Nasreddine Bencherchali | 2145eb75f9 | 2022-11-21 11:23:27 +01:00
    Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel

Nasreddine Bencherchali | 4084bba9d1 | 2022-11-21 11:23:18 +01:00
    feat: add new variations to the rule

Nasreddine Bencherchali | e158555dcd | 2022-11-21 11:22:32 +01:00
    Merge branch 'SigmaHQ:master' into nasbench-rule-devel

Florian Roth | 497beea08d | 2022-11-19 11:35:19 +01:00
    Merge pull request #3714 from frack113/net_clr
    .NET CLR Usage Log

Florian Roth | 916bee6fce | 2022-11-19 11:34:44 +01:00
    Merge pull request #3715 from nasbench/add-missing-cmd-flags
    feat: add missing cmd flags

Florian Roth | 74e2d1bd3c | 2022-11-19 11:33:53 +01:00
    Merge pull request #3718 from SigmaHQ/rule-devel
    Rule devel

Florian Roth | 66adbb43f7 | 2022-11-19 08:48:43 +01:00
    chore: change modified date

Florian Roth | 4e36ec7175 | 2022-11-19 08:45:58 +01:00
    Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

Florian Roth | 009ef39ca0 | 2022-11-19 08:45:50 +01:00
    Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

Florian Roth | 37f6586987 | 2022-11-19 08:45:39 +01:00
    Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

Florian Roth | 4e27fec49b | 2022-11-19 08:45:30 +01:00
    Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

BlueTeamOps | 16ed9f2632 | 2022-11-19 15:12:06 +11:00
    Merge branch 'SigmaHQ:master' into master

BlueTeamOps | fcd41ed3e3 | 2022-11-19 15:06:36 +11:00
    Update rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

BlueTeamOps | 09d6d3e407 | 2022-11-19 15:06:10 +11:00
    Update rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

BlueTeamOps | 0de44fcf5b | 2022-11-19 15:06:01 +11:00
    Update rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

Nasreddine Bencherchali | 6df8df3116 | 2022-11-18 18:11:59 +01:00
    feat: update defender reg tamper rule

Nasreddine Bencherchali | 87ff47c074 | 2022-11-18 17:54:13 +01:00
    fix: rename rule to conform to the title

Nasreddine Bencherchali | 16e104952a | 2022-11-18 17:53:16 +01:00
    feat: update nsudo rule

Nasreddine Bencherchali | 9b1a6cc7c9 | 2022-11-18 17:53:06 +01:00
    feat: update disable defender rule

Nasreddine Bencherchali | dd51b85546 | 2022-11-18 17:51:11 +01:00
    Merge branch 'SigmaHQ:master' into nasbench-rule-devel

Tim Shelton | e0c53c1948 | 2022-11-18 16:35:48 +00:00
    FP: ignore calling function Convert-GuidToCompressedGuid, part of Amazon SSM worker

jstnk9 | f0bac30cfb | 2022-11-18 15:55:11 +01:00
    Update netflow_cleartext_protocols.yml (#3716)

frack113 | cc340f2247 | 2022-11-18 15:43:08 +01:00
    Apply suggestions from code review
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

frack113 | 58a732e4b6 | 2022-11-18 15:42:37 +01:00
    Update rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

Nasreddine Bencherchali | 6fe9eff838 | 2022-11-18 13:46:51 +01:00
    feat: add missing /r

Nasreddine Bencherchali | 15f3896922 | 2022-11-18 13:45:18 +01:00
    feat: rename rule to fit convention

Nasreddine Bencherchali | 87b709a3e6 | 2022-11-18 13:45:01 +01:00
    feat: add missing /r to cmd

frack113 | 4bd0cd07ea | 2022-11-18 13:24:58 +01:00
    .NET CLR Usage Log

Nasreddine Bencherchali | eb41e8cd4a | 2022-11-18 11:34:25 +01:00
    Merge branch 'SigmaHQ:master' into nasbench-rule-devel

frack113 | 59ccb74bc6 | 2022-11-18 11:26:04 +01:00
    Add proc_creation_win_susp_powercfg
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

Nasreddine Bencherchali | 6603ca9202 | 2022-11-18 11:16:13 +01:00
    fix: update rules to not use regex

Nasreddine Bencherchali | 7804decd2d | 2022-11-18 11:15:50 +01:00
    feat: add more clarification to the test (#3710)
    Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Nasreddine Bencherchali | 20b0a6bad8 | 2022-11-18 11:15:28 +01:00
    Rule Dev

nikitah4x | 0f496be1e5 | 2022-11-18 08:40:39 +01:00
    Add new rule to detect PST export when eDiscovery alert policy is disabled (M365)

frack113 | cd3082c3f2 | 2022-11-18 08:29:50 +01:00
    Add proc_creation_win_susp_msbuild (#3708)
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

frack113 | 71690c8618 | 2022-11-18 08:07:09 +01:00
    Update posh_ps_get_adcomputer.yml

frack113 | 59b7294f05 | 2022-11-18 08:05:07 +01:00
    Update dns_query_win_susp_ipify.yml

frack113 | 359393aec0 | 2022-11-17 19:25:02 +01:00
    Merge pull request #3707 from sysradwin/master
    Update proc_creation_win_base64_reflective_assembly_load.yml

Nasreddine Bencherchali | 607f3c6f63 | 2022-11-17 19:13:07 +01:00
    feat: add new value
    Co-Authored-By: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>

Nasreddine Bencherchali | 6b6a0f95d2 | 2022-11-17 19:05:03 +01:00
    fix: update metadata of the rule

sysradwin | b851fe17b9 | 2022-11-17 13:03:32 -05:00
    Update proc_creation_win_base64_reflective_assembly_load.yml

Florian Roth | 5c5639cfc6 | 2022-11-17 17:34:50 +01:00
    Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel

Florian Roth | 860b290f32 | 2022-11-17 17:34:48 +01:00
    fix: change casing

Nasreddine Bencherchali | c9fb23ab04 | 2022-11-17 16:00:24 +01:00
    feat: add PowerShell variants of rules
    Posh variants of the Get-AdComputer and Get-AdUser rules

Nasreddine Bencherchali | e4a580f9bf | 2022-11-17 15:59:29 +01:00
    fix: update selection

Nasreddine Bencherchali | 1e82c0eb61 | 2022-11-17 15:50:02 +01:00
    fix: fix #3706

Nasreddine Bencherchali | 7ef5f9b76e | 2022-11-17 15:48:56 +01:00
    fix: rename rule to remove susp from rule name
    The rule has a low score and does not represent suspiciousness at this state

Nasreddine Bencherchali | 8ff90e589b | 2022-11-17 15:47:22 +01:00
    feat: add another domain

Nasreddine Bencherchali | 278808f166 | 2022-11-17 15:47:13 +01:00
    feat: add another case to the selection

Nasreddine Bencherchali | c4719bdba7 | 2022-11-17 15:46:49 +01:00
    fix: add missing definition