c3d807f53a
Add More Malicious PowerShell Script/Cmdlet Names
2022-05-24 22:02:08 +01:00
c7b90f108f
Merge pull request #3039 from jstnk9/master
...
New sigma rule to detect the use of Jlaive antivirus defense evasion
2022-05-24 20:25:42 +02:00
a6202f7961
Merge pull request #3041 from SigmaHQ/rule-devel
...
refactor: old rule additions, rule: new powershell rules
2022-05-24 20:24:42 +02:00
4b100116d4
Merge pull request #3031 from CD-R0M/master
...
Create proc_creation_win_rundll32_parent_explorer.yml
2022-05-24 20:19:11 +02:00
0e62d5b204
fix: bugs in rules
2022-05-24 20:18:41 +02:00
7a33aac1ed
Update lnx_auditd_keylogging_with_pam_d.yml
...
adding missing uuid
2022-05-24 17:15:54 +02:00
89d88288d6
New detection - Linux Keylogging
2022-05-24 17:05:38 +02:00
37cef9b153
rule: PowerShell obfuscate Net.WebClient
2022-05-24 15:20:21 +02:00
642a334d9e
rule: suspicious PowerShell encoded command patterns
2022-05-24 15:20:01 +02:00
a296bfe667
rule: suspicious anydesk start location
2022-05-24 15:19:45 +02:00
9d11505aa8
refactor: rule additions
2022-05-24 15:19:25 +02:00
6f1602d243
New sigma rule to detect the use of Jlaive antivirus defense evasion
2022-05-24 02:40:08 +02:00
0fb943dc2c
FP: fixing modifier
2022-05-23 21:43:43 +00:00
c807191ab7
FP: filtering out Amaazon AWS header
2022-05-23 21:41:13 +00:00
87de0d39db
Update proc_creation_win_rundll32_parent_explorer.yml
2022-05-23 16:49:40 -04:00
61c10d73e0
fix: FP found in testing environment
2022-05-23 16:45:27 +02:00
9c26e12358
Update proc_creation_win_rundll32_parent_explorer.yml
2022-05-22 15:23:25 -04:00
e9976bc3db
Update proc_creation_win_rundll32_parent_explorer.yml
2022-05-22 15:21:41 -04:00
1e728d9598
Create proc_creation_win_rundll32_parent_explorer.yml
2022-05-21 17:07:31 -04:00
bea6f18d35
Merge pull request #3024 from redsand/win_system_susp_eventlog_cleared
...
Making a derived detection for system/application/security event logs…
2022-05-20 20:56:00 +02:00
946e4582a3
Merge pull request #3030 from SigmaHQ/aurora-false-positive-fixing
...
fix: detection with Windows Defender
2022-05-20 20:05:43 +02:00
e86d007d35
Merge pull request #3027 from elhoim/rename_suspicious
...
Renamed suspicious in filenames to susp
2022-05-20 19:28:24 +02:00
e8f59c8d0f
fix: detection with Windows Defender
2022-05-20 19:27:48 +02:00
10f0a82b94
Fix detection
2022-05-19 21:09:47 +03:00
600a7cd0e8
Re-adding accidently removed entry
2022-05-19 17:16:39 +00:00
60e6a147b4
merging remote change
2022-05-19 16:11:58 +00:00
3f6cabcae8
Updating to include match on Channel
2022-05-19 16:08:34 +00:00
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
003e5bee6d
Merge pull request #3018 from SigmaHQ/rule-devel
...
refactor: rule addition
2022-05-19 07:50:36 +02:00
3fe86e3b84
rule: grpconv execution
2022-05-18 17:56:26 +02:00
04a3dfeb01
Merge pull request #3025 from nasbench/master
...
Quick Updates and Fixes
2022-05-18 17:35:18 +02:00
7d296ef078
fix: change on deleted rule
2022-05-18 17:34:39 +02:00
99e81ea2eb
Merge branch 'pr/3023'
2022-05-18 17:33:10 +02:00
a55e8f2ac1
refactor: PoSh Defender Tampering
2022-05-18 17:29:38 +02:00
15cee5c0b1
Update proc_creation_win_susp_taskkill.yml
2022-05-18 17:28:26 +02:00
d620f11e84
Merge pull request #3021 from redsand/fix_err_in_assignment
...
User meant to use service vs category. currently no category assignme…
2022-05-18 17:16:30 +02:00
dcf236fede
Quick Updates and Fixes
...
- Added "Invoke-EventViewer.ps1" script to the rule "file_event_win_powershell_exploit_scripts"
- Added "OriginalFileName" to "proc_creation_win_susp_taskkill"
- Created rule for "winword" being used as a LOLBIN to download and load arbitrary DLLs
2022-05-18 12:50:59 +01:00
354e8ded4e
Merge pull request #3020 from nasbench/master
...
Rule Update (Batch 2)
2022-05-18 07:05:34 +02:00
28e0e157fe
Update win_system_susp_eventlog_cleared.yml
2022-05-17 21:32:00 +02:00
60a38a95ef
removing duplicate keywords entry
2022-05-17 18:54:01 +00:00
b5b7adcb9c
Making a derived detection for system/application/security event logs being cleared, vs any in general. fp due to custom applications clearing their eventlog
2022-05-17 18:49:54 +00:00
07a79acede
Update proc_creation_win_lolbas_extrac32.yml
2022-05-17 15:33:18 +01:00
389240855d
Update proc_creation_win_lolbas_extrac32.yml
2022-05-17 15:17:09 +01:00
3bbeab2a7b
Requested Changes
2022-05-17 15:04:26 +01:00
7ea6ed3db6
Merge pull request #3016 from frack113/ttdinjec
...
ttdinject lolbin
2022-05-17 06:28:22 +02:00
b49633d32b
#2902 : Remove t1547.006
2022-05-16 21:57:30 -05:00
4bafd1317b
User meant to use service vs category. currently no category assignment for "system". We need a unit test to detect new sections here, vs backends. this was untested in the field.
2022-05-16 22:18:35 +00:00
3a629e8a2e
Update proc_creation_win_certoc_download.yml
2022-05-16 22:05:00 +01:00
f0e05ccb3c
Rule Update (Batch 2)
...
- Added 5 more PowerShell scripts for the rule "file_event_win_powershell_exploit_scripts.yml"
- Created new rule for "certoc" lolbin to cover "Download" option as described in the LOLBAS project
- Created specific rule for the "IEExec" lolbin to cover "Download" option as described in the LOLBAS Project
- Updated some rules to use "OriginalFileName" in addition to the "Image" selection
- Updated some rules to increase coverage.
2022-05-16 22:02:41 +01:00
73706c96ab
fix: missing modified date mod
2022-05-16 17:24:26 +02:00
Nasreddine Bencherchali