Commit Graph

782 Commits

Author SHA1 Message Date
S.kiran kumar
7db0351d6d
Update silenttrinity_stager_msbuild_activity.yml 2020-10-21 20:11:55 +05:30
S.kiran kumar
e474c26c90
Update silenttrinity_stager_msbuild_activity.yml 2020-10-21 20:07:31 +05:30
S.kiran kumar
e8611ca0a7
Update silenttrinity_stager_msbuild_activity.yml 2020-10-21 20:00:19 +05:30
S.kiran kumar
7ba3d7a9c8
Update silenttrinity_stager_msbuild_activity.yml 2020-10-21 19:58:13 +05:30
S.kiran kumar
7fbaacabb0
MITRE ATT&CK tags changes 2020-10-20 23:20:34 +05:30
S.kiran kumar
31ad3fcd6b
Mitre tags changed 2020-10-18 08:08:25 +05:30
Jonhnathan
d7eda3fe7e
Update sysmon_wmi_susp_scripting.yml 2020-10-15 20:15:22 -03:00
Jonhnathan
92aaeca075
Update sysmon_susp_powershell_rundll32.yml 2020-10-15 20:14:23 -03:00
Jonhnathan
26b36086c7
Update sysmon_cmstp_execution.yml 2020-10-15 20:13:39 -03:00
Jonhnathan
df81f5180d
Update sysmon_cactustorch.yml 2020-10-15 20:12:54 -03:00
S.kiran kumar
26af11985a
Update silenttrinity_stager_msbuild_activity.yml 2020-10-15 21:50:34 +05:30
S.kiran kumar
61ded7e0d7
Update silenttrinity_stager_msbuild_activity.yml 2020-10-15 19:22:41 +05:30
S.kiran kumar
0cb340a718
Update silenttrinity_stager_msbuild_activity.yml 2020-10-15 19:00:24 +05:30
Sander
a8b31dfa5e Fixed field typo 2020-10-15 15:27:11 +02:00
S.kiran kumar
b1b77c15ad
Update silenttrinity_stager_msbuild_activity.yml 2020-10-15 18:50:24 +05:30
Sander
02d49c091a Created rule regedit export to ads 2020-10-15 14:20:15 +02:00
S.kiran kumar
20a54d86b1
Update silenttrinity_stager_msbuild_activity.yml 2020-10-14 19:49:39 +05:30
S.kiran kumar
0d25660624
Update silenttrinity_stager_msbuild_activity.yml 2020-10-14 14:13:20 +05:30
S.kiran kumar
2fa7ae2c1c
Update silenttrinity_stager_msbuild_activity.yml 2020-10-14 13:04:49 +05:30
S.kiran kumar
6b25378a61
Removed * operator 2020-10-14 10:07:16 +05:30
S.kiran kumar
4fa6ca01ef
Changed category. 2020-10-14 10:05:41 +05:30
Thomas Patzke
f7c440b097
Merge pull request #1065 from nsaddler/oscd1
[OSCD] Accessing WinAPI in PowerShell. Credentials dumping Rule added
2020-10-13 22:33:14 +02:00
Thomas Patzke
0914c03acb
Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 2020-10-13 22:32:55 +02:00
Roberto Rodriguez
2cb540f95e 13 Rules from THP - Backlog Rules (old) 2020-10-13 03:33:55 -04:00
cyb3rward0g
354b6a9822 update - GitHub Action / Test Sigma 2020-10-12 23:07:02 -04:00
cyb3rward0g
72f35377b3 update - GitHub Action / Test Sigma 2020-10-12 22:11:01 -04:00
cyb3rward0g
644f222079 update - GitHub Action / Test Sigma 2020-10-12 21:58:02 -04:00
cyb3rward0g
491049b92a Updated - GitHub Action / Test Sigma 2020-10-12 21:34:07 -04:00
cyb3rward0g
21f41eaad9 16 rules from DH APT29 day 1 - contributing soon 2020-10-12 18:13:13 -04:00
cyb3rward0g
104b40ce8f 10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00
S.kiran kumar
bd5e7fda14
Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 21:26:44 +05:30
nsaddler
e94a47b9d3
Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 2020-10-12 18:33:43 +03:00
S.kiran kumar
27823763cb
Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 20:14:43 +05:30
S.kiran kumar
a640c1e151
Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 20:11:24 +05:30
S.kiran kumar
f1c9286a25
Updated minor changes
Change tags.
Change author (add "oscd.community").
Change date format.
Change logsource.
Change detection (use endswith as a modifier).
Change fields.
2020-10-12 20:06:36 +05:30
S.kiran kumar
c76eede1b8
Update silenttrinity_stager_communicating_to_c2.yml 2020-10-11 23:11:09 +05:30
S.kiran kumar
fbf5d2fdc4
Update silenttrinity_stager_communicating_to_c2.yml 2020-10-11 23:07:41 +05:30
S.kiran kumar
bddbe68235
Create silenttrinity_stager_communicating_to_c2.yml 2020-10-11 23:02:03 +05:30
S.kiran kumar
6b0b779480
Delete sysmon_silenttrinity _stager _communication _c2.yml 2020-10-11 23:00:52 +05:30
S.kiran kumar
6b10b998c9
Update sysmon_silenttrinity _stager _communication _c2.yml 2020-10-11 22:38:30 +05:30
S.kiran kumar
476ed7ec2d
Rename silenttrinity _stager _communication _c2.yml to sysmon_silenttrinity _stager _communication _c2.yml 2020-10-11 22:03:24 +05:30
S.kiran kumar
545a8c06ed
Rename Silenttrinity _Stager _Communication _C2.yml to silenttrinity _stager _communication _c2.yml 2020-10-11 21:53:45 +05:30
S.kiran kumar
9825b42de0
Rename Silenttrinity Stager Communication C2.yml to Silenttrinity _Stager _Communication _C2.yml 2020-10-11 21:38:19 +05:30
S.kiran kumar
a5bf538ad1
Rename Silenttrinity _Stager _Communication _To _C2.yml to Silenttrinity Stager Communication C2.yml 2020-10-11 21:34:55 +05:30
S.kiran kumar
7a4c2c5db5
Rename Silenttrinity Stager Communication To C2 to Silenttrinity _Stager _Communication _To _C2.yml 2020-10-11 21:16:45 +05:30
S.kiran kumar
28ccbe9034
Rename Silenttrinity stager communication to c2 to Silenttrinity Stager Communication To C2 2020-10-11 21:00:00 +05:30
S.kiran kumar
f82d163ded
Update Silenttrinity stager communication to c2 2020-10-11 20:33:08 +05:30
S.kiran kumar
f8c229bbf8
Update Silenttrinity stager communication to c2 2020-10-11 20:29:30 +05:30
S.kiran kumar
e5fd37aea6
Update Silenttrinity stager communication to c2 2020-10-11 20:25:49 +05:30
S.kiran kumar
672bf99c6b
Silenttrinity stager communication to c2 2020-10-11 19:45:58 +05:30
Nikita Nazarov
7c9c21cda0
Update sysmon_psexec_pipes_artifacts.yml 2020-10-07 14:43:25 +03:00
nsaddler
911bc514af
Rename sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml to sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 2020-10-07 12:26:30 +03:00
Наталья Шорникова
b6451fcc38 [OSCD] Accessing WinAPI in PowerShell. Credentials dumping Rule added 2020-10-07 12:17:29 +03:00
Nikita P. Nazarov
f455146a29 Detecting use of PsExec via pipe creation/access to pipes rule (#29 #30) 2020-10-05 18:08:20 +03:00
Steven
77cb49d057 Keep empty sysmon directory so tests will still run 2020-10-02 11:25:30 +02:00
Steven
8b74abe0bc - Created new categories for sysmon events
- Replaced the explicit EventIDs with the reference to the category
- Moved the rules to the corresponding directories
2020-09-30 20:44:14 +02:00
e6e6e
7ae76b8d99 Revert "att&ck tags review: windows/process_creation part 5"
This reverts commit e94c47e74e.
2020-09-07 01:28:08 +04:00
e6e6e
e94c47e74e att&ck tags review: windows/process_creation part 5
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-07 01:19:41 +04:00
Yugoslavskiy Daniil
5b70cfd3f7 review windows/sysmon 2020-08-29 02:03:28 +02:00
Florian Roth
2e29c07e83
Merge pull request #928 from duzvik/master
Create sysmon_abusing_azure_browser_sso.yml
2020-08-12 17:15:27 +02:00
Florian Roth
61a05ee054
reordered fields, changed indentation 2020-08-12 16:44:37 +02:00
Florian Roth
951c6fee8b
Update sysmon_password_dumper_lsass.yml 2020-07-23 14:31:21 +02:00
duzvik
a9b860d749
Update sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:24:49 +03:00
duzvik
d24e15cc27
Update sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:12:58 +03:00
duzvik
c5dfffdac0
Create sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:02:34 +03:00
Florian Roth
99ac4f1f3d fix: FPs with RedMimicry rule 2020-07-07 10:11:58 +02:00
Florian Roth
5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generalization 2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth
154181c6c8 fix: renamed files and line break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Florian Roth
b675c4c706 Merge branch 'master' into rule-devel 2020-06-19 09:24:26 +02:00
Florian Roth
4b0c80885f
Merge pull request #810 from EccoTheFlintstone/fp
add WMI module load false positives
2020-06-18 12:50:40 +02:00
Florian Roth
32ecb81630
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2
ATT&CK subtechniques v2
2020-06-18 09:10:09 +02:00
Ivan Kirillov
b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
ecco
99bfa14ae0 add 1 more FP 2020-06-17 12:49:27 -04:00
Florian Roth
0022705373 fix: filter not functional
since `UsrLogon.cmd` appears only in the `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
2020-06-17 16:09:44 +02:00
Ivan Kirillov
5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth
869162a5da
Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id
Rule lists extra Sysmon ID (11). Should just match registry events (1…
2020-06-15 20:19:27 +02:00
Florian Roth
3482e048fb
Merge pull request #841 from rtkbkish/fix-rule-match
Rule needs endswith, not exact match.
2020-06-15 20:19:12 +02:00
Brad Kish
dfae2a6df6 Rule needs endswith, not exact match.
Fix ImageLoaded filter to match with endswith, rather than exact match.
2020-06-15 13:54:02 -04:00
Brad Kish
a9c6fa904f Rule lists extra Sysmon ID (11). Should just match registry events (12-14)
Remove extraneous event ID 11. It will never match.
2020-06-15 13:52:12 -04:00
Brad Kish
422b2bffd7 Fix rules with incorrect escaping of wildcards
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
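The two fixes above (the `endswith` modifier commit and the wildcard-escaping commit) both come down to how a Sigma string value is turned into a match. The Python below is an illustration added here, not code from the Sigma project or from the commits listed: it implements the escaping rules from the Sigma rule specification (`\*` is a literal asterisk, `\\*` is a backslash followed by a real wildcard, a backslash before any other character is literal) together with the `contains`/`startswith`/`endswith` modifiers, and runs them over a constructed `ImageLoaded` path. The function names `sigma_to_regex` and `sigma_match` and the sample path are assumptions of this example; real Sigma backends translate to their own query languages and may differ in detail.

```python
"""Sigma string escaping and modifiers, as an added illustration (not Sigma project code)."""
import re
from typing import Dict, List, Optional

ESCAPE = "\\"
WILDCARDS = {"*": ".*", "?": "."}


def sigma_to_regex(value: str, modifier: Optional[str] = None) -> str:
    r"""Translate one Sigma string value into a regular expression.

    Escaping rules (Sigma rule specification):
      \*  \?   escaped wildcard: match the literal character
      \\*      escaped backslash, then a real wildcard
      \\\*     escaped backslash, then a literal wildcard
      \x       backslash before any other character is a literal backslash
    Unescaped '*' and '?' are wildcards. The result is meant for re.fullmatch,
    so the modifiers pad the pattern with '.*' on the open side(s).
    """
    out: List[str] = []
    escaped = False
    for ch in value:
        if escaped:
            if ch == ESCAPE or ch in WILDCARDS:
                out.append(re.escape(ch))                        # escaped -> literal
            else:
                out.append(re.escape(ESCAPE) + re.escape(ch))    # literal backslash + ch
            escaped = False
        elif ch == ESCAPE:
            escaped = True
        elif ch in WILDCARDS:
            out.append(WILDCARDS[ch])                            # real wildcard
        else:
            out.append(re.escape(ch))
    if escaped:                                                  # trailing backslash is literal
        out.append(re.escape(ESCAPE))

    body = "".join(out)
    if modifier is None:
        return body
    if modifier == "contains":
        return ".*" + body + ".*"
    if modifier == "startswith":
        return body + ".*"
    if modifier == "endswith":
        return ".*" + body
    raise ValueError(f"unsupported modifier: {modifier}")


def sigma_match(value: str, field_value: str, modifier: Optional[str] = None) -> bool:
    """True if a log field value matches a Sigma value (case-insensitive, as Sigma is)."""
    pattern = sigma_to_regex(value, modifier)
    return re.fullmatch(pattern, field_value, re.IGNORECASE | re.DOTALL) is not None


# Constructed sample field value (not real telemetry) for the demonstration.
SAMPLE_IMAGE_LOADED = r"C:\Windows\System32\cmd.exe"


def demo() -> Dict[str, bool]:
    """Show the two defects the commits describe against the sample path."""
    return {
        # exact match vs endswith: a bare file name never equals a full path
        "exact cmd.exe": sigma_match("cmd.exe", SAMPLE_IMAGE_LOADED),
        "endswith \\cmd.exe": sigma_match("\\cmd.exe", SAMPLE_IMAGE_LOADED, "endswith"),
        # wrong escaping: '\*' is a literal asterisk, so the path can never match
        r"C:\Windows\*": sigma_match(r"C:\Windows\*", SAMPLE_IMAGE_LOADED),
        # correct escaping: '\\*' is a backslash followed by a wildcard
        r"C:\Windows\\*": sigma_match(r"C:\Windows\\*", SAMPLE_IMAGE_LOADED),
    }


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label:22} -> {hit}")
```

Running it shows the literal-asterisk pattern and the exact-match pattern both returning False against a normal full path, which is the "will never match" class of bug both commits fix; the check is cheap enough to run over a rule set before publishing it.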
Florian Roth
97c45f9d46
Merge pull request #812 from tliffick/master
added new rules for malware
2020-06-10 17:37:19 +02:00
Florian Roth
f553fb2e33
Cosmetics 2020-06-10 16:35:14 +02:00
Florian Roth
48e4e31713
Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll
Fax Service DLL search order hijacking detection
2020-06-10 16:33:12 +02:00
Florian Roth
1a9da23611
Merge pull request #825 from NVISO-BE/sysmon_office_persistence
Office persistence by addin detection
2020-06-10 16:32:50 +02:00
Remco Hofman
8adaa2d672 Fixed bad indentation 2020-06-10 15:02:41 +02:00
Remco Hofman
83a6e25bcb Fax Service DLL search order hijacking 2020-06-10 15:01:07 +02:00
Remco Hofman
cb8e478ac1 Sigma rule to detect Office persistence via addin. 2020-06-10 14:52:13 +02:00
Florian Roth
5c835cf1f2
Merge pull request #813 from ozirus/patch-1
Create sysmon_apt_muddywater_dnstunnel.yml
2020-06-09 18:44:45 +02:00
Florian Roth
7a334a8d8a
fix: missed line 2020-06-09 17:30:54 +02:00
Florian Roth
04913a4b95
Aligned indentation 2020-06-09 17:20:25 +02:00
Florian Roth
6e349030d9 rule: suspicious camera and mic access 2020-06-08 10:18:44 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel
Rule devel
2020-06-06 14:19:37 +02:00
Florian Roth
3697186281 fix: fixed title 2020-06-06 14:04:40 +02:00