2385d06221
Update powershell_cmdline_specific_comb_methods.yml
2020-10-11 21:09:21 +03:00
6094fd4e9c
[OSCD] Create powershell_cmdline_specific_comb_methods.yml
2020-10-11 20:56:45 +03:00
94efeda45d
modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
2020-10-11 19:11:54 +02:00
64b07ff51a
Update powershell_cmdline_reversed_strings.yml
2020-10-11 19:42:39 +03:00
c868ef655c
Update powershell_cmdline_reversed_strings.yml
2020-10-11 17:37:07 +03:00
7aaf4654cd
Rename powershell_cmdline_reversed_strings to powershell_cmdline_reversed_strings.yml
2020-10-11 17:28:56 +03:00
00f5d1ec92
Update powershell_cmdline_reversed_strings
2020-10-11 17:24:46 +03:00
51f00c153c
Update powershell_cmdline_reversed_strings
2020-10-11 17:18:15 +03:00
dd9c29377b
Update powershell_cmdline_reversed_strings
2020-10-11 17:11:58 +03:00
8f2ddc632e
Create powershell_cmdline_reversed_strings
2020-10-11 17:02:02 +03:00
a5dea8c596
[OSCD] Fix powershell_icmp_exfiltration.yml references, add newline at the end of the file #1013
2020-10-10 23:08:39 +02:00
6dcd4a6c6d
[OSCD] Create powershell_icmp_exfiltration.yml #1013
2020-10-10 23:05:31 +02:00
414c98e7ba
Detects Obfuscated Powershell via use Clip.exe in Scripts
2020-10-09 19:37:07 +03:00
02e826def3
Update powershell_invoke_obfuscation_via_use_mhsta.yml
2020-10-09 16:29:20 +03:00
31095033ab
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-09 16:25:59 +03:00
27410d3c8e
Detects Obfuscated Powershell via use MSHTA in Scripts
2020-10-08 18:19:59 +03:00
80a3a6c048
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-08 17:52:01 +03:00
b4377ed632
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-08 17:45:07 +03:00
3ba4eeac7b
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-08 17:36:20 +03:00
2db2ab30c4
Detects Obfuscated Powershell via use Rundll32 in Scripts
2020-10-08 17:08:43 +03:00
d3f0ddd2b1
Update powershell_code_injection.yml
2020-10-07 14:50:00 +03:00
bfa3635cd2
Update powershell_accessing_win_api.yml
2020-10-07 14:47:29 +03:00
0fe1850bf4
Update powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:54:48 +11:00
a7442328eb
Create powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:44:05 +11:00
3dafef411f
Delete powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:42:25 +11:00
5c2ef0dd35
Update powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:33:12 +11:00
d7acbb369e
Created powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:22:09 +11:00
0ad9fc61de
Detecting Code injection with PowerShell in another process
2020-10-06 20:52:18 +03:00
c90d99c0f9
Accessing WinAPI in PowerShell
2020-10-06 19:57:57 +03:00
05d2de4c26
- Cleaned up some more rules where 'service: sysmon' was combined with category
...
- Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent
modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
modified: rules/windows/malware/mal_azorult_reg.yml
modified: rules/windows/powershell/powershell_suspicious_profile_create.yml
modified: rules/windows/process_creation/sysmon_cmstp_execution.yml
modified: rules/windows/process_creation/win_apt_chafer_mar18.yml
modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml
modified: rules/windows/process_creation/win_hktl_createminidump.yml
modified: rules/windows/process_creation/win_mal_adwind.yml
modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml
2020-10-02 10:45:29 +02:00
eb6b9be5a2
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
c28fce6273
fix duplication of key "modified" in mapping
2020-08-25 00:53:09 +00:00
c22273d162
fix duplication of key modified in mapping
2020-08-25 00:50:38 +00:00
399f378269
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
ba2e891433
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
2020-08-24 00:01:50 +00:00
de53a08746
Merge branch 'master' of github.com:Neo23x0/sigma
2020-07-15 10:27:33 -04:00
58b68758b4
fix: wrong MITRE ATT&CK ids used in the beta version
2020-07-14 17:53:32 +02:00
04fd598bcf
Update additional rules to have correct logsource attributes
2020-07-13 17:02:17 -04:00
25d978d9bd
Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values
2020-07-11 22:17:06 -04:00
7eb499ad85
Added rule id
2020-07-07 22:54:55 +02:00
360b5714a8
Splitted and improved new rule
2020-07-07 22:47:14 +02:00
0ce5f2cc75
Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483
2020-07-07 22:37:11 +02:00
649e4eaa63
Added new rule for pwsh_xor_cmd
2020-06-29 22:09:58 +02:00
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
1a598282f4
Add 'Add-Content' to powershell_ntfs_ads_access
2020-05-13 11:57:10 +02:00
40539a0c0e
fix incorrect use of action global
2020-05-06 22:53:02 +02:00
4f469c0e39
Adjusted level
2020-04-14 13:37:10 +02:00
1501331f77
Create powershell_create_local_user.yml
...
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
2020-04-11 02:51:05 -06:00
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master
...
New sigma rules to detect new MITRE technique in last update (T1502)
2020-04-03 09:59:36 +02:00
f4928e95bc
Update powershell_suspicious_profile_create.yml
2020-04-03 09:36:17 +02:00
Vasiliy Burov