d385cbfa69
Fix quoting for AD Object WriteDAC Access
...
The AccessMask field needs to be quoted so that it is compared correctly.
2020-06-22 15:31:03 -04:00
e2a16087c9
Merge pull request #851 from ozirus/master
...
Update for new method
2020-06-22 20:11:39 +02:00
b091e3b1c4
Update for new method
...
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
2020-06-22 01:06:34 +03:00
1ef81a36af
Merge pull request #850 from Neo23x0/rule-devel
...
K3chang and IE Registry Mods
2020-06-19 11:25:43 +02:00
912ad94771
fix: missing ATT&CK id in tests
2020-06-19 10:00:44 +02:00
e1225784f7
fix: fixed indentation
2020-06-19 09:54:08 +02:00
62632db818
refactor: added variant to IE rule
2020-06-19 09:53:35 +02:00
5cb6f5da9d
fix: title adjusted
2020-06-19 09:39:11 +02:00
b8a5cd4787
Disabled IE Security Features
2020-06-19 09:37:10 +02:00
da060bfb90
Ke3chang rule
2020-06-19 09:36:54 +02:00
b675c4c706
Merge branch 'master' into rule-devel
2020-06-19 09:24:26 +02:00
4b0c80885f
Merge pull request #810 from EccoTheFlintstone/fp
...
add WMI module load false positives
2020-06-18 12:50:40 +02:00
32ecb81630
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2
...
ATT&CK subtechniques v2
2020-06-18 09:10:09 +02:00
69760f6446
Added subtechniques to MITRE_TECHNIQUES
2020-06-17 11:51:48 -06:00
b343df2225
Further subtechnique updates
2020-06-17 11:31:40 -06:00
99bfa14ae0
add 1 more FP
2020-06-17 12:49:27 -04:00
0022705373
fix: filter not functional
...
since `UsrLogon.cmd` does appear only in `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
2020-06-17 16:09:44 +02:00
5c0bb0e94f
Fixed indentation
2020-06-16 15:01:13 -06:00
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
d24ec665fd
Merge pull request #838 from rtkbkish/fix-identifier
...
Identifiers shared between global document and rule gets overwritten
2020-06-15 20:20:23 +02:00
87053502a3
Merge pull request #839 from rtkbkish/fix-double-backslash
...
Fix match for double-backslash
2020-06-15 20:19:56 +02:00
869162a5da
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id
...
Rule lists extra Sysmon ID (11). Should just match registry events (1…
2020-06-15 20:19:27 +02:00
3482e048fb
Merge pull request #841 from rtkbkish/fix-rule-match
...
Rule needs endwith, not exact match.
2020-06-15 20:19:12 +02:00
46bd56a708
Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation
...
Fix logsource field name from service->category
2020-06-15 20:18:53 +02:00
3d962bdb47
Merge pull request #836 from rtkbkish/fix-escaping
...
Fix rules with incorrect escaping of wildcars
2020-06-15 20:18:34 +02:00
dfae2a6df6
Rule needs endwith, not exact match.
...
Fix ImageLoaded filter to match with endswith, rather than exact match.
2020-06-15 13:54:02 -04:00
a9c6fa904f
Rule lists extra Sysmon ID (11). Should just match registry events (12-14)
...
Remove extraneous event ID 11. It will never match.
2020-06-15 13:52:12 -04:00
f196046b3d
Fix match for double-backslash
...
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
2020-06-15 13:39:50 -04:00
422b2bffd7
Fix rules with incorrect escaping of wildcars
...
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
8d58c8f5c8
Fix logsource field name from service->category
...
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
2020-06-15 13:18:05 -04:00
f5aa871e5d
Identifiers shared between global document and rule gets overwritten
...
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
2020-06-15 13:14:31 -04:00
d371fd864c
Merge pull request #834 from ebeahan/elastic-updates
...
Elastic section updates
2020-06-13 10:04:49 +02:00
f907c49ab5
Improved test coverage
...
* Added test case
* Removed unused code
2020-06-13 01:11:08 +02:00
05ced1a3d5
Exclude heatmap.json from versioning
2020-06-13 00:05:57 +02:00
b129556388
Automatic inclusion of all configuration files
2020-06-13 00:04:45 +02:00
80e8f0e5fa
Release 0.17.0
2020-06-12 23:52:06 +02:00
24d83b80cd
Merge branch 'script_entry_points'
2020-06-12 23:13:11 +02:00
bba0b2d851
Elastic documentation improvements
2020-06-12 13:40:39 -05:00
b48e7d8d71
Merge pull request #833 from neu5ron/sigmacs
...
typo and another example
2020-06-12 17:39:14 +02:00
db6c9dc721
Merge remote-tracking branch 'neu5ron-sigma/sigmacs' into sigmacs
...
# Conflicts:
# tools/README.md
2020-06-12 11:37:39 -04:00
aac1af1832
typo, was missing the = and *.
...
also, show option when using case insensitive for everything, how to "exclude" a field from that regex.
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com >
2020-06-12 11:37:32 -04:00
db0292afd2
typo, was missing the = and *.
...
also, show option when using case insensitive for everything, how to "exclude" a field from that regex.
2020-06-12 11:36:19 -04:00
52ff2e12ab
Merge pull request #832 from Iveco/master
...
Cmd.exe Path Traversal Detection / Argument Spoofing
2020-06-12 10:33:15 +02:00
40f0fd989d
- moved to "process_creation" folder instead of "sysmon"
...
- renamed .yml file
2020-06-11 19:21:17 +02:00
34d7ea2974
removed one field
2020-06-11 16:23:15 +02:00
2081baafe5
updated to process_creation
2020-06-11 15:58:05 +02:00
f56e2599b1
Cmd.exe Path Traversal Detection
2020-06-11 15:48:48 +02:00
97c45f9d46
Merge pull request #812 from tliffick/master
...
added new rules for malware
2020-06-10 17:37:19 +02:00
96309d247b
fix: cosmetic fault
2020-06-10 16:41:03 +02:00
6e4aa01baa
Cosmetics
2020-06-10 16:36:17 +02:00
Brad Kish