valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,348 Commits 20 Branches 25 Tags 21 MiB
364cfe56c2
Commit Graph

4591 Commits

Author SHA1 Message Date
WojciechLesicki
364cfe56c2 Base to upstream version 2021-06-29 10:57:36 +02:00
WojciechLesicki
8b2881328f CobaltStrike Service Installations in Registry 2021-06-29 10:52:10 +02:00
WojciechLesicki
f816ed4f5e Update for "modified" date. 2021-06-20 00:11:55 +02:00
WojciechLesicki
2e7aed5262 Added space in "Service File Name" field as it was in the previous version. 2021-06-19 23:45:01 +02:00
Florian Roth
e5cd850640
Merge pull request #1556 from frack113/PR_617_V2 
Fix all the rules to pass the test
 2021-06-16 08:22:51 +02:00
Hasan
33fcfd71bb Merge fixes for Rules 2021-06-16 10:45:20 +05:00
Hasan
fabcb6c3c6 Removed asterisks from filter 2021-06-16 10:42:29 +05:00
Hasan
8196fbaada Parenthesis for condition statement 2021-06-16 10:41:52 +05:00
Hasan
415ced0023
Corrected MITRE reference tag 2021-06-15 19:07:50 +05:00
Hasan
f079556067 Removed GUID phrase from description 2021-06-15 17:14:32 +05:00
Hasan
1764714e26 Rule to detect new TaskCache Entry 2021-06-15 17:08:14 +05:00
Hasan
1114a25a2c Removal of NODE from ALL filter for better coverage 2021-06-15 17:07:51 +05:00
Hasan
82bcfb29c3 Addition of Safemode flags 2021-06-15 17:07:02 +05:00
Florian Roth
1650d4638d
Merge pull request #1548 from luffynextgen/master 
Create sysmon_svchost_cred_dump.yml
 2021-06-14 14:27:25 +02:00
Florian Roth
0377a30893
fix: several issues 2021-06-14 09:42:25 +02:00
Florian Roth
59df5119c2
Merge pull request #1552 from frack113/fix_category 
Fix some sysmon category
 2021-06-14 09:34:15 +02:00
luffynextgen
6fd7979659
Update sysmon_svchost_cred_dump.yml 2021-06-14 08:52:16 +02:00
frack113
558bcd5ceb Fix all the rules to pass the test 2021-06-14 07:33:26 +02:00
Florian Roth
3f46d0ea28
Update sysmon_outlook_newform.yml 2021-06-10 17:41:57 +02:00
frack113
fb2d0092f1 forget to add modified 2021-06-10 17:27:15 +02:00
frack113
4e516414c9 Split to Convert eventID to correct category 2021-06-10 16:58:45 +02:00
frack113
a0aed54f7d Convert eventID 22 to category dns_query 2021-06-10 16:43:33 +02:00
Tobias Michalski
54e98c8441 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 16:41:22 +02:00
Tobias Michalski
1f52763878 Removed EventIDs 2021-06-10 16:41:00 +02:00
frack113
7cb10b5475 convert eventID to category 2021-06-10 16:36:14 +02:00
Tobias Michalski
e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth
83dddf99b4
Update win_exchange_TransportAgent.yml 2021-06-10 16:07:22 +02:00
Florian Roth
cd0531b345
fix: removed process_creation log source 2021-06-10 15:37:00 +02:00
Tobias Michalski
3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Tobias Michalski
b1913deaca Removed extra whitespace 2021-06-10 14:09:16 +02:00
luffynextgen
e170a4a12a
Update sysmon_svchost_cred_dump.yml 
following the advices given to me I changed the category and the filter to be closer to sysmon field.
 2021-06-10 14:04:58 +02:00
Tobias Michalski
56d200bad0 Fixed meta informations 2021-06-10 12:44:19 +02:00
Tobias Michalski
bbc8633c67 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 11:32:08 +02:00
Tobias Michalski
4d6e7e1338 Rules persitence by exploiting Outlook or Exchange 2021-06-10 11:26:21 +02:00
Florian Roth
5e35e387dd
Merge pull request #1549 from SigmaHQ/rule-devel 
Rule devel
 2021-06-10 10:19:47 +02:00
Florian Roth
45c3d4702b
Merge pull request #1520 from SyeedHasan/master 
Detection rule for 'ISO mounts'
 2021-06-10 09:51:29 +02:00
Florian Roth
78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Florian Roth
9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth
04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth
f52ed7604c BabyShark Pattern 2021-06-10 09:41:36 +02:00
Florian Roth
28abdf3a81
Update win_iso_mount.yml 2021-06-10 09:31:40 +02:00
luffynextgen
c75d92410d
Create sysmon_svchost_cred_dump.yml 2021-06-10 09:30:08 +02:00
Florian Roth
b2d0fbba2c
Adjustments 2021-06-10 09:12:37 +02:00
Florian Roth
8a04bea6aa
Merge pull request #1535 from mvelazc0/master 
Password Spraying Sigma Rules
 2021-06-08 16:14:52 +02:00
Andreas Hunkeler
2d44803bf5
Revert renaming of ngrok rule 
Initially the rule had only a detection for RDP but after my last commits we have more ports in detections, so previous generic name is better.
 2021-06-08 13:09:35 +02:00
Florian Roth
cfdf3b7c08
Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies 
Add t1490 powershell delete volume shadow copie
 2021-06-08 11:02:34 +02:00
Florian Roth
07176ddb25
Merge pull request #1541 from frack113/win_tamper_with_windows_defender 
Windows tamper with windows defender
 2021-06-08 11:02:14 +02:00
Florian Roth
242b56031f
Merge pull request #1542 from Karneades/patch-1 
Update ngrok usage rule
 2021-06-08 11:01:45 +02:00
frack113
c1f43cc4ca T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features 2021-06-08 09:32:01 +02:00
frack113
0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00