 Austin Songer
|
3dd201d36f
|
Rename workspace_user_assigned_admin_role.yml to gworkspace_user_assigned_admin_role.yml
|
2021-08-23 19:38:58 -05:00 |
|
|
Austin Songer
|
6b1f0b83f4
|
Create workspace_user_assigned_admin_role.yml
|
2021-08-23 19:38:47 -05:00 |
|
|
Austin Songer
|
c767da91d1
|
Delete gworkspace_user_assigned_admin_role.yml
|
2021-08-23 19:38:01 -05:00 |
|
|
Austin Songer
|
8382bbfe09
|
Create gworkspace_user_assigned_admin_role.yml
|
2021-08-23 19:37:46 -05:00 |
|
|
Austin Songer
|
edcb956f2a
|
Merge branch 'SigmaHQ:master' into gworkspace_user_assigned_admin_role.yml
|
2021-08-23 19:37:06 -05:00 |
|
|
Nate Guagenti
|
b255586117
|
condition fix and add fields
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
|
2021-08-23 14:59:06 -04:00 |
|
|
Nate Guagenti
|
cfc32e5950
|
correct fields for zeek_rdp_public_listener.yml
correct zeek fields for `fields` section.
improve false positives information
|
2021-08-23 14:16:55 -04:00 |
|
|
frack113
|
a04fbe2a99
|
Merge pull request #1901 from frack113/redcanary
Redcanary Powershell Suspicious Win32_PnPEntity T1120
|
2021-08-23 19:44:16 +02:00 |
|
|
frack113
|
07c808d35c
|
Merge pull request #1902 from neu5ron/patch-2
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
|
2021-08-23 19:43:58 +02:00 |
|
|
Austin Songer
|
b52f4ba1c3
|
Merge branch 'master' of https://github.com/austinsonger/sigma
|
2021-08-23 17:22:08 +00:00 |
|
|
Austin Songer
|
3a4c61f44d
|
M365 - Inbox Manipulation Rules
|
2021-08-23 17:21:27 +00:00 |
|
|
frack113
|
9d3a13b13e
|
cleanup
|
2021-08-23 19:04:01 +02:00 |
|
|
frack113
|
be316db84d
|
Merge pull request #1899 from secDre4mer/master
feat: Add rule for malicious CSR export on Exchange
|
2021-08-23 17:26:16 +02:00 |
|
|
Nate Guagenti
|
4f8bd4a5a2
|
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
try new uuid to pass check...
|
2021-08-23 11:24:22 -04:00 |
|
|
Nate Guagenti
|
6aea58b4d2
|
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
|
2021-08-23 11:18:51 -04:00 |
|
|
Nate Guagenti
|
78c667fda1
|
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
shorten title
|
2021-08-23 11:15:30 -04:00 |
|
|
Nate Guagenti
|
96e77eb8db
|
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
|
2021-08-23 11:06:44 -04:00 |
|
|
SomeOne
|
037f33b5e2
|
Replace by default windows fieldnames
|
2021-08-23 15:24:48 +02:00 |
|
|
SomeOne
|
45f30cb2b4
|
Add fields to event log cleared
|
2021-08-23 15:00:07 +02:00 |
|
|
frack113
|
25072e37b3
|
update references
|
2021-08-23 13:30:46 +02:00 |
|
|
frack113
|
33c6ff6b5f
|
add powershell_suspicious_win32_pnpentity
|
2021-08-23 13:17:35 +02:00 |
|
|
Max Altgelt
|
82dde594d1
|
feat: Add rule for malicious CSR export on Exchange
|
2021-08-23 11:20:30 +02:00 |
|
|
frack113
|
52595de85e
|
Merge pull request #1889 from rachelrice/update_aws_rules
Update AWS CloudTrail rules
|
2021-08-23 11:14:31 +02:00 |
|
|
frack113
|
fc9666fb4e
|
Merge pull request #1896 from ZikyHD/fix_old_technics
Replace old mitre techniques by new one
|
2021-08-22 18:56:08 +02:00 |
|
|
frack113
|
0a410010a2
|
Merge pull request #1877 from frack113/red_back
Add t1546 redcanary rules
|
2021-08-22 18:50:58 +02:00 |
|
|
SomeOne
|
295054dcbe
|
Replace old mitre techniques by new one
|
2021-08-22 13:57:56 +02:00 |
|
|
frack113
|
064c65cb1f
|
Merge pull request #1892 from frack113/clean_PS
Powershell Cleanup
|
2021-08-21 18:04:52 +02:00 |
|
|
frack113
