Commit Graph

2119 Commits

Author SHA1 Message Date
Bartlomiej Czyz
94efeda45d modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature 2020-10-11 19:11:54 +02:00
Vasiliy Burov
64b07ff51a Update powershell_cmdline_reversed_strings.yml 2020-10-11 19:42:39 +03:00
Bartlomiej Czyz
8ae42bca7c fix description & ParentImage -> Image modification to comply with reg events constraints 2020-10-11 17:02:39 +02:00
Vasiliy Burov
c868ef655c Update powershell_cmdline_reversed_strings.yml 2020-10-11 17:37:07 +03:00
Vasiliy Burov
7aaf4654cd Rename powershell_cmdline_reversed_strings to powershell_cmdline_reversed_strings.yml 2020-10-11 17:28:56 +03:00
Vasiliy Burov
00f5d1ec92 Update powershell_cmdline_reversed_strings 2020-10-11 17:24:46 +03:00
Vasiliy Burov
51f00c153c Update powershell_cmdline_reversed_strings 2020-10-11 17:18:15 +03:00
Vasiliy Burov
dd9c29377b Update powershell_cmdline_reversed_strings 2020-10-11 17:11:58 +03:00
Vasiliy Burov
8f2ddc632e Create powershell_cmdline_reversed_strings 2020-10-11 17:02:02 +03:00
Bartlomiej Czyz
2370730952 create sysmon_modify_screensaver_binary_path.yml 2020-10-11 14:31:06 +02:00
Bartlomiej Czyz
a5dea8c596 [OSCD] Fix powershell_icmp_exfiltration.yml references, add newline at the end of the file #1013 2020-10-10 23:08:39 +02:00
Bartlomiej Czyz
6dcd4a6c6d [OSCD] Create powershell_icmp_exfiltration.yml #1013 2020-10-10 23:05:31 +02:00
Anton Kutepov
b4ae5cb747 Fix ATTACK technique.
Also made a couple of minor cosmetic changes.
2020-10-10 20:27:00 +03:00
aw350m3
8693bd024f Added a rule to detect the use of SettingSyncHost.exe to run hijacked binary 2020-10-10 17:07:22 +00:00
Jonhnathan
09e6b05033 Update win_susp_rundll32_activity.yml 2020-10-10 10:08:02 -03:00
Thomas Patzke
93616af1cb Merge pull request #1036 from svch0stz/oscd4
[OSCD] Create win_net_use_admin_share.yml
2020-10-10 00:05:41 +02:00
Thomas Patzke
fe554a88cb Merge pull request #1035 from svch0stz/oscd3
[OSCD] Update win_susp_copy_lateral_movement.yml
2020-10-10 00:03:26 +02:00
Nikita P. Nazarov
79eb7b8bd7 Detects Obfuscated Powershell via use Clip.exe in Scripts 2020-10-09 19:42:27 +03:00
Nikita P. Nazarov
414c98e7ba Detects Obfuscated Powershell via use Clip.exe in Scripts 2020-10-09 19:37:07 +03:00
Nikita Nazarov
d07e0524d5 Update win_invoke_obfuscation_via_use_rundll32.yml 2020-10-09 16:27:56 +03:00
Nikita Nazarov
31095033ab Update powershell_invoke_obfuscation_via_use_rundll32.yml 2020-10-09 16:25:59 +03:00
Furkan ÇALIŞKAN
a6112dc268 Fixed OSCD wording 2020-10-09 11:59:08 +03:00
Furkan ÇALIŞKAN
abcc4a59c2 Fixed OSCD wording 2020-10-09 09:26:01 +03:00
Furkan ÇALIŞKAN
789a0c174f Fixed OSCD wording 2020-10-09 09:25:38 +03:00
svch0stz
5d475ce16d Update win_root_certificate_installed.yml 2020-10-09 13:00:17 +11:00
svch0stz
8d7152d489 Update win_root_certificate_installed.yml 2020-10-09 12:55:37 +11:00
svch0stz
ff8547efc5 Update win_root_certificate_installed.yml 2020-10-09 12:48:39 +11:00
svch0stz
a68d50a5d9 Create win_root_certificate_installed.yml 2020-10-09 12:29:53 +11:00
Kirill Kiryanov
04d56bade4 Removed redundant tag 2020-10-08 23:26:51 +03:00
Kirill Kiryanov
d00e1073ee Revert "Created rule win_susp_presentationhost_execution.yml"
This reverts commit a38c021876.
