valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,512 Commits 20 Branches 25 Tags 21 MiB
32c6b34746
Commit Graph

335 Commits

Author SHA1 Message Date
Florian Roth
b7eb79f8da Rule: UserInitMprLogonScript persistence method 2019-01-12 12:03:36 +01:00
Tareq AlKhatib
8b94860ee6 Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
Tareq AlKhatib
925ffae9b8 Removed Outlook detection which is a subset of the Office one 2019-01-02 07:47:44 +03:00
Tareq AlKhatib
0a5e79b1e0 Fixed the RC section to use rc.exe instead of oleview.exe 2019-01-01 13:30:26 +03:00
Tareq AlKhatib
f318f328d6 Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
Florian Roth
99f773dcf6 Rule: false positive reduction in rule 2018-12-17 10:02:55 +01:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Florian Roth
b5d78835b6 Removed overlapping rule with sysmon_office_shell.yml 2018-12-11 13:37:47 +01:00
Roberto Rodriguez
8c577a329f Improve Rule & Updated HELK SIGMA Standardization Config 
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.

SIGMA HELK standardization config updated to match latest HELK Common Information Model
 2018-12-08 11:30:21 +03:00
Roberto Rodriguez
87ce07088f Update sysmon_plugx_susp_exe_locations.yml 
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location

