valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,336 Commits 20 Branches 25 Tags 21 MiB
1764714e26
Commit Graph

4580 Commits

Author SHA1 Message Date
Florian Roth
8d834cf681
Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access 
Add Windows Defender on WL
 2021-05-27 12:54:15 +02:00
Florian Roth
d8827fc29d
Merge pull request #1481 from ZikyHD/improve_win_tool_psexec 
Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule
 2021-05-27 12:53:56 +02:00
Florian Roth
1bf9546fad
Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file 
Exclude dism.exe
 2021-05-27 12:53:27 +02:00
Florian Roth
9239690ef3
Merge pull request #1488 from dacelbot/master 
Contribute AWS snapshot exfiltration rule
 2021-05-27 12:52:46 +02:00
Florian Roth
a80c29a7c2
Merge pull request #1491 from w0rk3r/patch-1 
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
 2021-05-27 12:52:14 +02:00
Florian Roth
059e669ac6
Merge pull request #1496 from frack113/falsepositives_NOT_a_list 
Fix rule where Falsepositives not a valid value
 2021-05-27 12:51:54 +02:00
Florian Roth
e397a2974e
Merge pull request #1511 from frack113/fix_missing_eventid_Obfuscation 
Fix missing eventid when converting windows obfuscation rules
 2021-05-27 12:51:22 +02:00
Florian Roth
3cd2730a26 rule: process hacker priv esc 2021-05-27 12:49:54 +02:00
Florian Roth
c0b93a010c NCCGroup rules from rclone blog post 
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 2021-05-27 12:49:40 +02:00
Florian Roth
7812a4217c rule: regedit as trustedinstaller 2021-05-27 11:36:05 +02:00
Florian Roth
b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth
adbdb5b22f
Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
frack113
2a68700991 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:43:08 +02:00
frack113
30cc64a349 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:41:19 +02:00
frack113
e4c32c353a use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:39:16 +02:00
frack113
a878f3b0a5 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:36:47 +02:00
frack113
cbce61bc8c use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:34:46 +02:00
frack113
8d8df10687 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:31:57 +02:00
frack113
ce53a5a67b use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:30:00 +02:00
frack113
417da3ac95 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:28:06 +02:00
frack113
f0d1c9aa7d use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:26:08 +02:00
frack113
788ebbafdc use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:20:29 +02:00
Florian Roth
a5fe7af25f Cobalt Strike Service Installation 2021-05-26 18:05:38 +02:00
Florian Roth
c1cebe627a refactor: reworked CS pipe rule 2021-05-26 17:22:34 +02:00
Florian Roth
ba12057919
Merge pull request #1505 from WojciechLesicki/master 
Update rule regarding other named pipe
 2021-05-26 14:35:22 +02:00
Florian Roth
8aabb58eca
Merge pull request #1498 from w0rk3r/otrf 
Update broken OTRF Threat Hunter Playbook References
 2021-05-26 13:06:16 +02:00
WojciechLesicki
8b707bc948 Added also \status_ pipe. 2021-05-25 21:58:22 +02:00
WojciechLesicki
f1a0308e73 Add one more pipe, references etc. 2021-05-25 21:07:23 +02:00
Bhabesh Rai
cc9ac2ddcf Added rule for PowerView's malicious cmdlets 2021-05-25 21:04:32 +05:45
WojciechLesicki
38552e98cf Adding some pipes 2021-05-25 15:47:34 +02:00
frack113
3717c68bb7 fix typo of level 2021-05-24 10:45:58 +02:00
frack113
104a004b3d fix typo of tags 2021-05-24 10:41:17 +02:00
frack113
afb3d63900 fix typo of fields 2021-05-24 10:37:14 +02:00
frack113
1fcd0bf951 fix typo of fields 2021-05-24 10:34:56 +02:00
frack113
