Commit Graph

7292 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Florian Roth | 33be089ea2 | fix: filename to lowercase | 2021-09-07 09:16:35 +02:00 |
| Florian Roth | b0c2d7b75a | fix: tags for WMI / execution / persistence | 2021-09-01 16:34:50 +02:00 |
| Florian Roth | 2f7f050ad8 | fix: removed tags | 2021-09-01 16:32:27 +02:00 |
| Florian Roth | 1aac21ba79 | fix: single list item issue | 2021-09-01 14:03:42 +02:00 |
| Florian Roth | 505140d273 | rule: extended WMI suspicious scripts rule | 2021-09-01 13:57:48 +02:00 |
| Florian Roth | e787420be1 | rule: WMI filter content encoded executable | 2021-09-01 13:57:36 +02:00 |
| Florian Roth | 8761927e8c | rule: susp scrcons.exe creating named pipe | 2021-09-01 13:57:17 +02:00 |
| Florian Roth | affc929c3b | LiquidSnake named pipe | 2021-09-01 13:54:47 +02:00 |
| Florian Roth | f102b2d9a1 | docs: note to improved sysmon config | 2021-09-01 13:07:18 +02:00 |
| Florian Roth | 9b20060275 | SideWalk UA | 2021-08-31 17:14:19 +02:00 |
| Florian Roth | af9392ba0f | refactor: add 500 status code in selection2 to avoid FPs with exploitation attempts | 2021-08-30 16:12:42 +02:00 |
| Florian Roth | 4a4966af77 | rule: ProxyToken CVE-2021-33766 Exchange | 2021-08-30 15:47:53 +02:00 |
| Florian Roth | 98de92ceaf | refactor: global rule match on system and security | 2021-08-30 15:17:53 +02:00 |
| Florian Roth | 1ded4eb913 | rules: cobalt strike rules refactored | 2021-08-30 15:10:30 +02:00 |
| Florian Roth | f78225c394 | rule: UAC bypass by mocking dirs | 2021-08-27 18:12:21 +02:00 |
| Florian Roth | 24d8701f15 | fix: null cannot be used in a list with other values | 2021-08-26 13:54:18 +02:00 |
| Florian Roth | a231aa73b3 | fix: FPs with whoami rule and 4688 event IDs without parent info | 2021-08-26 13:33:25 +02:00 |
| Florian Roth | 8b318b9273 | refactor: Mimikatz keyword rule refactoring | 2021-08-26 12:51:45 +02:00 |
| Florian Roth | 46e312ff0d | fix: error in modifier | 2021-08-24 15:03:23 +02:00 |
| Florian Roth | cc519552aa | refactor: RazorInstaller integrity level system | 2021-08-24 14:54:07 +02:00 |
| Florian Roth | 6ca30619ac | Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel | 2021-08-24 12:30:42 +02:00 |
| Florian Roth | 3cdb88ad55 | refactor: level of suspicious parent for powershell rule | 2021-08-24 12:30:40 +02:00 |
| Florian Roth | 272625a005 | Update win_susp_splwow64.yml | 2021-08-24 08:34:08 +02:00 |
| Florian Roth | 998ebbe1f3 | fix: typo in name | 2021-08-23 18:46:05 +02:00 |
| Florian Roth | 6b86dacc9e | rule: razor installer | 2021-08-23 18:44:15 +02:00 |
| Florian Roth | 91b42f9077 | fix: indentation | 2021-08-23 15:03:59 +02:00 |
| Florian Roth | a0f72e5f6f | rule: suspicious splwow64 process starts | 2021-08-23 10:41:42 +02:00 |
| Florian Roth | dc3ed771b5 | rule: EfsPotato Named Pipe | 2021-08-23 08:32:50 +02:00 |
| frack113 | 768855e6d6 | update modified after FP fix | 2021-08-18 18:17:53 +02:00 |
| Florian Roth | 44013e25c8 | fix: FPs with WMIADAP.exe | 2021-08-18 17:26:57 +02:00 |
| Florian Roth | 5fa5a412d5 | fix: FPs with [reflection.assembly]::Load | 2021-08-18 09:49:34 +02:00 |
| frack113 | 136c53190a | Merge pull request #1860 from frack113/duplicate_uuid (Update test_missing_id message) | 2021-08-17 17:13:00 +02:00 |
| Florian Roth | f36b1cbd2a | Merge pull request #1854 from SigmaHQ/rule-devel (rule: Antivirus hacktool events, Procdump rules refactoring) | 2021-08-17 13:45:07 +02:00 |
| Florian Roth | a0625ad074 | Merge branch 'master' into rule-devel | 2021-08-17 12:29:55 +02:00 |
| Florian Roth | 9684c4e55f | Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel | 2021-08-17 12:03:54 +02:00 |
| Florian Roth | 80b3acfce9 | fix: false positive with Xen / Oracle scripts | 2021-08-17 12:03:49 +02:00 |
| frack113 | 63733a623e | Merge pull request #1861 from austinsonger/aws_eks_cluster_modified_or_deleted.yml (aws_eks_cluster_created_or_deleted.yml) | 2021-08-17 06:25:18 +02:00 |
| frack113 | 2521ae2ed1 | Merge pull request #1859 from austinsonger/gcp_vpn_tunnel_modified_or_deleted.yml (gcp_vpn_tunnel_modified_or_deleted.yml) | 2021-08-17 06:24:49 +02:00 |
| frack113 | accb675ed5 | fix error space | 2021-08-16 20:36:55 +02:00 |
| Austin Songer | 80062ff5cd | Update aws_eks_cluster_created_or_deleted.yml | 2021-08-16 12:42:14 -05:00 |
| Austin Songer | cfb863a98e | Update aws_eks_cluster_created_or_deleted.yml | 2021-08-16 11:52:22 -05:00 |
| frack113 | 76d956e110 | update test_missing_id | 2021-08-16 18:12:17 +02:00 |
| frack113 | dfd9e6d8f0 | Merge pull request #1857 from frack113/fix_HostApplication (Update definition for powershell-classic rule) | 2021-08-16 17:18:24 +02:00 |
| frack113 | eb406ba36f | Merge pull request #1844 from frack113/cleanup (Add more compliance test) | 2021-08-16 17:17:25 +02:00 |
| Austin Songer | ed507b82f4 | Update and rename aws_eks_cluster_modified_or_deleted.yml to aws_eks_cluster_created_or_deleted.yml | 2021-08-16 09:58:48 -05:00 |
| Austin Songer | c7831a3d70 | Update gcp_vpn_tunnel_modified_or_deleted.yml | 2021-08-16 09:45:31 -05:00 |
| Florian Roth | d2790f2450 | fix: missing "\|all" modifier | 2021-08-16 16:14:48 +02:00 |
| frack113 | e1b99db149 | fix duplicate uuid | 2021-08-16 15:50:14 +02:00 |
| Florian Roth | 669308a37a | Merge pull request #1855 from frack113/coti_sqlcmd (Rule to detect Coti sqlcmd) | 2021-08-16 14:27:24 +02:00 |
| Florian Roth | 141ca03c9b | Merge pull request #1853 from secDre4mer/contileak (feat: Add some rules to detect Conti behaviour) | 2021-08-16 14:18:43 +02:00 |