fd2429bd34
Update lnx_setuid_setgid.yml
2020-06-16 19:46:50 +02:00
06fe720165
Update lnx_sudo_enumeration.yml
2020-06-16 19:33:39 +02:00
545c05d4d3
Update lnx_setuid_setgid.yml
2020-06-16 19:31:34 +02:00
0027415fa2
Update lnx_setuid_setgid.yml
2020-06-16 20:26:50 +03:00
41b2309418
file type changed
2020-06-16 20:24:09 +03:00
0d0058da43
added id
2020-06-16 20:21:07 +03:00
bbcd506fb1
added id
2020-06-16 20:21:02 +03:00
ace575aaa6
added id
2020-06-16 20:20:42 +03:00
4b1557a587
Setuid and Setgid
...
Detects suspicious change of file privileges with chown and chmod commands
2020-06-16 20:12:24 +03:00
b7e1c6750c
sudo caching
...
attack.t1206
2020-06-16 19:31:02 +03:00
e43f13ed67
Update lnx_sudo_enumeration.yml
...
attack.t1169
2020-06-16 19:20:42 +03:00
52487159c5
Detect Sudo enumeration commands
2020-06-16 19:17:00 +03:00
d24ec665fd
Merge pull request #838 from rtkbkish/fix-identifier
...
Identifiers shared between global document and rule gets overwritten
2020-06-15 20:20:23 +02:00
87053502a3
Merge pull request #839 from rtkbkish/fix-double-backslash
...
Fix match for double-backslash
2020-06-15 20:19:56 +02:00
869162a5da
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id
...
Rule lists extra Sysmon ID (11). Should just match registry events (1…
2020-06-15 20:19:27 +02:00
3482e048fb
Merge pull request #841 from rtkbkish/fix-rule-match
...
Rule needs endwith, not exact match.
2020-06-15 20:19:12 +02:00
46bd56a708
Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation
...
Fix logsource field name from service->category
2020-06-15 20:18:53 +02:00
3d962bdb47
Merge pull request #836 from rtkbkish/fix-escaping
...
Fix rules with incorrect escaping of wildcars
2020-06-15 20:18:34 +02:00
dfae2a6df6
Rule needs endwith, not exact match.
...
Fix ImageLoaded filter to match with endswith, rather than exact match.
2020-06-15 13:54:02 -04:00
a9c6fa904f
Rule lists extra Sysmon ID (11). Should just match registry events (12-14)
...
Remove extraneous event ID 11. It will never match.
2020-06-15 13:52:12 -04:00
f196046b3d
Fix match for double-backslash
...
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
2020-06-15 13:39:50 -04:00
422b2bffd7
Fix rules with incorrect escaping of wildcars
...
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
8d58c8f5c8
Fix logsource field name from service->category
...
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
2020-06-15 13:18:05 -04:00
f5aa871e5d
Identifiers shared between global document and rule gets overwritten
...
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
2020-06-15 13:14:31 -04:00
d371fd864c
Merge pull request #834 from ebeahan/elastic-updates
...
Elastic section updates
2020-06-13 10:04:49 +02:00
f907c49ab5
Improved test coverage
...
* Added test case
* Removed unused code
2020-06-13 01:11:08 +02:00
05ced1a3d5
Exclude heatmap.json from versioning
2020-06-13 00:05:57 +02:00
b129556388
Automatic inclusion of all configuration files
2020-06-13 00:04:45 +02:00
80e8f0e5fa
Release 0.17.0
2020-06-12 23:52:06 +02:00
24d83b80cd
Merge branch 'script_entry_points'
2020-06-12 23:13:11 +02:00
bba0b2d851
Elastic documentation improvements
2020-06-12 13:40:39 -05:00
b48e7d8d71
Merge pull request #833 from neu5ron/sigmacs
...
typo and another example
2020-06-12 17:39:14 +02:00
db6c9dc721
Merge remote-tracking branch 'neu5ron-sigma/sigmacs' into sigmacs
...
# Conflicts:
# tools/README.md
2020-06-12 11:37:39 -04:00
aac1af1832
typo, was missing the = and *.
...
also, show option when using case insensitive for everything, how to "exclude" a field from that regex.
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com >
2020-06-12 11:37:32 -04:00
db0292afd2
typo, was missing the = and *.
...
also, show option when using case insensitive for everything, how to "exclude" a field from that regex.
2020-06-12 11:36:19 -04:00
52ff2e12ab
Merge pull request #832 from Iveco/master
...
Cmd.exe Path Traversal Detection / Argument Spoofing
2020-06-12 10:33:15 +02:00
40f0fd989d
- moved to "process_creation" folder instead of "sysmon"
...
- renamed .yml file
2020-06-11 19:21:17 +02:00
34d7ea2974
removed one field
2020-06-11 16:23:15 +02:00
2081baafe5
updated to process_creation
2020-06-11 15:58:05 +02:00
f56e2599b1
Cmd.exe Path Traversal Detection
2020-06-11 15:48:48 +02:00
bbcbed4742
Add parentheses about field list groups in CB
...
This should address the grouping issue from #660 .
The grouping issue was solved by just slamming some parentheses around the fields in the listExpression field.
2020-06-11 15:33:02 +02:00
a7136481f1
Update win_pcap_drivers.yml
2020-06-11 11:14:43 +02:00
97c45f9d46
Merge pull request #812 from tliffick/master
...
added new rules for malware
2020-06-10 17:37:19 +02:00
9835c6d67d
add win_pcap_drivers.yml
2020-06-10 15:53:22 +01:00
96309d247b
fix: cosmetic fault
2020-06-10 16:41:03 +02:00
6e4aa01baa
Cosmetics
2020-06-10 16:36:17 +02:00
13c7d40a22
Cosmetics
2020-06-10 16:35:41 +02:00
f553fb2e33
Cosmetics
2020-06-10 16:35:14 +02:00
48e4e31713
Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll
...
Fax Service DLL search order hijacking detection
2020-06-10 16:33:12 +02:00
1a9da23611
Merge pull request #825 from NVISO-BE/sysmon_office_persistence
...
Office persistence by addin detection
2020-06-10 16:32:50 +02:00
Florian Roth