Commit Graph

4663 Commits

Author SHA1 Message Date
Florian Roth
736eeabf9f
Merge pull request #1527 from SigmaHQ/rule-devel
fix: rule FPs with Stealthy VSTO Persistence
2021-06-01 18:18:22 +02:00
Florian Roth
950b252d5c
Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki
d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki
90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki
cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
Florian Roth
34cf1333de fix: rule FPs with Stealthy VSTO Persistence 2021-06-01 13:58:35 +02:00
frack113
bf98f43850 Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
frack113
5f98f00a36 Filtering Platform Connection are in security channel not system 2021-06-01 08:19:26 +02:00
Florian Roth
b191efaab1
Merge pull request #1522 from SigmaHQ/rule-devel
rule: nginx core dump
2021-05-31 16:56:16 +02:00
Florian Roth
ab73dd4dd6 rule: nginx core dump 2021-05-31 10:49:42 +02:00
frack113
0b2037ccad fix **firewall** is a category like in all other rules 2021-05-30 09:43:29 +02:00
frack113
7d55c7ca80 category other is useless
Add a new reference
2021-05-30 09:17:41 +02:00
frack113
f91abf8929 Fix auditd is a service 2021-05-30 08:58:25 +02:00
frack113
a634452871 product is lowercase 2021-05-30 08:43:01 +02:00
frack113
58436c2a02 product is lowercase 2021-05-30 08:37:48 +02:00
frack113
33a5137bc7 Fix logsource to get accurate detection 2021-05-30 08:22:38 +02:00
Hasan
fdeb8a8e7f Added rule to detect ISO mounts 2021-05-29 22:48:29 +05:00
frack113
9a0604029e duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d
- win_cobaltstrike_service_installs.yml
- win_mal_service_installs.yml
2021-05-27 21:06:07 +02:00
frack113
179bfa7d56 duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
- sysmon_susp_webdav_client_execution.yml
- sysmon_wdigest_enable_uselogoncredential.yml
2021-05-27 20:59:26 +02:00
Florian Roth
39900bb7c5 refactor: re-add exec selection 2021-05-27 19:24:20 +02:00
Florian Roth
9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth
c3ab7d19f1
Merge pull request #1515 from jbeley/master
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
2021-05-27 18:22:16 +02:00
Florian Roth
431f34b985 fix: other locations
https://twitter.com/ber_m1ng/status/1397948048135778309
2021-05-27 18:12:20 +02:00
Florian Roth
a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth
fa45298474
Merge pull request #1516 from SigmaHQ/rule-devel
Update win_susp_regedit_trustedinstaller.yml
2021-05-27 17:48:48 +02:00
Jeff Beley
f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth
61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth
71625c54f0
Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
2021-05-27 16:30:30 +02:00
Florian Roth
d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth
d5e8d1153f fix: missing condition 2021-05-27 15:04:13 +02:00
Florian Roth
7ce7095c2c fix: title with lower case letters 2021-05-27 15:01:32 +02:00
Florian Roth
5cf7078fb3
Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
2021-05-27 12:55:31 +02:00
Florian Roth
ea430c8823
Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
2021-05-27 12:55:03 +02:00
Florian Roth
8d834cf681
Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access
Add Windows Defender on WL
2021-05-27 12:54:15 +02:00
Florian Roth
d8827fc29d
Merge pull request #1481 from ZikyHD/improve_win_tool_psexec
Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule
2021-05-27 12:53:56 +02:00
Florian Roth
1bf9546fad
Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file
Exclude dism.exe
2021-05-27 12:53:27 +02:00
Florian Roth
9239690ef3
Merge pull request #1488 from dacelbot/master
Contribute AWS snapshot exfiltration rule
2021-05-27 12:52:46 +02:00
Florian Roth
a80c29a7c2
Merge pull request #1491 from w0rk3r/patch-1
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
