sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jonhnathan	2c07e88c07	[Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156 )	2024-10-15 23:57:44 +05:30
Jonhnathan	7c78e4081f	[Rule Tuning] min_stack New Rules that use the S1 Integration (#4079 ) * [Rule Tuning] min_stack New Rules that use the S1 Integration * Update execution_windows_powershell_susp_args.toml * Update execution_initial_access_foxmail_exploit.toml	2024-09-16 11:02:46 -03:00
Samirbous	56fc2beb46	[New] Suspicious PowerShell Execution via Windows Scripts (#4060 ) * [New] Suspicious PowerShell Execution via Windows Scripts this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon. * Update execution_powershell_susp_args_via_winscript.toml * Create defense_evasion_script_via_html_app.toml * ++ * Update defense_evasion_script_via_html_app.toml * Update execution_powershell_susp_args_via_winscript.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2024-09-15 19:51:21 +01:00

Author

SHA1

Message

Date

Jonhnathan

2c07e88c07

[Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156 )

2024-10-15 23:57:44 +05:30

Jonhnathan

7c78e4081f

[Rule Tuning] min_stack New Rules that use the S1 Integration (#4079 )

* [Rule Tuning] min_stack New Rules that use the S1 Integration

* Update execution_windows_powershell_susp_args.toml

* Update execution_initial_access_foxmail_exploit.toml

2024-09-16 11:02:46 -03:00

Samirbous

56fc2beb46

[New] Suspicious PowerShell Execution via Windows Scripts (#4060 )

* [New] Suspicious PowerShell Execution via Windows Scripts

this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.

* Update execution_powershell_susp_args_via_winscript.toml

* Create defense_evasion_script_via_html_app.toml

* ++

* Update defense_evasion_script_via_html_app.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

2024-09-15 19:51:21 +01:00

3 Commits