valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5,916 Commits 20 Branches 25 Tags 21 MiB
20c5356c9e
Commit Graph

5916 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Bhabesh Rai
dac229a8bb Added rule for Oracle WebLogic Exploit CVE-2021-2109 2021-01-20 14:28:18 +05:45
Florian Roth
eedc483be4 rework: impossible rule with Sysmon 2021-01-19 14:12:40 +01:00
Florian Roth
fdc969385a rule: plink anomaly rules 2021-01-19 12:39:40 +01:00
Florian Roth
7162528a1a
docs: removed CVE 2021-01-15 13:25:10 +01:00
Florian Roth
3d2c6a118d
Merge pull request #1332 from 2d4d/master 
Add xHunt Campaign: BumbleBee Webshell
 2021-01-13 18:19:01 +01:00
Florian Roth
d58cdeab3a
Merge pull request #1331 from Neo23x0/rule-devel 
rule: NTFS vulnerability
 2021-01-12 09:09:33 +01:00
Arnim Rupp
b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth
cf37abee4d
docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp
5d80d634c3 Add xHunt Campaign: BumbleBee Webshell 
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 2021-01-11 19:44:07 +01:00
Florian Roth
a0fccf8647 rule: NTFS vulnerability 
https://twitter.com/jonasLyk/status/1347900440000811010
 2021-01-11 14:51:26 +01:00
Bhabesh Rai
93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth
c571285fd8
Merge pull request #1329 from Neo23x0/rule-devel 
Rule devel
 2021-01-09 11:32:36 +01:00
Florian Roth
63cc0d23c6 changes provided by FPT.EagleEye Team in 
https://github.com/Neo23x0/sigma/pull/1218/files
 2021-01-09 10:38:20 +01:00
Florian Roth
19171f5bed
Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule 
Split up cmstp rule into 3 separate rules and remove duplicates
 2021-01-09 10:30:33 +01:00
Florian Roth
947925d81f
Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic 
Update the azure image_load rule to be a generic sysmon rule
 2021-01-09 10:29:52 +01:00
Florian Roth
04f7766d7a
Merge pull request #1319 from hieuttmmo/master 
Detect Emotet DLL loading by looking rundll32.exe
 2021-01-09 10:29:24 +01:00
Florian Roth
1a8bb9c991
Merge pull request #1327 from 2d4d/master 
more AV event and suspicious commands
 2021-01-09 10:28:30 +01:00
GlebSukhodolskiy
3f519ffa20
Just Check 2021-01-07 21:31:51 +03:00
Arnim Rupp
d5de3fe5f9 more AV event and suspicious commands 
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
 2021-01-07 17:54:19 +01:00
Florian Roth
30dcc28a1f Cisco ASA FTD Exploit CVE-2020-3452 2021-01-07 13:17:58 +01:00
Florian Roth
11c216629b fix: thor sources for applocker with wrong prefix 2021-01-07 12:27:37 +01:00
GlebSukhodolskiy
da5ec4e952
Update win_wmi_persistence.yml 
Removed sequence of EIDs in Windows Security section.
 2021-01-06 16:50:28 +03:00
yugoslavskiy
05c91cd12f
Merge pull request #1238 from alx1m1k/oscd-3 
[OSCD] T1030: Split A File Into Pieces - Lin/macOS
 2021-01-06 00:33:12 +03:00
yugoslavskiy
057c33354a
Merge pull request #1237 from alx1m1k/oscd-2 
[OSCD] T1027.001: Binary Padding - Lin/macOS
 2021-01-06 00:33:05 +03:00
yugoslavskiy
befcad2df7
Merge pull request #1234 from w0rk3r/oscd1 
[OSCD] Update win_susp_replace_lolbin.yml
 2021-01-06 00:32:55 +03:00
yugoslavskiy
6ebcb10abd
Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution 
[OSCD] Added a rule to detect execution of runonce with suspicious parameters
 2021-01-06 00:32:44 +03:00
yugoslavskiy
3bf1663503
Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker 
[OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
 2021-01-06 00:32:35 +03:00
yugoslavskiy
e4c302bf6f
Merge pull request #1231 from vburov/patch-16 
[OSCD] Detects LockerGoga Ransomware command line.
