valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,106 Commits 20 Branches 25 Tags 21 MiB
2bad4bb60d
Commit Graph

2119 Commits

Author SHA1 Message Date
Thomas Patzke
2bad4bb60d
Merge pull request #1085 from w0rk3r/oscdq 
[OSCD] Update Win_susp_rundll32_activity - Multiple Lolbins
 2020-10-13 21:45:36 +02:00
Thomas Patzke
b68286a162
Merge pull request #1093 from SanWieb/OSCD_regini 
[OSCD] regini LOLBAS
 2020-10-13 21:44:32 +02:00
Thomas Patzke
08eec2b6e6
Merge pull request #1094 from NikitaStormwind/Regular30 
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (4104, 4103)
 2020-10-13 21:43:16 +02:00
Thomas Patzke
8f4b3b7324
Merge pull request #1097 from NikitaStormwind/regular30(2) 
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (process_creation)
 2020-10-13 21:42:38 +02:00
Thomas Patzke
5f4d60951d
Merge pull request #1112 from NikitaStormwind/regular29(1) 
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (4104, 4103)
 2020-10-13 21:34:38 +02:00
Thomas Patzke
79120cd24c
Merge pull request #1113 from NikitaStormwind/regular29(2) 
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (process_creation)
 2020-10-13 21:18:03 +02:00
Thomas Patzke
33c80b8428
Merge pull request #1092 from zBlurr/win_susp_sqldumper_activity 
[OSCD] Sqldumper.exe LOLbin
 2020-10-13 11:51:41 +02:00
Thomas Patzke
bf0f2fcec8
Merge pull request #1117 from aw350m33d/oscd_lolbin_settingsynchost 
[OSCD] Using SettingSyncHost.exe as LOLBin
 2020-10-13 11:46:04 +02:00
Thomas Patzke
acb02d8d65
Merge pull request #1148 from sn0w0tter/oscd 
[OSCD] LOLBAS atbroker suspicious execution of ATs
 2020-10-13 11:45:07 +02:00
Thomas Patzke
1684db93d8
Merge pull request #1143 from NikitaStormwind/regular28(2) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (process_creation)
 2020-10-13 11:39:46 +02:00
Thomas Patzke
7e8930f15e
Merge pull request #1142 from NikitaStormwind/regular28(1) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (4104, 4103)
 2020-10-13 11:38:26 +02:00
Thomas Patzke
0c77edb859
Merge pull request #1120 from bczyz1/oscd 
[OSCD] Create powershell_icmp_exfiltration.yml
 2020-10-13 11:37:40 +02:00
Thomas Patzke
f457e7a398
Merge pull request #1150 from zinint/1009-27-1 
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (4104, 4103)
 2020-10-13 11:36:19 +02:00
Thomas Patzke
2ac29e0fee
Merge pull request #1152 from zinint/1009-27-3 
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (process_creation)
 2020-10-13 11:24:28 +02:00
invrep-de
55201a94c0 [OSCD] Powershell Disable Windows Defender AV 2020-10-13 02:05:00 +02:00
Timur Zinniatullin
d1ef56bddb
@aw350m3 style complience (: 2020-10-13 02:47:09 +03:00
Timur Zinniatullin
5bd75521f2
Add win_invoke_obfuscation_via_var++.yml 2020-10-13 02:23:50 +03:00
Timur Zinniatullin
870574b635
Add powershell_invoke_obfuscation_via_var++.yml 2020-10-13 02:19:57 +03:00
sn0w0tter
863b880845 Titile capitalization 2020-10-12 16:04:41 -07:00
Thomas Patzke
a289eeaae6
Merge pull request #1089 from zBlurr/oscd 
[OSCD] Presentationhost.exe LOLbin
 2020-10-13 01:01:20 +02:00
Thomas Patzke
d6ceba3719
Merge pull request #1102 from svch0stz/oscd8 
[OSCD] Create win_root_certificate_installed.yml
 2020-10-13 01:00:23 +02:00
Thomas Patzke
d89ca07daa
