Merge pull request #1974 from frack113/tags_pack2

Add missing Tags
frack113 2021-09-03 19:13:32 +02:00 committed by GitHub
commit 6780182c37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 37 additions and 2 deletions

@ -15,3 +15,6 @@ detection:
falsepositives:
- unknown
level: high
tags:
- attack.command_and_control
- attack.t1219

@ -17,4 +17,7 @@ detection:
condition: selection
falsepositives:
- unlikely
level: high
level: high
tags:
- attack.execution
- attack.t1059
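Review bot: `level: high` appears twice in this hunk with no visible difference, and the header counts (4 old lines, 7 new) fit the same line being removed and re-added, which usually means a whitespace or end-of-file newline change. Please confirm the resulting rule carries exactly one `level` key, and mention the incidental change in the commit message, since the stated purpose is only "Add missing Tags".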

@ -20,3 +20,6 @@ detection:
falsepositives:
- unlikely
level: high
tags:
- attack.execution
- attack.t1059
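Review bot: `attack.t1059` is the parent technique (Command and Scripting Interpreter), which is broad for a rule rated `level: high` with false positives listed as `unlikely`. If the detection section matches one specific interpreter, tag the matching sub-technique in the `attack.t1059.00x` form so coverage mapping per sub-technique stays accurate; if it really spans several interpreters, the parent tag is fine as it stands.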

@ -23,3 +23,6 @@ detection:
falsepositives:
- Some rare backup scenarios
level: medium
tags:
- attack.impact
- attack.t1490

@ -21,3 +21,6 @@ fields:
falsepositives:
- Unlikely
level: critical
tags:
- attack.impact
- attack.t1490

@ -17,3 +17,6 @@ detection:
falsepositives:
- Some rare backup scenarios
level: medium
tags:
- attack.impact
- attack.t1490

@ -20,3 +20,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1055
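Review bot: the tactic tag next to `attack.t1055` is incomplete. ATT&CK lists Process Injection under both Defense Evasion and Privilege Escalation, and only `attack.defense_evasion` is added here. Suggest adding `attack.privilege_escalation` as well, unless the rule's detection logic only makes sense in the evasion context, in which case a short note in the rule description would help.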

@ -21,3 +21,6 @@ detection:
falsepositives:
- Legitimate use by administrative staff
level: high
tags:
- attack.initial_access
- attack.t1133
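Review bot: `attack.t1133` (External Remote Services) is mapped in ATT&CK to Persistence as well as Initial Access, and only `attack.initial_access` is tagged. Given the listed false positive, "Legitimate use by administrative staff", the rule will fire on established, recurring access too, so `attack.persistence` looks like a reasonable second tactic tag to add.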

@ -24,3 +24,6 @@ fields:
falsepositives:
- Administrative scripts
level: medium
tags:
- attack.defense_evasion
- attack.t1055

@ -29,3 +29,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.persistence
- attack.t1547.001

@ -25,4 +25,6 @@ detection:
falsepositives:
- "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium
tags:
- attack.resource_development
- attack.t1588.002
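Review bot: the `attack.t1588.002` tag (Obtain Capabilities: Tool, under Resource Development) does not obviously match what this rule detects. The false-positive text refers to users who "actually use the selected keyboard layouts", which points to a host-side observation about keyboard layout configuration rather than an adversary acquiring a tool. Please state in the rule description why this mapping was chosen, or pick a technique that describes the observed behaviour. Separately, the header shows 4 old lines against 6 new, so one line was removed here; worth checking that it was only trailing whitespace.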

@ -11,6 +11,9 @@ falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
level: low
tags:
- attack.resource_development
- attack.t1588.002
---
logsource:
product: windows
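Review bot: the new `tags:` block sits above the `---` document separator, so it lands in the first YAML document of a multi-document rule file. If that first document is the collection's shared section, both tags will apply to every rule that follows in the file; please confirm that `attack.resource_development` and `attack.t1588.002` are intended for all of them, including the ones whose false positives are "Programs that use the same Registry Key" rather than SysInternals tools themselves.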