valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,797 Commits 20 Branches 25 Tags 21 MiB
4168f1e430
Commit Graph

686 Commits

Author SHA1 Message Date
Bar Haim
4168f1e430
Update win_new_service_creation.yml 2020-08-16 11:44:40 +03:00
Thomas Patzke
f827a557f2
Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process 
Change fitler typo from 'Username' to 'User' for Wmiprvse Spawning Process rule
 2020-08-05 23:26:14 +02:00
Florian Roth
4529e4cd52
Merge pull request #966 from Neo23x0/rule-devel 
rule: TAIDOOR malware load
 2020-08-04 14:54:24 +02:00
Florian Roth
052379a512 fix: tightened TAIDOOR rule 2020-08-04 14:37:18 +02:00
Florian Roth
c4953409aa rule: TAIDOOR malware load 
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 2020-08-04 14:31:29 +02:00
IPv777
a52583dc68
.002 = SMB/Windows Admin Shares 2020-08-03 17:43:14 +02:00
Florian Roth
df3bfb1b37 rule: Winnti Pipemon 2020-07-30 18:55:47 +02:00
Florian Roth
5abf101c0b
Merge pull request #954 from Neo23x0/rule-devel 
Rule devel
 2020-07-28 10:22:52 +02:00
Florian Roth
8970d03f6f
Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00
Florian Roth
80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
IPv777
77a8ac59ef
remove duplicate 2020-07-24 16:38:08 +02:00
Florian Roth
8a4b53eb3a fix: rule leads to FPs on systems that don't log the cmdline parameters 2020-07-23 17:04:16 +02:00
Daniel Masse
13cf0488ae Add 'contains' for the ps encoded chars rule 2020-07-22 10:49:22 -04:00
Florian Roth
769a9212a5
Merge pull request #943 from diskurse/rule-devel 
Webshell Recon Detection Via CommandLine & ProcessesAdd files via upload
 2020-07-22 13:02:44 +02:00
Cian Heasley
023bf76363
Add files via upload 
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
 2020-07-22 09:05:50 +01:00
Aidan Bracher
ff3f9fe9b3 Updated tags 2020-07-18 03:02:43 +01:00
Aidan Bracher
4ffe9cb042 Updated tags with sub-techniques 2020-07-18 02:53:46 +01:00
Aidan Bracher
3bd768e49b Updated tags with sub-techniques 2020-07-18 02:52:15 +01:00
Aidan Bracher
1442812681 Updated tags 2020-07-18 02:44:53 +01:00
Aidan Bracher
30bd591c96 Update win_apt_ke3chang to include sub-techniques 2020-07-18 02:37:56 +01:00
Marko Okuka
1d39b40fd1 Fixing typo in rule: Username to User 2020-07-16 10:09:29 -04:00
Florian Roth
3025d6850c
Merge pull request #932 from rtkdmasse/rule-selection-typos 
Change the selection from Command to CommandLine in a couple of rules
 2020-07-16 09:10:15 +02:00
Florian Roth
b1de627e94
Update win_apt_zxshell.yml 2020-07-16 08:47:24 +02:00
Daniel Masse
0489a50bd0 Change the selection from Command to CommandLine in a couple of rules 2020-07-15 15:55:26 -04:00
Florian Roth
8f66803ddf
Merge pull request #927 from Neo23x0/rule-devel 
improved CVE-2020-1350 rule
 2020-07-15 12:06:31 +02:00
Florian Roth
1c103a749f fix: more FPs based on feedback 
https://twitter.com/GossiTheDog/status/1283341486680166400
 2020-07-15 12:05:50 +02:00
Florian Roth
c2eb110fca fix: more exact patterns 2020-07-15 11:56:11 +02:00
Florian Roth
ae7fbb9245 fix: false positive filters based on SOC Prime's rule 2020-07-15 11:49:20 +02:00
Florian Roth
e5a34a965c
Merge pull request #926 from Neo23x0/rule-devel 
rule: CVE-2020-1350
 2020-07-15 11:19:07 +02:00
Florian Roth
80639afd43 rule: CVE-2020-1350 2020-07-15 11:03:31 +02:00
Florian Roth
c7e412788a
Merge pull request #924 from Neo23x0/devel 
Live MITRE ATT&CK data from TAXI service in Test Scripts
 2020-07-14 18:15:29 +02:00
Florian Roth
38c29977ff
Merge pull request #925 from Neo23x0/rule-devel 
fix: issue reported as https://github.com/Neo23x0/sigma/issues/923
 2020-07-14 18:14:51 +02:00
Florian Roth
741d42ce88 fix: issue reported as https://github.com/Neo23x0/sigma/issues/923 2020-07-14 17:59:59 +02:00
Florian Roth
58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Florian Roth
437a567e4f
Merge pull request #917 from Neo23x0/rule-devel 
New Empire Rules and Updates
 2020-07-13 16:37:59 +02:00
Florian Roth
557e8b0faf rule: improved Empire detection 2020-07-13 15:47:53 +02:00
Florian Roth
7e8aa7b12b
Merge pull request #915 from Neo23x0/rule-devel 
rule: regsvr32 flags anomaly
 2020-07-13 12:16:05 +02:00
Florian Roth
7a63fd56da rule: regsvr32 flags anomaly 2020-07-13 11:59:44 +02:00
Florian Roth
168952840b
Merge pull request #910 from Neo23x0/rule-devel 
Rule devel
 2020-07-10 14:17:22 +02:00
Florian Roth
268a28daed rule: Evilnum Golden Chicken rule OCX 2020-07-10 13:02:52 +02:00
Florian Roth
7949729fa4 rule: PowerShell encoded character syntax 2020-07-09 08:52:32 +02:00
Thomas Patzke
3e17cc1900
Merge pull request #894 from caliskanfurkan/master 
ditsnap, a credential access tool used in ransomware attacks
 2020-07-07 23:21:36 +02:00
Furkan CALISKAN
8ef82e48eb ditsnap 2020-07-04 23:21:52 +03:00
Florian Roth
11517edbd7 rule: suspicious curl usage 2020-07-03 18:55:44 +02:00
Florian Roth
c4267a4614 rule: suspicious curl file upload 2020-07-03 18:20:44 +02:00
Florian Roth
4d9e2e8c16 fix: trailing white space 2020-07-03 17:59:50 +02:00
Florian Roth
4dc818aafd fix: rar flags rule caused too many FPs 2020-07-03 13:20:24 +02:00
Florian Roth
abf5f799d6 docs: more references 2020-07-03 13:19:44 +02:00
Florian Roth
5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth
3111ab8396 refactor: new way to write that rule 2020-07-03 11:20:36 +02:00