Florian Roth  4e2e75cd2f  2021-11-11 18:09:23 +01:00
    Merge branch 'master' into pr/2231

Florian Roth  81922af134  2021-11-11 17:22:32 +01:00
    Merge pull request #2249 from redsand/add_allow_for_dns_exe_via_dc
    Add allow for dns exe via dc

Florian Roth  791736cb3e  2021-11-11 17:21:33 +01:00
    Merge pull request #2243 from SigmaHQ/rule-devel
    CobaltStrike DNS beaconing, some FP fixes

Florian Roth  b61e92ae1d  2021-11-11 16:12:49 +01:00
    fix: FP with VSCode

redsand (Tim Shelton)  5ca5ab8cb3  2021-11-10 13:42:31 -06:00
    Merge branch 'SigmaHQ:master' into add_allow_for_dns_exe_via_dc

frack113  82c9785f87  2021-11-10 19:57:46 +01:00
    Fix detection

frack113  f01523d791  2021-11-10 19:51:01 +01:00
    Integrity does not exist in file_event

frack113  da8fcabe0c  2021-11-10 19:49:25 +01:00
    Fix TargetFilename case

frack113  b6f6beda3c  2021-11-10 19:44:08 +01:00
    FileMagicBytes does not exist in file_event

frack113  95b9cd3d35  2021-11-10 19:40:10 +01:00
    fix detection

frack113  3ea1eda717  2021-11-10 19:38:05 +01:00
    ParentImage does not exist in network_connection

frack113  b7b1ebf772  2021-11-10 19:12:51 +01:00
    Fix LogonId - SubjectLogonId

frack113  a4951a29bb  2021-11-10 18:57:54 +01:00
    Fix detection

Tim Shelton  52d0cb67eb  2021-11-10 17:09:15 +00:00
    adding additional allow for dns service (domain controllers)

Florian Roth  5abea871b0  2021-11-10 09:28:59 +01:00
    docs: put link in references

frack113  ee4082b50d  2021-11-10 08:09:06 +01:00
    Merge pull request #2242 from frack113/fix_ProcessCommandLine
    Fix process command line

frack113  a089a83794  2021-11-10 08:08:40 +01:00
    Merge pull request #2238 from frack113/fix_logsource
    Fix logsource

frack113  ca17949d85  2021-11-10 08:08:10 +01:00
    Merge pull request #2237 from frack113/m365
    standardization m365

Florian Roth  e30b09fcce  2021-11-09 19:09:07 +01:00
    fix: more FPs with Windows 11 services

Florian Roth  5613b6ca82  2021-11-09 19:06:26 +01:00
    fix: FP with MicrosoftEdgeUpdate

frack113  c14322dfc3  2021-11-09 17:48:57 +01:00
    Merge pull request #2241 from frack113/linux
    Order Linux directory

Florian Roth  c07a9adb9b  2021-11-09 17:30:15 +01:00
    fix: moved rule written for DNS/Sysmon to the correct folder

Florian Roth  39283c0ac2  2021-11-09 17:29:43 +01:00
    CobaltStrike DNS rules

frack113  3c3bf75aa8  2021-11-09 17:04:27 +01:00
    fix detection from test

Florian Roth  37b9abd827  2021-11-09 16:52:19 +01:00
    fix: date field

Florian Roth  77e9decc64  2021-11-09 16:45:49 +01:00
    Merge branch 'master' into rule-devel

frack113  24f3e9db5b  2021-11-09 16:44:11 +01:00
    fix detection from ref

Florian Roth  c61ca81d9c  2021-11-09 16:15:31 +01:00
    refactor: raw disk access rule FPs

frack113  c5fa73c328  2021-11-09 16:13:29 +01:00
    fix ProcessCommandLine to ParentCommandLine

frack113  18fea95b86  2021-11-09 13:33:58 +01:00
    move to macos

frack113  e8a36ace96  2021-11-09 13:32:22 +01:00
    move to other

frack113  c8f488eabf  2021-11-09 13:27:20 +01:00
    move to builtin

frack113  6c19303aa4  2021-11-09 10:48:13 +01:00
    normalize logsource

frack113  8f39ef9ed1  2021-11-09 10:41:09 +01:00
    normalize logsource

frack113  3430943746  2021-11-09 07:27:25 +01:00
    standardization

frack113  73e2b5fae6  2021-11-08 22:46:17 +01:00
    Merge pull request #2233 from frack113/zipexec
    Add win_pc_susp_zipexec

frack113  3e670a876f  2021-11-08 21:28:44 +01:00
    Merge pull request #2232 from frack113/fix_sysmon_rule
    fix logsources

frack113  d3c3cd9930  2021-11-08 21:27:25 +01:00
    Merge pull request #2230 from frack113/process_creation_clean
    Process creation directory clean

Florian Roth  3f57251768  2021-11-08 11:46:35 +01:00
    Merge branch 'master' into rule-devel

Florian Roth  d43f845157  2021-11-08 11:21:49 +01:00
    Update proxy_cobalt_malformed_uas.yml

Florian Roth  20f4099cec  2021-11-08 11:21:40 +01:00
    rule: Kirbi file creation

frack113  4672762010  2021-11-07 21:57:40 +01:00
    add win_pc_susp_zipexec

frack113  e51dab10c2  2021-11-07 09:55:02 +01:00
    fix logsources

Nate Guagenti  8291aba4d3  2021-11-06 15:45:34 -04:00
    remove duplicate exclusion
    exclude_tlds was listed twice

frack113  aa8694fdef  2021-11-06 10:17:12 +01:00
    add missing category

frack113  68d30293b5  2021-11-06 10:16:16 +01:00
    Cleanup process_creation

frack113  a3f3ec84c9  2021-11-05 13:16:24 +01:00
    fix product windows case

frack113  80d2aee944  2021-11-05 11:15:38 +01:00
    Merge pull request #2227 from redsand/remove_duplicate_powershell_check
    Removing duplicate rule of Powershell memory check

frack113  3416db7301  2021-11-04 20:58:50 +01:00
    Merge pull request #2225 from frack113/cmdl32
    add win_pc_susp_cmdl32_lolbas

frack113  a811acde00  2021-11-04 20:58:31 +01:00
    Merge pull request #2224 from frack113/schtasks_appdata
    add win_pc_susp_schtasks_user_temp