8a87fc35b2
Update win_susp_security_eventlog_cleared.yml
2020-10-11 19:48:07 +05:30
672bf99c6b
Silenttrinity stager communication to c2
2020-10-11 19:45:58 +05:30
364ef1e61f
[OSCD] Security Eventlog Cleared
...
Adding new changes to main
2020-10-05 22:30:09 +05:30
a0c9f1594e
Rule: renamed file - name was too generic
2019-06-02 10:57:44 +02:00
491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
df35d70ab1
Merge pull request #361 from neu5ron/patch-4
...
update correct process name
2019-06-01 20:51:55 +02:00
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
8a0f706cca
Merge branch 'master' of https://github.com/Neo23x0/sigma
2019-05-30 23:24:37 +02:00
1986bcb843
Sigma tools release 0.11
2019-05-30 22:56:38 +02:00
4e96666c04
Merge pull request #336 from petermat/added_rule_T1156
...
added rule .bash_profile and .bashrc T1156
2019-05-30 22:43:33 +02:00
673973e523
Merge pull request #357 from agix/es_dsl_bug
...
fix missing condition when unique plus timeframe
2019-05-30 22:42:09 +02:00
fa0aaa7d2b
Merge branch 'agix-elastalert_dsl_backend'
2019-05-30 22:38:41 +02:00
67707b6c82
Added test for new elastalert-dsl backend
2019-05-30 22:38:12 +02:00
8023011bb1
Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend
2019-05-30 22:33:57 +02:00
89c1d7b63d
Wrong fix, self.queries should be emptied after copied to rule_object
2019-05-29 16:10:14 +02:00
748ac2e206
Dont combine multiple queries
2019-05-29 16:05:53 +02:00
2cf402aa1f
Merge pull request #360 from spellanser/patch-1
...
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:07:46 +02:00
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
04d91573f3
Merge pull request #355 from agix/allow_empty_keyword
...
Allow empty keyword_field
2019-05-28 21:45:55 +02:00
2ecc55c13f
Merge pull request #351 from ipninichuck/master
...
added metadata field to the watcher alert
2019-05-28 21:42:27 +02:00
f3edc39535
Merge pull request #346 from tuckner/master
...
Add Azure Log Analytics / Azure Sentinel to README list of integrations
2019-05-28 21:41:19 +02:00
d866e75750
Be sure there is a key in the single condition
2019-05-27 17:27:16 +02:00
e8a7c5f7b9
fix missing condition when unique plus timeframe
2019-05-27 17:22:28 +02:00
6bf010fb4b
introduce elastalert-dsl
...
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
4168c0ec64
Allow empty keyword_field
2019-05-27 15:08:33 +02:00
36ba9f78da
Improved message if configuration is missing
2019-05-27 13:18:36 +02:00
7c1e856095
Merge pull request #353 from lprat/master
...
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
84690280c5
Improved behavior on missing configuration
...
Listing all configus usable with chosen backend
2019-05-24 22:41:47 +02:00
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
7b63c92fc0
Rule: applying recommendation
...
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
253417a367
Merge pull request #350 from olafhartong/master
...
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 13:54:45 +02:00
75ec169d5c
added metadata field to the watcher alert
...
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
b60cfbe244
Added password flag
2019-05-22 13:20:26 +02:00
346022cfe8
Transformed to process creation rule
2019-05-22 12:50:49 +02:00
4a775650a2
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:36:03 +02:00
e675cdf9c4
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:32:07 +02:00
544dfe3704
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:28:42 +02:00
c937fe3c1b
Rule: Terminal Service Process Spawn
2019-05-22 10:38:27 +02:00
74ca0eeb88
Rule: Renamed PsExec
2019-05-21 09:49:40 +02:00
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
7d10491bf2
Update README.md
2019-05-20 17:46:28 -05:00
5867b5da74
Update README.md
2019-05-20 17:45:18 -05:00
194afa739f
Generate rule name for each condition
...
In backends kibana and xpack-watcher.
Fixes #329
2019-05-21 00:36:19 +02:00
af0bd1b082
Removed debug code from backend option handling
...
Additionally: code simplification
2019-05-21 00:21:52 +02:00
97541ac267
Added -C shortcut for --backend-config
2019-05-21 00:15:01 +02:00
7e163d71eb
Added option to use old URL in xpack-watcher backend
2019-05-21 00:01:21 +02:00
S.kiran kumar