valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
984 Commits 20 Branches 25 Tags 21 MiB
040ba0338d
Commit Graph

984 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
yt0ng
6a014a3dc8
MSHTA spwaned by SVCHOST as seen in LethalHTA 
"Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."
 2018-07-06 19:52:58 +02:00
Florian Roth
ed470feb21
Merge pull request #99 from yt0ng/master 
Detects ImageLoad by uncommon Image
 2018-07-06 10:11:02 -06:00
yt0ng
b21afc3bc8
user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
yt0ng
f84c33d005
Known powershell scripts names for exploitation 
Detects the creation of known powershell scripts for exploitation
 2018-07-04 17:24:18 +02:00
Florian Roth
7867838540 fix: typo in rule description 2018-07-03 05:05:44 -06:00
Florian Roth
e7465d299f fix: false positive with MsMpEng.exe and svchost.exe as child process 2018-07-03 05:05:44 -06:00
Thomas Patzke
0cdfc776de Sigma tools release 0.5 2018-07-03 00:07:43 +02:00
Thomas Patzke
3e40a48ce1 Merge branch 'SaltyHash123-master' 2018-07-02 23:31:43 +02:00
Thomas Patzke
0bacba05aa Added backend 'splunkxml' to CI tests 2018-07-02 23:20:02 +02:00
Thomas Patzke
67158ba1d2 Merge branch 'master' of https://github.com/SaltyHash123/sigma into SaltyHash123-master 2018-07-02 23:14:04 +02:00
yt0ng
42941ee105
Detects ImageLoad by uncommon Image 
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
 2018-07-01 15:47:17 +02:00
Florian Roth
48582a1c93 Bugfix in Flash Downloader Rule 2018-06-30 23:39:38 +02:00
Florian Roth
2a74a62c67 Config file for SPARK scanner 2018-06-29 16:42:16 +02:00
Florian Roth
c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth
c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth
fa98595ad6
Added SPARK Sigma rule scan feature to list 2018-06-28 16:28:07 +02:00
Florian Roth
9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
Florian Roth
336f4c83e0
Merge pull request #97 from scherma/patch-1 
False positive circumstance
 2018-06-27 23:18:56 +02:00
scherma
19ba5df207
False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth
86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth
a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth
9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth
fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Thomas Patzke
c3d582bc13 Cleanup 2018-06-26 23:37:21 +02:00
Florian Roth
5843fe2590
Update README.md 2018-06-25 18:59:36 +02:00
Florian Roth
467b8c80f4
Update README.md 2018-06-25 18:58:05 +02:00
Florian Roth
2ae57166ac
Updated README 2018-06-25 18:29:02 +02:00
Florian Roth
3283c52c0f
Added WDATP in the list of supported backends 2018-06-25 18:09:21 +02:00
Florian Roth
f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth
1a1011b0ad
Merge pull request #96 from yt0ng/master 
Detects the creation of a schtask via PowerSploit Default Configuration
 2018-06-23 17:15:14 +02:00
yt0ng
c59d0c7dca
Added additional options 2018-06-23 15:54:31 +02:00
yt0ng
cc3fd9f5d0
Detects the creation of a schtask via PowerSploit Default Configuration 
8690399ef7/Persistence/Persistence.psm1
 2018-06-23 15:45:58 +02:00
Roey
14464f8c79 Added support of splunk dashboards (xml) 2018-06-22 14:17:58 +02:00
Florian Roth
28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke
7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke
d8e036f737 sigmac: Parameter for ignoring "not supported" errors 
Used to pass tests with complete rule set that would fail for backends
which target systems don't support required features.
 2018-06-22 00:23:59 +02:00
Thomas Patzke
31727b3b25 Added Windows Defender ATP backend 
Missing:
* Aggregations
 2018-06-22 00:03:10 +02:00
Thomas Patzke
df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Thomas Patzke
e72c0d5de4 SingleTextQueryBackend ignores empty components in composed queries 
Example: one component of a AND-composition is ignored if invoked
generate* call returns None.
 2018-06-21 23:59:41 +02:00
Thomas Patzke
d8a7bcad39 Reordered rule generation 
Generation of query parts before and after main query gives access to
information possibly gathered while main query generation.
 2018-06-21 23:50:13 +02:00
Florian Roth
b05856eae1 Rule: Update suspicious TLD downloads 2018-06-13 00:08:46 +02:00
Florian Roth
3d52030391 Changed help text for -r flag 2018-06-13 00:08:46 +02:00
Florian Roth
946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth
7edd95744a Windows NTLM 2018-06-13 00:08:46 +02:00
Florian Roth
e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth
c9658074dd Removed "not yet implemented" comment from -r flag 2018-06-13 00:08:46 +02:00
Florian Roth
df2745ec6c
Merge pull request #92 from yt0ng/patch-2 
Update proxy_ua_apt.yml
 2018-06-10 10:29:16 +02:00
Florian Roth
f6f718c54f
Cosmetics 2018-06-10 10:28:59 +02:00
yt0ng
3166bf5b05
Update proxy_ua_apt.yml 
user Agent seen in https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
 2018-06-10 10:17:02 +02:00
Thomas Patzke
dbc25b6bfa Integrated Qualys backend to CI testing 2018-06-07 23:33:47 +02:00