valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,179 Commits 20 Branches 25 Tags 21 MiB
515c4dd9cd
Commit Graph

4179 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
eb21860ab9
Merge pull request #1124 from bczyz1/oscd-sprint-2 
[OSCD] Create sysmon_modify_screensaver_binary_path.yml
 2020-10-13 00:56:33 +02:00
sn0w0tter
c6ddbc78ce OSCD LOLBAS atbroker suspicious execution of ATs 2020-10-12 15:55:38 -07:00
Thomas Patzke
e2e3177e46
Merge pull request #1135 from omkar72/oscd-2 
[OSCD] finger executable suspicious execution
 2020-10-13 00:52:27 +02:00
Thomas Patzke
80e3c4b587
Merge pull request #1137 from banzay021/oscd 
[OSCD] Pcwrun.exe detection added
 2020-10-13 00:51:04 +02:00
Thomas Patzke
5664f72a2a
Merge pull request #1054 from NikitaStormwind/task#70 
[OSCD] Detecting Code injection with PowerShell in another process #70
 2020-10-13 00:47:13 +02:00
Thomas Patzke
4a74a56ba3
Merge pull request #1052 from NikitaStormwind/task 
[OSCD] Detecting use WinAPI Functions in PowerShell #69
 2020-10-13 00:46:25 +02:00
Thomas Patzke
8bee7272ab
Merge pull request #1051 from esebese/oscd 
[OSCD] win_syncappvpublishingserver_exe.yml added
 2020-10-13 00:45:22 +02:00
Thomas Patzke
768e500627
Merge pull request #1042 from NikitaStormwind/task29,30 
[OSCD] Detecting use PsExec via Pipe Creation/Access to pipes #29 #30
 2020-10-13 00:40:58 +02:00
Thomas Patzke
14fcdc9899
Merge pull request #1038 from caliskanfurkan/master 
[OSCD] Added explorer.exe lolbin
 2020-10-13 00:36:29 +02:00
Nikita P. