yugoslavskiy
34e64a6570
Update win_susp_codepage_switch.yml
2020-11-28 12:42:27 +01:00
yugoslavskiy
5278fcd476
Update win_susp_cmd_http_appdata.yml
2020-11-28 12:34:28 +01:00
yugoslavskiy
fd102c1b5f
Update win_susp_certutil_encode.yml
2020-11-28 12:31:40 +01:00
yugoslavskiy
68365f29c2
Update win_susp_certutil_command.yml
2020-11-28 12:29:30 +01:00
yugoslavskiy
c9596d7e30
Update win_susp_adfind.yml
2020-11-28 12:11:53 +01:00
yugoslavskiy
331a177f69
Update win_proc_wrong_parent.yml
2020-11-28 12:10:37 +01:00
yugoslavskiy
dbb054777a
Update win_plugx_susp_exe_locations.yml
2020-11-28 12:02:16 +01:00
yugoslavskiy
0fdd8e7128
Update win_netsh_port_fwd_3389.yml
2020-11-28 11:32:35 +01:00
yugoslavskiy
5d457f4f79
Update win_netsh_port_fwd.yml
2020-11-28 11:31:27 +01:00
yugoslavskiy
78193d3e3a
Update win_mal_adwind.yml
2020-11-28 11:25:28 +01:00
yugoslavskiy
de41e34d53
Update win_apt_sofacy.yml
2020-11-28 11:21:23 +01:00
yugoslavskiy
fe499d8838
Update win_apt_judgement_panda_gtr19.yml
2020-11-28 11:14:23 +01:00
yugoslavskiy
11c18e14d8
Update win_hack_koadic.yml
2020-11-28 11:12:06 +01:00
yugoslavskiy
eaf2fde6eb
Update win_netsh_fw_add_susp_image.yml
2020-11-28 11:05:04 +01:00
yugoslavskiy
5eec5d485b
Update sysmon_in_memory_assembly_execution.yml
2020-11-28 10:55:18 +01:00
yugoslavskiy
9445d18474
Update win_netsh_wifi_credential_harvesting.yml
2020-11-28 10:39:37 +01:00
yugoslavskiy
687f6d8946
Update win_powershell_download.yml
2020-11-28 10:37:30 +01:00
yugoslavskiy
fe0029e738
Update win_powersploit_empire_schtasks.yml
2020-11-28 10:29:07 +01:00
yugoslavskiy
de5cac99d9
Update win_malware_wannacry.yml
2020-11-28 10:28:04 +01:00
yugoslavskiy
5a4b01662e
Update win_netsh_fw_add.yml
2020-11-28 10:22:24 +01:00
yugoslavskiy
9ae26e2674
Update win_apt_cloudhopper.yml
2020-11-28 10:20:12 +01:00
yugoslavskiy
4a2cce0b40
Update win_apt_chafer_mar18.yml
2020-11-28 10:15:39 +01:00
Florian Roth
30c0b440e2
Merge pull request #1228 from stvetro/oscd-GfxDownloadWrapper
...
