Merge pull request #695 from cobsec/master

Date typos
Florian Roth 2020-04-02 10:20:18 +02:00 committed by GitHub
commit 1196f8d60f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 8 additions and 8 deletions

View File

@ -2,8 +2,8 @@ title: MSHTA Suspicious Execution 01
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: experimental
description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
date: 22/02/2019
modified: 22/02/2019
date: 2019/02/22
modified: 2019/02/22
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
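Review bot: the rewrite of `22/02/2019` to `2019/02/22` is unambiguous here because 22 cannot be a month, and applying the same conversion to `modified` on the next line is right since both fields in this file used the same day-first layout. Note for the PR description: this is one of three different wrong layouts fixed in this set (day-first here, month-first in the two `David Burkett` rules, year/day/month in the `2018/25/08` rule), so the fix is not a single mechanical substitution and each file's layout had to be inferred from the value; it would help later readers to state that inference explicitly in the commit message rather than just "Date typos".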

View File

@ -5,7 +5,7 @@ description: Trickbot enumerates domain/network topology and executes certain co
references:
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
author: David Burkett
date: 12/28/2019
date: 2019/12/28
tags:
- attack.t1482
logsource:
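Review bot: `12/28/2019` was a US month-first value, so converting it to `2019/12/28` is safe only because 28 cannot be a month. A value where both fields are 12 or lower (for example `03/04/2019`) cannot be disambiguated from the string alone, and the reviewer should confirm the intended date against the file's creation commit (`git log --diff-filter=A --follow -- <rule file>`) before rewriting it. Worth stating in the PR which layout each file used, since this PR mixes day-first, month-first and year/day/month sources.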

View File

@ -5,7 +5,7 @@ description: It is extremely abnormal for svchost.exe to spawn without any CLI a
references:
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
author: David Burkett
date: 12/28/2019
date: 2019/12/28
tags:
- attack.t1055
logsource:

View File

@ -6,7 +6,7 @@ description: Detects the access to processes by other suspicious processes which
few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 27/10/2019
date: 2019/10/27
author: Perez Diego (@darkquassar), oscd.community
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/

View File

@ -4,7 +4,7 @@ status: experimental
description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
transfer it over the network back to the attacker's machine.
date: 27/10/2019
date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
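Review bot: `modified: 2019/11/13` two lines below the changed line was already in the canonical `YYYY/MM/DD` form while `date` was not, so this rule was internally inconsistent; that is exactly the kind of mismatch that only an automated format check on both `date` and `modified` will catch reliably. While touching this file's metadata, the context line `some attacker tradecract use this` has a typo (`tradecraft`), and `lsass.exe` and `Lsass.exe` in the same sentence could be made consistent in the same commit.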

View File

@ -8,7 +8,7 @@ author: Florian Roth, Markus Neis
tags:
- attack.persistence
- attack.t1060
date: 2018/25/08
date: 2018/08/25
modified: 2020/02/26
logsource:
product: windows
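Review bot: `2018/25/08` is the only year-first error in this set, and it would pass a naive check that only requires four leading digits or matches `^\d{4}/\d{2}/\d{2}$`; any lint added after this PR should validate the whole value, for example by parsing `date` and `modified` with `datetime.strptime(value, '%Y/%m/%d')`, which rejects a month of 25. The conversion to `2018/08/25` itself is unambiguous because 25 cannot be a month, and `modified: 2020/02/26` on the next line shows the rule was later edited with the correct format, so this was a creation-time typo rather than a systematic one.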

View File

@ -6,7 +6,7 @@ description: Offensive tradecraft is switching away from using APIs like "Create
notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 27/10/2019
date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
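Review bot: as in the previous `@darkquassar` rule, `modified: 2019/11/13` was already correct while `date: 27/10/2019` was not, so the rules in this batch were evidently created with one date layout and updated with another; the format check should therefore cover both fields, not just `date`. Separately, the `notes:` key in the context lines is, as far as I know, not one of the top-level fields in the Sigma rule specification; the sentence about `MonitoringHost.exe` loading the .NET CLR by default reads like rule rationale and would fit in `description` (or in `falsepositives` if it is meant as tuning guidance), so consider folding it in rather than keeping a non-standard key that converters will silently ignore.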