valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,399 Commits 20 Branches 25 Tags 21 MiB
11607a8621
Commit Graph

1137 Commits

Author SHA1 Message Date
Florian Roth
11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
sbousseaden
a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
c24bbdcf81 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-24 15:31:06 +01:00
msec1203
4f29556a01 Update win_susp_winword_wmidll_load.yml 
Update x2
 2020-01-24 15:31:06 +01:00
msec1203
48a071ad4e Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2020-01-24 15:31:06 +01:00
GelosSnake
8fbe08d5fa Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2020-01-24 15:31:06 +01:00
msec1203
4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68 svchost spawned without cli 2020-01-24 15:31:06 +01:00
david-burkett
032c382184 corrected logic 2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51 Trickbot behavioral recon activity 2020-01-24 15:31:06 +01:00
Alessio Dalla Piazza
9f7eee8bb1 Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2020-01-24 15:31:06 +01:00
Thomas Patzke
b34bf98c61 Fixed rule: added condition 2020-01-07 15:20:16 +01:00
Florian Roth
48f5f480fd fix: SCCM false positives with whoami.exe rule 2020-01-07 12:13:47 +01:00
Florian Roth
fd28a64591 rule: WCE 2019-12-31 09:27:38 +01:00
Florian Roth
5980cb8d0c rule: copy from admin share - lateral movement 2019-12-30 14:25:43 +01:00
Florian Roth
86e6b92903 rule: SecurityXploded tool 2019-12-30 14:25:29 +01:00
Florian Roth
fc8607bbea rule: whoami as local system 2019-12-22 18:50:26 +01:00
Florian Roth
fb76f2b9ac rule: CreateMiniDump 2019-12-22 08:29:12 +01:00
Florian Roth
511229c0b6 rule: modified Bloodhound rule 2019-12-21 21:22:13 +01:00
Florian Roth
1fd4c26005
Merge pull request #569 from Neo23x0/devel 
rule: improved bloodhound rule
 2019-12-20 17:32:21 +01:00
Florian Roth
0fa5ba925e rule :improved bloodhound rule 2019-12-20 17:23:40 +01:00
Florian Roth
cbebaf637f
Merge pull request #568 from Neo23x0/devel 
Devel
 2019-12-20 16:22:29 +01:00
Florian Roth
0e82dce2a0 fix: fixed wrong condition 2019-12-20 16:11:39 +01:00
Florian Roth
0000257371 rule: improved bloodhound rule 2019-12-20 16:08:26 +01:00
Florian Roth
3a933c38f2 rule: changed level of BloodHound rule 2019-12-20 15:37:58 +01:00
Florian Roth
68efeb909d rule: false positive condition for BloodHound rule 2019-12-20 15:35:13 +01:00
Florian Roth
825b1edb0f
Merge pull request #567 from Neo23x0/devel 
Devel
 2019-12-20 15:32:56 +01:00
Florian Roth
708c17e2bc rule: Bloodhound 2019-12-20 14:59:36 +01:00
Florian Roth
ab038d1ac7 style: minor changes 2019-12-20 14:59:26 +01:00
Florian Roth
0a26184286
Merge pull request #563 from Neo23x0/devel 
Devel
 2019-12-17 14:48:07 +01:00
Florian Roth
c8b6b5c556 rule: updating csc.exe rule 2019-12-17 13:45:40 +01:00
Florian Roth
7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth
e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth
da06e5bc1c
Merge pull request #562 from Neo23x0/devel 
Improved PowerShell Encoded Command Rule
 2019-12-16 19:31:15 +01:00
Florian Roth
bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth
f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth
bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Florian Roth
7acfecbe66
Merge pull request #530 from bartblaze/master 
Add scriptlets
 2019-12-14 11:24:51 +01:00
Thomas Patzke
1369b3a2dc
Merge pull request #537 from webhead404/webhead404-contrib-sigma 
Added sigma rule to detect external devices or USB drive
 2019-12-13 21:50:01 +01:00
Thomas Patzke
7a280ae092
Merge pull request #557 from robrankin/fix_dupe_rule_name 
Elastalert error, duplicate rule titles
 2019-12-13 21:46:58 +01:00
Florian Roth
9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth
c25b902add
Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Vasiliy Burov
977551c69d
Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov
0dd4324aba
Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Rob Rankin
e251568760 Data Compressed duplciate titles 2019-12-09 16:24:10 +00:00
Rob Rankin
b771dd3d3b Rule name conflicts in Elastalert output 2019-12-09 16:14:28 +00:00
Florian Roth
e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth
c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00