valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,078 Commits 20 Branches 25 Tags 21 MiB
514bd8657b
Commit Graph

1530 Commits

Author SHA1 Message Date
Florian Roth
514bd8657b
Merge pull request #704 from Iveco/master 
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
 2020-04-14 14:11:27 +02:00
Florian Roth
2e0e170058
Merge pull request #708 from teddy-ROxPin/patch-4 
Create powershell_create_local_user.yml
 2020-04-14 14:11:15 +02:00
Florian Roth
3175a48bdc
Casing 2020-04-14 13:40:34 +02:00
Florian Roth
ecdec93800
Casing 2020-04-14 13:39:58 +02:00
Florian Roth
5cbe008350
Casing 2020-04-14 13:39:22 +02:00
Florian Roth
5ee0808619
Merge pull request #706 from vesche/update_win_susp_netsh_dll_persistence 
Update win_susp_netsh_dll_persistence.yml
 2020-04-14 13:37:53 +02:00
Florian Roth
4f469c0e39
Adjusted level 2020-04-14 13:37:10 +02:00
Florian Roth
8f40c0a1c8
Merge pull request #710 from vesche/update_win_GPO_scheduledtasks 
Update win_GPO_scheduledtasks.yml
 2020-04-14 13:36:17 +02:00
Maxime Thiebaut
86c6891427 Add Windows Registry Persistence COM Search Order Hijacking 2020-04-14 12:59:29 +02:00
vesche
1f918253e8 Add additional reference 2020-04-13 11:09:36 -05:00
vesche
9cdb3a4a64 Fix typo 2020-04-13 11:09:00 -05:00
teddy-ROxPin
1501331f77
Create powershell_create_local_user.yml 
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
 2020-04-11 02:51:05 -06:00
vesche
3889be6255 Replace reference link for win_susp_netsh_dll_persistence 2020-04-10 01:05:10 -05:00
vesche
82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche
72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Iveco
61b9234d7f
Update win_user_driver_loaded.yml 
removed internal field
 2020-04-09 11:28:19 +02:00
Thomas Patzke
551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Iveco
e913db0dca
Update win_user_driver_loaded.yml 
CI
 2020-04-08 18:54:59 +02:00
Iveco
c5211eb94a
Update sysmon_susp_service_installed.yml 
CI
 2020-04-08 18:54:46 +02:00
Iveco
4520082ef7
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
CI
 2020-04-08 18:54:37 +02:00
Iveco
6d85650390
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed Author
 2020-04-08 18:41:33 +02:00
Iveco
fc1febdebe
Update sysmon_susp_service_installed.yml 
Fixed Author
 2020-04-08 18:41:25 +02:00
Iveco
d0746b50f4
Update win_user_driver_loaded.yml 
Fixed author
 2020-04-08 18:41:16 +02:00
Iveco
3280a1dfb0
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed CI
 2020-04-08 18:23:29 +02:00
Iveco
5e724a0a54
Update sysmon_susp_service_installed.yml 
Fixed CI
 2020-04-08 18:22:51 +02:00
Iveco
d1b9c0c34a
Update win_user_driver_loaded.yml 
Fixed CI
 2020-04-08 18:21:59 +02:00
iveco
e87f2705a7 Detect Ghost-In-The-Logs (disabling/bypassing ETW) 2020-04-08 18:01:04 +02:00
Maxime Thiebaut
73a6428345 Update the NTLM downgrade registry paths 
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
 2020-04-07 17:14:45 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223 
Suspicious Compiled HTML File
 2020-04-03 16:56:26 +03:00
Florian Roth
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master 
New sigma rules to detect new MITRE technique in last update (T1502)
 2020-04-03 09:59:36 +02:00
Florian Roth
f4928e95bc
Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack 
Powershell downgrade attack (small improvements)
 2020-04-03 09:31:33 +02:00
Florian Roth
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1 
Typo fix for powershell_suspicious_invocation_generic.yml
 2020-04-03 09:30:32 +02:00
Florian Roth
dec0c108f9
Merge pull request #683 from NVISO-BE/powershell_wmimplant 
WMImplant detection rule
 2020-04-02 11:54:09 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo. 2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
Clément Notin
18cdddb09e
Small typo 2020-03-31 15:22:00 +02:00
Maxime Thiebaut
8dcbfd9aca Add AD User Enumeration 
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.

This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.

Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.

False positives may include administrators performing the initial
configuration of new users.
 2020-03-31 09:40:07 +02:00
Remco Hofman
b791d599ee Disabled keywords that could cause FPs 2020-03-30 08:53:52 +02:00
teddy-ROxPin
1a3731f7ae
Typo fix for powershell_suspicious_invocation_generic.yml 
' - windowstyle hidden ' changed to ' -windowstyle hidden '
 2020-03-29 04:16:15 -06:00
Florian Roth
8ea6b12eed
Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini 
Add "Suspicious desktop.ini Action" rule
 2020-03-28 13:34:01 +01:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes 
Minor fixes to several rules
 2020-03-28 13:27:05 +01:00
Florian Roth
e2b90220a2
Update sysmon_susp_desktop_ini.yml 2020-03-28 13:19:10 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml 2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Florian Roth
2426b39d83
Merge pull request #678 from justintime/title_collision 
Eliminate title collision
 2020-03-28 12:57:55 +01:00
Remco Hofman
f52ed4150d WMImplant parameter detection 2020-03-27 15:08:35 +01:00
Iveco
55258e1799
Title capitalized 2020-03-26 17:04:08 +01:00