ba541c3952
Fix title for new netsh wifi rule
2020-04-20 16:20:45 +02:00
d9e5274c9e
Add rule to detect wifi creds harvesting using netsh
2020-04-20 16:14:44 +02:00
e67dddcc35
rule: PwnDrp access
2020-04-17 08:55:54 +02:00
514bd8657b
Merge pull request #704 from Iveco/master
...
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-14 14:11:27 +02:00
2e0e170058
Merge pull request #708 from teddy-ROxPin/patch-4
...
Create powershell_create_local_user.yml
2020-04-14 14:11:15 +02:00
3175a48bdc
Casing
2020-04-14 13:40:34 +02:00
ecdec93800
Casing
2020-04-14 13:39:58 +02:00
5cbe008350
Casing
2020-04-14 13:39:22 +02:00
5ee0808619
Merge pull request #706 from vesche/update_win_susp_netsh_dll_persistence
...
Update win_susp_netsh_dll_persistence.yml
2020-04-14 13:37:53 +02:00
4f469c0e39
Adjusted level
2020-04-14 13:37:10 +02:00
8f40c0a1c8
Merge pull request #710 from vesche/update_win_GPO_scheduledtasks
...
Update win_GPO_scheduledtasks.yml
2020-04-14 13:36:17 +02:00
b2754af46b
Merge pull request #711 from 0xThiebaut/sysmon_registry_persistence_search_order
...
Add Windows Registry Persistence COM Search Order Hijacking
2020-04-14 13:35:56 +02:00
86c6891427
Add Windows Registry Persistence COM Search Order Hijacking
2020-04-14 12:59:29 +02:00
1f918253e8
Add additional reference
2020-04-13 11:09:36 -05:00
9cdb3a4a64
Fix typo
2020-04-13 11:09:00 -05:00
7ac685882c
comments for usage
2020-04-11 15:47:23 +02:00
1501331f77
Create powershell_create_local_user.yml
...
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
2020-04-11 02:51:05 -06:00
6312f381bf
C# backend
...
Converts Sigma rule into C# Regex in LINQ query
2020-04-10 16:12:05 +02:00
3889be6255
Replace reference link for win_susp_netsh_dll_persistence
2020-04-10 01:05:10 -05:00
82db80bee6
Remove wrong mitre technique
2020-04-10 01:02:43 -05:00
72b821e046
Update win_susp_netsh_dll_persistence.yml
2020-04-09 11:16:18 -05:00
61b9234d7f
Update win_user_driver_loaded.yml
...
removed internal field
2020-04-09 11:28:19 +02:00
1c5c8047fd
Fixes
...
* Removed commented debug print statements
* Defined nullExpression
* Removed unneeded generateMapItemNode method
* Value cleaning bug on matching of wildcard at first character
2020-04-08 23:43:46 +02:00
72c2241bb4
Cleanup
...
* Added CI test
* Added changelog entry
2020-04-08 23:39:38 +02:00
3277cec7aa
Reverted list sorting
...
This was already implemented meanwhile in a previous commit.
2020-04-08 23:23:44 +02:00
cf896c3093
Merge branch 'master' of https://github.com/abhikhnvasara/sigma into pr-630
2020-04-08 23:16:39 +02:00
551a94af04
Merge branch 'master' of https://github.com/tileo/sigma into pr-658
2020-04-08 22:43:48 +02:00
7224af54b2
Merge pull request #664 from j91321/es-rule-options
...
es-rule backend options for index-patterns and time interval
2020-04-08 22:39:45 +02:00
1b7f33f5e2
Fixed undefined value in exception handling
...
Fixes issue #702 .
2020-04-08 22:28:47 +02:00
e913db0dca
Update win_user_driver_loaded.yml
...
CI
2020-04-08 18:54:59 +02:00
c5211eb94a
Update sysmon_susp_service_installed.yml
...
CI
2020-04-08 18:54:46 +02:00
4520082ef7
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
CI
2020-04-08 18:54:37 +02:00
6d85650390
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
Fixed Author
2020-04-08 18:41:33 +02:00
fc1febdebe
Update sysmon_susp_service_installed.yml
...
Fixed Author
2020-04-08 18:41:25 +02:00
d0746b50f4
Update win_user_driver_loaded.yml
...
Fixed author
2020-04-08 18:41:16 +02:00
3280a1dfb0
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
Fixed CI
2020-04-08 18:23:29 +02:00
5e724a0a54
Update sysmon_susp_service_installed.yml
...
Fixed CI
2020-04-08 18:22:51 +02:00
d1b9c0c34a
Update win_user_driver_loaded.yml
...
Fixed CI
2020-04-08 18:21:59 +02:00
e87f2705a7
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-08 18:01:04 +02:00
f50767c400
Merge pull request #703 from 0xThiebaut/downgrade
...
Update the NTLM downgrade registry paths
2020-04-07 18:13:29 +02:00
73a6428345
Update the NTLM downgrade registry paths
...
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package ). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
3470011ac3
Revert time interval, use index values provided by sigmaparser
2020-04-05 20:30:57 +02:00
693830fa83
Merge pull request 659
2020-04-03 23:46:53 +02:00
2a579a0a1b
Merge pull request #699 from mpavlunin/patch-2
...
Create new rule T1223
2020-04-03 19:32:50 +02:00
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml
2020-04-03 16:50:48 +02:00
81d0f82272
Create new rule T1223
...
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master
...
New sigma rules to detect new MITRE technique in last update (T1502)
2020-04-03 09:59:36 +02:00
f4928e95bc
Update powershell_suspicious_profile_create.yml
2020-04-03 09:36:17 +02:00
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
...
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1
...
Typo fix for powershell_suspicious_invocation_generic.yml
2020-04-03 09:30:32 +02:00
Andreas Hunkeler