valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,956 Commits 20 Branches 25 Tags 21 MiB
47c22d0443
Commit Graph

1985 Commits

Author SHA1 Message Date
Ryan Plas
e52489aaf6 Change production status to stable 2020-07-23 23:33:36 -04:00
Florian Roth
8a4b53eb3a fix: rule leads to FPs on systems that don't log the cmdline parameters 2020-07-23 17:04:16 +02:00
Florian Roth
951c6fee8b
Update sysmon_password_dumper_lsass.yml 2020-07-23 14:31:21 +02:00
Daniel Masse
13cf0488ae Add 'contains' for the ps encoded chars rule 2020-07-22 10:49:22 -04:00
Florian Roth
769a9212a5
Merge pull request #943 from diskurse/rule-devel 
Webshell Recon Detection Via CommandLine & ProcessesAdd files via upload
 2020-07-22 13:02:44 +02:00
Cian Heasley
023bf76363
Add files via upload 
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
 2020-07-22 09:05:50 +01:00
Poming huang
2b2bf34a64
add wmi persistence script event consumer false positive 2020-07-20 12:27:16 +08:00
Aidan Bracher
ff3f9fe9b3 Updated tags 2020-07-18 03:02:43 +01:00
Aidan Bracher
1fd73a23b2 Updated tags with sub-techniques 2020-07-18 03:01:34 +01:00
Aidan Bracher
4ac1058ab5 Updated tags 2020-07-18 03:01:11 +01:00
Aidan Bracher
4ffe9cb042 Updated tags with sub-techniques 2020-07-18 02:53:46 +01:00
Aidan Bracher
3bd768e49b Updated tags with sub-techniques 2020-07-18 02:52:15 +01:00
Aidan Bracher
dcf20e580d Updated tags to include sub-techniques 2020-07-18 02:50:57 +01:00
Aidan Bracher
1442812681 Updated tags 2020-07-18 02:44:53 +01:00
Aidan Bracher
2d227a08c5 Updated suspicious service with sub-techniques 2020-07-18 02:40:22 +01:00
Aidan Bracher
97452a9df3 Update to include sub-technique mapping 2020-07-18 02:38:47 +01:00
Aidan Bracher
30bd591c96 Update win_apt_ke3chang to include sub-techniques 2020-07-18 02:37:56 +01:00
Aidan Bracher
ad9a8ff956 Updated to include extra registry key 2020-07-18 02:37:11 +01:00
Aidan Bracher
ea1b2ae59f Updated invoke_phantom with sub-technique mapping 2020-07-18 02:32:42 +01:00
Aidan Bracher
23dd2e3cac Updated to include sub-technique mapping 2020-07-18 02:29:58 +01:00
Aidan Bracher
2006aa8f5e Inclusion of registry keys for WinDefender disabling 2020-07-18 02:23:30 +01:00
Marko Okuka
1d39b40fd1 Fixing typo in rule: Username to User 2020-07-16 10:09:29 -04:00
Florian Roth
3025d6850c
Merge pull request #932 from rtkdmasse/rule-selection-typos 
Change the selection from Command to CommandLine in a couple of rules
 2020-07-16 09:10:15 +02:00
Florian Roth
992bf676f9
Update sysmon_apt_pandemic.yml 2020-07-16 08:48:32 +02:00
Florian Roth
b1de627e94
Update win_apt_zxshell.yml 2020-07-16 08:47:24 +02:00
Daniel Masse
0489a50bd0 Change the selection from Command to CommandLine in a couple of rules 2020-07-15 15:55:26 -04:00
Florian Roth
f8e10273ef
Merge pull request #929 from Neo23x0/pr/919 
Pr/919
 2020-07-15 21:30:57 +02:00
Florian Roth
d0c09f10a9 changed newline character to LF 2020-07-15 16:46:44 +02:00
Ryan Plas
de53a08746 Merge branch 'master' of github.com:Neo23x0/sigma 2020-07-15 10:27:33 -04:00
duzvik
a9b860d749
Update sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:24:49 +03:00
duzvik
d24e15cc27
Update sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:12:58 +03:00
duzvik
c5dfffdac0
Create sysmon_abusing_azure_browser_sso.yml 2020-07-15 14:02:34 +03:00
Florian Roth
8f66803ddf
Merge pull request #927 from Neo23x0/rule-devel 
improved CVE-2020-1350 rule
 2020-07-15 12:06:31 +02:00
Florian Roth
1c103a749f fix: more FPs based on feedback 
https://twitter.com/GossiTheDog/status/1283341486680166400
 2020-07-15 12:05:50 +02:00
Florian Roth
c2eb110fca fix: more exact patterns 2020-07-15 11:56:11 +02:00
Florian Roth
ae7fbb9245 fix: false positive filters based on SOC Prime's rule 2020-07-15 11:49:20 +02:00
Florian Roth
e5a34a965c
Merge pull request #926 from Neo23x0/rule-devel 
rule: CVE-2020-1350
 2020-07-15 11:19:07 +02:00
Florian Roth
80639afd43 rule: CVE-2020-1350 2020-07-15 11:03:31 +02:00
Bhabesh Rai
e0c1d84951 Added new Lateral Movement Attack ID 2020-07-14 22:32:29 +05:45
Florian Roth
c7e412788a
Merge pull request #924 from Neo23x0/devel 
Live MITRE ATT&CK data from TAXI service in Test Scripts
 2020-07-14 18:15:29 +02:00
Florian Roth
38c29977ff
Merge pull request #925 from Neo23x0/rule-devel 
fix: issue reported as https://github.com/Neo23x0/sigma/issues/923
 2020-07-14 18:14:51 +02:00
Florian Roth
741d42ce88 fix: issue reported as https://github.com/Neo23x0/sigma/issues/923 2020-07-14 17:59:59 +02:00
Florian Roth
58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Bhabesh Rai
6fb045aa4b Conforming to Rule Creation Guide. 2020-07-14 14:20:07 +05:45
Bhabesh Rai
66ad325fde Added support for Defender's PSExec and WMI ASR rules. 2020-07-14 14:01:43 +05:45
Ryan Plas
04fd598bcf Update additional rules to have correct logsource attributes 2020-07-13 17:02:17 -04:00
Pushkarev Dmitry
efe720d44e Added new rule. AppLocker 2020-07-13 20:51:48 +00:00
Bart
308420bf7f
Update sysmon_dllhost_net_connections.yml 
Fix @
 2020-07-13 21:20:55 +02:00
Bart
007f62ba01
Add Dllhost WAN access 2020-07-13 21:12:37 +02:00
Florian Roth
f12cb7309b fix: references is not a list 2020-07-13 17:37:03 +02:00
Florian Roth
437a567e4f
Merge pull request #917 from Neo23x0/rule-devel 
New Empire Rules and Updates
 2020-07-13 16:37:59 +02:00
Florian Roth
557e8b0faf rule: improved Empire detection 2020-07-13 15:47:53 +02:00
Florian Roth
7e8aa7b12b
Merge pull request #915 from Neo23x0/rule-devel 
rule: regsvr32 flags anomaly
 2020-07-13 12:16:05 +02:00
Florian Roth
7a63fd56da rule: regsvr32 flags anomaly 2020-07-13 11:59:44 +02:00
Ryan Plas
25d978d9bd Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values 2020-07-11 22:17:06 -04:00
Florian Roth
3ab5eb97d8
Merge pull request #901 from brachera/master 
rule: Leviathan registry key
 2020-07-10 16:42:02 +02:00
Florian Roth
49aa0b4621
Merge pull request #909 from EccoTheFlintstone/fp2 
add WMI module load false positive
 2020-07-10 15:45:53 +02:00
Florian Roth
5de82628fa
Update sysmon_apt_leviathan.yml 2020-07-10 15:41:55 +02:00
Florian Roth
168952840b
Merge pull request #910 from Neo23x0/rule-devel 
Rule devel
 2020-07-10 14:17:22 +02:00
Florian Roth
268a28daed rule: Evilnum Golden Chicken rule OCX 2020-07-10 13:02:52 +02:00
ecco
e30eaa0202 be more specific about file location 2020-07-09 13:33:59 -04:00
ecco
94e3bd9e6b add WMI module load false positive 2020-07-09 13:32:21 -04:00
ecco
905f1b3823 add WMI and powershell false positives 2020-07-09 10:26:54 -04:00
Florian Roth
7949729fa4 rule: PowerShell encoded character syntax 2020-07-09 08:52:32 +02:00
Florian Roth
e3734aaa27
fix: missing upper tick 2020-07-08 15:53:04 +02:00
GelosSnake
efae210556
adding google chrome to FP list 
legitimate errors generated by Google Chrome are reported often.