2021-05-27 12:52:14 +02:00
Florian Roth
059e669ac6
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
2021-05-27 12:51:54 +02:00
Florian Roth
e397a2974e
Merge pull request #1511 from frack113/fix_missing_eventid_Obfuscation
Fix missing eventid when converting windows obfuscation rules
2021-05-27 12:51:22 +02:00
Florian Roth
3cd2730a26 rule: process hacker priv esc 2021-05-27 12:49:54 +02:00
Florian Roth
c0b93a010c NCCGroup rules from rclone blog post
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
2021-05-27 12:49:40 +02:00
Florian Roth
7812a4217c rule: regedit as trustedinstaller 2021-05-27 11:36:05 +02:00
Florian Roth
b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth
adbdb5b22f
Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
frack113
2a68700991 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:43:08 +02:00
frack113
30cc64a349 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:41:19 +02:00
frack113
e4c32c353a use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:39:16 +02:00
frack113
a878f3b0a5 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:36:47 +02:00
frack113
cbce61bc8c use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:34:46 +02:00
frack113
8d8df10687 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:31:57 +02:00
frack113
ce53a5a67b use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:30:00 +02:00
frack113
417da3ac95 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:28:06 +02:00
frack113
f0d1c9aa7d use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:26:08 +02:00
frack113
788ebbafdc use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:20:29 +02:00
Florian Roth
a5fe7af25f Cobalt Strike Service Installation 2021-05-26 18:05:38 +02:00
Florian Roth
c1cebe627a refactor: reworked CS pipe rule 2021-05-26 17:22:34 +02:00
Florian Roth
ba12057919
Merge pull request #1505 from WojciechLesicki/master
Update rule regarding other named pipe
2021-05-26 14:35:22 +02:00
Florian Roth
8aabb58eca
Merge pull request #1498 from w0rk3r/otrf
Update broken OTRF Threat Hunter Playbook References
2021-05-26 13:06:16 +02:00
WojciechLesicki
8b707bc948 Added also \status_ pipe. 2021-05-25 21:58:22 +02:00
WojciechLesicki
f1a0308e73 Add one more pipe, references etc. 2021-05-25 21:07:23 +02:00
Bhabesh Rai
cc9ac2ddcf Added rule for PowerView's malicious cmdlets 2021-05-25 21:04:32 +05:45
WojciechLesicki
38552e98cf Adding some pipes 2021-05-25 15:47:34 +02:00
frack113
3717c68bb7 fix typo of level 2021-05-24 10:45:58 +02:00
frack113
104a004b3d fix typo of tags 2021-05-24 10:41:17 +02:00
frack113
afb3d63900 fix typo of fields 2021-05-24 10:37:14 +02:00
frack113
1fcd0bf951 fix typo of fields 2021-05-24 10:34:56 +02:00
frack113
a1bddf51e7 fix typo of falsepositives 2021-05-24 10:31:28 +02:00
Florian Roth
211bf35640 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-05-22 15:45:40 +02:00
Florian Roth
02323043d7 Create web_cve_2021_26814_wzuh_rce.yml 2021-05-22 15:45:38 +02:00
Florian Roth
576e047e76
Delete win_susp_Register_cimprovider.yml 2021-05-22 15:43:41 +02:00
Florian Roth
4c281d117c fix: bug in rule syntax 2021-05-22 15:31:23 +02:00
Florian Roth
9b7fb0c0f3 Update win_susp_shell_spawn_from_winrm.yml 2021-05-22 15:28:50 +02:00
Florian Roth
7e1ac347ef Merge branch 'master' into rule-devel 2021-05-22 15:27:32 +02:00
Florian Roth
c0d58cb7f9 PAExec and PSexec rules 2021-05-22 10:52:01 +02:00
Jonhnathan
687f2d67fc
Update Threat Hunter Playbook Reference 2021-05-22 01:09:30 -03:00
Jonhnathan
7f335cbb4a
Update Threat Hunter Playbook Reference 2021-05-22 01:08:23 -03:00
Jonhnathan
34e2a81371
Update Threat Hunter Playbook Reference 2021-05-22 01:04:53 -03:00
Jonhnathan
89cfef9d49
Update Threat Hunter Playbook Reference 2021-05-22 01:04:20 -03:00
Jonhnathan
26ecbea0ba
