dfd9e6d8f0
Merge pull request #1857 from frack113/fix_HostApplication
...
Update definition for powershell-classic rule
2021-08-16 17:18:24 +02:00
eb406ba36f
Merge pull request #1844 from frack113/cleanup
...
Add more compliance test
2021-08-16 17:17:25 +02:00
669308a37a
Merge pull request #1855 from frack113/coti_sqlcmd
...
Rule to detect Coti sqlcmd
2021-08-16 14:27:24 +02:00
141ca03c9b
Merge pull request #1853 from secDre4mer/contileak
...
feat: Add some rules to detect Conti behaviour
2021-08-16 14:18:43 +02:00
911579023c
fix powershell_alternate_powershell_hosts.yml
2021-08-16 13:30:45 +02:00
2dbf9af27d
add definition to powershell-classic
2021-08-16 12:56:24 +02:00
fda11e3608
fix very bad cut and paste
2021-08-16 11:22:50 +02:00
a861f55e5c
fix title
2021-08-16 11:15:32 +02:00
a70607bce7
add process_creation_coti_sqlcmd.yml
2021-08-16 11:08:19 +02:00
f8bedfa759
docs: added link to leak file on VT
2021-08-16 10:12:35 +02:00
dc9bb22a00
fix duplicate id
2021-08-16 09:29:22 +02:00
78e2c0da92
fix: Clean up duplicated ID
2021-08-16 09:26:45 +02:00
fb80b35141
fix condition
2021-08-16 09:21:38 +02:00
5b09dff1fb
cleanup win_malware_conti_shadowcopy.yml
2021-08-16 09:21:04 +02:00
ed424c55c8
fix selection
2021-08-16 09:20:25 +02:00
26d632bf05
fix condition
2021-08-16 09:19:46 +02:00
e8723e892a
clean-up powershell_invoke_nightmare.yml
2021-08-16 09:19:10 +02:00
f69868b5aa
Merge pull request #1834 from secDre4mer/master
...
Correct incorrect message / keyword usage
2021-08-16 09:16:33 +02:00
5b60e0ea5a
feat: Add some rules to detect Conti behaviour
...
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
2021-08-16 09:13:51 +02:00
d2a35edae9
fix: Remove powershell_alternate_hosts from PR
...
Remove a rule using Host Application (which may or may not exist,
based on the log parser) from the PR. A future PR will clean up
rules using Host Application.
2021-08-16 08:42:17 +02:00
db0de126a5
test author for Detection Rule License 1.1
2021-08-14 19:16:36 +02:00
e45557316e
Fix selection with only 1 element
2021-08-14 09:54:27 +02:00
ce326cb903
fix: Correct broken rules, add documentation
2021-08-13 15:46:30 +02:00
1b480f2ee6
Merge pull request #1819 from frack113/split_1802_builtin
...
Correct lists with only 1 value
2021-08-13 12:43:26 +02:00
5e42187062
remove change for Message rule
2021-08-13 11:01:33 +02:00
e1ef8f4055
fix: Rewrite another message rule
...
Rewrites another message rule. This one is a bit more complex
since a bitmap is used and the string representation is not
available.
2021-08-13 10:28:34 +02:00
62e541ec7f
Merge pull request #1784 from frack113/winlogbeat-modules-enabled
...
Update Mapping Winlogbeat modules enabled
2021-08-12 19:14:17 +02:00
6f05e33feb
fix: Correct incorrect message / keyword usage
...
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
62c9468180
Merge pull request #1832 from SigmaHQ/rule-devel
...
Whoami Refactoring
2021-08-12 14:28:28 +02:00
d9d543e545
refactor: removed OriginalFileName from rule to improve compatibilty
2021-08-12 13:28:24 +02:00
34d70de084
rule: whoami anomalies
2021-08-12 13:28:00 +02:00
bd0a2a1b9f
rule: renamed whoami
2021-08-12 13:27:51 +02:00
418a0bbf7e
Merge pull request #1827 from phantinuss/master
...
2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
2021-08-12 11:41:50 +02:00
6ed62b431e
Merge pull request #1830 from SigmaHQ/rule-devel
...
SystemNightmare and Typo
2021-08-12 11:41:16 +02:00
08883c8e32
refactor: removed old rule that uses Message field
...
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.
We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
2021-08-12 09:27:50 +02:00
a880663d51
fix: add missing 'all of' for 'and' conjunction of the assignment keywords
2021-08-11 17:46:10 +02:00
1c919c07c7
exchange mailbox export with generic keyword search (Message is not a real field)
2021-08-11 16:57:15 +02:00
c8d481fd83
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-08-11 10:10:32 +02:00
c1f9c33730
rule: SystemNightmare
2021-08-11 10:10:30 +02:00
d9d1e2c578
Merge pull request #1823 from SigmaHQ/rule-devel
...
rule: ProxyLogon rule for MS Exchange
2021-08-11 09:43:41 +02:00
62eca463ac
new rule LittleCorporal generated maldoc process injection
2021-08-11 09:25:23 +02:00
63ead346e8
fix modified value
2021-08-10 19:09:34 +02:00
73a4bd74dc
fix: FPs script exec from temp
2021-08-10 17:10:46 +02:00
6d869feb43
update modified
2021-08-10 15:12:45 +02:00
1544a351a3
Correcting regex in win_modif_of_services_for_via_commandline.yml
...
The ^ symbol designates the beginning of the string, but in this rule it is clearly intended to be the end of the string.
2021-08-10 08:29:39 -04:00
17c6fc7038
rule: ProxyLogon rule for MS Exchange
2021-08-10 09:16:30 +02:00
17fb418271
Merge pull request #1817 from SigmaHQ/rule-devel
...
rules: ProxyShell refactoring and new rule
2021-08-10 08:18:32 +02:00
78e0e570dd
Split PR 1802 builtin net rules
2021-08-09 20:23:35 +02:00
dbf8aecd83
fix: typo in cmdlet name
2021-08-09 18:05:51 +02:00
a9ad4eda4a
rules: ProxyShell refactoring and new rule
2021-08-09 17:57:34 +02:00
frack113