 phantinuss
|
eb4ef6bcfc
|
fix: single list item to value
|
2021-10-27 11:16:12 +02:00 |
|
|
phantinuss
|
3983baf2b0
|
windows commandline obfuscation
|
2021-10-26 16:35:06 +02:00 |
|
|
frack113
|
b4d5b44ea8
|
Merge pull request #2180 from 0xThiebaut/workfolders
Add LOLBin rule win_susp_workfolders
|
2021-10-21 19:11:08 +02:00 |
|
|
frack113
|
8595478b36
|
Merge pull request #2149 from OTRF/feature/Sysmon-For-Linux-Rules
OTR - Migrating rules to Sysmon for Linux schema :)
|
2021-10-21 19:10:32 +02:00 |
|
|
frack113
|
963f32063f
|
Merge pull request #2148 from SigmaHQ/rule-devel
First Linux Process Creation and Network Connection rules (Sysmon for Linux)
|
2021-10-21 19:10:08 +02:00 |
|
|
frack113
|
217ac5c9a3
|
Merge pull request #2170 from frack113/redcanary_T1564_003
add rule powershell_suspicious_windowstyle
|
2021-10-21 18:07:48 +02:00 |
|
|
frack113
|
39fac24ee6
|
Merge pull request #2169 from frack113/ExecutionPolicy_Unrestricted
Add rule powershell_set_policies_to_unsecure_level
|
2021-10-21 18:07:26 +02:00 |
|
|
frack113
|
ab58db3545
|
Merge pull request #2177 from V1D1AN/V1D1AN-ecs-auditbeat
Modify event.provider to event.module
|
2021-10-21 15:52:29 +02:00 |
|
|
Maxime THIEBAUT
|
9c25c89dbb
|
Add LOLBin rule win_susp_workfolders
|
2021-10-21 11:43:27 +02:00 |
|
|
Florian Roth
|
1c51b3d0a9
|
Merge pull request #2174 from frack113/fix_sysmon_cred_dump_lsass_access
fix sysmon_cred_dump_lsass_access
|
2021-10-21 08:41:19 +02:00 |
|
|
V1D1AN
|
a47645a084
|
Modify event.provider to event.module
|
2021-10-21 08:34:41 +02:00 |
|
|
frack113
|
a074b11264
|
Merge pull request #2166 from securepeacock/patch-2
Create registry_event_mal_netwire.yml
|
2021-10-21 06:39:13 +02:00 |
|
|
frack113
|
1da5199a49
|
Merge pull request #2165 from phantinuss/master
feat: mstsc history cleared
|
2021-10-21 06:38:44 +02:00 |
|
|
frack113
|
216b2d65d9
|
fix SourceImage
|
2021-10-20 19:45:38 +02:00 |
|
|
frack113
|
20e760733a
|
Merge pull request #2171 from StefanGrimminck/add-mitre-mapping
add MITRE technique mapping
|
2021-10-20 17:08:53 +02:00 |
|
|
frack113
|
f45450a7dc
|
Merge pull request #2173 from al3t/patch-1
Update winlogbeat-modules-enabled.yml
|
2021-10-20 17:08:24 +02:00 |
|
|
al3t
|
7500346ce7
|
Update winlogbeat-modules-enabled.yml
updating field mapping
|
2021-10-20 17:06:55 +03:00 |
|
|
Stefan Grimminck
|
47502e6701
|
add MITRE technique mapping
|
2021-10-20 14:29:57 +02:00 |
|
|
frack113
|
a9bc26f37c
|
add powershell_suspicious_windowstyle
|
2021-10-20 13:57:24 +02:00 |
|
|
frack113
|
f9efc127de
|
add powershell_set_policies_to_unsecure_level
|
2021-10-20 12:58:43 +02:00 |
|
|
frack113
|
90bcc61ce3
|
Merge pull request #2152 from frack113/sysmon_linux
move lnx_system_network_discovery.yml
|
2021-10-20 06:32:32 +02:00 |
|
|
securepeacock
|
8f4a0cf4d6
|
Update registry_event_mal_netwire.yml
|
2021-10-19 18:23:42 -04:00 |
|
|
securepeacock
|
ff439099bc
|
Create registry_event_mal_netwire.yml
|
2021-10-19 18:20:23 -04:00 |
|
|
phantinuss
|
75193321f8
|
feat: mstsc history cleared
|
2021-10-19 18:30:02 +02:00 |
|
|
frack113
|
66a37298a7
|
Merge pull request #2158 from frack113/powershell_optimize
Powershell deals with the last 4 rules in powershell directory
|
2021-10-19 14:24:34 +02:00 |
|
|
frack113
|
f61127f04e
|
