commit | author | date | message
39787da128 | Jonhnathan | 2020-10-15 23:19:56 -03:00 | Update proxy_cobalt_ocsp.yml
60b7e1caff | Jonhnathan | 2020-10-15 23:19:39 -03:00 | Update proxy_cobalt_amazon.yml
68d8a903af | Jonhnathan | 2020-10-15 23:16:17 -03:00 | Update proxy_chafer_malware.yml
05e0dd1ae6 | Jonhnathan | 2020-10-15 23:15:23 -03:00 | Update zeek_susp_kerberos_rc4.yml
f04394467b | Jonhnathan | 2020-10-15 23:14:34 -03:00 | Update zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
de29d778a5 | Jonhnathan | 2020-10-15 23:14:15 -03:00 | Update zeek_smb_converted_win_susp_psexec.yml
3e600dab82 | Jonhnathan | 2020-10-15 23:13:47 -03:00 | Update zeek_smb_converted_win_impacket_secretdump.yml
50abab7f11 | Jonhnathan | 2020-10-15 23:13:20 -03:00 | Update zeek_http_executable_download_from_webdav.yml
aeb3218dfb | Jonhnathan | 2020-10-15 23:11:16 -03:00 | Update net_susp_dns_txt_exec_strings.yml
4b8a47e35f | Jonhnathan | 2020-10-15 23:10:57 -03:00 | Update net_susp_dns_b64_queries.yml
28cfda7676 | Jonhnathan | 2020-10-15 23:10:42 -03:00 | Update net_mal_dns_cobaltstrike.yml
3361b62cc2 | Jonhnathan | 2020-10-15 23:09:06 -03:00 | Update lnx_auditd_susp_exe_folders.yml
23358b8db5 | tas_kmanager | 2020-10-15 22:08:45 -04:00 | [OSCD] Always Install Elevated - Slide 50 - Rule 1
    Page 50 from #574 Rule 1
    Look for msiexec spawning command line or powershell
d655ebf092 | Jonhnathan | 2020-10-15 23:08:08 -03:00 | Update lnx_auditd_masquerading_crond.yml
e26e5a1e7e | Jonhnathan | 2020-10-15 23:07:39 -03:00 | Update lnx_auditd_create_account.yml
8fd768aa66 | Jonhnathan | 2020-10-15 23:05:53 -03:00 | Update lnx_susp_ssh.yml
d4284e60f9 | Jonhnathan | 2020-10-15 23:04:16 -03:00 | Update lnx_susp_named.yml
83bad3de98 | Jonhnathan | 2020-10-15 23:03:40 -03:00 | Update lnx_sudo_cve_2019_14287.yml
65c2e5daa4 | tas_kmanager | 2020-10-15 21:59:37 -04:00 | [OSCD] Always Install Elevated
    Page 48 from #574
    Since the slide shows the usage of correlation of events, it was suggested to add the rules to rules-unsupported. Following a suggestion from @yugoslavskiy - https://github.com/Neo23x0/sigma/issues/574#issuecomment-707441823
0ca17e88f6 | Jonhnathan | 2020-10-15 22:55:41 -03:00 | Update lnx_setgid_setuid.yml
68ad66f390 | Jonhnathan | 2020-10-15 22:54:27 -03:00 | Update lnx_proxy_connection.yml
41396636f9 | Jonhnathan | 2020-10-15 22:53:20 -03:00 | Update lnx_file_copy.yml
6185640442 | Jonhnathan | 2020-10-15 22:49:42 -03:00 | Update lnx_clamav.yml
1979906bae | Jonhnathan | 2020-10-15 22:45:33 -03:00 | Revert "Create win_susp_replace_lolbin.yml"
    This reverts commit e6a6549676.
b0ddaf5ac9 | Jonhnathan | 2020-10-15 22:45:30 -03:00 | Revert "Changed the rule to download only and not the copy"
    This reverts commit 1324bc1ad1.
d8a6048492 | Yugoslavskiy Daniil | 2020-10-16 02:05:22 +02:00 | update /macos_create_hidden_account.yml
2332e42e4c | Jonhnathan | 2020-10-15 21:01:23 -03:00 | Update win_susp_copy_lateral_movement.yml
d4603d196b | Jonhnathan | 2020-10-15 21:00:15 -03:00 | Update win_susp_adfind.yml
fc6c727c70 | Jonhnathan | 2020-10-15 20:59:27 -03:00 | Update powershell_malicious_commandlets.yml
1584ddf918 | Jonhnathan | 2020-10-15 20:50:42 -03:00 | Update sysmon_susp_service_installed.yml
f4872118a2 | Jonhnathan | 2020-10-15 20:38:55 -03:00 | Update win_powershell_dll_execution.yml
3566dd1594 | Jonhnathan | 2020-10-15 20:35:50 -03:00 | Fix
44c909a4a4 | Jonhnathan | 2020-10-15 20:33:00 -03:00 | Update win_apt_mustangpanda.yml
5fc348fd45 | Jonhnathan | 2020-10-15 20:32:16 -03:00 | Fix
37ee747dfe | Jonhnathan | 2020-10-15 20:30:52 -03:00 | Update win_apt_chafer_mar18.yml
1fac65dad0 | Jonhnathan | 2020-10-15 20:29:02 -03:00 | Fix
0dfacd1f63 | Jonhnathan | 2020-10-15 20:27:10 -03:00 | Fix
9795c95a9b | Jonhnathan | 2020-10-15 20:25:34 -03:00 | Update av_webshell.yml
345c3c6451 | Jonhnathan | 2020-10-15 20:24:31 -03:00 | Fix
86ade194a4 | Jonhnathan | 2020-10-15 20:22:56 -03:00 | Fix
0666d21b06 | Jonhnathan | 2020-10-15 20:19:06 -03:00 | Update win_dcsync.yml
d7eda3fe7e | Jonhnathan | 2020-10-15 20:15:22 -03:00 | Update sysmon_wmi_susp_scripting.yml
92aaeca075 | Jonhnathan | 2020-10-15 20:14:23 -03:00 | Update sysmon_susp_powershell_rundll32.yml
26b36086c7 | Jonhnathan | 2020-10-15 20:13:39 -03:00 | Update sysmon_cmstp_execution.yml
df81f5180d | Jonhnathan | 2020-10-15 20:12:54 -03:00 | Update sysmon_cactustorch.yml
457217bfc0 | Jonhnathan | 2020-10-15 20:11:52 -03:00 | Update sysmon_win_reg_persistence.yml
229e57777a | Jonhnathan | 2020-10-15 20:11:37 -03:00 | Update sysmon_win_reg_persistence.yml
8a52610bf8 | Jonhnathan | 2020-10-15 20:11:11 -03:00 | Update sysmon_uac_bypass_eventvwr.yml
6ea18efdaf | Jonhnathan | 2020-10-15 20:10:44 -03:00 | Update sysmon_sysinternals_eula_accepted.yml
7dfb8f0e99 | Jonhnathan | 2020-10-15 20:10:21 -03:00 | Update sysmon_suspicious_keyboard_layout_load.yml
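The "[OSCD] Always Install Elevated - Slide 50 - Rule 1" commit in the list above states its detection idea in one line: look for msiexec spawning a command line or PowerShell. The Python below is an added example, not a rule from the Sigma repository and not the committer's code; it applies that parent/child check to constructed Sysmon-style process-creation records. The field names Image and ParentImage follow Sysmon Event ID 1, the sample events are made up for the example, matching is case-insensitive as Sigma string matching is, and pwsh.exe is an assumption added here beyond the two shells the commit names.

```python
"""Added example: 'msiexec spawning a shell' check over constructed
Sysmon-style process-creation events (not a Sigma repository rule)."""
from typing import Iterable, List, Sequence

# Parent that indicates an MSI package is being installed. Under
# AlwaysInstallElevated that install runs as SYSTEM, so a shell spawned
# from it is what the commit tells us to look for.
MSIEXEC_SUFFIX = "\\msiexec.exe"

# Child shells the commit calls out (cmd.exe, powershell.exe).
# pwsh.exe is an assumption added here, not named in the commit.
SHELL_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


def endswith_ci(value: str, suffixes: Sequence[str]) -> bool:
    """Sigma 'endswith' modifier semantics: case-insensitive suffix match."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def is_msiexec_spawning_shell(event: dict) -> bool:
    """True when ParentImage is msiexec.exe and Image is one of the shells."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return endswith_ci(parent, (MSIEXEC_SUFFIX,)) and endswith_ci(image, SHELL_SUFFIXES)


def find_alerts(events: Iterable[dict]) -> List[dict]:
    """Return the events that satisfy the detection, in input order."""
    return [e for e in events if is_msiexec_spawning_shell(e)]


# Constructed sample records (Sysmon Event ID 1 field names); not real logs.
SAMPLE_EVENTS = [
    {   # hit: msiexec custom action drops into cmd.exe
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "cmd.exe /c net user backdoor P@ss123 /add",
    },
    {   # hit: mixed-case path must still match (case-insensitive endswith)
        "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE",
        "ParentImage": "C:\\WINDOWS\\SYSWOW64\\MSIEXEC.EXE",
        "CommandLine": "POWERSHELL.EXE -nop -w hidden -enc SQBFAFgA",
    },
    {   # no hit: an interactive cmd.exe from explorer.exe is normal
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe",
    },
    {   # no hit: msiexec starting another msiexec instance is not a shell
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "msiexec.exe /V",
    },
    {   # no hit: the service control manager launching msiexec itself
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
        "CommandLine": "msiexec.exe /i setup.msi /quiet",
    },
]


def summarize(events: Iterable[dict]) -> List[str]:
    """One line per alert: parent -> child and the child's command line."""
    return [
        f"{e['ParentImage']} -> {e['Image']} :: {e.get('CommandLine', '')}"
        for e in find_alerts(events)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print("ALERT", line)
```

The check is deliberately just the parent/child pair from the commit; whether a given environment needs a filter for known installers that legitimately spawn a shell from a custom action is a tuning decision the page does not settle.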