valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,439 Commits 20 Branches 25 Tags 21 MiB
3382d5da09
Commit Graph

4663 Commits

Author SHA1 Message Date
Florian Roth
0fcbce9932
Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml 
Got Rid of References that are no longer valid.
 2021-05-11 14:32:47 +02:00
Florian Roth
85736ad859
Merge pull request #1467 from 2d4d/master 
Update av_webshell.yml
 2021-05-11 14:32:11 +02:00
frack113
f07c368ae0 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113
c4c720cc30 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113
720dd24814 Correct cast-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
frack113
a1b0dfc0cd Correct cast-sensitive Key "DestinationIp" 2021-05-11 10:49:10 +02:00
Bhabesh Rai
d90965af38 Updated rule for Advanced IP Scanner 2021-05-10 20:28:37 +05:45
Florian Roth
67e807983c
Merge pull request #1470 from SigmaHQ/rule-devel 
New CS rule for malformed UAs, FP fixes
 2021-05-10 13:40:27 +02:00
Florian Roth
416030a85f rule: cobaltstrike malformed UAs 2021-05-10 12:43:14 +02:00
Florian Roth
fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth
270aedfd62
Merge pull request #1469 from d4rk-d4nph3/master 
Added rule for RClone usage for exfiltration
 2021-05-10 10:50:35 +02:00
Bhabesh Rai
9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Nate Guagenti
0bee1b006f
fix - add date 2021-05-08 21:37:25 -04:00
Arnim Rupp
b9fc257124 Update av_relevant_files.yml 
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
 2021-05-09 00:03:47 +02:00
Arnim Rupp
ad3b829f2d Update av_webshell.yml 
Added new strings and moved some from startwith to contains.
 2021-05-08 08:49:17 +02:00
Austin Songer
39a21a9e89
Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth
384f40aa5b
Merge pull request #1464 from d4rk-d4nph3/master 
Added rule for Moriya rootkit
 2021-05-06 18:15:53 +02:00
Florian Roth
453fa0f299
Update win_moriya_rootkit.yml 2021-05-06 15:24:21 +02:00
Florian Roth
79c11a5cba
Update win_moriya_rootkit.yml 2021-05-06 14:59:28 +02:00
Bhabesh Rai
e5f95cac0c Added rule for Moriya rootkit 2021-05-06 17:29:20 +05:45
phantinuss
da533c7425
fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss
254a3bb122
new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
phantinuss
4b520de373
new rule detecting ld.so preload persistence by keyword 2021-05-05 15:12:07 +02:00
Florian Roth
9e662b9159
Update sysmon_vuln_dell_driver_load.yml 2021-05-05 14:31:01 +02:00
Florian Roth
80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth
c4ad770830
Merge pull request #1462 from SigmaHQ/rule-devel 
Rule devel
 2021-05-05 13:21:30 +02:00
Florian Roth
8497c8a9e6 fix: linux keywords rule 2021-05-05 12:56:24 +02:00
Florian Roth
615a284de3
Merge pull request #1461 from d4rk-d4nph3/master 
Added rule for Pingback backdoor
 2021-05-05 12:42:27 +02:00
Florian Roth
44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00
Florian Roth
0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
Florian Roth
29f26e0ae0 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-05-05 11:55:52 +02:00
Florian Roth
15ab1d5e8b Create lnx_symlink_etc_passwd.yml 2021-05-05 11:55:49 +02:00
Bhabesh Rai
4529fbd1f3 Fixed too many spaces after hyphen error 2021-05-05 12:48:29 +05:45
Bhabesh Rai
1352f0b0a6 Added rule for Pingback backdoor 2021-05-05 12:37:50 +05:45
Nate Guagenti
4152199073
add netbios port exclusion 
netbios - every defenders nightmare and reality of FPs
 2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set 
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 2021-05-04 18:13:08 -04:00
partyh4rd
5a98e36905
Update powershell_suspicious_getprocess_lsass.yml 
fix mitre_code 1552.004 -> 1003.001
 2021-05-04 14:04:52 +03:00
Florian Roth
451f25910d
Merge pull request #1430 from Scoubi/patch-1 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:56 +02:00
Florian Roth
de8386d553
Merge pull request #1429 from Scoubi/patch-2 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:50 +02:00
Florian Roth
4ad3316d74
Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 09:41:38 +02:00
Florian Roth
8973b573bd
Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml 2021-05-04 09:36:26 +02:00
Florian Roth
c877a9a68d
Merge pull request #1454 from ZikyHD/fix_sysmon_registry_persistence_search_order 
Fix sysmon registry persistence search order
 2021-05-04 09:31:16 +02:00
Florian Roth
ecb133f97d docs: extended authors of malicious pipe rule 2021-05-04 09:28:17 +02:00
Florian Roth
c6aeee958e rule: more named pipes by @blueteam0ps 2021-05-04 09:27:11 +02:00
SomeOne
4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne
80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Florian Roth
ff50b5b659
Merge pull request #1451 from SigmaHQ/rule-devel 
Different FP filters
 2021-04-30 08:31:02 +02:00
Florian Roth
020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth
04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth
1bde7b3799
Merge pull request #1445 from blueteam0ps/patch-8 
Create win_lateral_movement
 2021-04-29 14:39:52 +02:00
Florian Roth
8af86fa97e
docs: change title and add references 2021-04-29 12:33:10 +02:00
Florian Roth
4b86d3f407
Merge pull request #1449 from SigmaHQ/rule-devel 
Rule devel
 2021-04-29 12:28:12 +02:00
Florian Roth
3e5f7aeb5e rule: PowerShell Cmdlet Defender Exclusions 2021-04-29 09:56:26 +02:00
Florian Roth
161180c357 refactor: extended shellshock rule 2021-04-28 11:47:24 +02:00
Florian Roth
47504fbd56 fix: shellshock expression 2021-04-28 11:46:49 +02:00
BlueTeamOps
59d23535ce
Update win_lateral_movement.yml 2021-04-27 23:03:03 +10:00
BlueTeamOps
793504dd6b
Rename win_lateral_movement to win_lateral_movement.yml 2021-04-27 22:59:52 +10:00
BlueTeamOps
f75ad98903
Create win_lateral_movement 
EID 4674 with the proposed attributes is very rare in prod environment. 
