Commit Graph

39 Commits

Author SHA1 Message Date
Bhabesh Rai
206adbb2b6 Merging upstream updates 2021-07-01 12:18:30 +05:45
Bhabesh Rai
93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Daniel Masse
d2edf715f2 Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00
Florian Roth
f20f346a6a
Merge pull request #1264 from omkar72/sdev-1
Adding 2 rules - Conhost & office test registry persistence
2020-12-21 18:28:59 +01:00
Florian Roth
e78d7e6aee
Merge pull request #1296 from mat-gas/fix-references
fix "references" field + add test for references in plural form
2020-12-21 18:25:35 +01:00
OG
70fb078a56 Update sysmon_office_test_regadd.yml 2020-11-29 18:02:37 +05:30
mat
b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
omkar72
86a849728d ryuk changes 2020-10-30 13:15:11 +05:30
omkargudhate22
df07d53fea formatting values 2020-10-25 18:23:29 +05:30
omkar72
021842eaa3 office test reg 2020-10-25 12:36:08 +05:30
omkargudhate22
4487d9cc7e added event type & changed technique 2020-10-02 09:22:14 +05:30
omkargudhate22
68a992d903 updated name 2020-09-27 21:57:19 +05:30
omkargudhate22
e7c8197e34 Updated fields & renamed 2020-09-27 21:52:59 +05:30
omkargudhate22
ebe3dce1d7 Update sysmon_comhijack_uac_bypass.yml 2020-09-27 21:44:41 +05:30
omkar72
3f148e6c7c COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt. 2020-09-27 21:19:04 +05:30
Yugoslavskiy Daniil
1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Alexey Lednyov
7834fdd750 att&ck tags review: windows/registry_event 2020-09-06 22:10:44 +03:00
ecco
de4810233c remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64 2020-08-18 05:28:37 -04:00
Aidan Bracher
2d227a08c5 Updated suspicious service with sub-techniques 2020-07-18 02:40:22 +01:00
Aidan Bracher
97452a9df3 Update to include sub-technique mapping 2020-07-18 02:38:47 +01:00
Florian Roth
992bf676f9 Update sysmon_apt_pandemic.yml 2020-07-16 08:48:32 +02:00
Daniel Masse
0489a50bd0 Change the selection from Command to CommandLine in a couple of rules 2020-07-15 15:55:26 -04:00
Florian Roth
3ab5eb97d8
Merge pull request #901 from brachera/master
rule: Leviathan registry key
2020-07-10 16:42:02 +02:00
Florian Roth
5de82628fa Update sysmon_apt_leviathan.yml 2020-07-10 15:41:55 +02:00
Thomas Patzke
2032a1e7fd
Merge pull request #898 from rtkbkish/fix-uac-registry
Proposed fix for sysmon_uac_bypass_eventvwr
2020-07-07 22:29:39 +02:00
Aidan Bracher
90983dcc4b add level field to rule 2020-07-07 14:28:18 +01:00
Aidan Bracher
f549a14d9a rule: Leviathan registry key 2020-07-07 13:27:57 +01:00
Brad Kish
c758ca0eb9 Re-fix sysmon rules that are lost changes with category refactoring.
Several fixes for sysmon rules got lost when the rules were refactored to use
categories.

Re-add the fixes.

38afd8b5de

422b2bffd7

dfae2a6df6
2020-07-06 10:55:42 -04:00
Brad Kish
7e06fd80fd Proposed fix for sysmon_uac_bypass_eventvwr
Issue: https://github.com/Neo23x0/sigma/issues/888

The rules were not merged correctly with the transition to sysmon categories.

Split the rule into separate documents: one for the registry_event and one for
the process_creation
2020-07-06 09:20:34 -04:00
Brad Kish
4b31633355 Fixes for rules in new sysmon registry_event category
To be consistent with the behaviour of the other rules, the eventID should not
be specified as part of the rule. The category defines the eventID.
2020-07-03 16:20:37 -04:00
Florian Roth
5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth
4c4ed1a4a2 fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generalization 2020-07-01 10:58:39 +02:00
Florian Roth
154181c6c8 fix: renamed files and line break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Steven Goossens
e5f36dd146 Added rules files split into folders 2020-06-10 16:32:30 +02:00