a1bddf51e7 fix typo of falsepositives 2021-05-24 10:31:28 +02:00
Florian Roth
211bf35640 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-05-22 15:45:40 +02:00
Florian Roth
02323043d7 Create web_cve_2021_26814_wzuh_rce.yml 2021-05-22 15:45:38 +02:00
Florian Roth
576e047e76
Delete win_susp_Register_cimprovider.yml 2021-05-22 15:43:41 +02:00
Florian Roth
4c281d117c fix: bug in rule syntax 2021-05-22 15:31:23 +02:00
Florian Roth
9b7fb0c0f3 Update win_susp_shell_spawn_from_winrm.yml 2021-05-22 15:28:50 +02:00
Florian Roth
7e1ac347ef Merge branch 'master' into rule-devel 2021-05-22 15:27:32 +02:00
Florian Roth
c0d58cb7f9 PAExec and PSexec rules 2021-05-22 10:52:01 +02:00
Jonhnathan
687f2d67fc
Update Threat Hunter Playbook Reference 2021-05-22 01:09:30 -03:00
Jonhnathan
7f335cbb4a
Update Threat Hunter Playbook Reference 2021-05-22 01:08:23 -03:00
Jonhnathan
34e2a81371
Update Threat Hunter Playbook Reference 2021-05-22 01:04:53 -03:00
Jonhnathan
89cfef9d49
Update Threat Hunter Playbook Reference 2021-05-22 01:04:20 -03:00
Jonhnathan
26ecbea0ba
Update Threat Hunter Playbook Reference 2021-05-22 01:03:49 -03:00
Jonhnathan
4ebdcf2f1d
Update Threat Hunter Playbook Reference 2021-05-22 01:03:23 -03:00
Jonhnathan
c7f7eb6698
Update Threat Hunter Playbook Reference 2021-05-22 01:02:43 -03:00
Jonhnathan
5f6c19f203
Update Threat Hunter Playbook Reference 2021-05-22 01:02:19 -03:00
Jonhnathan
627a83914a
Update Threat Hunter Playbook Reference 2021-05-22 01:01:33 -03:00
Jonhnathan
3853d71c56
Update Threat Hunter Playbook Reference 2021-05-22 01:01:07 -03:00
Jonhnathan
e218c32a4c
Update Threat Hunter Playbook Reference 2021-05-22 01:00:39 -03:00
Jonhnathan
1b32a5c0f3
Update Threat Hunter Playbook Reference 2021-05-22 00:59:54 -03:00
Jonhnathan
93087d2130
Update Threat Hunter Playbook Reference 2021-05-22 00:59:35 -03:00
Jonhnathan
d3afed53ac
Update Threat Hunter Playbook Reference 2021-05-22 00:59:04 -03:00
Jonhnathan
7007287832
Update Threat Hunter Playbook Reference 2021-05-22 00:58:23 -03:00
Jonhnathan
2e139b4264
Update win_protected_storage_service_access.yml 2021-05-22 00:57:25 -03:00
Jonhnathan
085218b25a
Update Threat Hunter Playbook Reference 2021-05-22 00:57:01 -03:00
Jonhnathan
3fb5f1c47e
Update Threat Hunter Playbook Reference 2021-05-22 00:56:32 -03:00
Jonhnathan
943e2c8c88
Update Threat Hunter Playbook Reference 2021-05-22 00:56:03 -03:00
Jonhnathan
9765fcbd0c
Update Threat Hunter Playbook Reference 2021-05-22 00:55:29 -03:00
Jonhnathan
e23147111b
Update Threat Hunter Playbook Reference 2021-05-22 00:54:57 -03:00
frack113
dec9e68876 Fix falsepositives list 2021-05-21 12:38:44 +02:00
frack113
1e2f7c7abf Fix falsepositives list 2021-05-21 12:35:37 +02:00
frack113
0a588a1ecc Fix falsepositives list 2021-05-21 12:33:50 +02:00
frack113
168d5c9dff Fix falsepositives list 2021-05-21 12:32:24 +02:00
frack113
1d1170e8ba Fix falsepositives list 2021-05-21 12:31:01 +02:00
frack113
a6cadc6de5 Fix falsepositives list 2021-05-21 12:29:28 +02:00
frack113
ad376a8328 Fix falsepositives list 2021-05-21 12:28:12 +02:00
frack113
2197514fc5 Fix falsepositives list 2021-05-21 12:26:37 +02:00
frack113
48a7e80192 Fix falsepositives list 2021-05-21 12:24:25 +02:00
frack113
6630ec7c41 Fix falsepositives list 2021-05-21 12:23:09 +02:00
frack113
a9e85ca58e Fix falsepositives list 2021-05-21 12:22:36 +02:00
frack113
f4be70aa9e Fix falsepositives list 2021-05-21 12:19:17 +02:00
frack113
f312663820 Fix falsepositives list 2021-05-21 11:29:17 +02:00
frack113
6878bfade9 Fix falsepositives list 2021-05-21 11:17:36 +02:00
frack113
cabaccceb8 Fix falsepositives list 2021-05-21 11:15:10 +02:00
frack113
45190c3874 Fix falsepositives list 2021-05-21 11:13:27 +02:00
