Commit Graph

4580 Commits

Author SHA1 Message Date
Hasan
1764714e26 Rule to detect new TaskCache Entry 2021-06-15 17:08:14 +05:00
Hasan
1114a25a2c Removal of NODE from ALL filter for better coverage 2021-06-15 17:07:51 +05:00
Hasan
82bcfb29c3 Addition of Safemode flags 2021-06-15 17:07:02 +05:00
Florian Roth
1650d4638d Merge pull request #1548 from luffynextgen/master 2021-06-14 14:27:25 +02:00
    Create sysmon_svchost_cred_dump.yml
Florian Roth
0377a30893 fix: several issues 2021-06-14 09:42:25 +02:00
Florian Roth
59df5119c2 Merge pull request #1552 from frack113/fix_category 2021-06-14 09:34:15 +02:00
    Fix some sysmon categories
luffynextgen
6fd7979659 Update sysmon_svchost_cred_dump.yml 2021-06-14 08:52:16 +02:00
Florian Roth
3f46d0ea28 Update sysmon_outlook_newform.yml 2021-06-10 17:41:57 +02:00
frack113
fb2d0092f1 forgot to add modified 2021-06-10 17:27:15 +02:00
frack113
4e516414c9 Split to Convert eventID to correct category 2021-06-10 16:58:45 +02:00
frack113
a0aed54f7d Convert eventID 22 to category dns_query 2021-06-10 16:43:33 +02:00
Tobias Michalski
54e98c8441 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 16:41:22 +02:00
Tobias Michalski
1f52763878 Removed EventIDs 2021-06-10 16:41:00 +02:00
frack113
7cb10b5475 convert eventID to category 2021-06-10 16:36:14 +02:00
Tobias Michalski
e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth
83dddf99b4 Update win_exchange_TransportAgent.yml 2021-06-10 16:07:22 +02:00
Florian Roth
cd0531b345 fix: removed process_creation log source 2021-06-10 15:37:00 +02:00
Tobias Michalski
3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Tobias Michalski
b1913deaca Removed extra whitespace 2021-06-10 14:09:16 +02:00
luffynextgen
e170a4a12a Update sysmon_svchost_cred_dump.yml 2021-06-10 14:04:58 +02:00
    Following the advice given to me, I changed the category and the filter to be closer to the Sysmon field.
Tobias Michalski
56d200bad0 Fixed meta information 2021-06-10 12:44:19 +02:00
Tobias Michalski
bbc8633c67 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 11:32:08 +02:00
Tobias Michalski
4d6e7e1338 Rules persistence by exploiting Outlook or Exchange 2021-06-10 11:26:21 +02:00
Florian Roth
5e35e387dd Merge pull request #1549 from SigmaHQ/rule-devel 2021-06-10 10:19:47 +02:00
    Rule devel
Florian Roth
45c3d4702b Merge pull request #1520 from SyeedHasan/master 2021-06-10 09:51:29 +02:00
    Detection rule for 'ISO mounts'
Florian Roth
78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Florian Roth
9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth
04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth
f52ed7604c BabyShark Pattern 2021-06-10 09:41:36 +02:00
Florian Roth
28abdf3a81 Update win_iso_mount.yml 2021-06-10 09:31:40 +02:00
luffynextgen
c75d92410d Create sysmon_svchost_cred_dump.yml 2021-06-10 09:30:08 +02:00
Florian Roth
b2d0fbba2c Adjustments 2021-06-10 09:12:37 +02:00
Florian Roth
8a04bea6aa Merge pull request #1535 from mvelazc0/master 2021-06-08 16:14:52 +02:00
    Password Spraying Sigma Rules
Andreas Hunkeler
2d44803bf5 Revert renaming of ngrok rule 2021-06-08 13:09:35 +02:00
    Initially the rule had only a detection for RDP, but after my last commits we have more ports in detections, so the previous generic name is better.
Florian Roth
cfdf3b7c08 Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies 2021-06-08 11:02:34 +02:00
    Add T1490 PowerShell delete volume shadow copies
Florian Roth
07176ddb25 Merge pull request #1541 from frack113/win_tamper_with_windows_defender 2021-06-08 11:02:14 +02:00
    Windows tamper with Windows Defender
Florian Roth
242b56031f Merge pull request #1542 from Karneades/patch-1 2021-06-08 11:01:45 +02:00
    Update ngrok usage rule
frack113
c1f43cc4ca T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features 2021-06-08 09:32:01 +02:00
frack113
0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
Andreas Hunkeler
cea2d5cd81 Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler
e1ef13bb24 Update ngrok usage rule 2021-06-07 17:20:18 +02:00
    * Add further reference
    * Add new selection
    * Add WinRM and SMB ports to selection
    * Add authtoken string for authentication of an ngrok client
    * Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
frack113
5914e46d4a fix typo errors 2021-06-07 15:15:36 +02:00
frack113
e66a3f9513 T1562.001 Attempting to disable scheduled scanning and other parts of Windows Defender ATP. 2021-06-07 15:03:19 +02:00
frack113
43ccc07ad0 T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection 2021-06-07 10:09:21 +02:00
mvelazco
178df3f056 fixing title lengths 2021-06-04 10:57:52 -04:00
frack113
169f948ac2 Get a new error after another Atomic Test 2021-06-04 13:20:10 +02:00
frack113
3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
mvelazco
d8aa0ae124 adding references 2021-06-03 23:38:10 -04:00
mvelazco
d4f66f2af6 rolling back unwanted changes 2021-06-03 18:29:06 -04:00
mvelazco
7ebab6f872 Merge branch 'master' of github.com:mvelazc0/sigma 2021-06-03 18:26:09 -04:00