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
 2021-04-27 22:55:58 +10:00
Florian Roth
9166167447
Merge pull request #1433 from d4rk-d4nph3/master 
Added rule for Lazarus activity of Apr 2021
 2021-04-26 20:34:51 +02:00
Florian Roth
3008e5b9e7
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy 
Fix typo on CommandLine field
 2021-04-26 20:33:56 +02:00
Florian Roth
194b0af4d2
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas 
Fix typo on CommandLine field
 2021-04-26 20:33:45 +02:00
Ian Thieves
65294d97c4
Update win_scm_database_handle_failure.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:28:16 -07:00
Ian Thieves
8efa10465e
Update win_scm_database_privileged_operation.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:25:16 -07:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Cedric Hien
748005fc14 Fix typo on CommandLine field 2021-04-25 15:52:59 +02:00
Cedric Hien
c580db166c Fix typo on CommandLine field 2021-04-25 15:50:44 +02:00
Florian Roth
1ff5e226ad
Merge pull request #1436 from SigmaHQ/rule-devel 
Rule devel
 2021-04-23 17:33:07 +02:00
Florian Roth
f2fa8dd956 rules: CobaltStrike named pipes 2021-04-23 17:16:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
Florian Roth
a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth
6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth
1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth
5aed7c80db
Merge pull request #1435 from SigmaHQ/rule-devel 
fix: FPs with certutil command and McAfee Chromium Container
 2021-04-23 14:55:31 +02:00
Florian Roth
85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth
ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth
6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Florian Roth
64f5af4c45
Merge pull request #1432 from SigmaHQ/rule-devel 
fix: splunk windows config, additional rule
 2021-04-23 10:30:44 +02:00
Florian Roth
d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth
b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Scoubi
23791664eb
Rename win_Outlook_C2_Macro_Creation.yml to win_Outlook_C2_Registry_Key.yml 
Gave the wrong name to the file, this is the correct one.
 2021-04-21 08:45:15 -04:00
Scoubi
0b7ed7e690
Add a space 
There was a missing space in `-attack` changed for `- attack`
 2021-04-20 20:50:20 -04:00
Scoubi
fadb889116
Create win_Outlook_C2_Macro_Creation.yml 
BEC is for Business Email Compromise (this can be changed)
 2021-04-20 20:38:20 -04:00
Scoubi
678ce5d528
Create win_Outlook_C2_Macro_Creation.yml 
Not 100% if this is the best place to put it.
 2021-04-20 20:34:19 -04:00
Bhabesh Rai
dd391cd0b9 Added rule for Lazarus activity of Apr 2021 2021-04-20 20:05:51 +05:45
Josh Brower
dfc1218e6a
false positive - added Azure AD Connect 2021-04-20 08:24:38 -04:00
Florian Roth
68c59850af
Merge pull request #1422 from ZikyHD/fix_lnx_system_info_discovery 
Fix invalid logsource on lnx_system_info_discovery rule
 2021-04-20 09:06:54 +02:00
Florian Roth
20c5356c9e
Merge pull request #1424 from ZikyHD/fix_process_creation_dotnet 
Fix typo on CommandLine
 2021-04-20 09:06:38 +02:00
Josh Brower
2486a85a1f
Added MS Threat Docs for 4616 to references 2021-04-19 08:15:42 -04:00
Florian Roth
7039209a7a
Merge pull request #1425 from SigmaHQ/rule-devel 
refactor: tightened filter
 2021-04-19 11:32:02 +02:00
Florian Roth
53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00
Cedric Hien
1d6aec3c25 Fix typo on CommandLine 2021-04-19 08:20:44 +02:00
Cedric Hien
bbdbab700d Fix invalid logsource on lnx_system_info_discovery rule 2021-04-17 12:57:30 +02:00
Florian Roth
941d47bc28
Merge pull request #1416 from sycophantic/master 
Remove extra spaces
 2021-04-15 13:20:49 +02:00
Steven
a8d8165541 Yet another syntax fix 2021-04-15 09:25:04 +02:00
Steven
8703d9f352 Remove another reference to hardcoded event ID 2021-04-15 03:07:18 +02:00
Steven
9f5e8a02a4 Fix parse errors 2021-04-15 02:46:41 +02:00
Steven
8301b9c221 Fix selection vs selection_1 in rule files 2021-04-15 02:41:04 +02:00
Steven
cce8d945a0 Clean rule rules/windows/malware/win_mal_octopus_scanner.yml to use category 2021-04-15 02:30:41 +02:00
Steven
a9f2a80b8c - Remove duplicate rule 
- Fix linux rule (categories -> category)
 2021-04-15 02:23:08 +02:00
Steven
f57e1a2231 Delete .keep file 2021-04-15 02:17:36 +02:00
Steven
70b106ef52 Fix syntax error 2021-04-15 02:11:13 +02:00
Steven
ecbd730dad Fix syntax errors in some rules 2021-04-15 02:07:43 +02:00
Steven
d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven
7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs 
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
 2021-04-15 01:40:31 +02:00
Steven
850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Roberto Rodriguez
db0e969121 HybridConnectionMgr Service Activity 2021-04-12 16:26:15 -04:00
Florian Roth
ce0111aa6a fix: FP with Proxy Execution via Wuauclt 2021-04-12 08:47:29 +02:00
Florian Roth
4abebd98d9
Merge pull request #1418 from SigmaHQ/rule-devel 
Fixing false positives with newest OSCD rules
 2021-04-09 17:26:02 +02:00
Florian Roth
897da252f1 fix: missing new line placeholder escape 2021-04-09 16:45:07 +02:00
Florian Roth
65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Thomas Patzke
08ca62cc88 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-08 23:27:45 +02:00
Thomas Patzke
3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
