markus-nclose | 5d7fe8823b | 2023-03-01 13:27:59 +02:00
Add reg.exe
Reg.exe for Qakbot defense evasion.
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB17_28.02.2023.txt
xcopy C:\Windows\system32\reg.exe C:\Users\Admin\AppData\Local\Temp\glanduleHoratory.exe /h /s /e

Nasreddine Bencherchali | b584dd198e | 2023-02-28 18:28:56 +01:00
Merge pull request #4074 from pfpt-dmiller/patch-1
feat: add new dns rule related to socgholish c2

phantinuss | b61ec0d515 | 2023-02-28 12:16:55 +01:00
restrict System process using PID
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

phantinuss | 8cf0de3776 | 2023-02-28 10:22:47 +01:00
fix: FP found in testing environment

Nasreddine Bencherchali | 7f18403f51 | 2023-02-27 21:26:39 +01:00
Merge pull request #4077 from frack113/firewall
feat: add win_firewall_as_add_rule_susp_folder

frack113 | 506e124135 | 2023-02-27 17:36:44 +01:00
Update win_firewall_as_add_rule_susp_folder.yml

frack113 | ca5cde25aa | 2023-02-27 17:25:27 +01:00
Update win_firewall_as_add_rule_susp_folder.yml

Nasreddine Bencherchali | e10353e59a | 2023-02-27 16:47:48 +01:00
Merge pull request #4080 from phantinuss/master
chore: remove unnecessary provider_name filter for security log

Nasreddine Bencherchali | 2a9a842083 | 2023-02-27 15:23:07 +01:00
Update rules/windows/dns_query/dns_query_win_malware_socgholish_second_stage_c2.yml
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Gude5 | 39928d2cdf | 2023-02-27 15:19:28 +01:00
feat: update del related detection (#4046)

Nasreddine Bencherchali | d3b7b69c59 | 2023-02-27 13:29:53 +01:00
Update dns_query_win_malware_socgholish_second_stage_c2.yml

Nasreddine Bencherchali | 9f591a3a9a | 2023-02-27 13:24:10 +01:00
fix: update category
Update rule category to reflect the fields

Nasreddine Bencherchali | 737525227f | 2023-02-27 13:20:29 +01:00
fix: update logsource.json

Nasreddine Bencherchali | 9f229069b2 | 2023-02-27 13:13:44 +01:00
Update dns_query_win_malware_socgholish_second_stage_c2.yml

Nasreddine Bencherchali | 3bd9f844b5 | 2023-02-27 13:11:27 +01:00
fix: update metadata and logic

phantinuss | 6e1853cd1a | 2023-02-27 13:04:39 +01:00
chore: remove unnecessary provider_name filter for security log

sai prashanth pulisetti | 46ed735d4a | 2023-02-27 12:16:55 +01:00
feat: add co-author to posh_pc_abuse_nslookup_with_dns_records.yml (#4079)

Nasreddine Bencherchali | c533f8fcf2 | 2023-02-27 11:37:52 +01:00
fix: typos and title

frack113 | d7e8407d0d | 2023-02-26 16:28:46 +01:00
Update detection

frack113 | d29474079d | 2023-02-26 15:50:17 +01:00
Add win_firewall_as_add_rule_susp_folder

Nasreddine Bencherchali | 587fbbce58 | 2023-02-24 19:54:14 +01:00
chore: update pipe-notation rules to unsupported

frack113 | 4d8a6ca51f | 2023-02-24 17:50:50 +01:00
Merge pull request #4073 from nasbench/nasbench-rule-devel
feat: updates and fixes

Nasreddine Bencherchali | 60c0b5fdd0 | 2023-02-24 16:36:14 +01:00
fix: remove pptx:zone
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>

Nasreddine Bencherchali | 41e6b17610 | 2023-02-24 13:34:49 +01:00
fix: remove pptx extension

