valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,814 Commits 20 Branches 25 Tags 21 MiB
0460536444
Commit Graph

6814 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Sittikorn S
0506e10697
Create sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 22:09:07 +07:00
thegoatreich
d14e0f1aaa
add logrhythm lucene backend 
Copied and modded the es-qs backend for logrhythm's lucene syntax.
 2021-07-16 13:02:05 +01:00
thegoatreich
f0f1653e42
config file for logrhythm support 
a config file and field mappings Windows event logs for LogRhythm using Lucene. 
This uses a custom backend which is mostly based on the es-qs backend.
 2021-07-16 07:54:02 -04:00
Tran Trung Hieu
8effde4e1d More suspicious flag fot bitsadmin execution 2021-07-16 16:40:00 +07:00
Tran Trung Hieu
1cb631017a Suspicious behaviours related to SOURGUM 2021-07-16 14:13:48 +07:00
Bhabesh Rai
be8fce8e82 Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45
frack113
9a7f3036e4 update ref in win_manage-bde_lolbas.yml 2021-07-16 08:34:30 +02:00
frack113
d6dc217c6d Add process_creation_syncappvpublishingserver_vbs_execute_powershell.yml 2021-07-16 08:28:25 +02:00
Florian Roth
e2e28e68e1
Merge pull request #1697 from frack113/small_fix 
fix missing references and duplicate UUID
 2021-07-15 12:47:06 +02:00
Florian Roth
021f211c14 fix: FP with WCE and Windows Cluster Service 2021-07-15 12:09:28 +02:00
frack113
c6cb7f1247 fix missing references and duplicate UUID 2021-07-15 11:06:54 +02:00
Florian Roth
e40b859254
Merge pull request #1695 from frack113/fix_re 
escape / in regex
 2021-07-15 09:25:58 +02:00
Florian Roth
680e01d309
Merge pull request #1686 from leegengyu/patch-12 
Update winlogbeat-modules-enabled.yml
 2021-07-15 08:37:09 +02:00
Florian Roth
abb8df887a
Merge pull request #1690 from WuerthIT/patch_rule 
update rule: powershell_accessing_win_api.yml
 2021-07-15 08:36:38 +02:00
Florian Roth
f3d24e27c2
Merge pull request #1694 from leegengyu/patch-13 
Update win_remote_powershell_session_process.yml
 2021-07-15 08:36:12 +02:00
Florian Roth
2055da991f
Merge pull request #1691 from SigmaHQ/rule-devel 
Rules: scripts from Temp folders, reg disable sec services
 2021-07-15 08:35:54 +02:00
frack113
0ef3dc2082 escape / in regex 2021-07-15 08:13:49 +02:00
G Y
8bbea58786
Update win_remote_powershell_session_process.yml 
Updated TTP and formatting.
 2021-07-15 11:20:25 +08:00
Florian Roth
e516aecc74 fix: error in selector 2021-07-14 15:58:55 +02:00
Florian Roth
530e04faec rule: Script Execution from Temp Folder 2021-07-14 15:52:52 +02:00
Florian Roth
0d794357e8 rule: reg disable security services 2021-07-14 15:52:35 +02:00
k-vdv
12b172039f fixed some typos and adjusted capitalization to original 2021-07-14 15:47:17 +02:00
Florian Roth
3ff4e99d44
Merge pull request #1688 from SigmaHQ/rule-devel 
refactor: improved Raccine uninstall rule
 2021-07-14 09:57:08 +02:00
Florian Roth
04370c7e91 refactor: improved Raccine uninstall rule 2021-07-14 09:56:35 +02:00
Florian Roth
1ec9473472
Merge pull request #1687 from SigmaHQ/rule-devel 
Rule adjustments and new Serv-U exploitation rules
 2021-07-14 08:59:33 +02:00
Florian Roth
5e2e6c9b72 Merge branch 'config-adjustments' into rule-devel 2021-07-14 08:35:47 +02:00
Florian Roth
e0f166aba2 rule: Serv-U exploitation 
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 2021-07-14 08:35:25 +02:00
Florian Roth
85d47aeabc
Merge pull request #1678 from frack113/redcanary_t1228 
Some Redcanary T1228
 2021-07-14 08:18:52 +02:00
Florian Roth
9fce0fb42d
Merge pull request #1680 from phantinuss/master 
medium level Rule for Windows Defender Exclusions
 2021-07-14 08:18:39 +02:00
Florian Roth
3faef2d94a
Merge pull request #1681 from frack113/redcanary_t1228_v2 
Redcanary t1228 end
 2021-07-14 08:18:23 +02:00
Florian Roth
f8afbf62aa
Merge pull request #1682 from w0rk3r/master 
Remove Field Value Wildcard in ALA Backend
 2021-07-14 08:18:08 +02:00
G Y
aacb5f767c
Update winlogbeat-modules-enabled.yml 
Update mapping for EventID and TargetObject.