sycophantic
86b9652086 Remove extra spaces 2021-04-08 13:57:21 -04:00
Thomas Patzke
a10db2df89 Fixes&improvements 2021-04-08 01:06:40 +02:00
Florian Roth
00f01ea57f Merge branch 'master' into rule-devel 2021-04-07 21:17:51 +02:00
Vasiliy Burov
e73e27e44f
Update win_hack_rubeus.yml 
Added commandline parameters for constrained delegation abuse and for hashes calculation
 2021-04-06 20:18:54 +03:00
Thomas Patzke
42cf81478b
Merge pull request #1412 from defensivedepth/patch-1 
Clean up: Webshell ReGeorg Detection
 2021-04-06 00:35:35 +02:00
Thomas Patzke
d1de168295 Merge branch 'oscd' 2021-04-06 00:05:35 +02:00
Josh Brower
af09dd8e3c
Clean up: Webshell ReGeorg Detection 2021-04-05 13:01:10 -04:00
Thomas Patzke
b1b0240692 Fixes 2021-04-03 23:21:13 +02:00
Thomas Patzke
90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
phantinuss
4934f80601
fix: FP tuning for IIS Express and making use of value modifiers 2021-04-01 14:37:20 +02:00
phantinuss
8b4234de3b
refactor: make use of value modifiers 2021-04-01 14:37:17 +02:00
phantinuss
794865c79d
fix: adding filter to condition and reintroducing the users folder constraint 2021-04-01 14:37:17 +02:00
phantinuss
43be8c8cba
refactor: make use of value modifiers 2021-04-01 14:37:16 +02:00
phantinuss
bd5ba2ae01
fix: adding only as a known false positive as it cannot be filtered out in a generic and public way 2021-04-01 14:37:15 +02:00
phantinuss
65bc62d401
fix: adding filter out for CamMute.exe 2021-04-01 14:37:14 +02:00
phantinuss
2cab121c71
refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap 2021-04-01 14:37:13 +02:00
phantinuss
109b7890db
fix: taking windows security 4688 events into account for filter out 2021-04-01 14:36:57 +02:00
Florian Roth
428db0c74a
Merge pull request #1382 from d4rk-d4nph3/master 
Added rule for CVE-2021-21978 in VMware View Planner
 2021-03-29 11:22:56 +02:00
Florian Roth
b296c643de
Merge pull request #1346 from blueteam0ps/patch-3 
Added win_ad_find_discovery.yml
 2021-03-29 11:20:49 +02:00
BlueTeamOps
6ef5f0a0a2
Added detection for Dumpert 
-Dumpert based LSASS dump using DLL
-Dumpert.exe detection
 2021-03-27 07:34:05 +11:00
BlueTeamOps
8916459bab
Added additional CS signatures 2021-03-25 22:44:24 +11:00
Florian Roth
6b0f66e876 refactor: change level 2021-03-24 12:38:00 +01:00
Florian Roth
6d9fc65585 fix: FPs with www6 2021-03-24 12:37:35 +01:00
Florian Roth
a465f2722f refactor: CobaltStrike beacon rule 2021-03-24 11:29:05 +01:00
Florian Roth
48265ad71a
Merge pull request #1398 from SigmaHQ/rule-devel 
MSExchange Management log mapping, some fixes
 2021-03-20 17:21:31 +01:00
Florian Roth
525f4b6a6b
Merge pull request #1388 from Cyb3rPandaH/master 
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
 2021-03-20 08:53:04 +01:00
Florian Roth
e47ee24889
Merge branch 'master' into rule-devel 2021-03-20 08:52:55 +01:00
Florian Roth
334dd9a058
Update win_set_oabvirtualdirectory_externalurl.yml 2021-03-20 08:34:02 +01:00
Florian Roth
33af006479
Merge pull request #1389 from ZikyHD/patch_win_susp_wuauclt 
Fix ProcessCommandLine field
 2021-03-20 08:29:23 +01:00
Florian Roth
01fcfd4f76
Merge pull request #1390 from ZikyHD/patch_win_proc_wrong_parent 
Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)
 2021-03-20 08:29:09 +01:00
Florian Roth
2472926c48
Merge pull request #1391 from ZikyHD/patch_win_etw_trace_evasion 
Fix win_etw_trace_evasion rule
 2021-03-20 08:28:51 +01:00
Florian Roth
dd4a1ac393 fix: prone to FPs - use is unclear 
https://regex101.com/r/tss5TZ/1
 2021-03-18 16:44:49 +01:00
Florian Roth
6b2bcd3d87
Merge pull request #1395 from SigmaHQ/rule-devel 
Rule devel
 2021-03-18 10:52:02 +01:00
Florian Roth
d30e87d543 fix: lsass access - FPs with AV / EDR software 2021-03-18 09:04:03 +01:00
Florian Roth
92510e2507 extended Exchange post-exploitation rule 2021-03-17 18:01:45 +01:00
Florian Roth
943f8513e2
Merge pull request #1393 from SigmaHQ/rule-devel 
Rule devel
 2021-03-16 16:35:55 +01:00
Florian Roth
bfc99996b5 fix: Bug in rule condition 2021-03-16 16:35:21 +01:00
Florian Roth
32adf0c3ce fix: prone to FPs 2021-03-16 15:52:35 +01:00
zikyhd
e91822e070 Fix win_etw_trace_evasion rule 2021-03-15 15:02:18 +01:00
Cedric HIEN
864973888e Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8) 2021-03-15 12:07:05 +01:00
Cedric HIEN
e4f24f4e1f Fix ProcessCommandLine field 2021-03-15 11:56:19 +01:00
Florian Roth
310888bae7
Merge pull request #1386 from SigmaHQ/rule-devel 
Rule devel
 2021-03-15 10:52:57 +01:00
Florian Roth
70f9480ec5 fix: wrong field name 2021-03-15 08:14:43 +01:00
Cyb3rPandaH
f138a27426 CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property 
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
 2021-03-15 00:33:47 -04:00
Florian Roth
a0b034aa2b fix: better exclusion 2021-03-13 09:09:43 +01:00
Florian Roth
145c3bc2ca refactor: more hafnium indicators 2021-03-13 09:07:58 +01:00
Florian Roth
69ee1cece2 fix: FPs 2021-03-13 09:07:44 +01:00
Florian Roth
48da4e1314 Update win_apt_hafnium.yml 2021-03-11 13:55:31 +01:00
Florian Roth
9084fc4fa7 Update on HAFNIUM rule 
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
 2021-03-11 13:38:07 +01:00
Florian Roth
27fef60ace
Merge pull request #1383 from SigmaHQ/rule-devel 
fix: FPs with LSASS Access from Non System Account
 2021-03-10 18:59:29 +01:00
Florian Roth
78004cc29c fix: condition contains - values without 0x 2021-03-10 18:56:05 +01:00