[OSCD] GfxDownloadWrapper downloads file (LoLBin)
2020-11-28 10:10:30 +01:00
Florian Roth
1ea4bb0b87
wrong field name
2020-11-28 10:10:00 +01:00
yugoslavskiy
17813c947c
Update win_apt_bluemashroom.yml
2020-11-28 09:48:30 +01:00
yugoslavskiy
26fa500e21
Update win_control_panel_item.yml
2020-11-28 09:38:49 +01:00
yugoslavskiy
2e5e4a20d2
Update powershell_clear_powershell_history.yml
2020-11-28 09:26:18 +01:00
yugoslavskiy
016a89c186
Update win_susp_net_recon_activity.yml
2020-11-28 08:00:07 +01:00
Jonhnathan
702f697168
Update win_powershell_download.yml
2020-11-27 16:10:10 -03:00
Jonhnathan
fb119d6112
Remove additional backslash
2020-11-27 16:06:15 -03:00
Jonhnathan
bf5aa947e3
Update win_office_spawn_exe_from_users_directory.yml
2020-11-27 16:04:55 -03:00
Jonhnathan
f6aaa957ff
Update win_netsh_wifi_credential_harvesting.yml
2020-11-27 16:01:25 -03:00
Jonhnathan
d996e97fdd
Update win_netsh_port_fwd_3389.yml
2020-11-27 16:00:04 -03:00
Jonhnathan
b816754018
Update win_netsh_port_fwd_3389.yml
2020-11-27 15:59:25 -03:00
Jonhnathan
5acd8d622b
Update win_netsh_port_fwd.yml
2020-11-27 15:57:53 -03:00
Jonhnathan
9171d8913c
Remove Additional backslash
2020-11-27 15:45:08 -03:00
Jonhnathan
0bf996d66e
Update win_netsh_fw_add.yml
2020-11-27 15:44:22 -03:00
Jonhnathan
3f5a2af2db
Update win_mshta_spawn_shell.yml
2020-11-27 15:43:29 -03:00
Jonhnathan
345c6627a8
Update win_mmc_spawn_shell.yml
2020-11-27 15:42:22 -03:00
Jonhnathan
3854a0ed8d
Update Logic
2020-11-27 15:38:16 -03:00
Jonhnathan
84b35dd6b8
Update win_malware_script_dropper.yml
2020-11-27 15:30:53 -03:00
Jonhnathan
217dd53c62
Update win_malware_notpetya.yml
2020-11-27 15:29:29 -03:00
Jonhnathan
3410a1eece
Update win_malware_formbook.yml
2020-11-27 15:26:15 -03:00
Jonhnathan
253c0839ec
Update logic
2020-11-27 15:25:38 -03:00
Florian Roth
c17c034cb5
Changed selections and condition
...
see manpage for security tool on macOS
https://gist.github.com/Capybara/6228955
2020-11-27 19:23:31 +01:00
Jonhnathan
5f5af0bd36
Update win_malware_dridex.yml
2020-11-27 15:10:31 -03:00
Jonhnathan
7672db2aeb
Update Logic
2020-11-27 12:37:04 -03:00
Jonhnathan
22ae395e4a
Update win_impacket_lateralization.yml
2020-11-27 12:35:27 -03:00
Jonhnathan
e18829697f
Update Logic
2020-11-27 12:33:31 -03:00
Jonhnathan
9331686368
Update Logic
2020-11-27 12:27:23 -03:00
Jonhnathan
dbd97647f6
Remove Additional backslash and update logic
2020-11-27 12:22:04 -03:00
Jonhnathan
421ab4dc5f
Update win_exploit_cve_2017_0261.yml
2020-11-27 12:18:06 -03:00
Jonhnathan
3f9edf19a9
Update win_control_panel_item.yml
2020-11-27 12:15:12 -03:00
Jonhnathan
bde2b95cdc
Remove Additional backslash
2020-11-27 12:14:34 -03:00
Jonhnathan
e58333f808
Update win_commandline_path_traversal.yml
2020-11-27 12:13:45 -03:00
Jonhnathan
a403082631
Update win_bypass_squiblytwo.yml
2020-11-26 23:33:00 -03:00
Jonhnathan
d5803b89ef
Update win_apt_zxshell.yml
2020-11-26 23:31:10 -03:00
Jonhnathan
89a4aa84bf
Update win_apt_winnti_pipemon.yml
2020-11-26 23:29:10 -03:00
Jonhnathan
df93846117
Update win_apt_unidentified_nov_18.yml
2020-11-26 23:26:18 -03:00
Jonhnathan
b234d577d6
Update win_apt_sofacy.yml
2020-11-26 23:21:53 -03:00
Jonhnathan
77bae30bef
Update win_apt_slingshot.yml
2020-11-26 23:18:32 -03:00
Jonhnathan
f2dd516b7c
Fix logic
2020-11-26 23:16:03 -03:00
Jonhnathan
127607c5e7
Remove Additional backslash
2020-11-26 23:14:51 -03:00
Jonhnathan
bce74198ab
Remove Additional backslash
2020-11-26 23:14:24 -03:00
Jonhnathan
fda266adb6
Update win_apt_hurricane_panda.yml
2020-11-26 23:12:26 -03:00
Jonhnathan
d0b6694767
Update win_apt_greenbug_may20.yml
2020-11-26 23:05:44 -03:00
Jonhnathan
707fbe048e
Update win_apt_evilnum_jul20.yml
2020-11-26 23:05:08 -03:00
Jonhnathan
a113c0f3b4
Remove Additional backslash
2020-11-26 23:00:05 -03:00
Jonhnathan
d57d7c1e5b
Remove Additional backslash
2020-11-26 22:59:35 -03:00
Jonhnathan
f61317b2f9
Update sysmon_in_memory_assembly_execution.yml
2020-11-26 22:50:48 -03:00
Jonhnathan
784cab1dfe
Fix missing logic and Field
2020-11-26 22:46:17 -03:00
Jonhnathan
48f16a0ca8
Update win_susp_net_recon_activity.yml
2020-11-26 22:39:49 -03:00
Tim I
78d201ad15
Fix value modifier and add a slash
2020-11-24 23:06:21 +03:00
Alejandro Ortuno
000c038ede
Retrigger tests
2020-11-20 09:30:43 +01:00
Alejandro Ortuno
cfcda8d25f
Trigger new test execution
2020-11-20 09:29:09 +01:00
Jonhnathan
31e0cfb13f
Update win_susp_covenant.yml
2020-11-20 02:36:20 -03:00
Jonhnathan
ec1944e2d7
Update win_susp_copy_system32.yml
2020-11-20 02:31:26 -03:00
Jonhnathan
5d7131bbf2
Update win_susp_compression_params.yml
2020-11-20 02:29:41 -03:00
Jonhnathan
32ed588adb
Update detection Logic
2020-11-20 02:27:58 -03:00
Jonhnathan
b274be8d4e
Update detection Logic
2020-11-20 02:25:32 -03:00
Jonhnathan
c31c0d981a
Update detection logic
2020-11-20 02:23:18 -03:00
Jonhnathan
23edcc6dc6
Update win_susp_certutil_command.yml
2020-11-20 02:21:55 -03:00
Jonhnathan
8af17dda5b
Update win_spn_enum.yml
2020-11-20 02:17:31 -03:00
Jonhnathan
d5cb4246c2
Remove additional backslash
2020-11-20 02:16:51 -03:00
Jonhnathan
0606cd3dde
Update detection Logic
2020-11-20 02:10:27 -03:00
Jonhnathan
ebb4580378
Remove additional backslash
2020-11-20 02:04:28 -03:00
Jonhnathan
2ba146be07
Remove additional backslash
2020-11-20 02:03:06 -03:00
Jonhnathan
493fa3d5ee
Update sysmon_susp_mic_cam_access.yml
2020-11-20 02:02:26 -03:00
Jonhnathan
9e3a612953
Remove additional backslash
2020-11-20 02:01:43 -03:00
Jonhnathan
6c88dd700e
Update sysmon_stickykey_like_backdoor.yml
2020-11-20 02:00:53 -03:00
Jonhnathan
1e640b50f9
Remove additional backslash
2020-11-20 01:58:20 -03:00
Jonhnathan
acff5ef4f9
Update sysmon_registry_persistence_key_linking.yml
2020-11-20 01:57:34 -03:00
Jonhnathan
e35b09e1a6
Remove out of context falsepositive
2020-11-20 01:55:48 -03:00
Jonhnathan
d595df2879
Fix
2020-11-20 01:53:15 -03:00
Jonhnathan
6f3daad053
Update sysmon_apt_oceanlotus_registry.yml
2020-11-20 01:51:53 -03:00
Jonhnathan
9967bd1fe5
Update sysmon_apt_oceanlotus_registry.yml
2020-11-20 01:51:01 -03:00
Jonhnathan
1af9e9ed48
Update sysmon_win_reg_persistence.yml
2020-11-20 01:47:19 -03:00
Jonhnathan
8d8c29e0fe
Update sysmon_uac_bypass_sdclt.yml
2020-11-20 01:42:17 -03:00
Jonhnathan
372f000b7f
Update sysmon_uac_bypass_eventvwr.yml
2020-11-20 01:41:20 -03:00
Jonhnathan
e8aa9a854a
Update sysmon_uac_bypass_eventvwr.yml
2020-11-20 01:40:29 -03:00
Jonhnathan
57e98e3957
Remove additional backslash
2020-11-20 01:38:57 -03:00
Jonhnathan
9cf2ea5862
Update sysmon_susp_service_installed.yml
2020-11-20 01:38:17 -03:00
Jonhnathan
1acc19a8d5
Remove additional backslash
2020-11-20 01:37:24 -03:00
Jonhnathan
ab2edd1ff0
Update sysmon_malware_verclsid_shellcode.yml
2020-11-20 01:34:43 -03:00
Jonhnathan
240a8b9aa0
Update sysmon_lazagne_cred_dump_lsass_access.yml
2020-11-20 01:33:04 -03:00
Jonhnathan
ebd9973dcb
Update sysmon_lazagne_cred_dump_lsass_access.yml
2020-11-20 01:32:41 -03:00
Jonhnathan
2194744803
Update sysmon_invoke_phantom.yml
2020-11-20 01:30:58 -03:00
Jonhnathan
4af7f00f4a
Improve logic
2020-11-20 01:30:01 -03:00
Jonhnathan
728276ef13
Improve Logic
2020-11-20 01:22:20 -03:00
Jonhnathan
ee43919eec
Change detection logic
2020-11-20 01:05:06 -03:00
Jonhnathan
c42911cb47
Update win_wmi_persistence.yml
2020-11-20 00:58:49 -03:00
Jonhnathan
718792e0ba
Update win_tool_psexec.yml
2020-11-20 00:57:16 -03:00
Jonhnathan
b3e0b55250
Remove additional backslash
2020-11-20 00:53:13 -03:00
Jonhnathan
813afd4f4c
Remove additional backslash
2020-11-20 00:52:54 -03:00
Jonhnathan
f6a89e9707
Fix Detection Logic
2020-11-20 00:51:22 -03:00
Jonhnathan
0ffd1ef47f
Remove additional backslash
2020-11-19 23:15:38 -03:00
Jonhnathan
351a9920ed
Update win_mal_flowcloud.yml
2020-11-19 23:14:44 -03:00
Jonhnathan
43ffb80d94
Remove additional backslash
2020-11-19 23:09:50 -03:00
Jonhnathan
44652c4ffd
Remove additional backslash
2020-11-19 23:08:40 -03:00
Jonhnathan
9a5b17f2bb
Remove additional backslash
2020-11-19 23:04:26 -03:00
Jonhnathan
f79caba72a
Remove additional backslash
2020-11-19 22:58:50 -03:00
Jonhnathan
6ecafac619
Update sysmon_susp_driver_load.yml
2020-11-19 22:56:34 -03:00
Jonhnathan
f42ef96140
Fix Reference
2020-11-19 22:50:27 -03:00
Jonhnathan
fdd28556cf
Fix ref
2020-11-19 22:48:20 -03:00
Jonhnathan
4f4fcbc576
Update win_susp_wmi_login.yml
2020-11-19 22:47:20 -03:00
Jonhnathan
ea385767b9
Update win_susp_ntlm_auth.yml
2020-11-19 22:40:43 -03:00
Jonhnathan
5d85bbba56
Improve detection logic
2020-11-19 22:37:13 -03:00
Jonhnathan
c20bce4a77
Update win_susp_msmpeng_crash.yml
2020-11-19 22:30:48 -03:00
Jonhnathan
7fe2c00ac1
Update win_net_ntlm_downgrade.yml
2020-11-19 22:14:37 -03:00
Jonhnathan
371c112143
Fix the detection logic
...
ObjectName = admin was included in the query using AND, not OR.
2020-11-19 21:45:19 -03:00
Ömer Günal
1582c5230a
Update lnx_process_discovery.yml
2020-11-18 23:25:15 +03:00
Thomas Patzke
199a897f75
Fix rule indent
2020-11-17 10:12:55 +01:00
v3t0
3d206b08d8
[OSCD] Added a rule to detect potential persistence using registry keys
2020-11-15 19:04:12 -05:00
yugoslavskiy
2939b33ab5
Update lnx_network_service_scanning.yml
2020-11-16 01:00:09 +01:00
Ömer Günal
edc416a1d8
Update lnx_system_info_discovery.yml
2020-11-14 19:24:23 +03:00
Ömer Günal
821bdf8ab4
Update lnx_install_root_certificate.yml
2020-11-14 19:19:28 +03:00
stvetro
19eb8306d3
Removed unnecessary antifalse positive
2020-11-14 09:50:29 +04:00
Ömer Günal
19cad11a4a
Update lnx_system_info_discovery.yml
2020-11-10 20:11:49 +03:00
Ömer Günal
ab959394ab
Update lnx_install_root_certificate.yml
2020-11-10 20:09:46 +03:00
Ömer Günal
f41accab33
Update lnx_install_root_certificate.yml
2020-11-10 20:09:03 +03:00
Ryan Plas
d4d694b4da
Logic fix for sysmon_non_priv_program_files_move
2020-11-10 10:01:47 -05:00
Alejandro Ortuno
ad031d97ee
Filter out listening mode on nc
2020-11-09 10:32:56 +01:00
Ömer Günal
577165b7f7
Update lnx_system_info_discovery.yml
2020-11-08 11:09:27 +03:00
Ömer Günal
0e4a5baf1a
Update lnx_install_root_certificate.yml
2020-11-08 11:08:30 +03:00
Ömer Günal
499a8f85b0
Update lnx_install_root_certificate.yml
2020-11-08 11:06:11 +03:00
Ömer Günal
5dc3472af0
Update lnx_system_info_discovery.yml
2020-11-07 11:51:53 +03:00
Ömer Günal
89a24d4bfa
Update lnx_install_root_certificate.yml
2020-11-07 11:50:30 +03:00
yugoslavskiy
c17e8574d0
change the syntax a bit and removed .service suffix as it is
...
[redundant](https://www.freedesktop.org/software/systemd/man/systemctl.html):
```
Unit commands listed above take either a single unit name (designated as UNIT), or multiple unit specifications (designated as PATTERN…). In the first case, the unit name with or without a suffix must be given. If the suffix is not specified (unit name is "abbreviated"), systemctl will append a suitable suffix, ".service" by default, and a type-specific suffix in case of commands which operate only on specific unit types. For example,
# systemctl start sshd
and
# systemctl start sshd.service
are equivalent
```
2020-11-06 20:56:08 +01:00
Alejandro Ortuno
7c5067ade4
Making it a global rule
2020-11-06 10:25:59 +01:00
Alejandro Ortuno
a9a90e024c
make it global rule
2020-11-06 09:56:49 +01:00
yugoslavskiy
efc3f298b8
simplify syntax
2020-11-04 23:03:34 +01:00
yugoslavskiy
2f789c45dc
change a syntax a bit to re-run the tests
2020-11-04 22:30:27 +01:00
GlebSukhodolskiy
8068487340
test trigger
2020-11-03 12:04:03 +03:00
GlebSukhodolskiy
544876951f
fixed duplication v2
2020-11-03 02:34:34 +03:00
GlebSukhodolskiy
48e46c279a
fixed duplication
2020-11-03 02:25:22 +03:00
GlebSukhodolskiy
cf8c721662
fixed optimization and references
2020-11-03 02:16:13 +03:00
GlebSukhodolskiy
e2c4af012b
Changed to Placeholders Usage
...
A query was too big to pass a test, so I changed logic to placeholders usage.
