Commit Graph

4171 Commits

Author SHA1 Message Date
Ensar Şamil
4f49171b55
Update win_visual_basic_compiler.yml
author and selection fields edited
2020-10-09 09:35:33 +03:00
Ensar Şamil
d6aa0c31b9
Update sysmon_tttracer_mod_load.yml 2020-10-09 09:34:05 +03:00
Furkan ÇALIŞKAN
abcc4a59c2
Fixed OSCD wording 2020-10-09 09:26:01 +03:00
Furkan ÇALIŞKAN
789a0c174f
Fixed OSCD wording 2020-10-09 09:25:38 +03:00
svch0stz
5d475ce16d
Update win_root_certificate_installed.yml 2020-10-09 13:00:17 +11:00
svch0stz
8d7152d489
Update win_root_certificate_installed.yml 2020-10-09 12:55:37 +11:00
svch0stz
ff8547efc5
Update win_root_certificate_installed.yml 2020-10-09 12:48:39 +11:00
svch0stz
a68d50a5d9
Create win_root_certificate_installed.yml 2020-10-09 12:29:53 +11:00
svch0stz
0856170073
Update win_susp_mounted_share_deletion.yml 2020-10-09 11:42:06 +11:00
svch0stz
1088a2865b
Update win_susp_mounted_share_deletion.yml 2020-10-09 11:40:57 +11:00
Kirill Kiryanov
04d56bade4 Removed redundant tag 2020-10-08 23:26:51 +03:00
Kirill Kiryanov
d00e1073ee Revert "Created rule win_susp_presentationhost_execution.yml"
This reverts commit a38c021876.
2020-10-08 22:49:52 +03:00
Ryan Plas
5e1075b656 Update Powershell section 2020-10-08 15:19:42 -04:00
Jonhnathan
1695bc56dc
Remove commas 2020-10-08 15:31:17 -03:00
Nikita P. Nazarov
47c22d0443 Detects Obfuscated Powershell via use Rundll32 in Scripts 2020-10-08 18:06:41 +03:00
Nikita Nazarov
80a3a6c048
Update powershell_invoke_obfuscation_via_use_rundll32.yml 2020-10-08 17:52:01 +03:00
Nikita Nazarov
b4377ed632
Update powershell_invoke_obfuscation_via_use_rundll32.yml 2020-10-08 17:45:07 +03:00
Nikita Nazarov
3ba4eeac7b
Update powershell_invoke_obfuscation_via_use_rundll32.yml 2020-10-08 17:36:20 +03:00
Nikita P. Nazarov
2db2ab30c4 Detects Obfuscated Powershell via use Rundll32 in Scripts 2020-10-08 17:08:43 +03:00
Sander
e6ad52c102 Corrected falsepositives 2020-10-08 15:11:57 +02:00
Sander
0e07ea3e70 Corrected author 2020-10-08 15:04:09 +02:00
Sander
539400c384 Creation of win_regini 2020-10-08 14:47:22 +02:00
Kirill Kiryanov
7e28bf4df8 Fixed title format 2020-10-08 14:38:47 +03:00
Kirill Kiryanov
55ea538841 Created rule win_susp_sqldumper_activity.yml 2020-10-08 14:29:21 +03:00
Kirill Kiryanov
a09488a90f revert changes for making new pull request 2020-10-08 14:20:32 +03:00
Kirill Kiryanov
1581be1ec2 Created rule win_susp_sqldumper_activity.yml 2020-10-08 14:00:43 +03:00
Kirill Kiryanov
a38c021876 Created rule win_susp_presentationhost_execution.yml 2020-10-08 13:24:59 +03:00
Jonhnathan
8d94e993ab
Update win_susp_rundll32_activity.yml 2020-10-07 18:27:25 -03:00
Jonhnathan
109b1ea9cf Revert "Create win_susp_replace_lolbin.yml"
This reverts commit e6a6549676.
2020-10-07 18:26:11 -03:00
Jonhnathan
15bd7dcd3b Revert "Changed the rule to download only and not the copy"
This reverts commit 1324bc1ad1.
2020-10-07 18:26:04 -03:00
esebese
127bc075b0 [OSCD] win_class_exec_xwizard.yml added 2020-10-07 22:49:12 +03:00
Jonhnathan
1324bc1ad1
Changed the rule to download only and not the copy 2020-10-07 16:18:21 -03:00
Furkan CALISKAN
1c413bcf6d Fixed status 2020-10-07 20:45:34 +03:00
Ryan Plas
7b64ab552f Capitalize Title 2020-10-07 10:51:55 -04:00
Ryan Plas
2d30379ab2 Move to process_creation category 2020-10-07 10:47:40 -04:00
Yuliya Fomina
df51044c90 Rule collection implemented 2020-10-07 17:35:14 +03:00
Jonhnathan
e6a6549676
Create win_susp_replace_lolbin.yml
Item 77 of #1014
2020-10-07 10:37:15 -03:00
esebese
18da272de4 [OSCD] win_visual_basic_compiler.yml added 2020-10-07 15:04:12 +03:00
grikos
9df6608239
Remove asterisk from condition
Change 
        ParentCommandLine:
            - 'setupapi.dll*InstallHinfSection'
to
        ParentCommandLine|contains|all:
            - 'setupapi.dll'
            - 'InstallHinfSection'

because some LM/SIEM systems don't process '*' as Splunk or Elasticsearch
2020-10-07 14:54:13 +03:00
Nikita Nazarov
d3f0ddd2b1
Update powershell_code_injection.yml 2020-10-07 14:50:00 +03:00
Nikita Nazarov
bfa3635cd2
Update powershell_accessing_win_api.yml 2020-10-07 14:47:29 +03:00
Nikita Nazarov
7c9c21cda0
Update sysmon_psexec_pipes_artifacts.yml 2020-10-07 14:43:25 +03:00
Ryan Plas
dc856f24e0 Move rule to sysmon folder and update selection names 2020-10-07 07:18:12 -04:00
nsaddler
59610517a0
Update sysmon_long_powershell_commandline.yml 2020-10-07 14:10:26 +03:00
nsaddler
df21dab585
Update sysmon_long_powershell_commandline.yml 2020-10-07 14:00:41 +03:00
nsaddler
e01e26be1c
Update sysmon_long_powershell_commandline.yml 2020-10-07 13:55:17 +03:00
Наталья Шорникова
7d8445fe12 [OSCD] Too Long Powershell CommandLine Rule added 2020-10-07 13:42:05 +03:00
Vasilisa-L
da578a8bb0
Update win_susp_winrm_execution.yml 2020-10-07 12:30:57 +03:00
nsaddler
911bc514af
Rename sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml to sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 2020-10-07 12:26:30 +03:00
Yuliya Fomina
729e1f6f7f Create win_susp_winrm_execution 2020-10-07 12:20:37 +03:00