Florian Roth
29dec7dd8b fix: FPs with LSASS Access from Non System Account 2021-03-10 18:51:27 +01:00
Bhabesh Rai
a58c5ed7cc Added rule for CVE-2021-21978 in VMware View Planner 2021-03-10 18:05:15 +05:45
concorde18
87059fe80b
Merge branch 'oscd' into DLL-execution-via-register-cimprovider.exe 2021-03-10 11:35:55 +03:00
concorde18
f694de74aa
Create win_susp_diskshadow.yml 2021-03-10 11:33:12 +03:00
concorde18
b73815e883
Update win_susp_Register_cimprovider.yml 2021-03-10 11:25:13 +03:00
Florian Roth
f0051ffcf6
Merge pull request #1378 from SigmaHQ/rule-devel 
HAFNIUM activity
 2021-03-09 15:42:32 +01:00
Florian Roth
dca5c870d7
Merge pull request #1374 from hieuttmmo/master 
Detect HAFNIUM operations
 2021-03-09 09:16:52 +01:00
Florian Roth
ec490b40ec fix: 1 of them condition 2021-03-09 09:15:12 +01:00
Florian Roth
563335ec5a rule: suspicious service binary location 2021-03-09 09:01:36 +01:00
Florian Roth
2ded9543f3 rule: HAFNIUM post-exploitation activity 2021-03-09 09:01:24 +01:00
BlueTeamOps
26a5300208
added spaces for oudmp and dclist 2021-03-09 08:22:36 +11:00
Anton Kutepov
e4a38a8b71 Merge branch 'master' into oscd 2021-03-07 23:41:11 +03:00
Anton Kutepov
626d7ebd61 Applied the fixes made by the participants during the second sprint. 2021-03-07 23:40:08 +03:00
Anton Kutepov
d7ef865bb9 Merge remote-tracking branch 'upstream/master' and fix conflicts 2021-03-07 23:36:13 +03:00
Anton Kutepov
ff6f10b484 Added the author of the duplicated rule (finger.exe) 2021-03-07 23:20:21 +03:00
Florian Roth
2b5f9f994f
Merge pull request #1376 from SigmaHQ/rule-devel 
UNC2452 rules - GoldMax, GoldFinder, Sibot
 2021-03-05 18:17:20 +01:00
Florian Roth
a61fbe6bd8 fix: duplicate UUID 2021-03-05 12:09:43 +01:00
Florian Roth
3a0fc4835a
Merge pull request #1363 from markus-nclose/master 
Fix CobaltStrike typo
 2021-03-05 12:06:31 +01:00
Florian Roth
b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth
c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 2021-03-05 11:54:35 +01:00
Florian Roth
bdc35aa3ec Update win_webshell_spawn.yml 2021-03-05 11:34:17 +01:00
Florian Roth
62b65a3578
Merge pull request #1375 from SigmaHQ/rule-devel 
fix: description
 2021-03-04 17:35:53 +01:00
Florian Roth
bea2f226c6 fix: description 2021-03-04 17:35:25 +01:00
Tran Trung Hieu
5f74a58081 Detect HAFNIUM operations 2021-03-04 00:01:54 +07:00
Florian Roth
9e921115bc
Merge pull request #1373 from SigmaHQ/rule-devel 
HAFNIUM rule
 2021-03-03 10:34:08 +01:00
Florian Roth
d8ded5ebdc refactor: changed symbols after feedback from Volexity 2021-03-03 10:15:45 +01:00
Florian Roth
e17986ebd3 rule: HAFNIUM Exchange exploitation 2021-03-03 09:58:43 +01:00
Florian Roth
73a3a1e5cd
Merge pull request #1360 from d4rk-d4nph3/master 
Added sigma rule for vSphere RCE CVE-2021-21972
 2021-03-03 09:32:05 +01:00
Florian Roth
8c95f90075
Update web_vsphere_cve_2021_21972_unauth_rce_exploit.yml 2021-03-03 09:08:24 +01:00
Bhabesh Rai
56eed19fba Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge 2021-03-03 12:46:50 +05:45
Florian Roth
6d30f87c0c refactor: procdump use 2021-03-02 23:36:25 +01:00
Anton Kutepov
f461becc58 Added missed changes in win_net_ntlm_downgrade and merged duplicate rules 2021-03-02 23:34:34 +03:00
Anton Kutepov
3f45269296 Merge branch 'oscd' 
B
B
B
B
A
 2021-03-02 22:58:41 +03:00
Florian Roth
5c1dc30a13
Merge pull request #1369 from SigmaHQ/rule-devel 
fix: FPs with rule and avast sandbox
 2021-03-02 15:30:30 +01:00
Florian Roth
c873d878b9 fix: FPs with rule and avast sandbox 2021-03-02 10:08:30 +01:00
Florian Roth
b65dbee01f
Merge pull request #1366 from Neo23x0/rule-devel 
rule: SilentProcessExit monitors
 2021-02-26 18:09:44 +01:00
Florian Roth
ba7c7409a3 fix: typo in modified 2021-02-26 17:48:50 +01:00
Florian Roth
79acbbef9f rule: SilentProcessExit monitors 2021-02-26 17:35:42 +01:00
Florian Roth
40710fe89a
Merge pull request #1357 from Neo23x0/rule-devel 
Rule FP fixes
 2021-02-26 11:05:00 +01:00
Florian Roth
274b7b0f2e
fix: search for keywords within message 2021-02-26 09:42:12 +01:00
Florian Roth
9d937705c0 fix: null values in separate filter expression 
> null value in lists cause problems in some backends
 2021-02-25 15:19:26 +01:00
markus-nclose
67d3d5e220
Fixed CobaltStrike typo 2021-02-25 07:25:20 +02:00
Anton Kutepov
120fd413b8
fix author field 2021-02-25 02:17:28 +03:00
Anton Kutepov
98cc025208 Renamed ProcessName field to Image for the process_creation category. 2021-02-25 01:57:26 +03:00
Anton Kutepov
96afd5845a Merged identical rules. Added the author of the deleted rule to another rule. 2021-02-25 01:20:09 +03:00
Bhabesh Rai
e1dff01cea Added sigma rule for vSphere RCE CVE-2021-21972 2021-02-24 23:48:08 +05:45
Florian Roth
a8912da1a0 rule: finger.exe execution 2021-02-24 17:47:56 +01:00
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth
f8b6b9d68e fix: FPs with Suspect Svchost Activity 2021-02-24 13:55:40 +01:00
Florian Roth
0489d4bfa4 fix: rule 2021-02-24 13:44:13 +01:00
Florian Roth
9eb55016bf fix: FPs with WMI Spawning Windows PowerShell 2021-02-24 13:32:30 +01:00
Florian Roth
b032bc3328 fix: FPs with Wmiprvse Spawning Process 2021-02-24 13:27:18 +01:00
Florian Roth
028ce2a548 fix: Sysmon NTLM downgrade attack - too many fps 2021-02-24 13:22:25 +01:00
Joshua Roys
025a17e44b fix: case in level 
Otherwise es-rule ends up with a null risk_score and invalid severity.