2020-11-03 00:56:42 +03:00
feedb
e93dd7fe61
fix
2020-11-01 15:25:12 +03:00
Vasiliy Burov
903ce08277
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-11-01 14:21:27 +03:00
yugoslavskiy
ea71828d34
change syntax a bit to re-run the test
2020-10-31 23:57:13 +01:00
stvetro
8dc8fdc44b
Added antifalsepositive condition
...
4688 always has non empty cmd
2020-10-31 12:46:30 +04:00
Vasiliy Burov
ab60fdcef4
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-29 23:38:22 +03:00
Alejandro Ortuno
5918cc0a3d
remove cat
2020-10-29 09:58:58 +01:00
Vasiliy Burov
683824ee46
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-29 11:44:45 +03:00
Alejandro Ortuno
0c0c1725fa
refactor detections
2020-10-29 09:34:47 +01:00
Vasiliy Burov
d743cbbe4b
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-29 11:14:43 +03:00
yugoslavskiy
167e9745cd
Update macos_remote_system_discovery.yml
2020-10-29 02:06:45 +01:00
yugoslavskiy
81f6f24155
Update lnx_remote_system_discovery.yml
2020-10-29 02:06:20 +01:00
Semanur Guneysu
46c52b4347
Update sysmon_abusing_debug_privilege.yml
2020-10-28 20:11:29 +03:00
nsaddler
07f777d1b5
Update powershell_CL_Mutexverifiers_LOLScript_v2.yml
2020-10-28 19:32:18 +03:00
nsaddler
7ee644eac0
Update powershell_CL_Invocation_LOLScript_v2.yml
2020-10-28 19:30:21 +03:00
nsaddler
d0a796439b
Update powershell_CL_Invocation_LOLScript.yml
2020-10-28 19:25:43 +03:00
Наталья Шорникова
a4a3e01f25
Splitting into two rules
2020-10-28 19:13:29 +03:00
Наталья Шорникова
55a7fe6b9d
Splitting into two rules
2020-10-28 19:08:23 +03:00
Alejandro Ortuno
80b1a19246
Added the space at the beginning of the IP ranges.
2020-10-28 10:16:29 +01:00
Alejandro Ortuno
3a58c00feb
Removing the echo detection
2020-10-28 10:07:59 +01:00
Alejandro Ortuno
e31c8f96e9
added the category
2020-10-28 09:56:01 +01:00
Vasiliy Burov
d90ec67cce
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-28 11:44:21 +03:00
Vasiliy Burov
744c637125
Delete win_rdp_session_hijacking.yml
2020-10-28 11:38:39 +03:00
Vasiliy Burov
931ccde3e6
Merge branch 'patch-15' of https://github.com/vburov/sigma into patch-15
2020-10-28 11:27:48 +03:00
Vasiliy Burov
eec398ea0e
Merge branch 'master' into patch-15
2020-10-28 11:27:28 +03:00
Vasiliy Burov
2d2464ba22
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-28 11:20:26 +03:00
Vasiliy Burov
fdbd8de219
Revert "Update win_susp_multiple_files_renamed_or_deleted.yml"
...
This reverts commit eb166222bd.
2020-10-28 10:51:18 +03:00
Vasiliy Burov
00f1326ae6
Revert "Update win_susp_multiple_files_renamed_or_deleted.yml"
...
This reverts commit 64e48ed94d.