Official google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
 2020-07-08 16:44:41 +03:00
Thomas Patzke
205b584e80 Merge branch 'pr-829' 2020-07-07 23:42:57 +02:00
Thomas Patzke
3e17cc1900
Merge pull request #894 from caliskanfurkan/master 
ditsnap, a credential access tool used in ransomware attacks
 2020-07-07 23:21:36 +02:00
Thomas Patzke
28013a15e1 Improved rule 2020-07-07 23:18:07 +02:00
Thomas Patzke
90f09f7b12 Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829 2020-07-07 23:15:39 +02:00
Thomas Patzke
3c760fabc1
Merge pull request #745 from Rettila/master 
Added new rules
 2020-07-07 23:14:19 +02:00
Thomas Patzke
7eb499ad85 Added rule id 2020-07-07 22:54:55 +02:00
Thomas Patzke
360b5714a8 Splitted and improved new rule 2020-07-07 22:47:14 +02:00
Thomas Patzke
0ce5f2cc75 Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483 2020-07-07 22:37:11 +02:00
Thomas Patzke
4762a59b89
Merge pull request #891 from rtkbkish/image-load-fixes 
Fix typo for rule in image_load category
 2020-07-07 22:31:32 +02:00
Thomas Patzke
2032a1e7fd
Merge pull request #898 from rtkbkish/fix-uac-registry 
Proposed fix for sysmon_uac_bypass_eventvwr
 2020-07-07 22:29:39 +02:00
Thomas Patzke
9e85731253
Merge pull request #899 from rtkbkish/refix-rules 
Re-fix sysmon rules that lost changes with category refactoring.
 2020-07-07 22:28:37 +02:00
Aidan Bracher
90983dcc4b add level field to rule 2020-07-07 14:28:18 +01:00
Aidan Bracher
f549a14d9a rule: Leviathan registry key 2020-07-07 13:27:57 +01:00
Florian Roth
99ac4f1f3d fix: FPs with RedMimicry rule 2020-07-07 10:11:58 +02:00
Brad Kish
c758ca0eb9 Re-fix sysmon rules that are lost changes with category refactoring. 
Several fixes for sysmon rules got lost when the rules were refactored to use
categories.

Re-add the fixes.

38afd8b5de

422b2bffd7

dfae2a6df6
 2020-07-06 10:55:42 -04:00
Brad Kish
7e06fd80fd Proposed fix for sysmon_uac_bypass_eventvwr 
Issue: https://github.com/Neo23x0/sigma/issues/888

The rules were not merged correctly with the transition to sysmon categories.

Split the rule into separate documents: one for the registry_event and one for
the process_creation
 2020-07-06 09:20:34 -04:00
Thomas Patzke
939156fa6d Introduced dns_query log source category 2020-07-05 23:29:51 +02:00
Thomas Patzke
0df21289a0 Merge branch 'dns-fixes' of https://github.com/rtkbkish/sigma into pr-893 2020-07-05 23:24:56 +02:00
Florian Roth
c51b4d0524
Merge pull request #890 from rtkbkish/file-event-fixes 
Fixes for rules in the sysmon file_event category
 2020-07-05 13:13:24 +02:00
Florian Roth
4a810dd136
Merge pull request #886 from Neo23x0/rule-devel 
Windows Curl Rules
 2020-07-05 13:12:41 +02:00
Furkan CALISKAN
8ef82e48eb ditsnap 2020-07-04 23:21:52 +03:00
Brad Kish
8b3b312c4e Proposed fix for https://github.com/Neo23x0/sigma/issues/889 
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
 2020-07-03 16:28:19 -04:00
Brad Kish
7031d9e2b8 Fix typo for rule in image_load category 
image_load not image_loaded.
 2020-07-03 16:23:17 -04:00
Brad Kish
1e9d0e9653 Fixes for rules in the sysmon file_event category 
Fix a couple of typos