Nasreddine Bencherchali | 80c0c5b391 | 2023-02-24 13:33:08 +01:00
fix: apply rewording suggestion
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Nasreddine Bencherchali | 47de3e1857 | 2023-02-24 13:32:43 +01:00
fix: remove pwsh+cmd

Nasreddine Bencherchali | 4da9252bba | 2023-02-23 19:33:00 +01:00
fix: add missing space

Bhabesh | d3cfc7a7fa | 2023-02-24 00:12:16 +05:45
Fixed field name

Bhabesh | dee1558a8d | 2023-02-23 23:40:08 +05:45
Added rule (fixed) for CVE-2023-23752 in Joomla

Nasreddine Bencherchali | 5258f795a6 | 2023-02-23 16:28:18 +01:00
Merge pull request #4070 from securepeacock/patch-40
chore: add new ref link for rule

pfpt-dmiller | 3bcf7dc401 | 2023-02-23 10:11:29 -05:00
Update net_dns_socgholish_c2_detection.yml
Update references

pfpt-dmiller | e6fdd61726 | 2023-02-23 10:00:00 -05:00
Create net_dns_socgholish_c2_detection.yml
This is looking for the DNS queries that the SocGholish .js payload makes before communicating with the Command and Control server.

Nasreddine Bencherchali | af84545616 | 2023-02-23 13:39:17 +01:00
fix: fp found in baseline

Nasreddine Bencherchali | 75281c8c20 | 2023-02-23 13:30:31 +01:00
fix: typo in modifier name

Nasreddine Bencherchali | c37df2fa83 | 2023-02-23 13:19:21 +01:00
fix: remove incorrect field

Nasreddine Bencherchali | d799ad9982 | 2023-02-23 12:55:46 +01:00
fix: revert change to rule

Nasreddine Bencherchali | 078e3ab500 | 2023-02-23 12:49:44 +01:00
feat: updates and fixes

phantinuss | cca426c5a3 | 2023-02-23 11:38:47 +01:00
fix: FP with empty user and ip address

Nasreddine Bencherchali | 09110727fd | 2023-02-23 10:47:52 +01:00
fix: change to permalink
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>

securepeacock | 807b41c003 | 2023-02-22 15:38:12 -05:00
Update registry_set_wdigest_enable_uselogoncredential.yml
Added Atomic Red Team test in references.

Nasreddine Bencherchali | aa8c18c0a5 | 2023-02-22 17:20:58 +01:00
Merge pull request #4066 from nasbench/nasbench-rule-devel
feat: multiple updates and fixes

frack113 | ae45af68ab | 2023-02-22 17:13:48 +01:00
Update proc_creation_win_hktl_jlaive_batch_execution.yml

frack113 | f2c3954e74 | 2023-02-22 17:13:02 +01:00
Update proc_creation_win_hktl_crackmapexec_execution_patterns.yml

Nasreddine Bencherchali | 69c28fedbc | 2023-02-22 12:16:49 +01:00
fix: typo
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Nasreddine Bencherchali | 02d6d571cb | 2023-02-22 12:15:49 +01:00
fix: apply suggestions from 2nd code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Nasreddine Bencherchali | fc3c6ef4c7 | 2023-02-22 11:05:50 +01:00
fix: apply suggestions from code review
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>

phantinuss | db4fb9ff8e | 2023-02-22 09:04:58 +01:00
Merge pull request #4056 from D4rkCiph3r/installer-child
Create proc_creation_macos_susp_installer_child_process.yml

phantinuss | 3fc4a344f2 | 2023-02-22 09:03:39 +01:00
Merge pull request #4062 from qasimqlf/patch-34
fix: One value of imagePath was wrong

frack113 | 1a14cd58db | 2023-02-22 06:34:02 +01:00
Update proc_creation_win_msiexec_dll.yml

frack113 | bc5ec4fc88 | 2023-02-22 06:26:30 +01:00
Update proc_creation_win_auditpol_susp_execution.yml