Update Threat Hunter Playbook Reference 2021-05-22 01:03:49 -03:00
Jonhnathan
4ebdcf2f1d
Update Threat Hunter Playbook Reference 2021-05-22 01:03:23 -03:00
Jonhnathan
c7f7eb6698
Update Threat Hunter Playbook Reference 2021-05-22 01:02:43 -03:00
Jonhnathan
5f6c19f203
Update Threat Hunter Playbook Reference 2021-05-22 01:02:19 -03:00
Jonhnathan
627a83914a
Update Threat Hunter Playbook Reference 2021-05-22 01:01:33 -03:00
Jonhnathan
3853d71c56
Update Threat Hunter Playbook Reference 2021-05-22 01:01:07 -03:00
Jonhnathan
e218c32a4c
Update Threat Hunter Playbook Reference 2021-05-22 01:00:39 -03:00
Jonhnathan
1b32a5c0f3
Update Threat Hunter Playbook Reference 2021-05-22 00:59:54 -03:00
Jonhnathan
93087d2130
Update Threat Hunter Playbook Reference 2021-05-22 00:59:35 -03:00
Jonhnathan
d3afed53ac
Update Threat Hunter Playbook Reference 2021-05-22 00:59:04 -03:00
Jonhnathan
7007287832
Update Threat Hunter Playbook Reference 2021-05-22 00:58:23 -03:00
Jonhnathan
2e139b4264
Update win_protected_storage_service_access.yml 2021-05-22 00:57:25 -03:00
Jonhnathan
085218b25a
Update Threat Hunter Playbook Reference 2021-05-22 00:57:01 -03:00
Jonhnathan
3fb5f1c47e
Update Threat Hunter Playbook Reference 2021-05-22 00:56:32 -03:00
Jonhnathan
943e2c8c88
Update Threat Hunter Playbook Reference 2021-05-22 00:56:03 -03:00
Jonhnathan
9765fcbd0c
Update Threat Hunter Playbook Reference 2021-05-22 00:55:29 -03:00
Jonhnathan
e23147111b
Update Threat Hunter Playbook Reference 2021-05-22 00:54:57 -03:00
frack113
dec9e68876 Fix falsepositives list 2021-05-21 12:38:44 +02:00
frack113
1e2f7c7abf Fix falsepositives list 2021-05-21 12:35:37 +02:00
frack113
0a588a1ecc Fix falsepositives list 2021-05-21 12:33:50 +02:00
frack113
168d5c9dff Fix falsepositives list 2021-05-21 12:32:24 +02:00
frack113
1d1170e8ba Fix falsepositives list 2021-05-21 12:31:01 +02:00
frack113
a6cadc6de5 Fix falsepositives list 2021-05-21 12:29:28 +02:00
frack113
ad376a8328 Fix falsepositives list 2021-05-21 12:28:12 +02:00
frack113
2197514fc5 Fix falsepositives list 2021-05-21 12:26:37 +02:00
frack113
48a7e80192 Fix falsepositives list 2021-05-21 12:24:25 +02:00
frack113
6630ec7c41 Fix falsepositives list 2021-05-21 12:23:09 +02:00
frack113
a9e85ca58e Fix falsepositives list 2021-05-21 12:22:36 +02:00
frack113
f4be70aa9e Fix falsepositives list 2021-05-21 12:19:17 +02:00
frack113
f312663820 Fix falsepositives list 2021-05-21 11:29:17 +02:00
frack113
6878bfade9 Fix falsepositives list 2021-05-21 11:17:36 +02:00
frack113
cabaccceb8 Fix falsepositives list 2021-05-21 11:15:10 +02:00
frack113
45190c3874 Fix falsepositives list 2021-05-21 11:13:27 +02:00
frack113
dfe7e4e38c Fix falsepositives list 2021-05-21 11:12:04 +02:00
Florian Roth
a0efd7a4dc
Merge pull request #1494 from Karneades/patch-1
Add keyword WinRM to remote powershell rules
2021-05-21 10:35:18 +02:00
Andreas Hunkeler
e58c59dcfd
Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00
Andreas Hunkeler
d8ec5fa6af
Add modified field in WinRM rule 2021-05-21 09:28:45 +02:00
Florian Roth
a30391f3b4
Merge pull request #1495 from SigmaHQ/rule-devel
rule refactoring: Cobalt Strike service start
2021-05-20 17:43:29 +02:00
Andreas Hunkeler
93241e7fc6
Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler
b46f65965d
Add keyword WinRM to remote powershell network rule 2021-05-20 17:02:17 +02:00
Andreas Hunkeler
3763e54b99
Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Andreas Hunkeler
226a666827 rule: add rule to detect shell spawn from WinRM host process 2021-05-20 16:05:13 +02:00
Florian Roth
ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
Jonhnathan
1cf7bb5735
Add Hex equivalent of WriteData 2021-05-19 10:27:20 -03:00
Darin Smith
e921181f4b Add AWS snapshot exfiltration rule 2021-05-17 13:00:01 -07:00
SomeOne
