 frack113
|
558bcd5ceb
|
Fix all the rules to pass the test
|
2021-06-14 07:33:26 +02:00 |
|
|
Florian Roth
|
45c3d4702b
|
Merge pull request #1520 from SyeedHasan/master
Detection rule for 'ISO mounts'
|
2021-06-10 09:51:29 +02:00 |
|
|
Florian Roth
|
28abdf3a81
|
Update win_iso_mount.yml
|
2021-06-10 09:31:40 +02:00 |
|
|
Florian Roth
|
b2d0fbba2c
|
Adjustments
|
2021-06-10 09:12:37 +02:00 |
|
|
mvelazco
|
178df3f056
|
fixing title lengths
|
2021-06-04 10:57:52 -04:00 |
|
|
mvelazco
|
d8aa0ae124
|
adding references
|
2021-06-03 23:38:10 -04:00 |
|
|
mvelazco
|
d4f66f2af6
|
rolling back unwanted changes
|
2021-06-03 18:29:06 -04:00 |
|
|
mvelazco
|
7ebab6f872
|
Merge branch 'master' of github.com:mvelazc0/sigma
|
2021-06-03 18:26:09 -04:00 |
|
|
mvelazco
|
103fe2b344
|
minor fixes and 3 extra sigma rules
|
2021-06-03 18:26:07 -04:00 |
|
|
mvelazco
|
f53675f41a
|
Merge branch 'SigmaHQ:master' into master
|
2021-06-03 14:54:41 -07:00 |
|
|
mvelazco
|
50d734a17a
|
Adding 4 initial sigma rules
|
2021-06-03 17:51:47 -04:00 |
|
|
Remco Hofman
|
12c822511e
|
Consistency: Service File Name to ServiceFileName
|
2021-06-03 21:33:11 +02:00 |
|
|
Florian Roth
|
42036049ec
|
Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration
Filtering Platform Connection are in security channel not system
|
2021-06-03 20:50:23 +02:00 |
|
|
Florian Roth
|
eb4300756e
|
Update win_cobaltstrike_service_installs.yml
|
2021-06-01 21:53:25 +02:00 |
|
|
WojciechLesicki
|
cc4c55ed10
|
Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations
|
2021-06-01 16:18:23 +02:00 |
|
|
frack113
|
5f98f00a36
|
Filtering Platform Connection are in security channel not system
|
2021-06-01 08:19:26 +02:00 |
|
|
Hasan
|
fdeb8a8e7f
|
Added rule to detect ISO mounts
|
2021-05-29 22:48:29 +05:00 |
|
|
frack113
|
9a0604029e
|
duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d
- win_cobaltstrike_service_installs.yml
- win_mal_service_installs.yml
|
2021-05-27 21:06:07 +02:00 |
|
|
Florian Roth
|
71625c54f0
|
Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
|
2021-05-27 16:30:30 +02:00 |
|
|
Florian Roth
|
d1582944a7
|
fix: dates in new rules
|
2021-05-27 16:30:09 +02:00 |
|
|
Florian Roth
|
d5e8d1153f
|
fix: missing condition
|
2021-05-27 15:04:13 +02:00 |
|
|
Florian Roth
|
a80c29a7c2
|
Merge pull request #1491 from w0rk3r/patch-1
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
|
2021-05-27 12:52:14 +02:00 |
|
|
Florian Roth
|
059e669ac6
|
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
|
2021-05-27 12:51:54 +02:00 |
|
|
Florian Roth
|
3cd2730a26
|
rule: process hacker priv esc
|
2021-05-27 12:49:54 +02:00 |
|
|
Florian Roth
|
adbdb5b22f
|
Merge branch 'master' into falsepositives_NOT_a_list
|
2021-05-27 10:23:19 +02:00 |
|
|
frack113
|
2a68700991
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:43:08 +02:00 |
|
|
frack113
|
30cc64a349
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:41:19 +02:00 |
|
|
frack113
|
e4c32c353a
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:39:16 +02:00 |
|
|
frack113
|
a878f3b0a5
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:36:47 +02:00 |
|
|
frack113
|
cbce61bc8c
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:34:46 +02:00 |
|
|
frack113
|
8d8df10687
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:31:57 +02:00 |
|
|
frack113
|
ce53a5a67b
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:30:00 +02:00 |
|
|
frack113
|
417da3ac95
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:28:06 +02:00 |
|
|
frack113
|
f0d1c9aa7d
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:26:08 +02:00 |
|
|
frack113
|
788ebbafdc
|
use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
|
2021-05-27 09:20:29 +02:00 |
|
|
Florian Roth
|
a5fe7af25f
|
Cobalt Strike Service Installation
|
2021-05-26 18:05:38 +02:00 |
|
|
Jonhnathan
|
1b32a5c0f3
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:59:54 -03:00 |
|
|
Jonhnathan
|
93087d2130
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:59:35 -03:00 |
|
|
Jonhnathan
|
d3afed53ac
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:59:04 -03:00 |
|
|
Jonhnathan
|
7007287832
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:58:23 -03:00 |
|
|
Jonhnathan
|
2e139b4264
|
Update win_protected_storage_service_access.yml
|
2021-05-22 00:57:25 -03:00 |
|
|
Jonhnathan
|
085218b25a
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:57:01 -03:00 |
|
|
Jonhnathan
|
3fb5f1c47e
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:56:32 -03:00 |
|
|
Jonhnathan
|
943e2c8c88
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:56:03 -03:00 |
|
|
Jonhnathan
|
9765fcbd0c
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:55:29 -03:00 |
|
|
Jonhnathan
|
e23147111b
|
Update Threat Hunter Playbook Reference
|
2021-05-22 00:54:57 -03:00 |
|
|
frack113
|
1e2f7c7abf
|
Fix falsepositives list
|
2021-05-21 12:35:37 +02:00 |
|
|
Florian Roth
|
a0efd7a4dc
|
Merge pull request #1494 from Karneades/patch-1
Add keyword WinRM to remote powershell rules
|
2021-05-21 10:35:18 +02:00 |
|
|
Andreas Hunkeler
|
d8ec5fa6af
|
Add modified field in WinRM rule
|
2021-05-21 09:28:45 +02:00 |
|
|
Florian Roth
|
a30391f3b4
|
Merge pull request #1495 from SigmaHQ/rule-devel
rule refactoring: Cobalt Strike service start
|
2021-05-20 17:43:29 +02:00 |
|