Merge pull request #2157 from frack113/update_wmic_uninstall
win_susp_wmic_security_product_uninstall update product list
|
2021-10-19 14:24:09 +02:00 |
|
|
frack113
|
57cdfd2612
|
Merge pull request #2155 from hieuttmmo/master
Create new rule for detecting Microsfot Defender Tampering via Registry
|
2021-10-19 14:23:50 +02:00 |
|
|
Florian Roth
|
270adfa251
|
Merge pull request #2159 from phantinuss/fp-tuning
FP tuning when CommandLine logging is not activated for 4688 events
|
2021-10-19 14:20:20 +02:00 |
|
|
Florian Roth
|
ecbb5289e9
|
Merge pull request #2163 from Karneades/patch-1
Fix MITRE tag in COM hijacking rule
|
2021-10-19 14:19:06 +02:00 |
|
|
Andreas Hunkeler
|
a63cc967fe
|
Fix MITRE tag in COM hijacking rule
|
2021-10-19 13:51:25 +02:00 |
|
|
phantinuss
|
deecced962
|
fix: FP tuning when CommandLine logging is not activated for 4688 events
|
2021-10-19 13:37:28 +02:00 |
|
|
Florian Roth
|
2984d7d248
|
Merge pull request #2161 from WojciechLesicki/master
Description changes acording to merge in sysmon config
|
2021-10-18 23:13:00 +02:00 |
|
|
WojciechLesicki
|
6c86500414
|
Description changes acording to https://github.com/SwiftOnSecurity/sysmon-config/pull/151
|
2021-10-18 21:34:05 +02:00 |
|
|
frack113
|
faa407dacc
|
cleanup list
|
2021-10-18 14:52:35 +02:00 |
|
|
frack113
|
0e1c156ddf
|
fix related
|
2021-10-18 14:26:06 +02:00 |
|
|
frack113
|
d866b10590
|
add ps_script verison
|
2021-10-18 14:13:29 +02:00 |
|
|
frack113
|
19da3ac07f
|
add ps_module version
|
2021-10-18 14:12:52 +02:00 |
|
|
frack113
|
278c01c59f
|
move to deprecated
|
2021-10-18 14:12:10 +02:00 |
|
|
frack113
|
40e8dc506a
|
update product list
|
2021-10-18 11:19:18 +02:00 |
|
|
Tran Trung Hieu
|
ccf6c8df38
|
Create new rule for detecting Microsfot Defender Tampering via Registry
|
2021-10-18 10:07:44 +04:00 |
|
|
Florian Roth
|
6cca98704a
|
Merge pull request #2154 from wagga40/master
Fix a missing var reset in SQLite backend
|
2021-10-17 17:24:40 +02:00 |
|
|
Wagga
|
17d78a5c4c
|
Fix a missing var reset in SQLite backend
|
2021-10-17 16:21:59 +02:00 |
|
|
frack113
|
a8a0d546f3
|
Merge pull request #2113 from austinsonger/process_creation_lolbins_suspicious_driver_install_by_pnputil.yml
process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
|
2021-10-17 08:10:18 +01:00 |
|
|
frack113
|
5756888b1b
|
adds the alternative options
|
2021-10-17 08:33:32 +02:00 |
|
|
frack113
|
e5b3a1cc14
|
Merge pull request #2151 from frack113/ps_category
Powershell category
|
2021-10-17 07:15:31 +01:00 |
|
|
frack113
|
ca4e32c00f
|
Merge pull request #2153 from frack113/fix_yml
fix tools/config/splunk-windows.yml
|
2021-10-17 07:14:53 +01:00 |
|
|
frack113
|
7fc6532665
|
fix yml
|
2021-10-16 22:49:20 +02:00 |
|
|
Thomas Patzke
|
76c02a14b2
|
Merge pull request #1558 from maketsi/splunk-search-ext
Added ability to define free-text searches in the logsource mapping
|
2021-10-16 20:49:14 +02:00 |
|
|
Thomas Patzke
|
9d8828a0ed
|
Merge pull request #1696 from denny-lclin/lclin/fix-ada-wildcard
Fix [ALA] Convesion of wildcard not as expected for ada backend #1689
|
2021-10-16 20:46:23 +02:00 |
|
|
Thomas Patzke
|
f3c01a3f65
|
Merge pull request #1948 from zazzzSec/fix_cb_paths
fixing cb path wildcards that don't work
|
2021-10-16 20:44:14 +02:00 |
|