sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jonhnathan	15177246cc	[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462 )	2025-02-17 07:04:34 -03:00
Samirbous	27e8b85840	Update execution_windows_script_from_internet.toml (#4452 )	2025-02-07 14:52:56 +00:00
Samirbous	8f73b88884	[Tuning / New] Execution of a downloaded windows script (#4434 ) * [New] Execution of a downloaded windows script using 8.15 file events with MOTW info we can focus on js/vbs/wsh/vbe/jse/hta downloaded from internet followed by execution * Update defense_evasion_posh_assembly_load.toml * Update execution_powershell_susp_args_via_winscript.toml * Update guides * Update defense_evasion_network_connection_from_windows_binary.toml * Update execution_windows_script_from_internet.toml * Update execution_windows_script_from_internet.toml * Update rules/windows/execution_windows_script_from_internet.toml * Update rules/windows/execution_powershell_susp_args_via_winscript.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/windows/execution_windows_script_from_internet.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update execution_windows_script_from_internet.toml * Create command_and_control_tool_transfer_via_curl.toml * Update command_and_control_tool_transfer_via_curl.toml * Update command_and_control_tool_transfer_via_curl.toml * Update execution_windows_script_from_internet.toml * Create defense_evasion_indirect_exec_forfiles.toml * Update execution_windows_script_from_internet.toml --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2025-02-03 14:33:59 +00:00

Author

SHA1

Message

Date

Jonhnathan

15177246cc

[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462 )

2025-02-17 07:04:34 -03:00

Samirbous

27e8b85840

Update execution_windows_script_from_internet.toml (#4452 )

2025-02-07 14:52:56 +00:00

Samirbous

8f73b88884

[Tuning / New] Execution of a downloaded windows script (#4434 )

* [New] Execution of a downloaded windows script

using 8.15 file events with MOTW info we can focus on js/vbs/wsh/vbe/jse/hta downloaded from internet followed by execution

* Update defense_evasion_posh_assembly_load.toml

* Update execution_powershell_susp_args_via_winscript.toml

* Update guides

* Update defense_evasion_network_connection_from_windows_binary.toml

* Update execution_windows_script_from_internet.toml

* Update execution_windows_script_from_internet.toml

* Update rules/windows/execution_windows_script_from_internet.toml

* Update rules/windows/execution_powershell_susp_args_via_winscript.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/execution_windows_script_from_internet.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update execution_windows_script_from_internet.toml

* Create command_and_control_tool_transfer_via_curl.toml

* Update command_and_control_tool_transfer_via_curl.toml

* Update command_and_control_tool_transfer_via_curl.toml

* Update execution_windows_script_from_internet.toml

* Create defense_evasion_indirect_exec_forfiles.toml

* Update execution_windows_script_from_internet.toml

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

2025-02-03 14:33:59 +00:00

3 Commits