2020-10-08 22:49:52 +03:00
Jonhnathan
1695bc56dc Remove commas 2020-10-08 15:31:17 -03:00
Nikita P. Nazarov
47c22d0443 Detects Obfuscated Powershell via use Rundll32 in Scripts 2020-10-08 18:06:41 +03:00
Nikita Nazarov
80a3a6c048 Update powershell_invoke_obfuscation_via_use_rundll32.yml 2020-10-08 17:52:01 +03:00
Nikita Nazarov
b4377ed632 Update powershell_invoke_obfuscation_via_use_rundll32.yml 2020-10-08 17:45:07 +03:00
Nikita Nazarov
3ba4eeac7b Update powershell_invoke_obfuscation_via_use_rundll32.yml 2020-10-08 17:36:20 +03:00
Nikita P. Nazarov
2db2ab30c4 Detects Obfuscated Powershell via use Rundll32 in Scripts 2020-10-08 17:08:43 +03:00
Sander
e6ad52c102 Corrected falsepositives 2020-10-08 15:11:57 +02:00
Sander
0e07ea3e70 Corrected author 2020-10-08 15:04:09 +02:00
Sander
539400c384 Creation of win_regini 2020-10-08 14:47:22 +02:00
Kirill Kiryanov
7e28bf4df8 Fixed title format 2020-10-08 14:38:47 +03:00
Kirill Kiryanov
55ea538841 Created rule win_susp_sqldumper_activity.yml 2020-10-08 14:29:21 +03:00
Kirill Kiryanov
a09488a90f revert changes for making new pull request 2020-10-08 14:20:32 +03:00
Kirill Kiryanov
1581be1ec2 Created rule win_susp_sqldumper_activity.yml 2020-10-08 14:00:43 +03:00
Kirill Kiryanov
a38c021876 Created rule win_susp_presentationhost_execution.yml 2020-10-08 13:24:59 +03:00
Jonhnathan
8d94e993ab Update win_susp_rundll32_activity.yml 2020-10-07 18:27:25 -03:00
Jonhnathan
109b1ea9cf Revert "Create win_susp_replace_lolbin.yml"
This reverts commit e6a6549676.
2020-10-07 18:26:11 -03:00
Jonhnathan
15bd7dcd3b Revert "Changed the rule to download only and not the copy"
This reverts commit 1324bc1ad1.
2020-10-07 18:26:04 -03:00
Jonhnathan
1324bc1ad1 Changed the rule to download only and not the copy 2020-10-07 16:18:21 -03:00
Furkan CALISKAN
1c413bcf6d Fixed status 2020-10-07 20:45:34 +03:00
Jonhnathan
e6a6549676 Create win_susp_replace_lolbin.yml
Item 77 of #1014
2020-10-07 10:37:15 -03:00
Nikita Nazarov
d3f0ddd2b1 Update powershell_code_injection.yml 2020-10-07 14:50:00 +03:00
Nikita Nazarov
bfa3635cd2 Update powershell_accessing_win_api.yml 2020-10-07 14:47:29 +03:00
Nikita Nazarov
7c9c21cda0 Update sysmon_psexec_pipes_artifacts.yml 2020-10-07 14:43:25 +03:00
svch0stz
ca0f2146ab Update win_net_use_admin_share.yml 2020-10-07 08:23:31 +11:00
svch0stz
3d048ceba0 Update win_susp_copy_lateral_movement.yml 2020-10-07 08:18:09 +11:00
svch0stz
ee2c79745f Update win_susp_wsl_lolbin.yml 2020-10-07 08:12:51 +11:00
Nikita P. Nazarov
0ad9fc61de Detecting Code injection with PowerShell in another process 2020-10-06 20:52:18 +03:00
Ensar Şamil
944a110749 Delete sysmon_tttracer_mod_load.yml 2020-10-06 20:42:32 +03:00
ensar-pcs
4c5d692328 [OSCD] sysmon_tttracer_mod_load.yml added 2020-10-06 20:30:56 +03:00
Nikita P. Nazarov
c90d99c0f9 Accessing WinAPI in PowerShell 2020-10-06 19:57:57 +03:00
Furkan CALISKAN
bbb9fed3e6 Fixed for FP issues 2020-10-06 19:51:55 +03:00
ensar-pcs
60b3450fa8 [OSCD] win_syncappvpublishingserver_exe.yml added 2020-10-06 19:22:16 +03:00
Furkan CALISKAN
0023a22ead Added FP conditions and fileshare part for cmdline 2020-10-06 19:20:19 +03:00
Furkan CALISKAN
a5ceba93a9 Fixed conditions 2020-10-06 19:15:30 +03:00
Furkan CALISKAN
52edc13d15 Fixed dates 2020-10-06 19:10:33 +03:00
Furkan CALISKAN
ea6d60c58f Added print lolbin 2020-10-05 23:26:57 +03:00