 2021-07-14 11:01:45 +08:00
Jonhnathan
f6e7fc446f Remove Wildcard 2021-07-13 11:21:12 -03:00
frack113
8b14dc6c99 fix [colons] too many spaces after colon 2021-07-13 14:42:47 +02:00
frack113
c00dd0bf65 add win_susp_athremotefxvgpudisablementcommand.yml 2021-07-13 14:29:00 +02:00
frack113
6d1e8268ba update win_workflow_compiler.yml 2021-07-13 13:55:27 +02:00
phantinuss
bf9b82fc45
medium level rule for Windows Defender Exclusions 2021-07-13 13:16:25 +02:00
frack113
6b9466ec20 Add process_creation_protocolhandler_suspicious_file.yml 2021-07-13 12:19:07 +02:00
frack113
33832acf5b fix Error: [colons] too many spaces before colon 2021-07-13 10:09:52 +02:00
frack113
c2d9b05191 Add process_creation_infdefaultinstall.yml 2021-07-13 09:56:34 +02:00
frack113
fd377fe163 update process_creation_syncappvpublishingserver_execute_arbitrary_powershell 2021-07-13 09:45:46 +02:00
Thomas Patzke
82b8b6890f
Merge pull request #1663 from heyibrahimkhan/patch-4 
Create ala-azure-ad_auditlogs.yml
 2021-07-12 23:37:55 +02:00
Thomas Patzke
294a405481
Merge pull request #1662 from heyibrahimkhan/patch-3 
Create ala-azure-activitylogs.yml
 2021-07-12 23:37:46 +02:00
Thomas Patzke
98165cdd09
Merge pull request #1661 from heyibrahimkhan/patch-2 
Create ecs-azure-ad_auditlogs.yml
 2021-07-12 23:37:37 +02:00
Thomas Patzke
a73c371c66
Merge pull request #1672 from mf1d3l:splunkdm_backend 
SplunkDM Backend: Splunk datamodels accelerated searches support
 2021-07-12 23:05:51 +02:00
Florian Roth
3761cd1b34
Merge pull request #1660 from heyibrahimkhan/patch-1 
Create ecs-azure-activitylogs.yml
 2021-07-12 17:42:49 +02:00
frack113
82f666c5da add process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml 2021-07-12 16:17:40 +02:00
frack113
d6a86a3fa0 add T1218 sysmon_creation_mavinject_dll.yml 2021-07-12 16:08:18 +02:00
Florian Roth
730e9eb883
Merge pull request #1667 from leegengyu/patch-10 
Update winlogbeat-modules-enabled.yml - Imphash Field
 2021-07-12 15:37:33 +02:00
Florian Roth
ac7270ff32
Merge pull request #1669 from leegengyu/patch-11 
Update winlogbeat.yml - Imphash Field
 2021-07-12 15:37:00 +02:00