Merge pull request #1133 from omkar72/oscd-1 
[OSCD]updated adfind command line
 2020-10-13 00:58:56 +02:00
Thomas Patzke
cb86c509f1
Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging 
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
 2020-10-13 00:58:24 +02:00
Thomas Patzke
eaa9f293e7
Merge pull request #1125 from vburov/patch-12 
[OSCD] Create powershell_cmdline_reversed_strings
 2020-10-13 00:57:22 +02:00
Thomas Patzke
eb21860ab9
Merge pull request #1124 from bczyz1/oscd-sprint-2 
[OSCD] Create sysmon_modify_screensaver_binary_path.yml
 2020-10-13 00:56:33 +02:00
sn0w0tter
c6ddbc78ce OSCD LOLBAS atbroker suspicious execution of ATs 2020-10-12 15:55:38 -07:00
Thomas Patzke
e2e3177e46
Merge pull request #1135 from omkar72/oscd-2 
[OSCD] finger executable suspicious execution
 2020-10-13 00:52:27 +02:00
Thomas Patzke
80e3c4b587
Merge pull request #1137 from banzay021/oscd 
[OSCD] Pcwrun.exe detection added
 2020-10-13 00:51:04 +02:00
Thomas Patzke
5664f72a2a
Merge pull request #1054 from NikitaStormwind/task#70 
[OSCD] Detecting Code injection with PowerShell in another process #70
 2020-10-13 00:47:13 +02:00
Thomas Patzke
4a74a56ba3
Merge pull request #1052 from NikitaStormwind/task 
[OSCD] Detecting use WinAPI Functions in PowerShell #69
 2020-10-13 00:46:25 +02:00
Thomas Patzke
8bee7272ab
Merge pull request #1051 from esebese/oscd 
[OSCD] win_syncappvpublishingserver_exe.yml added
 2020-10-13 00:45:22 +02:00
Thomas Patzke
768e500627
Merge pull request #1042 from NikitaStormwind/task29,30 
[OSCD] Detecting use PsExec via Pipe Creation/Access to pipes #29 #30
 2020-10-13 00:40:58 +02:00
Thomas Patzke
14fcdc9899
Merge pull request #1038 from caliskanfurkan/master 
[OSCD] Added explorer.exe lolbin
 2020-10-13 00:36:29 +02:00
Nikita P. Nazarov
ec383d9784 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:52:28 +03:00
Nikita P. Nazarov
c5efbc8345 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:47:51 +03:00
omkargudhate22
e2911a025e
added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Alexander Sungurov
175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth
b8dc8d3f7e
reduced to avoid FPs 2020-10-12 10:46:34 +02:00
Sander
8c1bd4e466 Remove redundant space 2020-10-12 10:01:44 +02:00
omkar72
0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
Sander
3ab244c70f regini.exe ADS rule 2020-10-12 09:55:34 +02:00
omkar72
99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
omkar72
cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72
d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
Bartlomiej Czyz
e90f91b89e append authors of the update 2020-10-11 23:42:33 +02:00
Bartlomiej Czyz
ae41190291 remove redundant reference 2020-10-11 23:39:08 +02:00
Bartlomiej Czyz
b6876e5123 remove redundant reference 2020-10-11 23:35:17 +02:00
svch0stz
2edd79a37f
Update win_root_certificate_installed.yml 2020-10-12 08:30:28 +11:00
Vasiliy Burov
1320e0b733
Update powershell_cmdline_reversed_strings.yml 2020-10-11 23:40:12 +03:00
Furkan ÇALIŞKAN
edb5b7718e
Deleted a part of an already-defined rule 
Lolbin rule for explorer.exe proxy execution;

Test scenario;

cd c:\windows\system32
explorer.exe calc.exe
(pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
 2020-10-11 21:08:17 +03:00