 2021-01-06 00:30:08 +03:00
yugoslavskiy
2985836e36
Merge pull request #1140 from omkar72/oscd-5 
[OSCD] adding shortened commands for Netsh in the existing rule
 2021-01-06 00:24:43 +03:00
yugoslavskiy
d25ca9b280
Merge pull request #1229 from zinint/1009-19-1 
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
 2021-01-06 00:24:08 +03:00
yugoslavskiy
7889df6644
Merge pull request #1227 from stvetro/oscd-runscripthelper 
[OSCD] - Runscripthelper.exe runs script (LoLBin)
 2021-01-06 00:24:00 +03:00
yugoslavskiy
0ed153237e
Merge pull request #1226 from stvetro/oscd-winword 
[OSCD] - Force winword.exe to load DLL (LoLBin)
 2021-01-06 00:23:52 +03:00
yugoslavskiy
1d2f027035
Merge pull request #1224 from stvetro/oscd 
[OSCD] Verclsid.exe Runs COM Object (LOLBin)
 2021-01-06 00:23:45 +03:00
yugoslavskiy
f4578b0698
Merge pull request #1223 from zinint/1009-23-1 
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
 2021-01-06 00:23:33 +03:00
yugoslavskiy
23519e47cd
Merge pull request #1222 from feedb/oscd 
[OSCD] zer0w
 2021-01-06 00:23:25 +03:00
yugoslavskiy
93718975fb
Merge pull request #1221 from grikos/OSCD_117_128 
[OSCD] suspicious csi.exe (rcsi.exe)  LOLBAS detection rule
 2021-01-06 00:23:13 +03:00
yugoslavskiy
cd62929bb0
Merge pull request #1220 from aw350m33d/PS_exec_via_redirected_input_stream 
[OSCD] LOLBIN 5 PowerShell with redirection of the input stream.
 2021-01-06 00:23:06 +03:00
yugoslavskiy
70eff4b1fc
Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37 
[OSCD] Add Files Dropped to Program Files by Non-Priviledged Process Rule
 2021-01-06 00:22:57 +03:00
yugoslavskiy
a5bbccf16c
Merge pull request #1214 from tas-kmanager/mt-oscd-sigma547-48-alternative 
[OSCD] Always Install Elevated Alternative
 2021-01-06 00:22:37 +03:00
yugoslavskiy
a217a3cfc7
Merge pull request #1213 from alx1m1k/oscd 
[OSCD] T1552.003: Suspicious history file operations - Linux/macOS
 2021-01-06 00:21:19 +03:00
yugoslavskiy
066be03c19
Merge pull request #1212 from aleqs4ndr/oscd-2020 
[OSCD] Added a rule to detect possible Zerologon exploitation
 2021-01-06 00:21:12 +03:00
yugoslavskiy
29fe6e46d8
Merge pull request #1211 from zipa-original/win_persistence_telemetry 
[OSCD] Added a rule to detect abusing windows telemetry for persistence
 2021-01-06 00:20:51 +03:00
yugoslavskiy
c71e0ae0ea
Merge pull request #1209 from vburov/patch-15 
[OSCD] Create win_susp_multiple_files_renamed_or_deleted.yml
 2021-01-06 00:19:41 +03:00
yugoslavskiy
38661bbc10
Merge pull request #1208 from NikitaStormwind/RTT(17) 
[OSCD] Atomic Red Team: Detected Windows Software Discovery (T1518)
 2021-01-06 00:19:20 +03:00
yugoslavskiy
2cf1994763
Merge pull request #1206 from w0rk3r/oscd5 
[OSCD] Windows - Suspicious Service DACL Modification
 2021-01-06 00:18:53 +03:00
yugoslavskiy
aad2838f58
Merge pull request #1198 from tas-kmanager/mt-oscd-sigma547-50-rule2 
[OSCD] Always Install Elevated - Slide 50 - Rule 2
 2021-01-06 00:18:44 +03:00
yugoslavskiy
e0286abb62
Merge pull request #1197 from w0rk3r/oscd_rules_improvement2 
[OSCD] Small improvements on others rules
 2021-01-06 00:18:36 +03:00
yugoslavskiy
0b7babaa84
Merge pull request #1196 from tas-kmanager/mt-oscd-sigma547-50-rule1 
[OSCD] Always Install Elevated - Slide 50 - Rule 1
 2021-01-06 00:18:26 +03:00
yugoslavskiy
fc1fa23440
Merge pull request #1191 from vburov/patch-14 
[OSCD] Create powershell_cmdline_special_characters.yml
 2021-01-06 00:18:12 +03:00
yugoslavskiy
8e50eeb4a9
Merge pull request #1187 from nsaddler/lolbas108 
[OSCD] LOLBAS Manage-bde.yml
 2021-01-06 00:18:02 +03:00