For sysmon_hack_dumpert:
Make sure the logsource is category file_event and not sysmon. Don't set
the category at the global level. Instead set in the individual document.
 2020-07-03 16:22:29 -04:00
Brad Kish
4b31633355 Fixes for rules in new sysmon registry_event category 
To be consistent with the behaviour of the other rules, the eventID should not
be specified as part of the rule. The category defines the eventID.
 2020-07-03 16:20:37 -04:00
Florian Roth
11517edbd7 rule: suspicious curl usage 2020-07-03 18:55:44 +02:00
Florian Roth
c4267a4614 rule: suspicious curl file upload 2020-07-03 18:20:44 +02:00
Florian Roth
80f15a1e50
Merge pull request #885 from Neo23x0/rule-devel 
fix: trailing whitespace
 2020-07-03 18:00:19 +02:00
Florian Roth
4d9e2e8c16 fix: trailing white space 2020-07-03 17:59:50 +02:00
Florian Roth
26d8810efb
Merge pull request #882 from Neo23x0/rule-devel 
Rule devel
 2020-07-03 15:33:55 +02:00
Florian Roth
4dc818aafd fix: rar flags rule caused too many FPs 2020-07-03 13:20:24 +02:00
Florian Roth
abf5f799d6 docs: more references 2020-07-03 13:19:44 +02:00
Florian Roth
5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth
3111ab8396 refactor: new way to write that rule 2020-07-03 11:20:36 +02:00
Florian Roth
d12b8347dc fix: bug in cmstp rule 
https://github.com/Neo23x0/sigma/issues/876
 2020-07-03 11:19:11 +02:00
Florian Roth
0bbf40fb14 refactor: include xcopy 2020-07-03 11:03:45 +02:00
Florian Roth
3bea08edfc refactor: copy from/to system32 rule 2020-07-03 10:56:26 +02:00
Florian Roth
02dee36f4c
Merge pull request #880 from Neo23x0/rule-devel 
fix: typo in systemroot
 2020-07-03 10:25:31 +02:00
Florian Roth
34ea706e4f fix: typo in systemroot 2020-07-03 10:24:58 +02:00
Florian Roth
53620a0d2f
Merge pull request #879 from Neo23x0/rule-devel 
fix: missing copy command
 2020-07-03 10:18:21 +02:00
Florian Roth
0fa1c1525b fix: missing copy command 2020-07-03 10:17:34 +02:00
Florian Roth
248506be93
Merge pull request #878 from Neo23x0/rule-devel 
DesktopImgDownLdr Rules and extra rule
 2020-07-03 10:14:58 +02:00
Florian Roth
1f0b1e58a9 fix: bugs in rule and title 2020-07-03 09:54:10 +02:00
Florian Roth
01ed87186f Copy From System Root rule 2020-07-03 09:45:58 +02:00
Florian Roth
33fef8bcf5 DesktopImgDownLdr rules 2020-07-03 09:45:48 +02:00
Thomas Patzke
de0bb36c51 Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785 2020-07-02 23:04:59 +02:00
Florian Roth
4c4ed1a4a2 fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth
154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth
b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth
ba682c5de6
Merge pull request #863 from qwerty1q2w/feature 
add win_not_allowed_rdp_access.yml rule
 2020-06-30 10:03:11 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth
2e3669a5a4
Merge pull request #865 from j91321/defender-rules 
Windows Defender logsource and rules
 2020-06-30 10:01:17 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Harish SEGAR
9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR
649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321
24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Pushkarev Dmitry
502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel 
fix: duplicate IDs
 2020-06-24 17:23:13 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69 Fix quoting for AD Object WriteDAC Access 
The AccessMask field needs to be quoted so that it is compared correctly.
 2020-06-22 15:31:03 -04:00
Furkan ÇALIŞKAN
b091e3b1c4
Update for new method 
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 2020-06-22 01:06:34 +03:00
Florian Roth
e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth
62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth
5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth
b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth
da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Florian Roth
b675c4c706 Merge branch 'master' into rule-devel 2020-06-19 09:24:26 +02:00
Florian Roth
4b0c80885f
Merge pull request #810 from EccoTheFlintstone/fp 
add WMI module load false positives
 2020-06-18 12:50:40 +02:00
Florian Roth
32ecb81630
Merge pull request #845 from ikiril01/att&ck_subtechniques_v2 
ATT&CK subtechniques v2
 2020-06-18 09:10:09 +02:00
Ivan Kirillov
b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
ecco
99bfa14ae0 add 1 more FP 2020-06-17 12:49:27 -04:00