valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
465 Commits 20 Branches 25 Tags 21 MiB
27227855b5
Commit Graph

103 Commits

Author SHA1 Message Date
Thomas Patzke
27227855b5 Merge branch 'devel-sigmac' 2017-10-29 23:59:49 +01:00
Thomas Patzke
012cb6227f Added proper handling of null/not null values 
Fixes issue #25
 2017-10-29 23:57:39 +01:00
Florian Roth
b7e8000ccb Improved Office Shell rule > added 'schtasks.exe' 2017-10-25 23:53:45 +02:00
Thomas Patzke
d7c659128c Removed unneeded array 2017-10-18 15:12:29 +02:00
Florian Roth
deea224421 Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 16:19:56 +02:00
Florian Roth
00baa4ed40 Executables Started in Suspicious Folder 2017-10-14 23:23:04 +02:00
Florian Roth
358d1ffba0 Executables Started in Suspicious Folder 2017-10-14 23:22:20 +02:00
Florian Roth
20f9dbb31c CVE-2017-8759 - Winword.exe > csc.exe 2017-09-15 15:49:56 +02:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke
68cb5e8921 Merge pull request #45 from secman-pl/patch-1 
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
 2017-09-10 22:52:37 +02:00
Florian Roth
bfe8378455 Rule: Suspicious svchost.exe process 2017-08-31 11:07:45 +02:00
secman-pl
9768f275d0 Update sysmon_susp_regsvr32_anomalies 
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. 
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
 2017-08-29 12:21:47 +02:00
Florian Roth
f3f2c14b3a Added reference to regsvr32 rule 2017-08-29 08:45:29 +02:00
Florian Roth
55f4c37e22 Rule: Microsoft Binary Github Communication 2017-08-24 18:27:40 +02:00
Hans-Martin Münch
09e754a8f9 Small Typo fix 2017-08-22 10:56:25 +02:00
Florian Roth
59821d1bcb Office Shell: Reference added to new entry 2017-08-22 10:04:22 +02:00
Florian Roth
8f4a780c3b Added regsvr32.exe to suspicious child processes 2017-08-20 23:14:41 +02:00
Thomas Patzke
4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke
03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Florian Roth
edb52e098a Extended hh.exe in Office Shell detection 
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
 2017-08-04 09:18:55 +02:00
Thomas Patzke
5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
 2017-08-03 00:05:48 +02:00
Thomas Patzke
f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke
84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Florian Roth
cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth
3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth
b85d96e458 certutil detections (renamed, extended) 
see https://twitter.com/subTee/status/888102593838362624
 2017-07-20 12:38:10 -06:00
Florian Roth
8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00
Florian Roth
576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Florian Roth
371b41acd9 Improved regsvr32.exe whitelisting bypass rule 
thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
 2017-06-07 13:46:36 +02:00
Florian Roth
e5ad1b2f84 Improved regsvr32 whitelisting bypass rule 2017-06-07 12:02:55 +02:00
Florian Roth
1fd7a92e87 Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 11:43:25 +02:00
Florian Roth
0c222134b9 Extended malware script dropper rule 2017-05-25 14:59:16 +02:00
Florian Roth
0685e297c8 Improved Suspicious Net.exe Execution Rule 2017-05-25 12:44:56 +02:00
Florian Roth
6ad5f82248 Corrected rule 2017-05-25 12:06:23 +02:00
dimi
0b8c82b75b 1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading 
2) correct typo in dns server rule
 2017-05-15 20:58:31 +02:00
Florian Roth
75e55d647b Fixed and added strings 2017-05-13 18:33:51 +02:00
Florian Roth
46643324a8 Wannacrypt Update 2017-05-13 10:40:41 +02:00
Florian Roth
c40c592fb5 Changed rule as "m.vbs" isn't stable 2017-05-13 08:32:30 +02:00
Florian Roth
7c56992de5 Reference in WannaCrypt rule 2017-05-12 23:02:13 +02:00
Florian Roth
b7837d4cdb Fixed WannaCrypt rule 2017-05-12 22:32:40 +02:00
Florian Roth
5cdb2b013b WannaCrypt Ransomware 2017-05-12 21:57:53 +02:00
Florian Roth
16ac2337a4 Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 13:39:50 +02:00
Florian Roth
c7cc2a00d3 WScript/CScript Dropper 2017-05-05 17:30:46 +02:00
Florian Roth
a5c3f424c1 regsvr32 Anomalies 2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b Minor fix > list to single value 2017-04-16 12:01:03 +02:00
Florian Roth
8363b25888 Suspicious Control Panel DLL Load 2017-04-15 23:32:26 +02:00
Florian Roth
89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth
059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth
92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00