| Author | Commit | Message | Date |
|---|---|---|---|
| frack113 | 1cfca93354 | Missing status in rules (#2284): add missing status | 2021-11-19 22:32:26 +01:00 |
| frack113 | 264db60c5e | Merge pull request #2276 from phantinuss/master: Rule Fix: Paths with Quotes | 2021-11-19 19:05:36 +01:00 |
| Florian Roth | 4acbb15713 | Merge branch 'master' into rule-devel | 2021-11-19 15:52:21 +01:00 |
| Florian Roth | ecc7181d6e | fix: FP with Windows Update Client LOLBIN rule | 2021-11-18 13:34:55 +01:00 |
| phantinuss | 84476e1dd4 | fix: prevent possible FPs from non-Windows native calls using paths surrounded by quotes | 2021-11-18 10:06:03 +01:00 |
| Florian Roth | 7dce83033b | rule: Winrar suspicious folder | 2021-11-17 19:01:48 +01:00 |
| phantinuss | 0109694e26 | enhance emotet rundll32 execution pattern for current campaign | 2021-11-17 15:59:05 +01:00 |
| Florian Roth | 8d6d8c2c92 | fix: several FPs | 2021-11-16 17:30:23 +01:00 |
| Florian Roth | 4fb833700f | Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel | 2021-11-16 12:17:46 +01:00 |
| Florian Roth | 3be53dfb72 | refactor: tightened rule | 2021-11-16 12:17:43 +01:00 |
| Florian Roth | 760266ab34 | Merge branch 'master' into rule-devel | 2021-11-16 12:13:20 +01:00 |
| Florian Roth | 4c1fab644d | fix: FPs with Windows Update Client LOLBIN rule | 2021-11-16 12:09:03 +01:00 |
| frack113 | 51744b31b4 | fix name | 2021-11-15 13:38:38 +01:00 |
| frack113 | b9be5b262f | Add win_pc_susp_reg_bitLocker | 2021-11-15 13:24:26 +01:00 |
| Austin Songer | 5a542431ac | Update win_susp_registration_via_cscript.yml | 2021-11-12 11:12:31 -06:00 |
| Florian Roth | 5d0c160e41 | Merge branch 'master' into pr/2228 | 2021-11-11 18:10:05 +01:00 |
| Florian Roth | 791736cb3e | Merge pull request #2243 from SigmaHQ/rule-devel: CobaltStrike DNS beaconing, some FP fixes | 2021-11-11 17:21:33 +01:00 |
| Florian Roth | b61e92ae1d | fix: FP with VSCode | 2021-11-11 16:12:49 +01:00 |
| frack113 | b7b1ebf772 | Fix LogonId - SubjectLogonId | 2021-11-10 19:12:51 +01:00 |
| frack113 | a4951a29bb | Fix detection | 2021-11-10 18:57:54 +01:00 |
| frack113 | 3c3bf75aa8 | fix detection from test | 2021-11-09 17:04:27 +01:00 |
| frack113 | 24f3e9db5b | fix detection from ref | 2021-11-09 16:44:11 +01:00 |
| frack113 | c5fa73c328 | fix ProcessCommandLine to ParentCommandLine | 2021-11-09 16:13:29 +01:00 |
| frack113 | 73e2b5fae6 | Merge pull request #2233 from frack113/zipexec: Add win_pc_susp_zipexec | 2021-11-08 22:46:17 +01:00 |
| frack113 | d3c3cd9930 | Merge pull request #2230 from frack113/process_creation_clean: Process creation directory clean | 2021-11-08 21:27:25 +01:00 |
| frack113 | 4672762010 | add win_pc_susp_zipexec | 2021-11-07 21:57:40 +01:00 |
| frack113 | aa8694fdef | add missing category | 2021-11-06 10:17:12 +01:00 |
| frack113 | 68d30293b5 | Cleanup process_creation | 2021-11-06 10:16:16 +01:00 |
| Austin Songer | b30aec65de | Update win_susp_registration_via_cscript.yml | 2021-11-05 18:45:49 -05:00 |
| Austin Songer | aec6f40203 | Update win_susp_registration_via_cscript.yml | 2021-11-05 18:15:24 -05:00 |
| Austin Songer | 5778b6e24f | Update win_susp_registration_via_cscript.yml | 2021-11-05 18:14:42 -05:00 |
| Austin Songer | 588c3a1b0b | Create win_susp_registration_via_cscript.yml | 2021-11-05 18:12:57 -05:00 |
| frack113 | a3f3ec84c9 | fix product windows case | 2021-11-05 13:16:24 +01:00 |
| frack113 | 3416db7301 | Merge pull request #2225 from frack113/cmdl32: add win_pc_susp_cmdl32_lolbas | 2021-11-04 20:58:50 +01:00 |
| frack113 | e058e56c22 | fix unknown | 2021-11-04 18:07:16 +01:00 |
| frack113 | 5506b1c566 | add OriginalFileName | 2021-11-04 13:42:04 +01:00 |
| frack113 | edb1458791 | add win_pc_susp_cmdl32_lolbas | 2021-11-03 20:45:21 +01:00 |
| frack113 | be6186fa1c | Forget the Local | 2021-11-03 17:01:34 +01:00 |
| frack113 | 5a4db26ec7 | add win_pc_susp_schtasks_user_temp | 2021-11-03 15:14:34 +01:00 |
| frack113 | 2a2bfab06e | add win_pc_set_policies_to_unsecure_level | 2021-11-01 15:35:46 +01:00 |
| frack113 | 8b86a79ef0 | Merge pull request #2206 from frack113/order: Move rules to correct directory | 2021-10-28 06:26:45 +02:00 |
| frack113 | d91eb0d0c0 | Merge pull request #2204 from phantinuss/newrules: New Rule: windows commandline path obfuscation | 2021-10-28 06:25:52 +02:00 |
| frack113 | 957ba042f0 | Merge pull request #2203 from OTRF/feature/Sysmon-v1330-Rules: Unsupported rules now possible with Sysmon v13.30 | 2021-10-28 06:25:35 +02:00 |
| Roberto Rodriguez | 7543b3e2a6 | added definition to Sysmon 13.30 rule for priv escalation | 2021-10-27 11:56:19 -04:00 |
| frack113 | c228cde0cb | Move to correct directory | 2021-10-27 14:38:51 +02:00 |
| phantinuss | 8b12794486 | fix: change title and filename | 2021-10-27 14:07:27 +02:00 |
| phantinuss | eb4ef6bcfc | fix: single list item to value | 2021-10-27 11:16:12 +02:00 |
| Roberto Rodriguez | d80f73625f | Added the right System string to User filter | 2021-10-27 01:22:19 -04:00 |
| Roberto Rodriguez | 9c7a736ca6 | added integrity level for user | 2021-10-27 01:06:37 -04:00 |
| Roberto Rodriguez | 5aac1b6879 | Unsupported rule now possible with Sysmon v13.30 | 2021-10-27 01:04:24 -04:00 |