frack113
dfe7e4e38c Fix falsepositives list 2021-05-21 11:12:04 +02:00
Florian Roth
a0efd7a4dc
Merge pull request #1494 from Karneades/patch-1 
Add keyword WinRM to remote powershell rules
 2021-05-21 10:35:18 +02:00
Andreas Hunkeler
e58c59dcfd
Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00
Andreas Hunkeler
d8ec5fa6af
Add modified field in WinRM rule 2021-05-21 09:28:45 +02:00
Florian Roth
a30391f3b4
Merge pull request #1495 from SigmaHQ/rule-devel 
rule refactoring: Cobalt Strike service start
 2021-05-20 17:43:29 +02:00
Andreas Hunkeler
93241e7fc6
Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler
b46f65965d
Add keyword WinRM to remote powershell network rule 2021-05-20 17:02:17 +02:00
Andreas Hunkeler
3763e54b99
Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Andreas Hunkeler
226a666827 rule: add rule to detect shell spawn from WinRM host process 2021-05-20 16:05:13 +02:00
Florian Roth
ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
Jonhnathan
1cf7bb5735
Add Hex equivalent of WriteData 2021-05-19 10:27:20 -03:00
Darin Smith
e921181f4b Add AWS snapshot exfiltration rule 2021-05-17 13:00:01 -07:00
SomeOne
e46ae5a28c Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution rule 2021-05-16 16:03:33 +02:00
SomeOne
a93acbbe03 Exclude dism.exe 2021-05-16 15:23:31 +02:00
SomeOne
53b21d1afe Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule 2021-05-16 15:03:58 +02:00
SomeOne
a788cd43ee Add Windows Defender on WL 2021-05-16 14:10:33 +02:00
Florian Roth
5a3af872d8
Merge pull request #1479 from SigmaHQ/rule-devel 
Rule devel, Trademark test
 2021-05-15 13:42:34 +02:00
Florian Roth
9b32e72d0b fix: syntax issue 2021-05-15 13:19:12 +02:00
Florian Roth
02bf32ce6c fixed more legal issues 2021-05-15 13:09:08 +02:00
Florian Roth
48757423ef rule darkside patterns 2021-05-14 18:06:53 +02:00
Florian Roth
a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth
e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
Florian Roth
3cf1be9e8d rule: exchange vulnerability CVE-2021-28480 2021-05-14 10:08:41 +02:00
Florian Roth
30bee7204c
Merge pull request #1475 from wagga40/master 
Modified some field values for case sensitive backends (SQL)
 2021-05-14 08:59:39 +02:00
Florian Roth
83068416fa
Merge pull request #1458 from P4rtyH4RD/P4rtyH4RD-patch-1-mitre-code 
Update powershell_suspicious_getprocess_lsass.yml
 2021-05-14 08:59:14 +02:00
wagga40
8944ccea04 Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113
cccfb3e59e file_event is a category 2021-05-12 09:05:52 +02:00
frack113
0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113
fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
frack113
ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113
cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
frack113
70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113
026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
Bhabesh Rai
48487385ef Preserved creation date 2021-05-11 19:17:32 +05:45
Florian Roth
7d7f8c90ec
Merge pull request #1443 from icthieves/patch-3 
Update win_scm_database_privileged_operation.yml
 2021-05-11 15:00:20 +02:00
Florian Roth
980ea97217
Merge pull request #1444 from icthieves/patch-2 
Update win_scm_database_handle_failure.yml
 2021-05-11 15:00:09 +02:00
Florian Roth
3564cf81f9
Merge pull request #1460 from neu5ron/patch-1 
[Add Rule] Zeek Suspicious DNS Z Flag Set
 2021-05-11 14:59:48 +02:00
Florian Roth
7bc733a3cf
Merge pull request #1473 from frack113/master 
Correct the sysmon case-sensitive Key
 2021-05-11 14:59:20 +02:00
Florian Roth
0fcbce9932
Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml 
Got Rid of References that are no longer valid.