 2021-02-22 21:34:06 -05:00
Florian Roth
96803a5a27
Merge pull request #1355 from Neo23x0/rule-devel 
Rule devel
 2021-02-22 17:46:21 +01:00
Florian Roth
94035e1e11 fix: error in condition 2021-02-22 17:30:11 +01:00
Florian Roth
749789c17d fix: condition in eventlog rule 2021-02-22 17:24:19 +01:00
Florian Roth
aea03076c2 rule: simplified rule 2021-02-22 17:19:14 +01:00
Florian Roth
43b2ad580f rule: DEWMODE webshell 2021-02-22 17:15:32 +01:00
Florian Roth
f834862833
Merge pull request #1107 from vburov/patch-10 
Update win_susp_eventlog_cleared.yml
 2021-02-18 11:19:53 +01:00
Florian Roth
a6684c66d6
Merge pull request #1110 from vburov/patch-11 
Update win_disable_event_logging.yml
 2021-02-18 11:18:32 +01:00
Florian Roth
f62fc2e889
Merge pull request #1341 from d4rk-d4nph3/master 
Added rule for TerraMaster TOS CVE-2020-28188
 2021-02-18 11:17:48 +01:00
Florian Roth
786a799c3f
Merge pull request #1345 from blueteam0ps/patch-2 
Created win_sus_auditpol_usage.yml
 2021-02-18 11:17:04 +01:00
Florian Roth
76e6f38215
Merge pull request #1348 from bartlomiej-czyz/patch-1 
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml
 2021-02-18 11:14:40 +01:00
Florian Roth
089a931007 rule: ScreenConnect remote access 2021-02-11 13:04:16 +01:00
Florian Roth
4c2691d3c3 rule: disable windows eventlog 2021-02-11 12:28:52 +01:00
Florian Roth
18f2e32774 Domestic Kitten Furball malware pattern 2021-02-08 17:52:55 +01:00
bartlomiej-czyz
b771fb0c55
Change win_metasploit_or_impacket_smb_psexec_service_install.yml severity level 2021-02-08 12:45:59 +01:00
Florian Roth
8ae8c213a9
Merge pull request #1337 from architect00/master 
rule: scheduled task deletion
 2021-02-07 15:26:13 +01:00
GlebSukhodolskiy
daaba7022b
Merge branch 'oscd' into oscd_wmi 2021-02-06 00:34:53 +03:00
yugoslavskiy
fb1f04ec8a
Merge pull request #1249 from oscd-initiative/oscd_art_linux_task_18_T1083 
[OSCD] ART sync, test T1083: File and Directory Discovery (Linux)
 2021-02-04 22:34:47 +01:00
bartlomiej-czyz
ae15cef5e7
Rename .yaml to .yml 2021-02-03 22:20:48 +01:00
bartlomiej-czyz
e79168ee56
Create win_rundll32_without_parameters.yml 2021-02-03 22:18:23 +01:00
bartlomiej-czyz
3e9c177c65
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml 2021-02-03 22:16:21 +01:00
BlueTeamOps
1a124f9193
Added win_ad_find_discovery.yml 
Rule to detect the most commons switches used in AdFind tool
 2021-02-02 23:34:10 +11:00
BlueTeamOps
c3c706503e
Update win_sus_auditpol_usage.yml 2021-02-02 22:24:54 +11:00
BlueTeamOps
b0d0bb95b0
Created win_sus_auditpol_usage.yml 
This adds detection for suspicious behaviour of the auditpol binary
 2021-02-02 19:12:13 +11:00
Bhabesh Rai
a8d33171d7 Fixed c-uri 2021-02-02 10:23:47 +05:45
Florian Roth
309e15dc5c rule: add call by ordinal 2021-02-01 20:16:31 +01:00
Florian Roth
597633c938 rule: ShimCache Flush 2021-02-01 20:05:28 +01:00
Florian Roth
2c48d2b0bb
fix: missing global action and sections 2021-02-01 20:00:06 +01:00
Bhabesh Rai
63e2f4bbce Added rule for Sudo CVE-2021-3156 Exploitation Attempt 2021-02-01 23:08:45 +05:45
Florian Roth
179db920ec
Merge pull request #1343 from Neo23x0/rule-devel 
Rule devel
 2021-02-01 12:28:22 +01:00
Florian Roth
aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
Florian Roth
33fee6af8b rule: security product uninstallation 2021-01-30 11:24:08 +01:00
Florian Roth
e533b4effb fix: tags 2021-01-28 13:51:51 +01:00
Florian Roth
cd4491cba2 rule: disable volume snaptshots 2021-01-28 13:48:30 +01:00
Florian Roth
6b9eef58da
Merge pull request #1338 from Neo23x0/rule-devel 
Improved UNC2452 activity rules
 2021-01-25 14:36:44 +01:00
Florian Roth
7d99a48bb2 rule: new Quakbot pattern 2021-01-25 12:03:30 +01:00
Florian Roth
a4bec724a6 rule: SonicWall exploitation 2021-01-25 11:54:23 +01:00
Bhabesh Rai
465ab713b0 Added rule for TerraMaster TOS CVE-2020-28188 2021-01-25 13:01:27 +05:45
Florian Roth
b62c705bf0 Improved UNC2452 activity rules 2021-01-22 09:18:11 +01:00
k-vdv
e4edf7bc1b fix service from system to security for rule win_pcap_drivers.yml 2021-01-22 09:10:02 +01:00
David Straßegger
6a6929cfb6 implemented rule for scheduled task deletion 2021-01-22 08:09:56 +01:00
