SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00

Author	SHA1	Message	Date
Florian Roth	a257b7d9d7	Rule: Stickykey improved	2018-03-16 09:10:07 +01:00
Florian Roth	8b31767d31	Rule: PsExec usage	2018-03-15 19:54:22 +01:00
Florian Roth	0460e7f18a	Rule: Suspicious process started from taskmgr	2018-03-15 19:54:03 +01:00
Florian Roth	f5494c6f5f	Rule: StickyKey-ike backdoor usage	2018-03-15 19:53:34 +01:00
Florian Roth	d9d27fec74	Improved EquationGroup dll load rule	2018-03-11 01:22:04 +01:00
Florian Roth	74c2f91a7d	Extended the Slingshot APT rule	2018-03-10 16:44:18 +01:00
Florian Roth	66d52cfeef	Rule: Defrag deactivation	2018-03-10 15:49:50 +01:00
Florian Roth	ef75f2a248	Minor adjustment in: EquationGroup dll_u load	2018-03-10 12:24:49 +01:00
Florian Roth	e9d16bfae1	Bugfix in: EquationGroup dll_u load	2018-03-10 12:22:53 +01:00
Florian Roth	5ae5c9de19	Rule: Outlook spawning shells to detect Turla like C&C via Outlook	2018-03-10 09:04:11 +01:00
Florian Roth	6a65a7a1bf	EquationGroup dll_u load	2018-03-10 09:04:11 +01:00
jmallette	aff46be8a3	Create cmdkey recon rule	2018-03-08 13:25:05 -05:00
Thomas Patzke	ada1ca94ea	JPCERT rules * Addition of ntdsutil.exe rule * Added new link to existing rules	2018-03-08 00:10:19 +01:00
Thomas Patzke	8ee24bf150	WMI persistence rules derived from blog article https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize	2018-03-07 23:05:10 +01:00
Thomas Patzke	3b8b04fe09	Merge branch 'devel-sigmac'	2018-03-06 23:19:45 +01:00
Thomas Patzke	8041f77abd	Merged similar rules	2018-03-06 23:19:11 +01:00
Thomas Patzke	84645f4e59	Simplified rule conditions with new condition constructs	2018-03-06 23:14:43 +01:00
Florian Roth	1ecfd83a6a	Missing separator	2018-03-05 11:30:01 +01:00
Thomas Patzke	59eff939f2	Merge branch 'devel-sigmac'	2018-03-04 22:59:41 +01:00
Thomas Patzke	4792700726	Fixed rule	2018-03-04 22:07:01 +01:00
Thomas Patzke	01f38adbdb	Fixed condition	2018-03-04 20:07:02 +01:00
Florian Roth	6e0cc193c7	Rule: Pony / Fareit UA	2018-03-01 09:28:04 +01:00
Florian Roth	69274d7782	Rule: Sofacy Trojan Loader	2018-03-01 09:27:46 +01:00
Florian Roth	6c6dac4cbb	Changed Elise backdoor rule	2018-02-25 17:25:04 +01:00
Florian Roth	f2057f0c77	Hurricane Panda activity https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/	2018-02-25 17:24:00 +01:00
Florian Roth	1001afb038	Rule: CVE-2015-1641	2018-02-22 16:59:40 +01:00
Florian Roth	25dc3e78be	Lowered severity of rule - prone to false positives	2018-02-22 16:59:11 +01:00
Florian Roth	9020a9aa32	Fixed file names "vuln" > "exploit"	2018-02-22 13:29:19 +01:00
Florian Roth	5d763581fa	Adding status "experimental" to that rule	2018-02-22 13:28:01 +01:00
Florian Roth	0be687d245	Rule: Detect CVE-2017-0261 exploitation	2018-02-22 13:27:20 +01:00
Florian Roth	b88a81a9e1	Rule: Linux > named > suspicious activity	2018-02-20 14:56:28 +01:00
Florian Roth	ef0cd4c110	Rules: Extended and fixed (*) sshd rules	2018-02-20 13:44:06 +01:00
Dominik Schaudel	cea48d9010	Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module	2018-02-12 21:57:22 +01:00
Florian Roth	d6d031fc23	Rule update: Olympic destroyer detection http://blog.talosintelligence.com/2018/02/olympic-destroyer.html	2018-02-12 15:35:47 +01:00
Florian Roth	058d719e2b	Rule update: Proxy UA > Loki Bot	2018-02-12 10:08:32 +01:00