 2021-05-11 14:32:47 +02:00
Florian Roth
85736ad859
Merge pull request #1467 from 2d4d/master 
Update av_webshell.yml
 2021-05-11 14:32:11 +02:00
frack113
f07c368ae0 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113
c4c720cc30 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113
720dd24814 Correct cast-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
frack113
a1b0dfc0cd Correct cast-sensitive Key "DestinationIp" 2021-05-11 10:49:10 +02:00
Bhabesh Rai
d90965af38 Updated rule for Advanced IP Scanner 2021-05-10 20:28:37 +05:45
Florian Roth
67e807983c
Merge pull request #1470 from SigmaHQ/rule-devel 
New CS rule for malformed UAs, FP fixes
 2021-05-10 13:40:27 +02:00
Florian Roth
416030a85f rule: cobaltstrike malformed UAs 2021-05-10 12:43:14 +02:00
Florian Roth
fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth
270aedfd62
Merge pull request #1469 from d4rk-d4nph3/master 
Added rule for RClone usage for exfiltration
 2021-05-10 10:50:35 +02:00
Bhabesh Rai
9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Nate Guagenti
0bee1b006f
fix - add date 2021-05-08 21:37:25 -04:00
Arnim Rupp
b9fc257124 Update av_relevant_files.yml 
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
 2021-05-09 00:03:47 +02:00
Arnim Rupp
ad3b829f2d Update av_webshell.yml 
Added new strings and moved some from startwith to contains.
 2021-05-08 08:49:17 +02:00
Austin Songer
39a21a9e89
Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth
384f40aa5b
Merge pull request #1464 from d4rk-d4nph3/master 
Added rule for Moriya rootkit
 2021-05-06 18:15:53 +02:00
Florian Roth
453fa0f299
Update win_moriya_rootkit.yml 2021-05-06 15:24:21 +02:00
Florian Roth
79c11a5cba
Update win_moriya_rootkit.yml 2021-05-06 14:59:28 +02:00
Bhabesh Rai
e5f95cac0c Added rule for Moriya rootkit 2021-05-06 17:29:20 +05:45
phantinuss
da533c7425
fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss
254a3bb122
new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
phantinuss
4b520de373
new rule detecting ld.so preload persistence by keyword 2021-05-05 15:12:07 +02:00
Florian Roth
9e662b9159
Update sysmon_vuln_dell_driver_load.yml 2021-05-05 14:31:01 +02:00
Florian Roth
80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth
c4ad770830
Merge pull request #1462 from SigmaHQ/rule-devel 
Rule devel
 2021-05-05 13:21:30 +02:00
Florian Roth
8497c8a9e6 fix: linux keywords rule 2021-05-05 12:56:24 +02:00
Florian Roth
615a284de3
Merge pull request #1461 from d4rk-d4nph3/master 
Added rule for Pingback backdoor
 2021-05-05 12:42:27 +02:00
Florian Roth
44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00
Florian Roth
0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
Florian Roth
29f26e0ae0 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-05-05 11:55:52 +02:00
Florian Roth
15ab1d5e8b Create lnx_symlink_etc_passwd.yml 2021-05-05 11:55:49 +02:00
Bhabesh Rai
4529fbd1f3 Fixed too many spaces after hyphen error 2021-05-05 12:48:29 +05:45