valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,901 Commits 20 Branches 25 Tags 21 MiB
0e94eb9e86
Commit Graph

2901 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Harish SEGAR
a88b22a1bd Fix namefield. 2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7 Restructure new improvement to process_creation folder. 2020-03-20 23:29:32 +01:00
Harish SEGAR
b9a916ceb4 Removed useless condition. 2020-03-20 22:50:26 +01:00
Harish SEGAR
30fac9545a Fixed author field. 2020-03-20 22:49:07 +01:00
Harish SEGAR
1f251cec07 Added missing action field 2020-03-20 22:46:19 +01:00
Harish SEGAR
293018a9e7 Added conditions... 2020-03-20 22:33:14 +01:00
Harish SEGAR
74b81120e4 Usage of value modifiers... 2020-03-20 22:03:48 +01:00
Harish SEGAR
b129f09fee Improvement detection on downgrade of powershell 2020-03-20 21:48:19 +01:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1 
add rule for suspicious use of csharp console by scripting utility
 2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues 2020-03-09 17:43:16 +01:00
Florian Roth
8a2033aaf9
Merge pull request #657 from EccoTheFlintstone/fix_registry 
sysmon registry events fix
 2020-03-09 17:38:58 +01:00
ecco
2489b8534c sysmon registry events fix 2020-03-09 12:02:04 -04:00
msec1203
f833407265
Initial upload 2020-03-08 19:06:10 +09:00
Florian Roth
3c3917c1d5
Merge pull request #654 from Neo23x0/devel 
Minor changes
 2020-03-07 11:20:45 +01:00
Florian Roth
ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
Florian Roth
54d3706a7f docs: removed outdated section from info graphic 2020-03-07 11:05:53 +01:00
Florian Roth
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1 
MMC Lateral Movement Rule 1
 2020-03-07 11:02:16 +01:00
Florian Roth
2e184382f5
fix: eventid in process_creation rules 2020-03-07 10:43:47 +01:00
Florian Roth
60279c7501
Merge pull request #610 from axi0m/patch-1 
Update proxy_raw_paste_service_access.yml
 2020-03-07 10:39:56 +01:00
Florian Roth
7e8b59abe6
Merge pull request #643 from grumo35/patch-2 
Update sysmon_cred_dump_tools_dropped_files.yml
 2020-03-07 10:39:35 +01:00
Florian Roth
c609de4f27
Merge pull request #648 from NVISO-BE/patch-azure-ad-replication 
Exclude Azure AD sync accounts from AD Replication rule
 2020-03-07 10:39:04 +01:00
Florian Roth
b040c129be
fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA)
ae56db97ff
mmc lateral movement detection 1 
see https://github.com/Neo23x0/sigma/issues/576
 2020-03-04 14:57:41 -05:00
Florian Roth
02d256b3b6
Merge pull request #651 from EccoTheFlintstone/fix_sysmon_registry 
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
 2020-03-04 20:25:11 +01:00
ecco
b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel 
fix: avoiding FPs with Citrix software
 2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8 fix avoiding FPs with MpCmdRun 
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
 2020-03-03 11:16:59 +01:00
Florian Roth
7139bfb0cb fix: avoiding FPs with Citrix software 
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
 2020-03-03 11:01:42 +01:00
Remco Hofman
d4b5dd5749 Exclude Azure AD sync accounts from AD Replication rule 2020-03-02 16:43:20 +01:00
Thomas Patzke
b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke
01bd5cf0e0 Merge branch 'issue-645' 2020-03-01 22:41:13 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3 
Rule: restore initial behaviour matching single word with spaces on each side
 2020-03-01 22:40:24 +01:00
Thomas Patzke
a0f7da8c03 Splunk XML backend rule title 
Fixes #645
 2020-03-01 22:23:35 +01:00
Florian Roth
a557c727dd
Merge pull request #644 from Neo23x0/devel 
Devel
 2020-02-29 16:17:12 +01:00
Florian Roth
19d383989c fix: keyword expression in rule 2020-02-29 16:03:31 +01:00
Florian Roth
15a400ac51 fix: fixing bug in rule 2020-02-29 15:51:00 +01:00
Florian Roth
fa6458b70f rule: two rules to detect CVE-2020-0688 exploitation 2020-02-29 15:45:45 +01:00
Florian Roth
fdcba84fc8 fix: escaped backslash 2020-02-29 10:12:59 +01:00
grumo35
0d932810b5
Update sysmon_cred_dump_tools_dropped_files.yml 
Adding sysinternal's procdump utility more about this on : https://en.hackndo.com/remote-lsass-dump-passwords/
 2020-02-28 15:16:18 +01:00
Florian Roth
9e86170d79
Merge pull request #641 from NVISO-BE/web_exchange_cve_2020_0688_exploit 
CVE 2020-0688 Exploit attempt rule
 2020-02-27 13:34:05 +01:00
Remco Hofman
4f45e14a56 Match on c-uri instead of c-uri-path 2020-02-27 13:23:25 +01:00
Remco Hofman
ff35eb0052 Title capitalization 2020-02-27 12:56:56 +01:00
Remco Hofman
72e34d2aa5 CVE 2020-0688 Exploit attempt rule 2020-02-27 12:51:10 +01:00
Florian Roth
f88225dd2a
Merge pull request #640 from Neo23x0/devel 
fix: broader exclusion for rule - OneDrive false positives
 2020-02-26 18:41:52 +01:00
Florian Roth
6bbd80a8ee fix: broader exclusion for rule - OneDrive false positives 2020-02-26 18:31:58 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule 
New Koadic detection rule
 2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel 
Several false positives with new rules
 2020-02-26 09:46:02 +01:00