Commit Graph

6275 Commits

Author SHA1 Message Date
Austin Songer
9faca2f3dc
Update onelogin_assumed_another_user.yml 2021-10-11 22:54:05 -05:00
Austin Songer
0978ca92d8
Update onelogin_assumed_another_user.yml 2021-10-11 21:18:31 -05:00
austinsonger
0bf9f1cfd6 Onelogin Rules 2021-10-11 21:03:48 -05:00
frack113
b9fc29bc05
Merge pull request #2131 from frack113/Powershell
Powershell order
2021-10-11 15:43:32 +01:00
hieuttmmo
be314ae8bb
Merge branch 'SigmaHQ:master' into master 2021-10-10 16:06:54 +04:00
Tran Trung Hieu
5fdaefc77d Azure Security Operations for Privileged Accounts 2021-10-10 16:06:28 +04:00
frack113
d081d20a13
Merge pull request #2119 from austinsonger/privilege_escalation_pass_role_to_lambda_function.yml
passed_role_to_glue_development_endpoint.yml and passed_role_to_lambda_function.yml
2021-10-10 11:01:36 +02:00
frack113
7497fdb484
Merge pull request #2129 from d4rk-d4nph3/master
Added rule for possible persistence via VMTools
2021-10-10 10:55:06 +02:00
frack113
1337116d84 Cleanup selection name 2021-10-10 10:17:24 +02:00
Bhabesh Rai
a241f526ef Added more strict path 2021-10-10 07:54:40 +05:45
Austin Songer
1987897a76
Update aws_pass_role_to_lambda_function.yml 2021-10-09 15:26:38 -05:00
Austin Songer
de52890a62
Update passed_role_to_glue_development_endpoint.yml 2021-10-09 15:24:49 -05:00
Florian Roth
30213dba87
Merge pull request #2132 from SigmaHQ/rule-devel
New Rules
2021-10-09 19:19:45 +02:00
Florian Roth
195db4cffc refactor: made Apache RCE rule more robust 2021-10-09 18:48:02 +02:00
Florian Roth
4ab3ebf6b2
Merge pull request #2128 from OTRF/feature/Susp-ADFS-NamedPipe
Detect suspicious named pipe connections to an AD FS WID
2021-10-09 16:47:25 +02:00
Florian Roth
2379907f26
docs: extended the description by a word 2021-10-09 16:42:42 +02:00
Florian Roth
f475b90ee3
fix: typo in description 2021-10-09 16:41:48 +02:00
frack113
5c68c42058 order powershell_script 2021-10-09 10:30:36 +02:00
Florian Roth
6c4e24d0de
rule: coin miner param --cpu-priority 2021-10-09 10:28:16 +02:00
frack113
77749510b7 fix yml 2021-10-09 10:01:40 +02:00
frack113
41d098b253 fix yml error 2021-10-09 09:59:21 +02:00
frack113
9b0f744f75 order powershell_script 2021-10-09 09:57:45 +02:00
frack113
fe7fbfd5fc order powershell_module 2021-10-09 09:50:49 +02:00
Florian Roth
5b49b5ee17
Merge pull request #2130 from phantinuss/master
fix: prevent FP triggering of other sources utilising ID 1102
2021-10-08 20:14:08 +02:00
phantinuss
04c37d977b
fix: prevent FP triggering of other sources utilising ID 1102 2021-10-08 16:43:14 +02:00
frack113
98b24d30ae
Merge pull request #2125 from frack113/nuclei_iis_fuzzing
Nuclei iis fuzzing
2021-10-08 16:40:01 +02:00
Bhabesh Rai
a45e516f99 Added rule for possible persistence via VMTools 2021-10-08 13:28:35 +05:45
Roberto Rodriguez
7f17eaeb87 added rule to detect suspicious named pipe connections to an AD FS server 2021-10-08 01:57:22 -04:00
Mika Luhta
e70d17745e
Update modified field 2021-10-07 18:42:22 +02:00
Mika Luhta
0ee777e3b4
Fix rule detection logic
Changed ParentImage to Image
2021-10-07 14:25:18 +03:00
frack113
0d04b469f7 order powershell_classic 2021-10-07 07:40:53 +02:00
frack113
930d2d4223 fix id 2021-10-06 17:53:16 +02:00
frack113
dfd316c0ce Add web_iis_tilt_shortname_scan.yml 2021-10-06 17:46:15 +02:00
frack113
6d56e400d2
Merge pull request #2121 from frack113/update_test
Update test adding logsource to duplicate logic test
2021-10-06 14:46:48 +02:00
Florian Roth
7cf01c2f0c
extended CVE-2021-41773 rule 2021-10-06 12:43:10 +02:00
Florian Roth
539756c884
Merge pull request #2124 from SigmaHQ/rule-devel
rule: Apache Path Traversal - CVE-2021-41773
2021-10-06 10:55:26 +02:00
frack113
d0561d361b
Merge pull request #2123 from rachelrice/update_aws_rules
Update AWS SAML and Lambda rules
2021-10-05 19:49:54 +02:00
Rachel Rice
d9e5da6c86
Use startswith for eventName selection
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2021-10-05 17:52:52 +01:00
Florian Roth
5576f50470
fix: title, add my name 2021-10-05 17:35:09 +02:00
Florian Roth
0fde46b602
Merge branch 'master' into rule-devel 2021-10-05 17:33:48 +02:00
Florian Roth
482df0a0ad
rule: Apache Vuln CVE-2021-41773 2021-10-05 17:33:37 +02:00
frack113
651d453aeb
Merge pull request #2122 from frack113/move_file
Move file to correct directory
2021-10-05 16:58:26 +02:00
frack113
ba3356cdb0
Merge pull request #2120 from MetallicHack/master
azure_ad_user_added_to_admin_role.yml
2021-10-05 16:57:58 +02:00
Rachel Rice
4ae3ece314
Update AWS SAML and Lambda rules
Use correct case for `AssumeRoleWithSAML` event name.
`UpdateFunctionConfiguration`, `UpdateFunctionConfiguration20150331` and `UpdateFunctionConfiguration20150331v2` are all valid event names for updating Lambda function configuration, added selection condition for any of these.
2021-10-05 14:08:40 +01:00
MetallicHack
030fc2a03e
change title and tags in order to match sigmarules 2021-10-05 09:40:25 +02:00
MetallicHack
a4100e76b9
change title and tags in order to match sigmarules 2021-10-05 09:39:03 +02:00
frack113
ad9362e043
Update passed_role_to_glue_development_endpoint.yml 2021-10-05 07:41:41 +02:00
frack113
3b01425936
Update aws_pass_role_to_lambda_function.yml 2021-10-05 07:40:42 +02:00
frack113
80d09483d9 move to builtin 2021-10-05 07:33:50 +02:00
frack113
4f86a245f8 Order file in correct directory 2021-10-05 07:30:43 +02:00
frack113
201708c097
Merge pull request #2103 from webboy2015/patch-1
Create win_lolbas_execution_of_nltest.exe.yaml
2021-10-05 07:24:05 +02:00
frack113
654b5b4bff
Update win_lolbas_execution_of_nltest.yml 2021-10-04 22:08:47 +02:00
frack113
fd329f4f9b Remove unneeded EventID 2021-10-04 21:25:57 +02:00
MetallicHack
fe439e1998
Rename azure_ad_user_added_to_sensitive_role.yml to azure_ad_user_added_to_admin_role.yml 2021-10-04 15:26:58 +02:00
MetallicHack
96f05f7f19
Update azure_ad_user_added_to_sensitive_role.yml 2021-10-04 15:25:55 +02:00
Austin Songer
d694d6faa8
Create passed_role_to_glue_development_endpoint.yml 2021-10-03 23:03:39 -05:00
Austin Songer
60eccf711d
Rename pass_role_to_lambda_function.yml to aws_pass_role_to_lambda_function.yml 2021-10-03 22:54:19 -05:00
Austin Songer
92b1ce4cf4
Create pass_role_to_lambda_function.yml 2021-10-03 22:54:01 -05:00
frack113
dc030e0128
Merge pull request #2114 from austinsonger/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-03 08:24:52 +02:00
Austin Songer
81d1bb0e2b
Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-10-02 13:32:20 -05:00
frack113
e666b7e1db
Merge pull request #2116 from zakibro/master
New Rule - Linux - Auditd - Clipboard Collection of Image Data with X…
2021-10-02 11:06:24 +02:00
zakibro
c2a26923c6
Update lnx_auditd_clipboard_image_collection.yml 2021-10-02 09:59:37 +02:00
frack113
f652745924
Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml 2021-10-02 07:53:19 +02:00
frack113
e6b32b90af
Update win_lolbas_execution_of_nltest.exe 2021-10-02 07:25:11 +02:00
frack113
d819d726eb
Merge pull request #2112 from austinsonger/macos_suspicious_macos_firmware_activity.yml
macos_suspicious_macos_firmware_activity.yml
2021-10-02 07:09:11 +02:00
webboy2015
87df79302d
Update win_lolbas_execution_of_nltest.exe
Changed condition as follows:
    detection:
        selection:
            EventID: 4689
            ProcessName|endswith: nltest.exe
            Status: "0x0"
        condition: selection

Included field - SubjectDomainName
2021-10-01 12:55:37 -07:00
zakibro
d40b42fc2c
Update lnx_auditd_clipboard_image_collection.yml
fixing a typo
2021-10-01 18:54:12 +02:00
Pawel Mazur
e67770d7ea New Rule - Linux - Auditd - Clipboard Collection of Image Data with Xclip Tool 2021-10-01 18:43:03 +02:00
frack113
19a834e317
Merge pull request #2111 from TareqAlKhatib/master
Corrected Technique
2021-10-01 15:17:01 +02:00
Tareq Alkhatib
0d22601112 Added Compromise Infrastructure: Web Services technique 2021-10-01 08:40:59 -04:00
Austin Songer
04acba9c77
Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-09-30 19:58:21 -05:00
Austin Songer
d55ffe721e
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:19:18 -05:00
Austin Songer
e274df1b13
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:18:38 -05:00
Austin Songer
b14d9e3826
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:16:02 -05:00
Austin Songer
7f0ad710fd
Delete process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:15:40 -05:00
Austin Songer
18d65387b5
Create process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:15:03 -05:00
Austin Songer
3d7f96ddd7
Create process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:14:34 -05:00
Austin Songer
00513ff2c5
Create macos_suspicious_macos_firmware_activity.yml 2021-09-30 18:47:15 -05:00
Tareq Alkhatib
b0b95ce32b Corrected Technique 2021-09-30 16:34:14 -04:00
frack113
e900945761
Update win_trust_discovery.yml 2021-09-30 19:26:14 +02:00
zaicurity
76224b0fb2
Added alternative nltest command parameter
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2c)
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. 
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
frack113
1c842037cf
Merge pull request #2109 from Karneades/patch-1
Add fp note to powershell winapi rule
2021-09-30 17:45:03 +02:00
frack113
6eea77ae38
Merge pull request #2105 from frack113/powershell
powershell_susp_zip_compress add 4104
2021-09-30 17:40:13 +02:00
Andreas Hunkeler
82ba266a53
Add fp note to powershell winapi rule 2021-09-30 16:38:39 +02:00
frack113
29d66a965c add 4104 2021-09-30 10:03:11 +02:00
webboy2015
056067086c
Create win_lolbas_execution_of_nltest.exe.yaml
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
frack113
84ec2f582a
Merge pull request #2100 from kidrek/sysmon_delete_prefetch
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 17:53:33 +02:00
frack113
ed1a1caa2e
Merge pull request #2098 from frack113/fix_tags
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
neonprimetime security (Justin C Miller)
2ae2c35a7f
misspelled 'mshta.exe' in selection_base
it said 'mhsta.exe' and it should say 'mshta.exe'
2021-09-29 07:47:12 -05:00
frack113
17ad95cd12
Update sysmon_delete_prefetch.yml 2021-09-29 10:58:00 +02:00
kidrek
da4a8a0ffd Fix title field error 2021-09-29 09:49:58 +02:00
kidrek
d3fc6b118d Add new rule - sysmon_delete_prefetch - AntiForensic 2021-09-29 09:42:17 +02:00
frack113
4a66ea04bd fix tags 2021-09-29 08:26:05 +02:00
zaicurity
a2418e4d2c
Added alternative command parameter
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. 
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-28 17:39:21 +02:00
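Two of the rule edits recorded in this log come down to how a Sigma selection is evaluated against an event: Rachel Rice's change to match `eventName|startswith: UpdateFunctionConfiguration` so that `UpdateFunctionConfiguration`, `UpdateFunctionConfiguration20150331` and `UpdateFunctionConfiguration20150331v2` are all caught, and zaicurity's addition of `/trusted_domains` beside `/domain_trusts` in the nltest trust-discovery rules. The block below is an added example, not code from the SigmaHQ repository: a minimal Sigma-style matcher (case-insensitive values, `contains`/`startswith`/`endswith` modifiers, AND across fields, OR across a list of values, a bare `selection` condition only) run over constructed sample events. The rule titles, the `eventSource` value and the sample events are assumptions made for the example.

```python
"""Minimal Sigma-style matcher (added example, not SigmaHQ code).

Demonstrates why the two rule edits above matter: a list of values in one
field is OR-ed, so adding '/trusted_domains' closes the gap, and a
'startswith' modifier covers every UpdateFunctionConfiguration* variant.
"""


def _value_matches(actual, expected, modifier):
    """Sigma string matching is case-insensitive; no modifier means equality."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def _selection_matches(selection, event):
    """Every field in a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event.get(field), v, modifier) for v in values):
            return False
    return True


def rule_matches(rule, event):
    """Only the bare 'condition: selection' shape is supported here."""
    return _selection_matches(rule["detection"]["selection"], event)


# Rule titles are assumptions for this example, not the repository's titles.
NLTEST_TRUST_DISCOVERY = {
    "title": "Domain Trust Discovery via nltest",
    "detection": {
        "selection": {
            "Image|endswith": "\\nltest.exe",
            # Both switches from the commit messages; the second one is the
            # parameter the earlier rule version did not cover.
            "CommandLine|contains": ["/domain_trusts", "/trusted_domains"],
        },
    },
}

LAMBDA_CONFIG_UPDATE = {
    "title": "AWS Lambda Function Configuration Updated",
    "detection": {
        "selection": {
            # eventSource value is an assumption for this example.
            "eventSource": "lambda.amazonaws.com",
            # startswith covers UpdateFunctionConfiguration,
            # UpdateFunctionConfiguration20150331 and ...20150331v2.
            "eventName|startswith": "UpdateFunctionConfiguration",
        },
    },
}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "nltest /domain_trusts"},
    {"Image": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "NLTEST /trusted_domains"},
    {"Image": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "nltest /dclist:corp"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2"},
]


def run_rules(rules, events):
    """Return (rule title, event index) for every rule that fires on an event."""
    return [
        (rule["title"], i)
        for i, event in enumerate(events)
        for rule in rules
        if rule_matches(rule, event)
    ]


if __name__ == "__main__":
    for title, idx in run_rules([NLTEST_TRUST_DISCOVERY, LAMBDA_CONFIG_UPDATE], SAMPLE_EVENTS):
        print(f"{title}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

Dropping `/trusted_domains` from the `CommandLine|contains` list makes the second sample event fall through silently, which is exactly the bypass the commit message describes; the `/dclist` event is left unmatched on purpose, since domain controller enumeration is a different discovery technique from trust enumeration.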
frack113
c27084dd0c
Merge pull request #2094 from frack113/backend_sysmon
Fix logsource not a string
2021-09-28 16:22:58 +02:00
frack113
c3222945ef
Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml
win_sysmon_driver_unload.yml
2021-09-28 16:22:43 +02:00
frack113
f8ec71c00c
Merge pull request #2072 from austinsonger/aws_attached_malicious_lambda_layer.yml
aws_attached_malicious_lambda_layer.yml
2021-09-28 13:08:01 +02:00
Austin Songer
0d07a78a2d
Update aws_attached_malicious_lambda_layer.yml 2021-09-27 23:41:19 -05:00
Austin Songer
3e7b3073cf
Update win_sysmon_driver_unload.yml 2021-09-27 23:30:30 -05:00
Florian Roth
1da59d9175
Merge pull request #2092 from SigmaHQ/rule-devel
docs: changed description
2021-09-27 23:13:09 +02:00