Florian Roth
efa39eb18d
Merge pull request #1336 from Neo23x0/rule-devel 
rule: Raccine uninstall
 2021-01-21 18:17:31 +01:00
Florian Roth
4ad70f0aaa rule: Raccine uninstall 2021-01-21 17:59:17 +01:00
Florian Roth
492d931138
Merge pull request #1335 from Neo23x0/rule-devel 
rule: UNC2452 PowerShell pattern
 2021-01-21 09:20:22 +01:00
Florian Roth
c5a7558ca0 fix: fixed actor name in description 2021-01-21 09:19:51 +01:00
Florian Roth
a0b8eeac6f fix: minor issues 2021-01-20 18:52:50 +01:00
Florian Roth
8b319e3686 rule: UNC2452 PowerShell pattern 2021-01-20 18:51:49 +01:00
Florian Roth
cd4fbca66b
Merge pull request #1330 from d4rk-d4nph3/master 
Added Stealthy Office Persistence via VSTO
 2021-01-20 11:36:25 +01:00
Florian Roth
c00d3a8fe0
Merge pull request #1334 from Neo23x0/rule-devel 
rule: plink anomaly rules
 2021-01-20 11:36:16 +01:00
Bhabesh Rai
dac229a8bb Added rule for Oracle WebLogic Exploit CVE-2021-2109 2021-01-20 14:28:18 +05:45
Florian Roth
eedc483be4 rework: impossible rule with Sysmon 2021-01-19 14:12:40 +01:00
Florian Roth
fdc969385a rule: plink anomaly rules 2021-01-19 12:39:40 +01:00
Florian Roth
7162528a1a
docs: removed CVE 2021-01-15 13:25:10 +01:00
Florian Roth
3d2c6a118d
Merge pull request #1332 from 2d4d/master 
Add xHunt Campaign: BumbleBee Webshell
 2021-01-13 18:19:01 +01:00
Florian Roth
d58cdeab3a
Merge pull request #1331 from Neo23x0/rule-devel 
rule: NTFS vulnerability
 2021-01-12 09:09:33 +01:00
Arnim Rupp
b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth
cf37abee4d
docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp
5d80d634c3 Add xHunt Campaign: BumbleBee Webshell 
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 2021-01-11 19:44:07 +01:00
Florian Roth
a0fccf8647 rule: NTFS vulnerability 
https://twitter.com/jonasLyk/status/1347900440000811010
 2021-01-11 14:51:26 +01:00
Bhabesh Rai
93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth
c571285fd8
Merge pull request #1329 from Neo23x0/rule-devel 
Rule devel
 2021-01-09 11:32:36 +01:00
Florian Roth
63cc0d23c6 changes provided by FPT.EagleEye Team in 
https://github.com/Neo23x0/sigma/pull/1218/files
 2021-01-09 10:38:20 +01:00
Florian Roth
19171f5bed
Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule 
Split up cmstp rule into 3 separate rules and remove duplicates
 2021-01-09 10:30:33 +01:00
Florian Roth
947925d81f
Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic 
Update the azure image_load rule to be a generic sysmon rule
 2021-01-09 10:29:52 +01:00
Florian Roth
04f7766d7a
Merge pull request #1319 from hieuttmmo/master 
Detect Emotet DLL loading by looking rundll32.exe
 2021-01-09 10:29:24 +01:00
Florian Roth
1a8bb9c991
Merge pull request #1327 from 2d4d/master 
more AV event and suspicious commands
 2021-01-09 10:28:30 +01:00
GlebSukhodolskiy
3f519ffa20
Just Check 2021-01-07 21:31:51 +03:00
Arnim Rupp
d5de3fe5f9 more AV event and suspicious commands 
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
 2021-01-07 17:54:19 +01:00
Florian Roth
30dcc28a1f Cisco ASA FTD Exploit CVE-2020-3452 2021-01-07 13:17:58 +01:00
GlebSukhodolskiy
da5ec4e952
Update win_wmi_persistence.yml 
Removed sequence of EIDs in Windows Security section.
 2021-01-06 16:50:28 +03:00
yugoslavskiy
05c91cd12f
Merge pull request #1238 from alx1m1k/oscd-3 
[OSCD] T1030: Split A File Into Pieces - Lin/macOS
 2021-01-06 00:33:12 +03:00
yugoslavskiy
057c33354a
Merge pull request #1237 from alx1m1k/oscd-2 
[OSCD] T1027.001: Binary Padding - Lin/macOS
 2021-01-06 00:33:05 +03:00
yugoslavskiy
befcad2df7
Merge pull request #1234 from w0rk3r/oscd1 
[OSCD] Update win_susp_replace_lolbin.yml
 2021-01-06 00:32:55 +03:00
yugoslavskiy
6ebcb10abd
Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution 
[OSCD] Added a rule to detect execution of runonce with suspicious parameters
 2021-01-06 00:32:44 +03:00
yugoslavskiy
3bf1663503
Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker 
[OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
 2021-01-06 00:32:35 +03:00
yugoslavskiy
e4c302bf6f
Merge pull request #1231 from vburov/patch-16 
[OSCD] Detects LockerGoga Ransomware command line.