2020-10-28 10:50:53 +03:00
Jonhnathan
28febe5dd2
Update win_apt_chafer_mar18.yml
2020-10-27 23:28:04 -03:00
Jonhnathan
0860978412
Update win_apt_bear_activity_gtr19.yml
2020-10-27 23:26:34 -03:00
Jonhnathan
e24e6da3b5
Update win_apt_apt29_thinktanks.yml
2020-10-27 23:24:04 -03:00
Jonhnathan
467af2ebb5
Update sysmon_susp_prog_location_network_connection.yml
2020-10-27 22:56:32 -03:00
Jonhnathan
266109f3d8
Update win_mal_ryuk.yml
2020-10-27 22:47:41 -03:00
Jonhnathan
514f9ccd28
Update win_mal_ryuk.yml
2020-10-27 22:42:15 -03:00
Jonhnathan
187d1d3e3b
Update win_user_driver_loaded.yml
2020-10-27 22:37:50 -03:00
Jonhnathan
dbad6c637f
Update av_webshell.yml
2020-10-27 22:35:45 -03:00
Jonhnathan
0afe48a0a0
Update av_relevant_files.yml
2020-10-27 22:34:57 -03:00
Jonhnathan
95da1ec500
Update av_relevant_files.yml
2020-10-27 22:32:16 -03:00
Jonhnathan
d3c6d9df31
Update win_mal_ryuk.yml
2020-10-27 22:21:16 -03:00
Jonhnathan
98c7639db7
Update mal_azorult_reg.yml
2020-10-27 22:19:04 -03:00
Jonhnathan
8f4d6f802b
Update mal_azorult_reg.yml
2020-10-27 22:18:41 -03:00
Jonhnathan
bfb50a3d42
Update sysmon_susp_office_dsparse_dll_load.yml
2020-10-27 22:13:02 -03:00
Jonhnathan
3477866451
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
2020-10-27 22:10:17 -03:00
Jonhnathan
9fd203e2a3
Update mal_azorult_reg.yml
2020-10-27 22:07:45 -03:00
Jonhnathan
ebb84486f5
Update sysmon_susp_adsi_cache_usage.yml
2020-10-27 22:04:31 -03:00
Jonhnathan
182b12614b
Update sysmon_quarkspw_filedump.yml
2020-10-27 22:02:47 -03:00
Jonhnathan
dde5b46726
Update win_susp_sam_dump.yml
2020-10-27 22:01:31 -03:00
Jonhnathan
61ccdc598d
Update win_susp_local_anon_logon_created.yml
2020-10-27 22:00:42 -03:00
Jonhnathan
3eea825898
Update win_net_ntlm_downgrade.yml
2020-10-27 21:59:49 -03:00
Jonhnathan
53ff19f167
Update win_mmc20_lateral_movement.yml
2020-10-27 21:55:17 -03:00
Vasiliy Burov
64e48ed94d
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-27 23:33:56 +03:00
Vasiliy Burov
eb166222bd
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-27 23:15:28 +03:00
Vasiliy Burov
172c619719
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-27 22:50:09 +03:00
Vasiliy Burov
edede617cf
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-27 22:36:12 +03:00
Vasiliy Burov
515c4dd9cd
Added some false positives issues
2020-10-27 20:35:22 +03:00
Vasiliy Burov
66965cec33
Added some false positives issues
2020-10-27 17:31:46 +03:00
Semanur Guneysu
1e32391e59
Merge branch 'master' of https://github.com/semanurguneysu/sigma into oscd
2020-10-26 19:49:56 +03:00
Semanur Guneysu
27dbf73c0d
Update sysmon_abusing_debug_privilege.yml
...
comment added
2020-10-26 19:25:36 +03:00
invrep-de
8a9db12d30
Enhanced to improve specificity
...
Enhanced to improve specificity per feedback received;
2020-10-26 12:05:16 -04:00
invrep-de
dc41f64023
[OSCD] Bad Opsec Defaults Sacrificial Processes
...
Incorporate feedback from @yugoslavskiy;
2020-10-26 11:52:16 -04:00
Semanur Guneysu
1b3cb8a64b
Delete .DS_Store
2020-10-26 18:15:57 +03:00
Semanur Guneysu
db49c436a3
Update sysmon_abusing_debug_privilege.yml
2020-10-26 18:08:05 +03:00
Semanur Guneysu
bc5e9b57e9
Update sysmon_abusing_debug_privilege.yml
2020-10-26 17:45:13 +03:00
Semanur Guneysu
2dab2d420c
Update sysmon_abusing_debug_privilege.yml
2020-10-26 15:24:00 +03:00
Semanur Guneysu
4e1143502e
Create .DS_Store
2020-10-26 15:18:20 +03:00
Semanur Guneysu
cb5a541a5e
Update sysmon_abusing_debug_privilege.yml
...
