sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jonhnathan	7004c99ef5	[New Rule] Unusual Process For MSSQL Service Accounts (#3040 ) * [New Rule] Unusual Process For MSSQL Service Accounts * Update initial_access_unusual_process_sql_accounts.toml * Update initial_access_unusual_process_sql_accounts.toml * Update collection_archive_data_zip_imageload.toml * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml * Update initial_access_unusual_process_sql_accounts.toml * Update rules_building_block/initial_access_unusual_process_sql_accounts.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope. * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-08-29 09:10:25 -03:00
Jonhnathan	460919a9d7	[Rule Tuning] Compression DLL Loaded by Unusual Process (#3017 )	2023-08-25 05:08:36 -03:00
Jonhnathan	7949b8a03e	[New Rule] Building Block Rules - Part 1 (#2912 ) * [New Rule] Building Block Rules - Part 1 * Update defense_evasion_powershell_clear_logs_script.toml * Update discovery_posh_generic.toml * . * Apply suggestions from code review Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-07-18 20:01:43 -03:00

Author

SHA1

Message

Date

Jonhnathan

7004c99ef5

[New Rule] Unusual Process For MSSQL Service Accounts (#3040 )

* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added   "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

2023-08-29 09:10:25 -03:00

Jonhnathan

460919a9d7

[Rule Tuning] Compression DLL Loaded by Unusual Process (#3017 )

2023-08-25 05:08:36 -03:00

Jonhnathan

7949b8a03e

[New Rule] Building Block Rules - Part 1 (#2912 )

* [New Rule] Building Block Rules - Part 1

* Update defense_evasion_powershell_clear_logs_script.toml

* Update discovery_posh_generic.toml

* .

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

2023-07-18 20:01:43 -03:00

3 Commits