SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00

Author	SHA1	Message	Date
Florian Roth	323a7313fd	FP adjustments We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.	2019-05-27 08:54:18 +02:00
Lionel PRAT	f65f693a88	Add rule for CVE-2019-0708	2019-05-24 10:01:19 +02:00
Florian Roth	7b63c92fc0	Rule: applying recommendation https://twitter.com/SwiftOnSecurity/status/1131464234901094400	2019-05-23 09:44:25 +02:00
Olaf Hartong	b60cfbe244	Added password flag	2019-05-22 13:20:26 +02:00
Florian Roth	346022cfe8	Transformed to process creation rule	2019-05-22 12:50:49 +02:00
Olaf Hartong	4a775650a2	Rule Windows 10 scheduled task SandboxEscaper 0-day	2019-05-22 12:36:03 +02:00
Olaf Hartong	e675cdf9c4	Rule Windows 10 scheduled task SandboxEscaper 0-day	2019-05-22 12:32:07 +02:00
Olaf Hartong	544dfe3704	Rule Windows 10 scheduled task SandboxEscaper 0-day	2019-05-22 12:28:42 +02:00
Florian Roth	c937fe3c1b	Rule: Terminal Service Process Spawn	2019-05-22 10:38:27 +02:00
Florian Roth	74ca0eeb88	Rule: Renamed PsExec	2019-05-21 09:49:40 +02:00
Thomas Patzke	2d0c08cc8b	Added wildcards to rule values These values appear somewhere in a log message, therefore wildcards are required.	2019-05-21 01:03:20 +02:00
Florian Roth	694fa567b6	Reformatted	2019-05-15 20:22:53 +02:00
Florian Roth	1c36bfde79	Bugfix - Swisscom in Newline	2019-05-15 15:03:55 +02:00
Florian Roth	d5f49c5777	Fixed syntax	2019-05-15 14:50:57 +02:00
Florian Roth	508d1cdae0	Removed double back slashes	2019-05-15 14:46:45 +02:00
Unknown	13522b97a7	Adjusting Newline	2019-05-15 12:15:41 +02:00
Unknown	275896dbe6	Suspicious Outbound RDP Rule likely identifying CVE-2019-0708	2019-05-15 11:47:12 +02:00
Codehardt	1ca57719b0	fix: fixed reference list, otherwise it's not valid string list	2019-05-10 10:37:12 +02:00
Codehardt	6585c83077	fix: fixed reference list, otherwise it's not valid string list	2019-05-10 10:13:35 +02:00
Thomas Patzke	25c0330dca	Added filter	2019-05-10 00:20:56 +02:00
Thomas Patzke	995c03eef9	Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1	2019-05-10 00:15:51 +02:00
Thomas Patzke	15a4c7e477	Fixed rule	2019-05-10 00:02:20 +02:00
Thomas Patzke	666e859d14	Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3	2019-05-10 00:00:14 +02:00
Thomas Patzke	f01fbd6b79	Merge branch	2019-05-09 23:51:15 +02:00
Thomas Patzke	e60fe1f46d	Changed rule * Adapted false positive notice to observation * Decreased level	2019-05-09 23:49:39 +02:00
Florian Roth	3dd76a9c5e	Converted to generic process creation rule Previous rule was prone to FPs; more generic form	2019-05-09 23:48:42 +02:00
Vasiliy Burov	792095734d	Update win_proc_wrong_parent.yml changes accordingly this documents: https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/ https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf	2019-05-09 23:48:36 +02:00
Florian Roth	378ba5b38f	Transformed rule I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs Fixed Typo Changes to title and description	2019-05-09 23:48:36 +02:00
Vasiliy Burov	8e6295e402	Windows processes with wrong parent Detect scenarios when malicious program is disguised as legitimate process	2019-05-09 23:48:36 +02:00
Thomas Patzke	121e21960e	Rule changes * Replaced variables with usual path names * Removed Temp directories due to many false positives * Matching on Image field, CommandLines often contain these paths	2019-05-09 23:09:22 +02:00
Thomas Patzke	9b67705799	Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2	2019-05-09 22:55:07 +02:00
Thomas Patzke	f0b0f54500	Merge improved pull request #322	2019-04-21 23:56:36 +02:00
Thomas Patzke	765fe9dcd9	Further improved Windows user creation rule * Decreased level * Fixed field names * Added false positive possibility	2019-04-21 23:54:18 +02:00
Karneades	b47900fbee	Add default path to filter for explorer in exe anomaly rule	2019-04-21 17:42:47 +02:00
Florian Roth	dd9648b31e	Revert "New Sigma rule detecting local user creation"	2019-04-21 09:09:25 +02:00
Thomas Patzke	49beb5d1a8	Integrated PR from @P4T12ICK in existing rule PR #321	2019-04-21 00:28:40 +02:00
Thomas Patzke	bdd184a24c	Merge pull request #322 from P4T12ICK/feature/win_user_creation New Sigma rule detecting local user creation	2019-04-21 00:20:15 +02:00
Thomas Patzke	80f45349ed	Modified rule * Adjusted ATT&CK tagging * Set status	2019-04-21 00:14:57 +02:00
Florian Roth	aab3dbee4f	Rule: Detect Empire PowerShell Default Cmdline Params	2019-04-20 09:38:41 +02:00
Florian Roth	03d8184990	Rule: Extended PowerShell Susp Cmdline Enc Commands	2019-04-20 09:38:41 +02:00
Florian Roth	d5fa51eab9	Merge pull request #305 from Karneades/patch-3 Remove too loose filter in notepad++ updater rule	2019-04-19 12:40:24 +02:00
Florian Roth	e32708154f	Merge pull request #304 from Karneades/patch-2 Remove too loose filter in mshta rule	2019-04-19 09:51:45 +02:00
Florian Roth	74dd008b10	FP note for HP software	2019-04-19 09:51:32 +02:00
Karneades	d75ea35295	Restrict whitelist filter in system exe anomaly rule	2019-04-18 22:06:12 +02:00
patrick	8609fc7ece	New Sigma rule detecting local user creation	2019-04-18 19:59:43 +02:00
Florian Roth	f78413deab	Merge pull request #309 from jmlynch/master added rules for renamed wscript, cscript and paexec. Added two direct…	2019-04-17 23:59:27 +02:00
Florian Roth	4808f49e0d	More exact path	2019-04-17 23:45:15 +02:00
Florian Roth	1a4a74b64b	fix: dot mustn't be escaped	2019-04-17 23:44:36 +02:00
Florian Roth	76780ccce2	Too many different trusted cscript imphashes	2019-04-17 23:33:56 +02:00
Florian Roth	7c5f985f6f	Modifications	2019-04-17 23:30:49 +02:00

1 2 3 4 5 ...

749 Commits