valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,060 Commits 20 Branches 25 Tags 21 MiB
39bac712c3
Commit Graph

2074 Commits

Author SHA1 Message Date
Timur Zinniatullin
39bac712c3
Update win_invoke_obfuscation_via_rundll_services.yml 2020-10-18 19:05:09 +03:00
Timur Zinniatullin
35a9a7d46c
Update powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 18:54:59 +03:00
Timur Zinniatullin
0c934ea455
Update win_invoke_obfuscation_via_rundll.yml 2020-10-18 18:54:31 +03:00
Timur Zinniatullin
98febd2101
Update win_invoke_obfuscation_via_rundll_services.yml 2020-10-18 18:54:06 +03:00
Timur Zinniatullin
683c4cfc0a
Add win_invoke_obfuscation_via_rundll.yml 2020-10-18 18:53:17 +03:00
Timur Zinniatullin
1bde40a98d
Add win_invoke_obfuscation_via_rundll_services.yml 2020-10-18 18:52:25 +03:00
Timur Zinniatullin
eee01f6a86
Add powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 18:51:51 +03:00
Thomas Patzke
a289eeaae6
Merge pull request #1089 from zBlurr/oscd 
[OSCD] Presentationhost.exe LOLbin
 2020-10-13 01:01:20 +02:00
Thomas Patzke
d6ceba3719
Merge pull request #1102 from svch0stz/oscd8 
[OSCD] Create win_root_certificate_installed.yml
 2020-10-13 01:00:23 +02:00
Thomas Patzke
d89ca07daa
Merge pull request #1133 from omkar72/oscd-1 
[OSCD]updated adfind command line
 2020-10-13 00:58:56 +02:00
Thomas Patzke
cb86c509f1
Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging 
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
 2020-10-13 00:58:24 +02:00
Thomas Patzke
eaa9f293e7
Merge pull request #1125 from vburov/patch-12 
[OSCD] Create powershell_cmdline_reversed_strings
 2020-10-13 00:57:22 +02:00
Thomas Patzke
eb21860ab9
Merge pull request #1124 from bczyz1/oscd-sprint-2 
[OSCD] Create sysmon_modify_screensaver_binary_path.yml
 2020-10-13 00:56:33 +02:00
Thomas Patzke
e2e3177e46
Merge pull request #1135 from omkar72/oscd-2 
[OSCD] finger executable suspicious execution
 2020-10-13 00:52:27 +02:00
Thomas Patzke
80e3c4b587
Merge pull request #1137 from banzay021/oscd 
[OSCD] Pcwrun.exe detection added
 2020-10-13 00:51:04 +02:00
Thomas Patzke
5664f72a2a
Merge pull request #1054 from NikitaStormwind/task#70 
[OSCD] Detecting Code injection with PowerShell in another process #70
 2020-10-13 00:47:13 +02:00
Thomas Patzke
4a74a56ba3
Merge pull request #1052 from NikitaStormwind/task 
[OSCD] Detecting use WinAPI Functions in PowerShell #69
 2020-10-13 00:46:25 +02:00
Thomas Patzke
8bee7272ab
Merge pull request #1051 from esebese/oscd 
[OSCD] win_syncappvpublishingserver_exe.yml added
 2020-10-13 00:45:22 +02:00
Thomas Patzke
768e500627
Merge pull request #1042 from NikitaStormwind/task29,30 
[OSCD] Detecting use PsExec via Pipe Creation/Access to pipes #29 #30
 2020-10-13 00:40:58 +02:00
Thomas Patzke
14fcdc9899
Merge pull request #1038 from caliskanfurkan/master 
[OSCD] Added explorer.exe lolbin
 2020-10-13 00:36:29 +02:00
omkargudhate22
e2911a025e
added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Alexander Sungurov
175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth
b8dc8d3f7e
reduced to avoid FPs 2020-10-12 10:46:34 +02:00
omkar72
0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
omkar72
99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
omkar72
cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72
d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
Bartlomiej Czyz
e90f91b89e append authors of the update 2020-10-11 23:42:33 +02:00
Bartlomiej Czyz
ae41190291 remove redundant reference 2020-10-11 23:39:08 +02:00
svch0stz
2edd79a37f
Update win_root_certificate_installed.yml 2020-10-12 08:30:28 +11:00
Vasiliy Burov
1320e0b733
Update powershell_cmdline_reversed_strings.yml 2020-10-11 23:40:12 +03:00
Furkan ÇALIŞKAN
edb5b7718e
Deleted a part of an already-defined rule 
Lolbin rule for explorer.exe proxy execution;

Test scenario;

cd c:\windows\system32
explorer.exe calc.exe
(pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
 2020-10-11 21:08:17 +03:00
Bartlomiej Czyz
94efeda45d modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature 2020-10-11 19:11:54 +02:00
Vasiliy Burov
64b07ff51a
Update powershell_cmdline_reversed_strings.yml 2020-10-11 19:42:39 +03:00
Bartlomiej Czyz
8ae42bca7c fix description & ParentImage -> Image modification to comply with reg events constraints 2020-10-11 17:02:39 +02:00
Vasiliy Burov
c868ef655c
Update powershell_cmdline_reversed_strings.yml 2020-10-11 17:37:07 +03:00
Vasiliy Burov
7aaf4654cd
Rename powershell_cmdline_reversed_strings to powershell_cmdline_reversed_strings.yml 2020-10-11 17:28:56 +03:00
Vasiliy Burov
00f5d1ec92
Update powershell_cmdline_reversed_strings 2020-10-11 17:24:46 +03:00
Vasiliy Burov
51f00c153c
Update powershell_cmdline_reversed_strings 2020-10-11 17:18:15 +03:00
Vasiliy Burov
dd9c29377b
Update powershell_cmdline_reversed_strings 2020-10-11 17:11:58 +03:00
Vasiliy Burov
8f2ddc632e
Create powershell_cmdline_reversed_strings 2020-10-11 17:02:02 +03:00
Bartlomiej Czyz
2370730952 create sysmon_modify_screensaver_binary_path.yml 2020-10-11 14:31:06 +02:00
Thomas Patzke
93616af1cb
Merge pull request #1036 from svch0stz/oscd4 
[OSCD] Create win_net_use_admin_share.yml
 2020-10-10 00:05:41 +02:00
Thomas Patzke
fe554a88cb
Merge pull request #1035 from svch0stz/oscd3 
[OSCD] Update win_susp_copy_lateral_movement.yml
 2020-10-10 00:03:26 +02:00
Furkan ÇALIŞKAN
a6112dc268
Fixed OSCD wording 2020-10-09 11:59:08 +03:00
Furkan ÇALIŞKAN
abcc4a59c2
Fixed OSCD wording 2020-10-09 09:26:01 +03:00
Furkan ÇALIŞKAN
789a0c174f
Fixed OSCD wording 2020-10-09 09:25:38 +03:00
svch0stz
5d475ce16d
Update win_root_certificate_installed.yml 2020-10-09 13:00:17 +11:00
svch0stz
8d7152d489
Update win_root_certificate_installed.yml 2020-10-09 12:55:37 +11:00
svch0stz
ff8547efc5
Update win_root_certificate_installed.yml 2020-10-09 12:48:39 +11:00