Commit Graph

18 Commits

Author SHA1 Message Date
Anton Kutepov
3f45269296 Merge branch 'oscd'
2021-03-02 22:58:41 +03:00
Florian Roth
0489d4bfa4 fix: rule 2021-02-24 13:44:13 +01:00
Florian Roth
028ce2a548 fix: Sysmon NTLM downgrade attack - too many fps 2021-02-24 13:22:25 +01:00
Jonhnathan
7fe2c00ac1 Update win_net_ntlm_downgrade.yml 2020-11-19 22:14:37 -03:00
Jonhnathan
3eea825898 Update win_net_ntlm_downgrade.yml 2020-10-27 21:59:49 -03:00
Jonhnathan
6961ee4986 Update win_net_ntlm_downgrade.yml 2020-10-15 15:44:24 -03:00
Yugoslavskiy Daniil
42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
Maxime Thiebaut
73a6428345 Update the NTLM downgrade registry paths
Recent Windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additional wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Tareq AlKhatib
f318f328d6 Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
David Spautz
e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
Thomas Patzke
2dc5295abf Removed redundant attribute from rule 2018-07-10 22:50:02 +02:00
Thomas Patzke
df6ad82770 Removed redundant attribute from rule
EventID 4657 already implies the modification.
2018-06-21 23:59:55 +02:00
Florian Roth
f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth
3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth
e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00