Furkan CALISKAN
db4804d6bf Merge branch 'master' of https://github.com/caliskanfurkan/sigma 2020-10-05 23:03:21 +03:00
Furkan CALISKAN
4d655138b2 Added findstr lolbin 2020-10-05 23:03:05 +03:00
Nikita P. Nazarov
f455146a29 Detecting use PsExec via Pipe Creation/Access to pipes RULE (#29 #30) 2020-10-05 18:08:20 +03:00
Furkan ÇALIŞKAN
b147fc3296 Update win_susp_explorer.yml
Added known-fp
2020-10-05 13:22:43 +03:00
Furkan ÇALIŞKAN
85962665fd Update win_susp_explorer.yml 2020-10-05 10:49:54 +03:00
svch0stz
c82d5ac08e Create win_net_use_admin_share.yml 2020-10-05 14:43:45 +11:00
svch0stz
60bd6a3692 Update win_susp_copy_lateral_movement.yml 2020-10-05 14:35:20 +11:00
svch0stz
dd2ab4082d Update win_susp_copy_lateral_movement.yml 2020-10-05 14:33:00 +11:00
svch0stz
641f3031bd Update win_susp_copy_lateral_movement.yml 2020-10-05 14:27:39 +11:00
svch0stz
3516819bf8 Delete win_net_use_admin_share.yml 2020-10-05 14:00:36 +11:00
svch0stz
c675be41e2 Create win_net_use_admin_share.yml 2020-10-05 13:57:50 +11:00
svch0stz
bc947fefc1 Create win_susp_wsl_lolbin.yml 2020-10-05 13:36:40 +11:00
Furkan CALISKAN
00cf61cc5b Added explorer.exe LOLbin, OSCD 2020-10-04 23:47:16 +03:00
Florian Roth
c56cd2dfff Merge pull request #1024 from omkar72/master
Com hijack shell folder
2020-10-02 09:24:16 +02:00
omkargudhate22
4487d9cc7e added event type & changed technique 2020-10-02 09:22:14 +05:30
Florian Roth
c17ca6d5fe Merge pull request #1018 from savvyspoon/wcry-dns
WannaCry Killswitch domain DNS query
2020-09-29 09:27:21 +02:00
omkargudhate22
68a992d903 updated name 2020-09-27 21:57:19 +05:30
omkargudhate22
e7c8197e34 Updated fields & renamed 2020-09-27 21:52:59 +05:30
omkargudhate22
ebe3dce1d7 Update sysmon_comhijack_uac_bypass.yml 2020-09-27 21:44:41 +05:30
omkar72
3f148e6c7c COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt. 2020-09-27 21:19:04 +05:30
Florian Roth
d7d9c0e772 Merge pull request #1021 from hieuttmmo/master
Sigma rule to detect AdFind.exe execution
2020-09-27 09:50:41 +02:00
Florian Roth
8020fe3c40 false positive condition 2020-09-26 17:03:29 +02:00
Florian Roth
60795f7050 Update win_susp_adfind.yml
Fear that a simple adfind.exe causes too many false positives
2020-09-26 17:02:39 +02:00
Florian Roth
dbdd758365 Duplicate Rule
we already have a rule for that
2020-09-26 17:01:32 +02:00
Tran Trung Hieu
d4dd0600ad Fix logsource service to process_creation 2020-09-26 21:45:23 +07:00
Tran Trung Hieu
c756fc8576 Detect Suspicious AdFind Execution 2020-09-26 21:34:06 +07:00
Mike Wade
7b1ef9ea64 fixing test runner issues 2020-09-15 15:45:33 -06:00
Mike Wade
6ed36b0e41 fixed issues with tabs and duplicate tags 2020-09-15 08:52:00 -06:00
Florian Roth
2cd9b794e6 Merge pull request #1007 from d4rk-d4nph3/master
Windows Defender AMSI Trigger Detected
2020-09-15 15:45:00 +02:00
Remco Hofman
6cadfa5b2b Added win_vul_cve_2020_1472 rule 2020-09-15 15:13:53 +02:00
Mike Wade
da9b32bdd6 we 2020-09-15 06:24:44 -06:00
Mike Wade
8ce73bd8df Fixed issues with tags and missing files 2020-09-15 06:10:57 -06:00
Thomas Patzke
378d9c94cf Merge branch 'master' of https://github.com/socprime/sigma into pr-981 2020-09-15 12:14:49 +02:00
Florian Roth
50db6dcc69 Merge pull request #1002 from scottdermott/master
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
2020-09-15 08:17:02 +02:00