6c8d08942e
Rule: Fixed field in RDP rule
2019-01-29 15:17:29 +01:00
f61b44efa8
Rule: Netsh port forwarding
2019-01-29 14:04:48 +01:00
086e62a495
Rule: Netsh RDP port forwarding rule
2019-01-29 14:04:28 +01:00
a2eac623a6
Rule: Adjusted RDP login from localhost rule level
2019-01-29 14:04:10 +01:00
c9ec469180
style: cosmetics - removed empty lines at file end
2019-01-29 12:54:07 +01:00
516bfc88ff
Added rule: RDP login from localhost
2019-01-28 22:43:22 +01:00
7e4bb1d21a
Removed duplicate filters
2019-01-25 12:21:57 +03:00
9ce7d18712
Merge pull request #231 from TareqAlKhatib/rule_testing_framework
...
Rule testing framework
2019-01-23 23:16:46 +01:00
ecffe28933
Correct MITRE tag
2019-01-22 21:26:07 +03:00
90e8eba530
rule: false positive reduction in PowerShell rules
2019-01-22 16:37:36 +01:00
cc6e0baef1
rule: extended certutil rule to include verifyctl and allows renamed certutil
...
https://twitter.com/egre55/status/1087685529016193025
2019-01-22 16:20:06 +01:00
b1ea976f66
fix: fixed bug inntdsutil rule that included a white space
2019-01-22 16:18:43 +01:00
8c4b21f063
Rule: Apache threading errors
2019-01-22 08:49:10 +01:00
f99df33b01
SSP added to LSA configuration
2019-01-18 14:05:21 -05:00
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
5645c75576
Rule: updated relevant AV signatures - exploiting
...
https://twitter.com/haroldogden/status/1085556071891173376
2019-01-16 18:43:28 +01:00
f759e8b07c
Rule: Suspicious Program Location Process Starts
2019-01-15 15:40:51 +01:00
7622b17415
Moved test rule to final location/naming scheme
2019-01-14 23:58:25 +01:00
a9cf14438c
Merge branch 'master' into project-1
2019-01-14 22:36:15 +01:00
ed1ee80f2d
Merge pull request #221 from adrienverge/fix/yamllint
...
Fix yamllint config
2019-01-13 23:55:14 +01:00
9a6b3b5389
Rule: PowerShell script run in AppData folders
2019-01-12 12:03:36 +01:00
604d88cf1e
Rule: WMI Event Subscription
2019-01-12 12:03:36 +01:00
63f96d58b4
Rule: Renamed PowerShell.exe
2019-01-12 12:03:36 +01:00
b7eb79f8da
Rule: UserInitMprLogonScript persistence method
2019-01-12 12:03:36 +01:00
d4a1fe786a
Rule: Dridex pattern
2019-01-12 12:03:36 +01:00
44f18db80d
Fix YAML errors reported by yamllint
...
Especially the config for ArcSight, that was invalid:
tools/config/arcsight.yml
89:5 error duplication of key "product" in mapping (key-duplicates)
90:5 error duplication of key "conditions" in mapping (key-duplicates)
rules/windows/builtin/win_susp_commands_recon_activity.yml
10:9 error too many spaces after colon (colons)
2019-01-10 09:51:39 +01:00
8b94860ee6
Corrected class B private IP range to prevent false negatives
2019-01-04 12:50:41 +03:00
925ffae9b8
Removed Outlook detection which is a subset of the Office one
2019-01-02 07:47:44 +03:00
0a5e79b1e0
Fixed the RC section to use rc.exe instead of oleview.exe
2019-01-01 13:30:26 +03:00
f318f328d6
Corrected reference to references as per Sigma's standard
2018-12-25 16:25:12 +03:00
c8c419f205
Rule: Hacktool Rubeus
2018-12-19 09:31:22 +01:00
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master
...
Field-Index Mapping File & SIGMA Rules Field names fix
2018-12-19 00:38:06 +01:00
a7fa20546a
Rule: proxy user agents updated with MacControl user agent
2018-12-17 14:18:03 +01:00
99f773dcf6
Rule: false positive reduction in rule
2018-12-17 10:02:55 +01:00
172236e130
Rule: updated ATT&CK tags in MavInject rule
2018-12-12 09:17:58 +01:00
188d3a83b8
Rule: docs: reference update in MavInject rule
2018-12-12 08:37:00 +01:00
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue
...
Bugfix: wrong field for 4688 process creation events
2018-12-12 08:24:07 +01:00
49eb03cda8
Rule: MavInject process injection
2018-12-12 08:18:43 +01:00
b0cb0abc01
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
b5d78835b6
Removed overlapping rule with sysmon_office_shell.yml
2018-12-11 13:37:47 +01:00
a0486edeea
Field-Index Mapping File & SIGMA Rules Field names fix
...
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
2018-12-11 09:27:26 +03:00
9567ce588d
Merge remote-tracking branch 'upstream/master'
2018-12-09 09:27:43 +03:00
8c577a329f
Improve Rule & Updated HELK SIGMA Standardization Config
...
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.
SIGMA HELK standardization config updated to match latest HELK Common Information Model
2018-12-08 11:30:21 +03:00
a35f945c71
Update win_disable_event_logging.yml
...
Description value breaking SIGMA Elastalert Backend
2018-12-06 05:09:41 +03:00
2e5a739c6c
fix: fixed author string (cannot be list according to sigma specs)
2018-12-05 11:59:10 +01:00
9b15b64a9a
fix: fixed author string (cannot be list according to sigma specs)
2018-12-05 11:44:20 +01:00
87ce07088f
Update sysmon_plugx_susp_exe_locations.yml
...
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location
This impats Elastalert integration since you cannot have two rules with the same name
2018-12-05 07:58:13 +03:00
bff7ec52db
Update av_relevant_files.yml
...
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection
This affetcs Elastalert integration
2018-12-05 07:53:53 +03:00
104ee6c33b
Update win_susp_commands_recon_activity.yml
...
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
2018-12-05 05:55:36 +03:00
328762ed67
Update powershell_xor_commandline.yml
...
Ducplicate names again for https://github.com/Neo23x0/sigma/search?q=Suspicious+Encoded+PowerShell+Command+Line&unscoped_q=Suspicious+Encoded+PowerShell+Command+Line . This brakes elastalert integration since each rule needs to have its own unique name.
2018-12-05 05:51:41 +03:00
Florian Roth