SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00

Author	SHA1	Message	Date
toffeebr33k	596d1b6e4c	Update aws_update_login_profile.yml	2020-11-21 23:29:49 +08:00
toffeebr33k	a786ebd04b	Update aws_enum_listing.yml	2020-11-21 23:28:57 +08:00
toffeebr33k	1ca903b168	Update aws_enum_listing.yml	2020-11-21 23:22:07 +08:00
toffeebr33k	7f61591865	Add files via upload	2020-11-21 23:12:50 +08:00
bczyz1	193021eff8	Update win_apt_slingshot.yml fix condition	2020-11-20 09:19:03 +01:00
Florian Roth	af4d546408	Merge pull request #1282 from Neo23x0/rule-devel fix: FPs with notepad++ GUP rule	2020-11-10 13:39:28 +01:00
Florian Roth	2e9d7951a6	Merge pull request #1272 from bczyz1/patch-2 Fix typo in win_apt_lazarus_session_hijack.yml	2020-11-10 13:35:08 +01:00
Florian Roth	f6c0fb2d33	fix: FPs with notepad++ GUP rule	2020-11-09 16:34:12 +01:00
Florian Roth	c3785d6dc7	rule: FPs with WmiPrvSE rule	2020-11-05 16:44:33 +01:00
bczyz1	c554aaea8f	update win_apt_slingshot.yml - optimized rule - added detection of task modification (flag /change + /disable as described here https://stackoverflow.com/questions/26169582/does-anyone-know-of-a-way-to-turn-off-windows-defragmenters-default-schedule-us)	2020-11-05 15:51:22 +01:00
Florian Roth	908023fa66	rule: added second expression	2020-11-04 16:43:35 +01:00
bczyz1	4a5b2d642e	Fix typo in win_apt_lazarus_session_hijack.yml	2020-11-03 14:46:29 +01:00
Florian Roth	f848bb912c	rule: reworked weblogic CVE-2020-14882 rule	2020-11-03 10:39:40 +01:00
Florian Roth	dd0d1d053c	rule: WebLogic exploit CVE-2020-14882	2020-11-02 11:11:37 +01:00
omkargudhate22	f1bb9726ca	updated mitre tag	2020-10-30 13:35:40 +05:30
omkar72	86a849728d	ryuk changes	2020-10-30 13:15:11 +05:30
omkargudhate22	df07d53fea	formatting values	2020-10-25 18:23:29 +05:30
omkargudhate22	06890ba28b	update title	2020-10-25 15:10:12 +05:30
omkar72	021842eaa3	office test reg	2020-10-25 12:36:08 +05:30
omkar72	42de51cadc	conhost executions	2020-10-25 12:33:59 +05:30
Florian Roth	75637324e0	feat: cover newest emotet campaigns	2020-10-23 23:44:48 +02:00
Florian Roth	ee789a309c	fix: FP with expression	2020-10-20 13:11:10 +02:00
Florian Roth	198b292c26	rule: emotet encoded commands	2020-10-20 12:51:58 +02:00
Florian Roth	48f1be04d4	fix: ping hex ip rule	2020-10-16 10:06:24 +02:00
Florian Roth	3affdd12e0	fix: rule title casing	2020-10-12 09:51:35 +02:00
Florian Roth	0d0cda0f86	docs: improved false positive notes	2020-10-12 09:18:42 +02:00
Florian Roth	e7c6794ecd	rule: suspicious wmic process call create + rundll32	2020-10-12 09:18:30 +02:00
Florian Roth	2e732eb01f	Merge branch 'master' into rule-devel	2020-10-12 09:13:24 +02:00
Florian Roth	c56cd2dfff	Merge pull request #1024 from omkar72/master Com hijack shell folder	2020-10-02 09:24:16 +02:00
omkargudhate22	4487d9cc7e	added event type & changed technique	2020-10-02 09:22:14 +05:30
Florian Roth	d3ee1aba66	docs: MITRE ATT&CK(R) trademark references removed or adjusted https://github.com/Neo23x0/sigma/issues/1028	2020-09-30 08:53:52 +02:00
Florian Roth	c17ca6d5fe	Merge pull request #1018 from savvyspoon/wcry-dns WannaCry Killswitch domain DNS query	2020-09-29 09:27:21 +02:00
omkargudhate22	68a992d903	updated name	2020-09-27 21:57:19 +05:30
omkargudhate22	e7c8197e34	Updated fields & renamed	2020-09-27 21:52:59 +05:30