e46ae5a28c Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution rule 2021-05-16 16:03:33 +02:00
SomeOne
a93acbbe03 Exclude dism.exe 2021-05-16 15:23:31 +02:00
SomeOne
53b21d1afe Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule 2021-05-16 15:03:58 +02:00
SomeOne
a788cd43ee Add Windows Defender on WL 2021-05-16 14:10:33 +02:00
Florian Roth
5a3af872d8
Merge pull request #1479 from SigmaHQ/rule-devel
Rule devel, Trademark test
2021-05-15 13:42:34 +02:00
Florian Roth
9b32e72d0b fix: syntax issue 2021-05-15 13:19:12 +02:00
Florian Roth
02bf32ce6c fixed more legal issues 2021-05-15 13:09:08 +02:00
Florian Roth
48757423ef rule darkside patterns 2021-05-14 18:06:53 +02:00
Florian Roth
a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth
e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
Florian Roth
3cf1be9e8d rule: exchange vulnerability CVE-2021-28480 2021-05-14 10:08:41 +02:00
Florian Roth
30bee7204c
Merge pull request #1475 from wagga40/master
Modified some field values for case sensitive backends (SQL)
2021-05-14 08:59:39 +02:00
Florian Roth
83068416fa
Merge pull request #1458 from P4rtyH4RD/P4rtyH4RD-patch-1-mitre-code
Update powershell_suspicious_getprocess_lsass.yml
2021-05-14 08:59:14 +02:00
wagga40
8944ccea04 Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113
cccfb3e59e file_event is a category 2021-05-12 09:05:52 +02:00
frack113
0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113
fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
frack113
ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113
cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
frack113
70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113
026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
Bhabesh Rai
48487385ef Preserved creation date 2021-05-11 19:17:32 +05:45
Florian Roth
7d7f8c90ec
Merge pull request #1443 from icthieves/patch-3
Update win_scm_database_privileged_operation.yml
2021-05-11 15:00:20 +02:00
Florian Roth
980ea97217
Merge pull request #1444 from icthieves/patch-2
Update win_scm_database_handle_failure.yml
2021-05-11 15:00:09 +02:00
Florian Roth
3564cf81f9
Merge pull request #1460 from neu5ron/patch-1
[Add Rule] Zeek Suspicious DNS Z Flag Set
2021-05-11 14:59:48 +02:00
Florian Roth
7bc733a3cf
Merge pull request #1473 from frack113/master
Correct the sysmon case-sensitive Key
2021-05-11 14:59:20 +02:00
Florian Roth
0fcbce9932
Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml
Got Rid of References that are no longer valid.
2021-05-11 14:32:47 +02:00
Florian Roth
85736ad859
Merge pull request #1467 from 2d4d/master
Update av_webshell.yml
2021-05-11 14:32:11 +02:00
frack113
f07c368ae0 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113
c4c720cc30 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113
720dd24814 Correct case-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
frack113
a1b0dfc0cd Correct case-sensitive Key "DestinationIp" 2021-05-11 10:49:10 +02:00
Bhabesh Rai
d90965af38 Updated rule for Advanced IP Scanner 2021-05-10 20:28:37 +05:45
Florian Roth
67e807983c
Merge pull request #1470 from SigmaHQ/rule-devel
New CS rule for malformed UAs, FP fixes
2021-05-10 13:40:27 +02:00
Florian Roth
416030a85f rule: cobaltstrike malformed UAs 2021-05-10 12:43:14 +02:00
Florian Roth
fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth
270aedfd62
Merge pull request #1469 from d4rk-d4nph3/master
Added rule for RClone usage for exfiltration
2021-05-10 10:50:35 +02:00
Bhabesh Rai
9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Nate Guagenti
0bee1b006f
fix - add date 2021-05-08 21:37:25 -04:00
Arnim Rupp
b9fc257124 Update av_relevant_files.yml
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
2021-05-09 00:03:47 +02:00
Arnim Rupp
ad3b829f2d Update av_webshell.yml
Added new strings and moved some from startwith to contains.
