55 +02:00
frack113 | e3d3979786 | Add related for remove rules | 2022-07-15 08:36:51 +02:00
Nasreddine Bencherchali | 238e0ecd7d | Update Ref+Selection | 2022-07-11 14:11:53 +01:00
Paul Hager | d7f983340b | rule cleanup and new rules | 2022-06-27 16:35:22 +02:00
frack113 | 8de0027ca3 | refactor condition | 2022-06-03 15:35:24 +02:00
frack113 | aaafef29b4 | Redcannary | 2022-04-04 10:57:23 +02:00
phantinuss | b23eee6ebf | fix: unknown --> Unknown | 2022-03-16 13:43:54 +01:00
frack113 | ec7319be21 | Name Normalization | 2022-02-27 07:39:46 +01:00
Florian Roth | dff806c5bc | changed description, fix: onion TLD position of '.' | 2022-02-20 12:17:12 +01:00
Florian Roth | d3c0d90ba7 | increased level | 2022-02-20 12:14:05 +01:00
frack113 | 82660bbaf2 | Simple TOR rules | 2022-02-20 11:26:13 +01:00
frack113 | 171edbd1bc | Merge pull request #2694 from frack113/Red_20220213: Windows Redcannary | 2022-02-14 06:34:20 +01:00
frack113 | f288134b41 | Windows Redcannary | 2022-02-13 11:04:00 +01:00
frack113 | 7e3c088165 | Windows Redcannary | 2022-02-12 15:53:13 +01:00
Florian Roth | 9c7679e319 | fix: duplicate date field | 2022-02-08 20:41:26 +01:00
Florian Roth | d388ce945c | refactor: reduced level of TeamViewer rule | 2022-02-08 20:40:31 +01:00
Florian Roth | ba3065e943 | refactor: added another TV domain | 2022-01-30 22:26:01 +01:00
Florian Roth | 1b57916890 | rule: suspicious renamed teamviewer | 2022-01-30 22:05:47 +01:00
frack113 | 4631d0c482 | remove invalid tag | 2022-01-19 18:23:30 +01:00
Florian Roth | e055ec1d52 | refactor: change all " of them" expressions | 2022-01-11 10:59:57 +01:00
frack113 | 01dc930c17 | Change status for old rules | 2021-11-27 11:33:14 +01:00
frack113 | bdb00f403f | fix rule | 2021-11-24 19:24:16 +01:00
frack113 | 960a03eaf4 | add lobas Binary | 2021-11-24 19:17:00 +01:00
frack113 | f47d0da3f7 | add missing MITRE Techniques | 2021-11-20 12:26:01 +01:00
Florian Roth | c07a9adb9b | fix: moved rule written for DNS/Sysmon to the correct folder | 2021-11-09 17:30:15 +01:00
Florian Roth | 39283c0ac2 | CobaltStrike DNS rules | 2021-11-09 17:29:43 +01:00
frack113 | 4c85858e12 | split global sysmon_regsvr32_network_activity.yml | 2021-09-21 10:33:47 +02:00
frack113 | 2a76c469e0 | normalise name | 2021-09-11 13:34:19 +02:00
frack113 | d9cd1652f2 | Split global sysmon rules | 2021-09-09 16:11:41 +02:00
Thomas Patzke | 103a8f8052 | Removed EventID from generic DNS query rule | 2021-07-08 07:41:11 +02:00
Florian Roth | c0b93a010c | NCCGroup rules from rclone blog post: https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ | 2021-05-27 12:49:40 +02:00
Steven | 0c9a82af89 | Remove 'service: sysmon' since defining the categories made the rules generic | 2020-10-02 09:37:52 +02:00