omkargudhate22	ebe3dce1d7	Update sysmon_comhijack_uac_bypass.yml	2020-09-27 21:44:41 +05:30
omkar72	3f148e6c7c	COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.	2020-09-27 21:19:04 +05:30
Florian Roth	d7d9c0e772	Merge pull request #1021 from hieuttmmo/master Sigma rule to detect AdFind.exe execution	2020-09-27 09:50:41 +02:00
Florian Roth	8020fe3c40	false positive condition	2020-09-26 17:03:29 +02:00
Florian Roth	60795f7050	Update win_susp_adfind.yml Fear that a simple adfind.exe causes too many false positives	2020-09-26 17:02:39 +02:00
Florian Roth	dbdd758365	Duplicate Rule we already have a rule for that	2020-09-26 17:01:32 +02:00
Tran Trung Hieu	d4dd0600ad	Fix logsource service to process_creation	2020-09-26 21:45:23 +07:00
Tran Trung Hieu	c756fc8576	Detect Suspicious AdFind Execution	2020-09-26 21:34:06 +07:00
Mike Wade	f76f80db80	Killswitch domain	2020-09-16 20:32:31 -06:00
Mike Wade	7b1ef9ea64	fixing test runner issues	2020-09-15 15:45:33 -06:00
Mike Wade	6ed36b0e41	fixed issues with tabs and duplicate tags	2020-09-15 08:52:00 -06:00
Florian Roth	2cd9b794e6	Merge pull request #1007 from d4rk-d4nph3/master Windows Defender AMSI Trigger Detected	2020-09-15 15:45:00 +02:00
Remco Hofman	6cadfa5b2b	Added win_vul_cve_2020_1472 rule	2020-09-15 15:13:53 +02:00
Mike Wade	1ddba05eb2	Second round	2020-09-15 07:02:30 -06:00
Mike Wade	da9b32bdd6	we	2020-09-15 06:24:44 -06:00
Mike Wade	8ce73bd8df	Fixed issues with tags and missing files	2020-09-15 06:10:57 -06:00
Thomas Patzke	378d9c94cf	Merge branch 'master' of https://github.com/socprime/sigma into pr-981	2020-09-15 12:14:49 +02:00
Florian Roth	50db6dcc69	Merge pull request #1002 from scottdermott/master + Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)	2020-09-15 08:17:02 +02:00
Bhabesh Rai	03c7d751c0	Windows Defender AMSI Trigger Detected	2020-09-14 18:10:38 +05:45
Mike Wade	57cae0ded1	Fixed reference typo	2020-09-13 22:07:43 -06:00
Mike Wade	52ab677798	Fixed my git issue	2020-09-13 22:03:04 -06:00
Mike Wade	249c255435	No Idea why these files are deleted	2020-09-13 22:00:30 -06:00
Yugoslavskiy Daniil	1fc202fe5d	fix typos, update tags	2020-09-13 15:46:45 +02:00
Dermott, Scott J	c72ac8f73e	Merge branch 'master' of https://github.com/scottdermott/sigma	2020-09-11 16:19:54 +01:00
Scott Dermott	1f50e0af35	+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx) AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC). https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028	2020-09-11 16:06:51 +01:00
Tran Trung Hieu	49ba107dce	Fixed Title	2020-09-10 17:36:37 +07:00
Tran Trung Hieu	f7d5240d40	Added UID, fixed rule description	2020-09-10 17:20:16 +07:00
Tran Trung Hieu	1b6c6ec5bf	Detects a suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender	2020-09-10 17:16:06 +07:00
Florian Roth	7d6043bd0d	rule: reworked suspicious user agents	2020-09-10 10:33:11 +02:00
Bhabesh Rai	ed059a9831	Added Credential Dumping by LaZagne	2020-09-09 18:27:14 +05:45
Florian Roth	de5444a81e	Merge pull request #989 from oscd-initiative/master [OSCD Initiative][ATT&CK tags update]	2020-09-08 13:27:58 +02:00
Florian Roth	af3b93a522	Merge pull request #914 from omergunal/ogunal-2 New rules for Linux	2020-09-07 09:41:43 +02:00
