8e7187e861
Rename azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml to azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
2023-01-10 20:37:56 +01:00
2820210945
fix: broken title
2023-01-10 19:43:19 +01:00
cb21d5d23e
Merge pull request #3903 from frack113/mitre_url
...
Clean attack.mitre.org techniques ref
2023-01-10 19:32:51 +01:00
15757c2b7d
fix: remove tactic links
2023-01-10 19:20:31 +01:00
486ee8f435
Apply suggestions from code review
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2023-01-10 19:13:38 +01:00
49d7eb244f
Remove mitre url
2023-01-10 18:24:22 +01:00
4023bf2c83
Remove mitre url
2023-01-10 18:09:04 +01:00
a6116a5fdc
Merge pull request #3894 from TheLawsOfChaos/patch-5
...
Update azure_device_or_configuration_modified_or_deleted.yml
2023-01-10 17:49:12 +01:00
9d6a41edc6
fix: fp found in testing
2023-01-10 15:11:40 +01:00
23278ead62
Merge pull request #3893 from TheLawsOfChaos/patch-4
...
Update azure_dns_zone_modified_or_deleted.yml
2023-01-10 13:50:11 +01:00
6025922440
Merge pull request #3899 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2023-01-10 10:48:18 +01:00
c3fabfe2a8
Update image_load_side_load_non_existent_dlls.yml
2023-01-10 10:41:48 +01:00
74279768f7
Merge pull request #3900 from frack113/simple_order
...
Order file
2023-01-10 10:37:21 +01:00
d52e30fbe3
Apply suggestions from code review
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2023-01-10 10:31:44 +01:00
f9e1419760
Order file
2023-01-10 06:24:48 +01:00
82c2b635a9
fix: yaml syntax
2023-01-10 00:49:44 +01:00
3b149675b2
Merge pull request #3896 from TheLawsOfChaos/patch-7
...
Patch 7
2023-01-10 00:45:38 +01:00
b80b358427
fix: fp with defender
2023-01-10 00:44:52 +01:00
b0e3bb5d28
fix: broken condition
2023-01-10 00:33:38 +01:00
81f75c1d2e
feat: updates and enhancements
2023-01-10 00:13:37 +01:00
907252c00f
New rule
...
Detecting risky user sign from non AD registered device with single factor authenciation
2023-01-09 17:07:39 -05:00
032db9f799
Merge pull request #3897 from TheLawsOfChaos/patch-8
...
Update azure_firewall_modified_or_deleted.yml
2023-01-09 22:39:41 +01:00
da569af6fa
Merge pull request #3890 from TheLawsOfChaos/patch-1
...
Update proxy_download_susp_tlds_whitelist.yml
2023-01-09 22:38:19 +01:00
f0505a7a22
fix: remove mitre links from ref section
2023-01-09 22:34:13 +01:00
e237aec830
Merge pull request #3895 from TheLawsOfChaos/patch-6
...
Update azure_creating_number_of_resources_detection.yml
2023-01-09 22:33:30 +01:00
10c81f1ed0
fix: change to uppercase
2023-01-09 22:32:22 +01:00
2a75a4318b
Merge pull request #3892 from TheLawsOfChaos/patch-3
...
Update azure_application_deleted.yml
2023-01-09 22:24:33 +01:00
3ec4c3e98b
fix: apply suggestions from code review
2023-01-09 22:23:19 +01:00
c8cbdefba5
fix: remove unnecessary spaces
2023-01-09 22:22:40 +01:00
b728332228
fix: remove mitre link from the reference section
2023-01-09 22:21:46 +01:00
0e06d9e9b9
fix: remove mitre link from the reference section
2023-01-09 22:21:21 +01:00
a3cee700af
fix: add missing "t" to mitre tag
2023-01-09 22:20:48 +01:00
0f75a1d361
fix: remove mitre reference link
2023-01-09 22:19:57 +01:00
8caf115e33
Update azure_firewall_modified_or_deleted.yml
...
Added sub-tech reference, new tactic, and sub-tech.
2023-01-09 16:09:18 -05:00
e97efe445c
Update azure_change_to_authentication_method.yml
2023-01-09 15:46:05 -05:00
42875d2bba
Update azure_change_to_authentication_method.yml
...
Updated description, added two tactics and one technique, and added technique reference.
2023-01-09 15:43:07 -05:00
1c0c29f45f
Update azure_creating_number_of_resources_detection.yml
...
Added tactic and MITRE reference for technique.
2023-01-09 15:35:00 -05:00
57a23e0b41
Update azure_device_or_configuration_modified_or_deleted.yml
...
Added technique and sub-tech, along with references.
2023-01-09 15:32:02 -05:00
a7208e7f69
Update azure_dns_zone_modified_or_deleted.yml
...
Added sub-tech and reference to the page. Didn't modify the date per earlier discussion.
2023-01-09 15:27:15 -05:00
8956242b43
fix: rollback modified date
2023-01-09 21:14:42 +01:00
8563b4265a
fix: duplicate title + add related field
2023-01-09 21:13:04 +01:00
8aac18a554
Update azure_application_deleted.yml
...
Updated modified date.
2023-01-09 15:06:39 -05:00
3415cfb658
Update proxy_download_susp_tlds_whitelist.yml
...
Per @nasbench I have made the following updates
- Modified date : ✅
- Description : still applies, the files themselves are executable either by themselves or by other processes.
- Capital letters : I actually didn't touch that, but just capitalized the F in from from whoever modified it before!
2023-01-09 15:03:31 -05:00
a992ed6372
Update azure_application_deleted.yml
...
Added Tactic impact and t1489.
https://attack.mitre.org/tactics/TA0040/
https://attack.mitre.org/techniques/T1489
Deleting an application absolutely is part of Impact, and Stop/Disable a service if that application was running it.
2023-01-09 14:58:16 -05:00
8e38593f2f
Merge pull request #3891 from TheLawsOfChaos/patch-2
...
Update azure_ad_only_single_factor_auth_required.yml
2023-01-09 20:30:29 +01:00
ea26adb55a
Update azure_ad_only_single_factor_auth_required.yml
...
.004 is for valid cloud accounts
2023-01-09 14:00:09 -05:00
0df15d18b0
Update proxy_download_susp_tlds_whitelist.yml
...
This rule checks for more than just EXE downloads so changed the title. The description is fine. New title matches the blacklist version, and if it's desired to have both have a different titles, I recommend putting 'inclusion' and 'exclusion'.
2023-01-09 10:52:03 -05:00
17aaf7fdcd
Merge pull request #3888 from SigmaHQ/aurora-false-positive-fixing
...
fix: FPs noticed with Aurora
2023-01-09 10:39:54 +01:00
25dcb1d425
Merge branch 'iso_evtx' of github.com:frack113/sigma into iso_evtx
2023-01-09 10:20:27 +01:00
9b550f6858
Add win_vhdmp_mount_iso
2023-01-09 10:19:41 +01:00
frack113