|
07a87aa7f8
|
Merge pull request #1858 from frack113/fix_pr718
Replace pr718
|
2021-08-21 18:02:30 +02:00 |
|
|
frack113
|
a44206bfa0
|
Some cleanup
|
2021-08-21 17:33:39 +02:00 |
|
|
pbssubhash
|
eee497f656
|
Title modification
|
2021-08-21 20:04:03 +05:30 |
|
|
pbssubhash
|
a415463f5b
|
Modified rule
|
2021-08-21 19:37:28 +05:30 |
|
|
pbssubhash
|
fba54b8d69
|
First Rule commit
|
2021-08-21 17:47:56 +05:30 |
|
|
frack113
|
42c90b9d20
|
fix powershell_psattack error
|
2021-08-21 10:05:47 +02:00 |
|
|
frack113
|
2f683b9ab7
|
fix powershell_clear_powershell_history error
|
2021-08-21 10:00:48 +02:00 |
|
|
frack113
|
0fb6c35b1f
|
Cleanup PS rules
|
2021-08-21 09:58:58 +02:00 |
|
|
frack113
|
da839775fe
|
Update PS rules
|
2021-08-21 09:50:59 +02:00 |
|
|
frack113
|
6c529f7ab2
|
Update PS rules
|
2021-08-21 09:33:52 +02:00 |
|
|
frack113
|
cb95582077
|
Update PowerShell rule
|
2021-08-21 09:08:38 +02:00 |
|
|
frack113
|
dbbb422a42
|
Merge pull request #1885 from austinsonger/microsoft365_unusual_volume_of_file_deletion.yml
microsoft365_unusual_volume_of_file_deletion.yml
|
2021-08-20 17:20:43 +02:00 |
|
|
frack113
|
34ac3587e9
|
Merge pull request #1884 from austinsonger/microsoft365_potential_ransomware_activity.yml
microsoft365_potential_ransomware_activity.yml
|
2021-08-20 17:20:34 +02:00 |
|
|
frack113
|
73fee68d4b
|
Merge pull request #1883 from austinsonger/microsoft365_user_restricted_from_sending_email.yml
microsoft365_user_restricted_from_sending_email.yml
|
2021-08-20 17:20:22 +02:00 |
|
|
frack113
|
b9a355e3f4
|
cleanup falsepositives
|
2021-08-20 17:18:32 +02:00 |
|
|
Florian Roth
|
b92346ba5f
|
Merge pull request #1882 from austinsonger/win_susp_bitstransfer.yml
win_susp_bitstransfer.yml
|
2021-08-20 16:53:52 +02:00 |
|
|
Florian Roth
|
ecd0bb4576
|
Merge pull request #1890 from frack113/update_conti_ref
update ref from conti_leak
|
2021-08-20 16:53:12 +02:00 |
|
|
Florian Roth
|
700b8e440f
|
Merge pull request #1868 from d4rk-d4nph3/master
Added rule for zero day CVE-2021-22123 in Fortinet WAFs
|
2021-08-20 16:52:49 +02:00 |
|
|
Rachel Rice
|
f037f5b0a9
|
Add filter3 back for vm export failure, without consolelogin
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
|
2021-08-20 15:42:49 +01:00 |
|
|
Austin Songer
|
a25f6e196f
|
Update microsoft365_unusual_volume_of_file_deletion.yml
|
2021-08-20 08:17:25 -05:00 |
|
|
Austin Songer
|
360b936357
|
Update microsoft365_potential_ransomware_activity.yml
|
2021-08-20 08:17:09 -05:00 |
|
|
Austin Songer
|
ae36804935
|
Update microsoft365_user_restricted_from_sending_email.yml
|
2021-08-20 08:16:48 -05:00 |
|
|
Rachel Rice
|
f09b3ea4b1
|
Update AWS CloudTrail rules
aws_ec2_disable_encryption.yml
Remove `status: success` from selection criteria, not required
aws_ec2_vm_export_failure.yml
Remove filter3:
```
eventName: 'ConsoleLogin'
responseElements|contains: 'Failure'
```
Incompatible with selection criteria `eventName: 'CreateInstanceExportTask'`
aws_ec2_download_userdata.yml, aws_iam_backdoor_users_keys.yml, aws_rds_change_master_password.yml, aws_rds_public_db_restore.yml
Update reference
aws_sts_assumedrole_misuse.yml
Rename to aws_sts_assumerole_misuse.yml
Update references to "AssumedRole" to "AssumeRole"
Update selection criteria of `userIdentity.sessionContext: Role` to `userIdentity.sessionContext.sessionIssuer.type: Role`
|
2021-08-20 13:43:00 +01:00 |
|