Florian Roth	fa4dbc0f2e	Rule: QuarksPwDump temp dump file	2018-02-10 15:25:36 +01:00
Florian Roth	0a1c600d7d	Rule: Changed msiexec web install rule	2018-02-10 15:25:08 +01:00
Florian Roth	a4e6b3003f	Rule: Msiexec web install	2018-02-09 10:13:39 +01:00
Florian Roth	1382edb5e3	Cosmetics	2018-02-09 10:13:39 +01:00
Florian Roth	34e0352a21	Rule: Proxy UAs - malware - Ghost419 https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/	2018-02-03 14:47:04 +01:00
Florian Roth	635d052fcc	Renamed rule - not APT32 related	2018-01-31 23:52:24 +01:00
Florian Roth	4152442bfa	Changed reference to references in Elise rule	2018-01-31 23:13:00 +01:00
Florian Roth	f1b339504e	Rule: APT32 Elise	2018-01-31 23:12:00 +01:00
SherifEldeeb	348728bdd9	Cleaning up empty list items	2018-01-28 02:36:39 +03:00
SherifEldeeb	48441962cc	Change All "str" references to be "list"to mach schema update	2018-01-28 02:24:16 +03:00
SherifEldeeb	112a0939d7	Change "reference" to "references" to match new schema	2018-01-28 02:12:19 +03:00
Florian Roth	0f2e1c5934	Bugfix: Missing wildcard in IIS module install rule	2018-01-27 16:15:25 +01:00
Florian Roth	d93d7d8e7b	Rule: IIS nativ-code module command line installation	2018-01-27 11:13:13 +01:00
Florian Roth	aca70e57ec	Massive Title Cleanup	2018-01-27 10:57:30 +01:00
Florian Roth	f31ed7177e	Added status 'experimental' to newly created auditd rules	2018-01-23 11:15:02 +01:00
Florian Roth	fe80ae7885	Rule: Linux auditd 'program execution in suspicious folders'	2018-01-23 11:13:23 +01:00
Florian Roth	228ca1b765	Rule: Linux auditd 'suspicious commands'	2018-01-23 11:13:23 +01:00
Florian Roth	379b2dd207	New recon activity rule	2017-12-11 09:31:54 +01:00
Florian Roth	8e2aef035c	Removed commands - false positive reduction	2017-12-11 09:31:54 +01:00
Florian Roth	1464ab4ab8	Renamed rule: recon activity > net recon activity - to be more specific	2017-12-11 09:31:54 +01:00
Florian Roth	285f5bab4f	Removed duplicate string	2017-12-11 09:31:54 +01:00
Thomas Patzke	9adaf4c411	Cleanup	2017-12-07 16:21:02 +01:00
Björn Kimminich	8a8387c43e	SQL Injection error message patterns Rule file that detects error messages from different DB providers that would occur during SQL Injection probing	2017-11-27 22:52:17 +01:00
Florian Roth	78854b79c4	Rule: System File Execution Location Anomaly	2017-11-27 14:09:22 +01:00
Florian Roth	93fbc63691	Rule to detect droppers exploiting CVE-2017-11882	2017-11-23 00:58:31 +01:00
Thomas Patzke	2ec5919b9e	Fixed win_disable_event_logging by multiline description	2017-11-19 22:49:40 +01:00
Nate Guagenti	a796ff329e	Create win_disable_event_logging	2017-11-15 21:56:30 -05:00
Florian Roth	3a378f08ea	Bugfix in Adwind rule - typo in typo	2017-11-10 12:51:54 +01:00
Florian Roth	6e4e857456	Improved Adwind Sigma rule	2017-11-10 12:39:08 +01:00
Florian Roth	57d56dddb7	Improved Adwind RAT rule	2017-11-09 18:53:46 +01:00
Florian Roth	b558f5914e	Added reference to Tom Ueltschie's slides	2017-11-09 18:30:50 +01:00
Florian Roth	781db7404e	Updated Adwind RAT rule	2017-11-09 18:28:27 +01:00
Florian Roth	970f01f9f2	Renamed file for consistency	2017-11-09 15:43:32 +01:00
Florian Roth	a042105aa1	Rule: Adwind RAT / JRAT javaw.exe process starts in AppData folder	2017-11-09 15:43:32 +01:00
