valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8,066 Commits 20 Branches 25 Tags 21 MiB
045e87058b
Commit Graph

850 Commits

Author SHA1 Message Date
frack113
92999468ee
Merge pull request #2012 from frack113/upgrade_test 
Upgrade test_rules.py
 2021-09-11 15:29:19 +02:00
Austin Songer
1ea9aab455
Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:31 -05:00
Austin Songer
9d9a5088bb
Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:24 -05:00
frack113
0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113
ac9ea531ae
Merge pull request #1956 from Cyb3rEng/master 
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
 2021-09-10 10:47:23 +02:00
Cyb3rEng
f4155010ff
Duplicate Rule 
Removed rule as it was duplicated
 2021-09-09 23:09:20 -06:00
Cyb3rEng
4af244b135
Duplicate Rule 
Removed rule as it was duplicated
 2021-09-09 23:08:52 -06:00
Cyb3rEng
361121c402
changed title 
title: Lolbins Process Created With WmiPrvSE
 2021-09-09 21:51:49 -06:00
Cyb3rEng
a3a12375b5
changed title 
title: Lolbins Process Created With Office Application
 2021-09-09 21:51:22 -06:00
Cyb3rEng
6cae20b9b8
Changed title 
changed title
 2021-09-09 21:38:42 -06:00
Cyb3rEng
ca19f43a06
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
 2021-09-09 21:35:21 -06:00
Cyb3rEng
d14c26f5f1
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:33:36 -06:00
Cyb3rEng
ba995ef442
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:32:42 -06:00
Cyb3rEng
f7b8fd571d
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:31:57 -06:00
Cyb3rEng
6a7ac098ed
changed id uuid to v4 
b45e1519-5de5-4dfe-bef6-73bc48c2b983
 2021-09-09 21:31:20 -06:00
Cyb3rEng
7c9be6da32
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:24:05 -06:00
Cyb3rEng
ff08de6d20
Completed Changes based on review 
selection2:
     ParentPrcessName|endswith:
 2021-09-09 21:02:11 -06:00
frack113
d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
frack113
312ffe69e2
Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:28:48 +02:00
Cyb3rEng
b2c44ebd6e
Changed selection1 
completed the following change to selection1 to keep inline with rule creation guideline
- CommandLine|contains: 'wmic '
 2021-09-08 21:27:15 -06:00
Cyb3rEng
fe9b91c504
Completed changes to selection1 
changed to the following to follow rule creation guidelines:
    - Image|endswith: '\wbem\WMIC.exe'
    - ProcessCommandLine|contains: 'wmic '
 2021-09-08 21:26:01 -06:00
Cyb3rEng
851dfeee46
Changed selection2 condition 
changed from "\\wbem\\WmiPrvSE.exe" to "\wbem\WmiPrvSE.exe" to follow rule creation guidelines
 2021-09-08 21:24:18 -06:00
Cyb3rEng
6ddc83901b
Changed Category 
Category Changed from process_creation to file_event
 2021-09-08 20:38:07 -06:00
Cyb3rEng
5ac0fded26
Merge branch 'SigmaHQ:master' into master 2021-09-08 20:26:59 -06:00
frack113
e712d9696b
Merge pull request #2000 from frack113/split_global 
Split frack113 global rules
 2021-09-08 06:26:35 +02:00
Cyb3rEng
e3b376e945
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:26:42 -06:00
Cyb3rEng
4130ceb208
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:25:52 -06:00
Cyb3rEng
8d47f9531b
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:22:01 -06:00
Cyb3rEng
13e6262055
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:20:51 -06:00
Cyb3rEng
8dc1b03fef
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:19:43 -06:00
Cyb3rEng
932b7cf2ba
Merge branch 'SigmaHQ:master' into master 2021-09-07 19:58:09 -06:00
Thomas Patzke
143744bc12 Various fixes 
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
 2021-09-07 23:38:07 +02:00
frack113
0e5e4fa19d Split global rules 2021-09-07 13:30:32 +02:00
frack113
be442182fe convert to LF 2021-09-06 21:10:08 +02:00
frack113
9ef299c4f4 Change to LF 2021-09-06 21:07:49 +02:00
frack113
d02ee1eddd Update global ID 2021-09-02 21:16:55 +02:00
frack113
f90c7558a7 update global id 2021-09-02 21:03:25 +02:00
frack113
086a15fc45 Update global ID 2021-09-02 20:07:03 +02:00
Cyb3rEng
c5507658c0
Updated Rule 
updated title
 2021-08-31 22:13:31 -06:00
Cyb3rEng
785fc98ee3
Updated Rule 
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
 2021-08-31 22:05:10 -06:00
Cyb3rEng
d5f73a8910
Updated Rule 
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
 2021-08-31 22:03:31 -06:00
Cyb3rEng
fa3b882fdc
Updated Rule 
Removed " " from falsepositives section
 2021-08-31 21:58:50 -06:00
Cyb3rEng
c7c49c55d2
Updated Rule 
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
 2021-08-31 21:58:09 -06:00
Cyb3rEng
d5fa226180
Updated Rule 
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
 2021-08-31 21:54:32 -06:00
Cyb3rEng
900f71e6b2
Rule Update Review 
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
 2021-08-31 21:50:44 -06:00
Cyb3rEng
6c9b2a2f37
Add files via upload 2021-08-30 21:48:03 -06:00
frack113
a4021842de Fix invalid tags 2021-08-25 09:15:57 +02:00
frack113
c2302a15da fix cve tags 2021-08-24 10:10:45 +02:00
Max Altgelt
6f05e33feb
fix: Correct incorrect message / keyword usage 
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
 2021-08-12 16:28:07 +02:00
frack113
cf8d8d3ed4 fix TargetFilename case error 2021-08-06 08:43:05 +02:00