4aae26cabd
Grouping filters
2021-05-01 21:05:34 +02:00
80dc6aaf59
Add FP and fix filters
2021-05-01 20:54:26 +02:00
10fb216c9a
Bump requests to 2.25
2021-04-30 12:03:27 -04:00
ff50b5b659
Merge pull request #1451 from SigmaHQ/rule-devel
...
Different FP filters
2021-04-30 08:31:02 +02:00
020e6c9e29
fix: FP with Edge and call by ordinal
2021-04-29 18:23:14 +02:00
04709ab9f4
refactor: renamed procdump rule
2021-04-29 17:59:49 +02:00
1bde7b3799
Merge pull request #1445 from blueteam0ps/patch-8
...
Create win_lateral_movement
2021-04-29 14:39:52 +02:00
8af86fa97e
docs: change title and add references
2021-04-29 12:33:10 +02:00
4b86d3f407
Merge pull request #1449 from SigmaHQ/rule-devel
...
Rule devel
2021-04-29 12:28:12 +02:00
f2181e6779
Merge pull request #1448 from refractionPOINT/linux-platforms
...
Add support for macOS rules and fix case sensitivity.
2021-04-29 12:28:01 +02:00
3e5f7aeb5e
rule: PowerShell Cmdlet Defender Exclusions
2021-04-29 09:56:26 +02:00
11982abec0
Add support for macOS rules and fix case sensitivity.
2021-04-28 16:49:59 -07:00
6420224c1c
Merge pull request #1447 from secDre4mer/master
...
chore: Revert log file changes for THOR sigma configuration
2021-04-28 19:26:44 +02:00
7c8cca744f
chore: Revert log file changes for THOR sigma configuration
...
Revert recent changes for Windows / Linux .log files for THOR
because of massive performance impacts.
2021-04-28 17:48:17 +02:00
544994dba1
Merge pull request #1446 from secDre4mer/master
...
fix: Distinguish Windows and Linux logfiles by path separator
2021-04-28 13:26:32 +02:00
161180c357
refactor: extended shellshock rule
2021-04-28 11:47:24 +02:00
47504fbd56
fix: shellshock expression
2021-04-28 11:46:49 +02:00
de2cedf213
fix: Distinguish Windows and Linux logfiles by path separator
...
A previous commit added a log source detailing *.log files with
product: linux. This caused linux specific Sigma rules to apply to
all *.log file, including those on Windows. To distinguish these
cases, expand the file path pattern to include the typical start
for unix / windows paths ( / vs [A-Z]:\ )
2021-04-28 11:45:19 +02:00
59d23535ce
Update win_lateral_movement.yml
2021-04-27 23:03:03 +10:00
793504dd6b
Rename win_lateral_movement to win_lateral_movement.yml
2021-04-27 22:59:52 +10:00
f75ad98903
Create win_lateral_movement
...
EID 4674 with the proposed attributes is very rare in prod environment.
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
2021-04-27 22:55:58 +10:00
9166167447
Merge pull request #1433 from d4rk-d4nph3/master
...
Added rule for Lazarus activity of Apr 2021
2021-04-26 20:34:51 +02:00
3008e5b9e7
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy
...
Fix typo on CommandLine field
2021-04-26 20:33:56 +02:00
194b0af4d2
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas
...
Fix typo on CommandLine field
2021-04-26 20:33:45 +02:00
65294d97c4
Update win_scm_database_handle_failure.yml
...
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43
Query should match where SubjectLogonID != "0x3e4"
2021-04-26 11:28:16 -07:00
8efa10465e
Update win_scm_database_privileged_operation.yml
...
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43
Query should match where SubjectLogonID != "0x3e4"
2021-04-26 11:25:16 -07:00
6d2acb1660
Merge pull request #1441 from SigmaHQ/rule-devel
...
feat: generic registry events compatible with native audit logging
2021-04-26 10:24:44 +02:00
d24f0b8988
feat: generic registry events compatible with native audit logging
2021-04-26 09:31:36 +02:00
66d0f910dd
feat: windows native events - registry_event
2021-04-25 22:35:23 +02:00
9a14557136
Merge pull request #1437 from SigmaHQ/rule-devel
...
feat: generic categories, thor config, revert splunk config
2021-04-25 21:54:17 +02:00
08234c4620
Revert "fix: splunk for windows config errors"
...
This reverts commit 13347df263
2021-04-25 21:52:29 +02:00
748005fc14
Fix typo on CommandLine field
2021-04-25 15:52:59 +02:00
c580db166c
Fix typo on CommandLine field
2021-04-25 15:50:44 +02:00
d766c12888
feat: generic categories - thor config
2021-04-23 17:47:09 +02:00
1ff5e226ad
Merge pull request #1436 from SigmaHQ/rule-devel
...
Rule devel
2021-04-23 17:33:07 +02:00
f2fa8dd956
rules: CobaltStrike named pipes
2021-04-23 17:16:09 +02:00
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master
...
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
a29ac79a3f
refactor: extended comsvcs.dll MiniDump rule
2021-04-23 16:46:04 +02:00
6f12a1b099
docs: FPs and changed level
2021-04-23 16:45:52 +02:00
1333a95c51
rule: get-process lsass
2021-04-23 16:44:53 +02:00
5aed7c80db
Merge pull request #1435 from SigmaHQ/rule-devel
...
fix: FPs with certutil command and McAfee Chromium Container
2021-04-23 14:55:31 +02:00
85582c540e
docs: changed modification date
2021-04-23 14:55:04 +02:00
ce03ca9485
fix: Jitter keyword prone to FPs
2021-04-23 14:54:32 +02:00
6256261d0e
fix: FPs with Certutil and McAfee Chromium Container
2021-04-23 12:49:16 +02:00
886079ce8f
Merge pull request #1434 from phantinuss/master
...
THOR: search generic *.log files for product: linux
2021-04-23 12:35:24 +02:00
95fa99b4a3
search generic log files for product: linux
2021-04-23 12:00:48 +02:00
6d1b9f36e8
feat: thor config - process all *.log files
2021-04-23 10:31:07 +02:00
64f5af4c45
Merge pull request #1432 from SigmaHQ/rule-devel
...
fix: splunk windows config, additional rule
2021-04-23 10:30:44 +02:00
d5e88d369c
fix: fixed rule title
2021-04-23 09:51:31 +02:00
13347df263
fix: splunk for windows config errors
2021-04-23 09:50:13 +02:00
SomeOne