 2021-01-06 00:30:08 +03:00
yugoslavskiy
2985836e36
Merge pull request #1140 from omkar72/oscd-5 
[OSCD] adding shortened commands for Netsh in the existing rule
 2021-01-06 00:24:43 +03:00
yugoslavskiy
d25ca9b280
Merge pull request #1229 from zinint/1009-19-1 
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
 2021-01-06 00:24:08 +03:00
yugoslavskiy
7889df6644
Merge pull request #1227 from stvetro/oscd-runscripthelper 
[OSCD] - Runscripthelper.exe runs script (LoLBin)
 2021-01-06 00:24:00 +03:00
yugoslavskiy
0ed153237e
Merge pull request #1226 from stvetro/oscd-winword 
[OSCD] - Force winword.exe to load DLL (LoLBin)
 2021-01-06 00:23:52 +03:00
yugoslavskiy
1d2f027035
Merge pull request #1224 from stvetro/oscd 
[OSCD] Verclsid.exe Runs COM Object (LOLBin)
 2021-01-06 00:23:45 +03:00
yugoslavskiy
f4578b0698
Merge pull request #1223 from zinint/1009-23-1 
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
 2021-01-06 00:23:33 +03:00
yugoslavskiy
23519e47cd
Merge pull request #1222 from feedb/oscd 
[OSCD] zer0w
 2021-01-06 00:23:25 +03:00
yugoslavskiy
93718975fb
Merge pull request #1221 from grikos/OSCD_117_128 
[OSCD] suspicious csi.exe (rcsi.exe)  LOLBAS detection rule
 2021-01-06 00:23:13 +03:00
yugoslavskiy
cd62929bb0
Merge pull request #1220 from aw350m33d/PS_exec_via_redirected_input_stream 
[OSCD] LOLBIN 5 PowerShell with redirection of the input stream.
 2021-01-06 00:23:06 +03:00
yugoslavskiy
70eff4b1fc
Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37 
[OSCD] Add Files Dropped to Program Files by Non-Priviledged Process Rule
 2021-01-06 00:22:57 +03:00
yugoslavskiy
a5bbccf16c
Merge pull request #1214 from tas-kmanager/mt-oscd-sigma547-48-alternative 
[OSCD] Always Install Elevated Alternative
 2021-01-06 00:22:37 +03:00
yugoslavskiy
a217a3cfc7
Merge pull request #1213 from alx1m1k/oscd 
[OSCD] T1552.003: Suspicious history file operations - Linux/macOS
 2021-01-06 00:21:19 +03:00
yugoslavskiy
066be03c19
Merge pull request #1212 from aleqs4ndr/oscd-2020 
[OSCD] Added a rule to detect possible Zerologon exploitation
 2021-01-06 00:21:12 +03:00
yugoslavskiy
29fe6e46d8
Merge pull request #1211 from zipa-original/win_persistence_telemetry 
[OSCD] Added a rule to detect abusing windows telemetry for persistence
 2021-01-06 00:20:51 +03:00
yugoslavskiy
c71e0ae0ea
Merge pull request #1209 from vburov/patch-15 
[OSCD] Create win_susp_multiple_files_renamed_or_deleted.yml
 2021-01-06 00:19:41 +03:00
yugoslavskiy
38661bbc10
Merge pull request #1208 from NikitaStormwind/RTT(17) 
[OSCD] Atomic Red Team: Detected Windows Software Discovery (T1518)
 2021-01-06 00:19:20 +03:00
yugoslavskiy
2cf1994763
Merge pull request #1206 from w0rk3r/oscd5 
[OSCD] Windows - Suspicious Service DACL Modification
 2021-01-06 00:18:53 +03:00
yugoslavskiy
aad2838f58
Merge pull request #1198 from tas-kmanager/mt-oscd-sigma547-50-rule2 
[OSCD] Always Install Elevated - Slide 50 - Rule 2
 2021-01-06 00:18:44 +03:00
yugoslavskiy
e0286abb62
Merge pull request #1197 from w0rk3r/oscd_rules_improvement2 
[OSCD] Small improvements on others rules
 2021-01-06 00:18:36 +03:00
yugoslavskiy
0b7babaa84
Merge pull request #1196 from tas-kmanager/mt-oscd-sigma547-50-rule1 
[OSCD] Always Install Elevated - Slide 50 - Rule 1
 2021-01-06 00:18:26 +03:00
yugoslavskiy
fc1fa23440
Merge pull request #1191 from vburov/patch-14 
[OSCD] Create powershell_cmdline_special_characters.yml
 2021-01-06 00:18:12 +03:00
yugoslavskiy
8e50eeb4a9
Merge pull request #1187 from nsaddler/lolbas108 
[OSCD] LOLBAS Manage-bde.yml
 2021-01-06 00:18:02 +03:00
yugoslavskiy
cfbd10ab8b
Merge pull request #1186 from nsaddler/lolbas107_2 
[OSCD] LOLBAS CL_Mutexverifiers - powershell
 2021-01-06 00:17:54 +03:00
yugoslavskiy
e91d48cc93
Merge pull request #1185 from nsaddler/lolbas107_1 
[OSCD] LOLBAS CL_Mutexverifiers - process_creation
 2021-01-06 00:17:46 +03:00
yugoslavskiy
9d1c695204
Merge pull request #1184 from nsaddler/lolbas106_1 
[OSCD] LOLBAS CL_Invocation - powershell
 2021-01-06 00:17:10 +03:00
yugoslavskiy
def4a7dbb9
Merge pull request #1183 from nsaddler/lolbas106 
[OSCD] LOLBAS CL_Invocation - process_creation
 2021-01-06 00:17:01 +03:00
yugoslavskiy
6f2e8c56b2
Merge pull request #1182 from nsaddler/lolbas80 
[OSCD] LOLBAS wab.yml
 2021-01-06 00:16:53 +03:00
yugoslavskiy
e1fd69f548
Merge pull request #1179 from SanWieb/OSCD_regedit_3 
[OSCD] regedit.exe LOLbas 72 [3]
 2021-01-06 00:16:45 +03:00
yugoslavskiy
8e6b77fc4f
Merge pull request #1177 from OpalSec/oscd 
[OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers
 2021-01-06 00:16:34 +03:00
yugoslavskiy
95d8a9daf0
Merge pull request #1174 from uncleAntik/update 
[OSCD] LOLBin vsjitdebugger.exe #136
 2021-01-06 00:16:20 +03:00
yugoslavskiy
252345ca00
Merge pull request #1173 from uncleAntik/fix 
[OSCD] LOLBin te.exe #133
 2021-01-06 00:16:12 +03:00
yugoslavskiy
aeb448cd4d
Merge pull request #1171 from alejandroortuno/network-sniffing 
[OSCD] MacOS Network Sniffing
 2021-01-06 00:15:52 +03:00
yugoslavskiy
ebc6451b86
Merge pull request #1170 from alejandroortuno/startup-items 
[OSCD] MacOS Startup Items
 2021-01-06 00:15:45 +03:00
yugoslavskiy
ad739f7f29
Merge pull request #1169 from remotephone/oscd_t1113 
[OSCD] - T1113 - macOS Screencapture via builtin screencapture utility
 2021-01-06 00:15:37 +03:00
yugoslavskiy
d50c081f3f
Merge pull request #1168 from remotephone/oscd_t1056_002 
[OSCD] macOS - T1056.002 - GUI Input capture
 2021-01-06 00:15:30 +03:00
yugoslavskiy
1fd0afc58e
Merge pull request #1167 from tas-kmanager/mt-oscd-sigma547-43 
[OSCD] Add Accesschk tool usage rule
 2021-01-06 00:14:08 +03:00
yugoslavskiy
5ade9208d5
Merge pull request #1166 from drdoc/oscd 
[OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools
 2021-01-06 00:12:34 +03:00
yugoslavskiy
5ec4e42569
Merge pull request #1165 from w0rk3r/oscd3 
[OSCD] Updated win_etw_trace_evasion - Added new detections, Removed reference to deprecated rule and changed selections
 2021-01-06 00:12:22 +03:00
yugoslavskiy
46eb01f3c5
Merge pull request #1164 from GlebSukhodolskiy/oscd_reg 
[OSCD] Modified Rule "Autorun Keys Modification"
 2021-01-06 00:11:58 +03:00
yugoslavskiy
4c8e0b201d
Merge pull request #1162 from uncleAntik/131 
[OSCD] LOLBin sqltoolsps.exe #131
 2021-01-06 00:11:33 +03:00
yugoslavskiy
b56a7181ce
Merge pull request #1157 from invrep-de/oscd 
[OSCD] Bad Opsec Powershell Artifacts
 2021-01-06 00:11:24 +03:00
yugoslavskiy
319ebd158c
Merge pull request #1155 from sn0w0tter/oscd2 
[OSCD] LOLBAS atbroker suspicious creation of ATs
 2021-01-06 00:11:13 +03:00
yugoslavskiy
d2087c276c
Merge pull request #1151 from zinint/1009-27-2 
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (Services)
 2021-01-06 00:10:55 +03:00
yugoslavskiy
0bd955f097
Merge branch 'oscd' into oscd-5 2021-01-06 00:09:47 +03:00
yugoslavskiy
1f0d081c01
Merge pull request #1144 from NikitaStormwind/regular28(3) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (Services)
 2021-01-05 23:23:00 +03:00
yugoslavskiy
1cfc0d17ef
Merge pull request #1141 from omkar72/oscd-6 
[OSCD] suspicious clr logs creation
 2021-01-05 23:22:36 +03:00
yugoslavskiy
82e5d031b0
Merge pull request #1139 from omkar72/oscd-4 
[OSCD] script applications loading .net dll
 2021-01-05 23:17:25 +03:00
yugoslavskiy
635ac44949
Merge pull request #1132 from remotephone/oscd_t1070_002 
[OSCD] Adding t1070_002 - Clear mac system logs
 2021-01-05 23:16:57 +03:00
yugoslavskiy
793d271d37
Merge pull request #1131 from oscd-initiative/oscd_sigma_art_macos_task_63 
[OSCD] macOS hidden user creation
 2021-01-05 23:16:36 +03:00
yugoslavskiy
a82c559816
Merge pull request #1130 from vburov/patch-13 
[OSCD] Create powershell_cmdline_specific_encoded_methods.yml
 2021-01-05 23:16:24 +03:00
yugoslavskiy
dd7a95ac74
Merge pull request #1081 from cy1337/patch-1 
[OSCD] Added nltest LOLBIN
 2021-01-05 23:16:14 +03:00
yugoslavskiy
a4101a6808
Merge pull request #1128 from alejandroortuno/local-group 
[OSCD] Local System Groups Discovery
 2021-01-05 23:14:47 +03:00
yugoslavskiy
db66f8365e
Merge pull request #1127 from alejandroortuno/account-creation 
[OSCD]  MacOS local account creation
 2021-01-05 23:14:28 +03:00
yugoslavskiy
f2c6011c6b
Merge pull request #1126 from skirankumar/master 
[OSCD]Sysmon_silenttrinity_stager_msbuild_activity.yml
 2021-01-05 23:14:20 +03:00
yugoslavskiy
1c1c38e091
Merge pull request #1119 from uncleAntik/oscd 
[OSCD] sqlps.exe LOLbin
 2021-01-05 23:14:02 +03:00
yugoslavskiy
07ac09f9aa
Merge pull request #1114 from NikitaStormwind/regular29(3) 
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (Services)
 2021-01-05 23:13:48 +03:00
yugoslavskiy
220a4873c7
Merge pull request #1109 from NikitaStormwind/regular31(3) 
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (Services)
 2021-01-05 23:13:38 +03:00
yugoslavskiy
9803dc8baa
Merge pull request #1108 from NikitaStormwind/regular30(3) 
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (Services)
 2021-01-05 23:13:27 +03:00