aa5dab332e
Update win_multiple_suspicious_cli.yml
...
Modify modified field
2021-06-14 08:54:07 +02:00
9a98a6dbed
Update sysmon_powershell_network_connection.yml
...
Add of the french OS value for User field
2021-06-14 08:48:24 +02:00
ecfb42fcb2
Update win_multiple_suspicious_cli.yml
...
Add contains in CommandLine condition
2021-06-13 13:43:43 +02:00
ae06ebcae0
Merge pull request #1551 from xg5-simon/xg5-simon
...
Support for VMware Carbon Black Cloud EEDR
2021-06-10 18:35:16 +02:00
ff314b1220
Merge pull request #1550 from humpalum/master
...
Rules: persitence by exploiting Outlook or Exchange
2021-06-10 18:34:43 +02:00
3f46d0ea28
Update sysmon_outlook_newform.yml
2021-06-10 17:41:57 +02:00
54e98c8441
Merge branch 'master' of github.com:humpalum/sigma
2021-06-10 16:41:22 +02:00
1f52763878
Removed EventIDs
2021-06-10 16:41:00 +02:00
e8c38a9d6c
Renamed file to all lowercase
2021-06-10 16:35:02 +02:00
83dddf99b4
Update win_exchange_TransportAgent.yml
2021-06-10 16:07:22 +02:00
cd0531b345
fix: removed process_creation log source
2021-06-10 15:37:00 +02:00
cd2792f82c
Merge pull request #1547 from frack113/new_filter_condition
...
Add New filter condition
2021-06-10 14:42:44 +02:00
3970934252
Switched EventID:1 to category: process_creation
2021-06-10 14:13:29 +02:00
b1913deaca
Removed extra whitespace
2021-06-10 14:09:16 +02:00
1d081e300d
Support for VMware Carbon Black Cloud EEDR
...
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
2021-06-10 21:45:29 +10:00
56d200bad0
Fixed meta informations
2021-06-10 12:44:19 +02:00
bbc8633c67
Merge branch 'master' of github.com:humpalum/sigma
2021-06-10 11:32:08 +02:00
4d6e7e1338
Rules persitence by exploiting Outlook or Exchange
2021-06-10 11:26:21 +02:00
5e35e387dd
Merge pull request #1549 from SigmaHQ/rule-devel
...
Rule devel
2021-06-10 10:19:47 +02:00
45c3d4702b
Merge pull request #1520 from SyeedHasan/master
...
Detection rule for 'ISO mounts'
2021-06-10 09:51:29 +02:00
78817d100b
style: removed unneeded space chars
2021-06-10 09:42:19 +02:00
9c0700bc56
Powershell artefacts to critical
2021-06-10 09:42:07 +02:00
04faf985d2
more PowerShell suspicious keywords
2021-06-10 09:41:55 +02:00
f52ed7604c
BabyShark Pattern
2021-06-10 09:41:36 +02:00
28abdf3a81
Update win_iso_mount.yml
2021-06-10 09:31:40 +02:00
b2d0fbba2c
Adjustments
2021-06-10 09:12:37 +02:00
ab3baa9463
Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled
...
MDATP ServiceInstalled mapping
2021-06-10 09:05:56 +02:00
3dca4425d5
Merge pull request #1546 from frack113/issues_1525
...
Add missing sysmon EventID
2021-06-10 09:05:35 +02:00
a600e2dcaa
forget a print debug
2021-06-10 08:49:15 +02:00
af1aee9541
Add filter condition= and condition!=
2021-06-10 08:26:19 +02:00
1b4d4cfb82
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
ced94bb728
Merge pull request #1545 from roysjosh/eql
...
Add support for Elastic EQL
2021-06-08 21:19:37 +02:00
2034d36677
Add support for Elastic EQL
...
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
8a04bea6aa
Merge pull request #1535 from mvelazc0/master
...
Password Spraying Sigma Rules
2021-06-08 16:14:52 +02:00
16fc76bd5e
Merge pull request #1544 from Karneades/patch-1
...
Revert renaming of ngrok rule
2021-06-08 15:42:38 +02:00
2d44803bf5
Revert renaming of ngrok rule
...
Initially the rule had only a detection for RDP but after my last commits we have more ports in detections, so previous generic name is better.
2021-06-08 13:09:35 +02:00
cfdf3b7c08
Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies
...
Add t1490 powershell delete volume shadow copie
2021-06-08 11:02:34 +02:00
07176ddb25
Merge pull request #1541 from frack113/win_tamper_with_windows_defender
...
Windows tamper with windows defender
2021-06-08 11:02:14 +02:00
242b56031f
Merge pull request #1542 from Karneades/patch-1
...
Update ngrok usage rule
2021-06-08 11:01:45 +02:00
3a85b9073b
Merge pull request #1543 from frack113/Disable_Microsoft_Office_Security_Features
...
T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features
2021-06-08 11:00:59 +02:00
c1f43cc4ca
T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features
2021-06-08 09:32:01 +02:00
0a6f7763aa
Split original to existing file
2021-06-07 20:27:14 +02:00
cea2d5cd81
Add modified date to ngrok rule
2021-06-07 18:17:17 +02:00
e1ef13bb24
Update ngrok usage rule
...
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
2021-06-07 17:20:18 +02:00
5914e46d4a
fix typo errors
2021-06-07 15:15:36 +02:00
e66a3f9513
T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp.
2021-06-07 15:03:19 +02:00
321c31cb7b
Merge pull request #1540 from frack113/sysmon_amsi_bypass_remove_key
...
T1562.001 Remove the AMSI Provider registry key
2021-06-07 11:09:16 +02:00
43ccc07ad0
T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
2021-06-07 10:09:21 +02:00
a17bd970db
Merge pull request #1539 from frack113/basic_sysmon_modif
...
Detect modification of sysmon configuration by sysmon
2021-06-07 09:12:38 +02:00
178df3f056
fixing title lengths
2021-06-04 10:57:52 -04:00
mlp1515