valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,017 Commits 20 Branches 25 Tags 21 MiB
2fb40acfe6
Commit Graph

393 Commits

Author SHA1 Message Date
Teimur Kheirkhabarov
2fb40acfe6 Fix mistake in possible_privilege_escalation_via_service_registry_permissions_weakness 2019-10-28 09:30:26 +03:00
Teimur Kheirkhabarov
fde949174d OSCD Task 1 - Privilege Escalation 2019-10-27 20:54:07 +03:00
Florian Roth
deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth
c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth
e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth
7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth
e0009bfb4a fix: merged duplicate rules 2019-10-01 16:14:38 +02:00
Florian Roth
d8af435827 rule: RUN key pointing to suspicious folders 2019-10-01 16:08:31 +02:00
Florian Roth
c44f940fb6 rule: suspicious RUN key created by exe in temp/download folders 2019-10-01 16:08:13 +02:00
Florian Roth
de3a843bea
Merge pull request #457 from EccoTheFlintstone/sysmon_eventid3 
sysmon eventid 3: filter on outgoing connections (initiated: true) to…
 2019-09-28 10:16:02 +02:00
ecco
7a1d48cccd fix: PsExec false positives 2019-09-26 04:50:43 -04:00
ecco
4c54e8322a sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives 2019-09-25 11:11:22 -04:00
ecco
0c96777f6a sysmon rules cleanup and move to process_creation 2019-09-11 10:24:43 -04:00
Florian Roth
038900e2fe fix: renamed powershell rule 2019-09-06 17:33:56 +02:00
Florian Roth
7f1b6eb311 fix: duplicate rule 2019-09-06 10:30:47 +02:00
Florian Roth
fcbae16cc8 rule: image debugger 2019-09-06 10:28:20 +02:00
ecco
01956f1312 powershell false positives 2019-09-06 03:54:19 -04:00
Denys Iuzvyk
774be4d008 Escaped '\*' to '\*' where required 2019-09-04 14:05:58 +03:00
Florian Roth
ca2019b57f
fix: typo in MITRE tag 2019-08-27 12:32:56 +02:00
Florian Roth
6b7cd94197
Changes 2019-08-27 12:23:42 +02:00
weev3
d42a51372d
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30
Thomas Patzke
68fb56f503
Merge pull request #345 from ki11oFF/patch-1 
Detection of usage mimikatz trough WinRM
 2019-08-23 23:04:07 +02:00
Florian Roth
c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match 
Add default task name and powershell task command to match what the rule name says: detects default config.
 2019-08-09 11:58:43 +02:00
Florian Roth
f3fb2b41b2 Rule: FP filters extended 2019-07-23 14:58:36 +02:00
Christophe Tafani-Dereeper
5bc10a4855
Include Github raw URLs in suspicious downloads detection rule 2019-07-05 09:01:35 +00:00
Thomas Patzke
dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke
d14f5c3436
Merge pull request #371 from savvyspoon/issue285 
CAR tagging
 2019-06-19 23:21:43 +02:00
Thomas Patzke
d82df83ef1
Merge pull request #369 from TareqAlKhatib/refactors 
Refactors
 2019-06-19 23:16:19 +02:00
Michael Wade
f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb
2d22a3fe02
Add detection for recent Mimikatz versions 
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
 2019-06-12 12:13:31 +03:00
Thomas Patzke
5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib
fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
Florian Roth
7b63c92fc0 Rule: applying recommendation 
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
 2019-05-23 09:44:25 +02:00
Olaf Hartong
b60cfbe244
Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88 Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Patryk
c163dcbe05
Update sysmon_mimikatz_trough_winrm.yml 
Deleted tab character (\t)
 2019-05-20 13:22:36 +02:00
Patryk
a9faa3dc33
Create sysmon_mimikatz_trough_winrm.yml 
Detects usage of mimikatz through WinRM protocol
 2019-05-20 12:25:58 +02:00
Florian Roth
694fa567b6
Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown
13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown
275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
Florian Roth
f78413deab
Merge pull request #309 from jmlynch/master 
added rules for renamed wscript, cscript and paexec. Added two direct…
 2019-04-17 23:59:27 +02:00