2021-05-08 08:49:17 +02:00
Austin Songer
39a21a9e89
Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth
384f40aa5b
Merge pull request #1464 from d4rk-d4nph3/master
Added rule for Moriya rootkit
2021-05-06 18:15:53 +02:00
Florian Roth
453fa0f299
Update win_moriya_rootkit.yml 2021-05-06 15:24:21 +02:00
Florian Roth
79c11a5cba
Update win_moriya_rootkit.yml 2021-05-06 14:59:28 +02:00
Bhabesh Rai
e5f95cac0c Added rule for Moriya rootkit 2021-05-06 17:29:20 +05:45
phantinuss
da533c7425
fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss
254a3bb122
new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
phantinuss
4b520de373
new rule detecting ld.so preload persistence by keyword 2021-05-05 15:12:07 +02:00
Florian Roth
9e662b9159
Update sysmon_vuln_dell_driver_load.yml 2021-05-05 14:31:01 +02:00
Florian Roth
80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth
c4ad770830
Merge pull request #1462 from SigmaHQ/rule-devel
Rule devel
2021-05-05 13:21:30 +02:00
Florian Roth
8497c8a9e6 fix: linux keywords rule 2021-05-05 12:56:24 +02:00
Florian Roth
615a284de3
Merge pull request #1461 from d4rk-d4nph3/master
Added rule for Pingback backdoor
2021-05-05 12:42:27 +02:00
Florian Roth
44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00
Florian Roth
0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
Florian Roth
29f26e0ae0 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-05-05 11:55:52 +02:00
Florian Roth
15ab1d5e8b Create lnx_symlink_etc_passwd.yml 2021-05-05 11:55:49 +02:00
Bhabesh Rai
4529fbd1f3 Fixed too many spaces after hyphen error 2021-05-05 12:48:29 +05:45
Bhabesh Rai
1352f0b0a6 Added rule for Pingback backdoor 2021-05-05 12:37:50 +05:45
Nate Guagenti
4152199073
add netbios port exclusion
netbios - every defender's nightmare and reality of FPs
2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set
The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise, if it is set to non-0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
2021-05-04 18:13:08 -04:00
partyh4rd
5a98e36905
Update powershell_suspicious_getprocess_lsass.yml
fix mitre_code 1552.004 -> 1003.001
2021-05-04 14:04:52 +03:00
Florian Roth
451f25910d
Merge pull request #1430 from Scoubi/patch-1
Create win_Outlook_C2_Macro_Creation.yml
2021-05-04 12:27:56 +02:00
Florian Roth
de8386d553
Merge pull request #1429 from Scoubi/patch-2
Create win_Outlook_C2_Macro_Creation.yml
2021-05-04 12:27:50 +02:00
Florian Roth
4ad3316d74
Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 09:41:38 +02:00
Florian Roth
8973b573bd
Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml 2021-05-04 09:36:26 +02:00
Florian Roth
c877a9a68d
Merge pull request #1454 from ZikyHD/fix_sysmon_registry_persistence_search_order
Fix sysmon registry persistence search order
2021-05-04 09:31:16 +02:00
Florian Roth
ecb133f97d docs: extended authors of malicious pipe rule 2021-05-04 09:28:17 +02:00
Florian Roth
c6aeee958e rule: more named pipes by @blueteam0ps 2021-05-04 09:27:11 +02:00
SomeOne
4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne
80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Florian Roth
ff50b5b659
Merge pull request #1451 from SigmaHQ/rule-devel
Different FP filters
2021-04-30 08:31:02 +02:00
Florian Roth
020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth
04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth
1bde7b3799
Merge pull request #1445 from blueteam0ps/patch-8
Create win_lateral_movement
2021-04-29 14:39:52 +02:00