Florian Roth	a0ac61229c	Rule: Detect plugged USB devices	2017-11-09 08:40:46 +01:00
Florian Roth	fd801a61a5	Bronze Butler Daserf malware User Agents in Proxy Logs	2017-11-08 12:52:11 +01:00
Florian Roth	e5383be163	Rule: Proxy suspicious downloads from Dyndns hosts	2017-11-08 11:32:30 +01:00
Florian Roth	4540088aa9	Rule: Extended proxy suspicious TLD white list rule	2017-11-08 00:38:26 +01:00
Florian Roth	ad53cc7cc2	Rule: Sysmon Turla Commands	2017-11-08 00:33:17 +01:00
Florian Roth	acc430c4b6	Rule: Proxy download from blacklisted TLDs	2017-11-07 14:03:16 +01:00
Florian Roth	58f20d3cfb	Rule: Proxy download whitelist bugfix and improvements	2017-11-07 14:02:56 +01:00
Florian Roth	59e5b3b999	Sysmon: Named Pipe detection for APT malware	2017-11-06 14:24:42 +01:00
Florian Roth	ea840632f3	Sysmon: Named Pipe detection for Turla malware by @markus_neis	2017-11-06 14:22:09 +01:00
Florian Roth	37cea85072	Rundll32.exe suspicious network connections	2017-11-04 14:44:30 +01:00
Thomas Patzke	5035c9c490	Converted Windows 4688-only rules into 4688 and Sysmon/1 collections	2017-11-01 22:12:14 +01:00
Thomas Patzke	f3a809eb00	Improved admin logon rules and removed duplicates	2017-11-01 21:33:01 +01:00
Thomas Patzke	0055eedb83	Merge pull request #54 from juju4/CAR-2016-04-005b Admin user remote login	2017-11-01 21:22:09 +01:00
Thomas Patzke	613f922976	Merge pull request #43 from juju4/master New rules	2017-11-01 21:21:30 +01:00
Thomas Patzke	118e8af738	Simplified rule collection	2017-11-01 10:00:35 +01:00
Thomas Patzke	732f01878f	Sigma rule collection YAML action documents	2017-11-01 00:17:55 +01:00
Thomas Patzke	d0b2bd9875	Multiple rules per file * New wrapper class SigmaCollectionParser parses all YAML documents contained in file and handles multiple SigmaParser instantiation. * Exemplary extended one security/4688 rule to security/4688 + sysmon/1	2017-10-31 23:06:18 +01:00
Thomas Patzke	9d96a998d7	Merge pull request #56 from juju4/CAR-2013-05-002b Detects Suspicious Run Locations - MITRE CAR-2013-05-002	2017-10-30 00:27:56 +01:00
Thomas Patzke	720c992573	Dropped within keyword Covered by timeframe attribute. Fixes issue #26.	2017-10-30 00:25:56 +01:00
Thomas Patzke	c865b0e9a8	Removed within keyword in rule	2017-10-30 00:15:01 +01:00
Thomas Patzke	0df60fe004	Merge branch 'CAR-2013-04-002b' of https://github.com/juju4/sigma into juju4-CAR-2013-04-002b	2017-10-30 00:13:21 +01:00
Thomas Patzke	27227855b5	Merge branch 'devel-sigmac'	2017-10-29 23:59:49 +01:00
Thomas Patzke	012cb6227f	Added proper handling of null/not null values Fixes issue #25	2017-10-29 23:57:39 +01:00
juju4	4b64fc1704	double quotes = escape	2017-10-29 14:42:40 -04:00
juju4	07185247cb	double quotes = escape	2017-10-29 14:32:52 -04:00
juju4	f5f20c3f75	Admin user remote login	2017-10-29 14:30:11 -04:00
juju4	19dd69140b	Detects Suspicious Run Locations - MITRE CAR-2013-05-002	2017-10-29 14:27:01 -04:00
juju4	ad27a0a117	Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002	2017-10-29 14:24:53 -04:00
juju4	9d968de337	Merge remote-tracking branch 'upstream/master'	2017-10-29 14:14:47 -04:00
Florian Roth	b7e8000ccb	Improved Office Shell rule > added 'schtasks.exe'	2017-10-25 23:53:45 +02:00
Florian Roth	e680da1b50	Suspicious flash player download location / BadRabbit	2017-10-25 08:40:30 +02:00

1 2 3 4 5 ...

409 Commits