NT AUTHORITY\SYSTEM
2020-10-26 14:56:25 +03:00
Semanur Guneysu
3ff10b160f
Update sysmon_abusing_debug_privilege.yml
2020-10-26 14:44:27 +03:00
Semanur Guneysu
e65b8249d7
Update sysmon_abusing_debug_privilege.yml
2020-10-26 14:39:43 +03:00
S.kiran kumar
b5e07f0a37
Update silenttrinity_stager_msbuild_activity.yml
2020-10-26 17:00:50 +05:30
Semanur Guneysu
70beef515d
Update sysmon_abusing_debug_privilege.yml
...
mitre tag added. Checked.
2020-10-26 14:01:46 +03:00
Vasiliy Burov
b84fc7850c
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-26 13:48:19 +03:00
Vasiliy Burov
779596334c
Update win_susp_multiple_files_renamed_or_deleted.yml
2020-10-26 12:35:16 +03:00
Vasiliy Burov
6da58584c5
Update win_susp_multiple_files_renamed_or_deleted.yml
...
Added an issue into 'falsepositives' section.
2020-10-26 12:14:59 +03:00
Alejandro Ortuno
c83d5a3d65
Added some minor tuning of ip ranges
2020-10-26 09:45:13 +01:00
S.kiran kumar
708fe7f8fa
Update silenttrinity_stager_msbuild_activity.yml
2020-10-26 14:13:33 +05:30
S.kiran kumar
630365cb4b
Update silenttrinity_stager_msbuild_activity.yml
2020-10-26 14:13:11 +05:30
S.kiran kumar
6c5bb72491
Update silenttrinity_stager_msbuild_activity.yml
2020-10-26 12:28:04 +05:30
S.kiran kumar
d7e9a87feb
Update silenttrinity_stager_msbuild_activity.yml
2020-10-26 12:10:46 +05:30
S.kiran kumar
02ce1196c3
Update silenttrinity_stager_msbuild_activity.yml
2020-10-26 11:58:32 +05:30
S.kiran kumar
2469ad14d8
Update silenttrinity_stager_msbuild_activity.yml
2020-10-26 11:47:21 +05:30
S.kiran kumar
15a6352da6
Removed event ID
2020-10-24 17:40:29 +05:30
invrep-de
e5567631eb
Minor changes to incorporate feedback
...
Incorporated feedback from @yugoslavskiy. Thank you!
2020-10-24 07:27:59 -04:00
invrep-de
d623685c2c
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
2020-10-23 23:27:52 +02:00
stvetro
f27a7832ad
Small fix
...
Added "\" at file path end
Optimised exclusion of empty cmds
2020-10-23 13:25:32 +04:00
stvetro
ca6a4beb65
Small fix
...
Added "\" at file path end
2020-10-23 12:50:27 +04:00
stvetro
d7709d2236
Small fix
...
Add "\" to file path end
2020-10-23 12:44:46 +04:00
stvetro
f7a110e107
Small fix
...
Removed extra line;
Added "\" to file path end
2020-10-23 12:41:39 +04:00
stvetro
9d286b4d47
Deleted not my rule
...
Was added by mistake =)
2020-10-23 12:38:13 +04:00
Alejandro Ortuno
11df6c2566
Sigma rule
2020-10-23 10:16:59 +02:00
Vasiliy Burov
093941778b
Update and rename win_susp_multiple_files_renamed.yml to win_susp_multiple_files_renamed_or_deleted.yml
2020-10-22 15:57:29 +03:00
Alejandro Ortuno
638fd7eeab
Remote system discovery sigma rules for macos and linux
2020-10-22 10:37:29 +02:00
Alejandro Ortuno
5d37c0ee1e
Added some modifications to firewall disabling
2020-10-22 10:22:00 +02:00
Ömer Günal
afe97c000c
Update lnx_system_info_discovery.yml
2020-10-21 21:48:43 +03:00
Ömer Günal
9f7244f019
Update lnx_system_info_discovery.yml
2020-10-21 21:45:23 +03:00