This impats Elastalert integration since you cannot have two rules with the same name
 2018-12-05 07:58:13 +03:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Florian Roth
a805d18bba
Merge pull request #198 from kpolley/consistent_filetype 
changed .yaml files to .yml for consistency
 2018-12-03 09:00:14 +01:00
Florian Roth
2ebbdebe46 rule: Cobalt Strike beacon detection via Remote Threat Creation 
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 2018-11-30 10:25:05 +01:00
Kyle Polley
60538e2e12 changed .yaml files to .yml for consistency 2018-11-20 21:07:36 -08:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Thomas Patzke
732de3458f
Merge pull request #186 from megan201296/patch-15 
Update sysmon_cmstp_com_object_access.yml
 2018-10-18 15:49:06 +02:00
Thomas Patzke
fdd0823e07
Merge pull request #187 from megan201296/patch-16 
Additional MITRE ATT&CK Tagging
 2018-10-18 15:38:11 +02:00
Florian Roth
fd34437575 fix: fixed date in rule 2018-10-10 15:27:58 +02:00
megan201296
fdd264d946
Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
megan201296
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml 2018-10-09 19:11:17 -05:00
megan201296
b0983047eb
Update sysmon_powersploit_schtasks.yml 2018-10-09 19:10:37 -05:00
megan201296
2f533c54b3
Update sysmon_powershell_network_connection.yml 2018-10-09 19:10:17 -05:00
megan201296
1b92a158b5
Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
megan201296
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml 
Edit tule logic for `and` instead of `or
 2018-10-09 19:03:30 -05:00
megan201296
7997cb3001
Remove duplicate value 2018-10-08 13:00:59 -05:00
Florian Roth
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml 2018-10-02 08:56:09 +02:00
Florian Roth
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml 2018-10-02 08:55:48 +02:00
Florian Roth
aafe9c6dae
Delete sysmon_lethalHTA.yml 2018-10-02 08:55:19 +02:00
Ensar Şamil
dec7568d4c
Rule simplification 
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
 2018-09-28 10:58:50 +03:00
Florian Roth
edf8dde958
Include cases in which certutil.exe is used 2018-09-23 20:57:34 +02:00
Karneades
c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command 
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
 2018-09-23 20:28:56 +02:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth
6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
Florian Roth
49f7da6412 style: changed title casing and minor fixes 2018-09-04 16:15:41 +02:00
Florian Roth
7a3890ad76 Rule: SysInternals EULA accept improved and renamed 2018-08-30 13:16:28 +02:00
Florian Roth
d83f124f5f Rule: Suspicious communication endpoints 2018-08-30 10:12:12 +02:00
Florian Roth
e70395744b Rule: Improved Github communication rule 2018-08-30 10:12:12 +02:00
Thomas Patzke
d17cc5c07d
Merge pull request #157 from yt0ng/development 
Added Detection of Sysinternals Tools via eulaaccepted registry key
 2018-08-28 22:37:00 +02:00
Unknown
75d72344ca Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 17:36:22 +02:00
Thomas Patzke
6e7208553a Revert "removing for new pull request" 
This reverts commit ca7e8d6468.
 2018-08-27 23:39:29 +02:00
Thomas Patzke
87e39b8768 Fixed rules 2018-08-26 22:30:47 +02:00
yt0ng
df9f6688eb
Added Deskop Location, RunOnce and ATTCK 
Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7
 2018-08-25 17:32:34 +02:00
yt0ng
eda6f3b9ca rules/windows/sysmon/sysmon_powershell_DLL_execution.yml 2018-08-25 16:33:54 +02:00
yt0ng
c7d4b4853d removing sysmon_powershell_AMSI_bypass.yml 2018-08-23 10:17:19 +02:00
Thomas Patzke
49af499353
Merge pull request #151 from nikseetharaman/workflow_compiler 
Add Microsoft Workflow Compiler Sysmon Detection
 2018-08-23 08:24:35 +02:00
Thomas Patzke
9235175e26
Fixed rule 
* Added condition
* Replaced Description wirh Image attribute and improved search pattern
 2018-08-23 08:20:28 +02:00
Thomas Patzke
73535e58a5
Merge pull request #153 from megan201296/patch-10 
Add ATT&CK Matrix tags
 2018-08-23 08:06:58 +02:00
Thomas Patzke
d647a7de07
Merge pull request #154 from megan201296/patch-11 
Add MITRE ATT&CK tagging
 2018-08-23 08:06:39 +02:00
Florian Roth
040ba0338d
fix: Added Event ID in second selection 2018-08-22 17:03:13 +02:00
megan201296
3f5c32c6da
Add MITRE ATT&CK tagging 2018-08-22 09:35:06 -05:00
megan201296
76aabe7e05
Add ATT&CK Matrix tags 2018-08-22 09:30:55 -05:00
Nik Seetharaman
e371d945ed Add Microsoft Workflow Compiler Sysmon Detection 2018-08-18 00:53:28 -05:00
yt0ng
ca7e8d6468
removing for new pull request 2018-08-17 18:42:10 +02:00
yt0ng
5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng
8ecf167e85
Powershell AMSI Bypass via .NET Reflection 
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 2018-08-17 18:26:04 +02:00
Thomas Patzke
2715c44173 Converted first Sysmon rule to generic process_execution rule 2018-08-14 21:34:54 +02:00
Thomas Patzke
2c0e76be3d
Escaped * where required 2018-08-10 13:53:08 +02:00
Lurkkeli
7cdc13ef11
Update 2018-08-08 17:05:51 +02:00
Lurkkeli
392351af25
Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli
4d721f1803
Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli
b9f433414d
hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke
92c0e0321a
Merge pull request #144 from samsson/patch-7 
Added att&ck tags
 2018-08-07 11:19:36 +02:00
Lurkkeli
a245820519
added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli
294677a2cc
added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli
a57e87b345
added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli
99253763af
added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli
0bff27ec21
added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:37:51 +02:00
Lurkkeli
198cb63182
added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:36:53 +02:00
Thomas Patzke
518e21fcd2
Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access 
Add CMSTP UAC Bypass via COM Object Access
 2018-08-07 08:33:33 +02:00
Thomas Patzke
b9fdf07926
Extended tagging 2018-08-07 08:33:18 +02:00
Lurkkeli
b50c13dd1f
Update att&ck tag 2018-08-07 08:27:24 +02:00
Thomas Patzke
5d5d42eb9b
Merge pull request #140 from yt0ng/master 
Possible Shim Database Persistence via sdbinst.exe
 2018-08-07 08:22:32 +02:00
Thomas Patzke
80eaedab8b
Fixed tag and date 2018-08-07 08:22:11 +02:00
Thomas Patzke
3509fbd201
Merge pull request #142 from samsson/patch-5 
Added ATT&CK tag
 2018-08-07 08:20:22 +02:00
Thomas Patzke
b049210641
Fixed tags 2018-08-07 08:20:09 +02:00
Lurkkeli
3456f9a74d
Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
Thomas Patzke
64fa3b162d
Tag fixes 2018-08-07 08:18:16 +02:00
Lurkkeli
6472be5e19
Update sysmon_uac_bypass_sdclt.yml 2018-08-07 08:08:53 +02:00
Lurkkeli
21bee17ffd
Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
yt0ng
fc091fe3d7
Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng
b65cb5eaca
Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Nik Seetharaman
b938fdb0a3 Add CMSTP UAC Bypass via COM Object Access 2018-07-27 02:28:28 -05:00
James Dickenson
5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Florian Roth
a9fcecab88
Merge pull request #130 from samsson/patch-4 
Fixed typo / Created a rule
 2018-07-26 22:34:46 +02:00
Florian Roth
089498b0b3
Merge pull request #131 from yt0ng/master 
Possible SafetyKatz Dump of debug.bin
 2018-07-25 07:41:38 +02:00
Florian Roth
dd857c4470
Cosmetics 
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
 2018-07-25 07:37:17 +02:00
yt0ng
b415fc8d42
Possible SafetyKatz Dump of debug.bin 
https://github.com/GhostPack/SafetyKatz
 2018-07-24 23:51:46 +02:00
Lurkkeli
0e9c5bb14a
Update sysmon_rundll32_net_connections.yml 2018-07-24 20:01:47 +02:00
Thomas Patzke
01e7675e24
Merge pull request #124 from samsson/patch-1 
ATT&CK tagging
 2018-07-24 07:58:50 +02:00
Thomas Patzke
30d255ab6f
Fixed tag 2018-07-24 07:58:25 +02:00
Lurkkeli
1898157df5
ATT&CK tagging 
Added tag for technique t1015
 2018-07-23 23:57:15 +02:00
yt0ng
16160dfc80 added additional binaries and attack tactics/techniques 2018-07-23 15:47:56 +02:00
Suleyman Ozarslan
e6cbc17c12 ATT&CK tagging of Scheduled Task Creation 2018-07-22 15:56:47 +03:00
Suleyman Ozarslan
8d9b12be07 ATT&CK tagging of Default PowerSploit Schtasks Persistence 2018-07-22 15:53:56 +03:00
Suleyman Ozarslan
080892b5ab ATT&CK tagging of MSHTA Spawning Windows Shell 2018-07-20 09:53:55 +03:00
Suleyman Ozarslan
76f277d5fe ATT&CK tagging of Malicious Named Pipe rule 2018-07-20 09:41:54 +03:00
Suleyman Ozarslan
7e74527344 ATT&CK software tag is added to Bitsadmin Download rule 2018-07-20 09:35:35 +03:00
Florian Roth
1e61adfad1 rule: Changed Registry persistence Explorer RUN key rule 2018-07-19 16:27:19 -06:00
Florian Roth
83d6f12ce3 rule: Registry persistence in Explorer RUN key pointing to suspicious folder 2018-07-19 16:27:19 -06:00
Thomas Patzke
f98158f5ad Further ATT&CK tagging 2018-07-19 23:36:13 +02:00