Florian Roth	39dfcd40ec	Merge pull request #921 from d4rk-d4nph3/master Added support for Defender's PSExec and WMI ASR rules.	2020-09-07 09:40:46 +02:00
Florian Roth	6f96bbbe65	Merge pull request #977 from barvhaim/patch-1 Update win_new_service_creation.yml typo	2020-09-07 09:39:28 +02:00
Florian Roth	37751fc3a1	Merge pull request #978 from barvhaim/patch-2 Update sysmon_apt_muddywater_dnstunnel.yml typo	2020-09-07 09:39:11 +02:00
e6e6e	98c412044a	att&ck tags review: windows/process_creation part 5 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes	2020-09-07 02:00:41 +04:00
e6e6e	7ae76b8d99	Revert "att&ck tags review: windows/process_creation part 5" This reverts commit `e94c47e74e`.	2020-09-07 01:28:08 +04:00
e6e6e	e94c47e74e	att&ck tags review: windows/process_creation part 5 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes	2020-09-07 01:19:41 +04:00
Alexey Lednyov	7834fdd750	att&ck tags review: windows/registry_event	2020-09-06 22:10:44 +03:00
ecco	ebc1d38027	fix in memory powershell false positive	2020-09-06 09:25:56 -04:00
ecco	b9f7d58dbc	fix ADSI rule false positive	2020-09-06 09:17:53 -04:00
grikos	961e4eef4c	att&ck tags review: windows/process_creation part 6	2020-09-05 20:35:21 +03:00
Florian Roth	e1529b445e	docs: added MITRE ATT&CK tags	2020-09-05 09:17:23 +02:00
Florian Roth	12a6ad224c	Merge branch 'master' into rule-devel	2020-09-05 09:13:34 +02:00
Florian Roth	22465037ac	Update win_susp_mpcmdrun_download.yml	2020-09-04 16:50:57 +02:00
Florian Roth	3283e33cbc	Update and rename win_lolbas_mpcmdrun.yml to win_susp_mpcmdrun_download.yml	2020-09-04 16:49:44 +02:00
Matthew Matchen	df532be142	Added ID field using UUID generated value	2020-09-04 16:38:52 +02:00
Matthew Matchen	2c69815b7b	Removed empty ID field	2020-09-04 16:32:41 +02:00
Matthew Matchen	e0baa097a8	Initial creation	2020-09-04 16:00:23 +02:00
aw350m3	bd5026f6b9	fixed typos in tags	2020-09-03 14:29:05 +00:00
aw350m3	198e42d724	deleted extra spaces	2020-09-03 14:22:31 +00:00
aw350m3	b00047a4e8	att&ck tags review: application, apt, cloud, generic, proxy	2020-09-03 14:16:54 +00:00
Alexey Lednyov	cf011e4a00	Removed duplicate key 'modified'	2020-09-03 17:12:37 +03:00
Alexey Lednyov	1eb675f693	att&ck tags review: web, network/zeek	2020-09-03 17:06:37 +03:00
Florian Roth	22547e188b	some fixes and additions	2020-09-03 13:30:21 +02:00
Florian Roth	720ac0d998	fix: syntax bug in rule	2020-09-03 09:18:28 +02:00
Yugoslavskiy Daniil	71fec94417	review network/cisco/aaa	2020-09-03 00:34:41 +02:00
Florian Roth	198469bed3	Merge branch 'master' into rule-devel	2020-09-02 17:40:12 +02:00
Florian Roth	423f81c912	Update win_mouse_lock.yml	2020-09-02 14:49:37 +02:00
Florian Roth	73bc514f60	fix: 1 of them / one selection	2020-09-02 12:34:35 +02:00
Florian Roth	7ddb63ec1b	fix: FPs with McAfee and CyberReason	2020-09-02 12:30:34 +02:00
Yugoslavskiy Daniil	11e0f794d9	review windows/process_creation part 4	2020-09-02 02:34:34 +02:00
aw350m3	7c6c5263ab	fix duplication of key modified in win_malware_emotet.yml	2020-09-01 17:09:54 +00:00
aw350m3	8ed3eb1494	att&ck tags review: windows/process_creation part 3	2020-09-01 17:02:59 +00:00
grikos	65d201b1e4	att&ck tags review: windows/process_creation part 7	2020-08-30 19:17:38 +03:00
Yugoslavskiy Daniil	e04b896cbc	fix tags	2020-08-29 21:34:20 +02:00

1 2 3 4 5 ...

2628 Commits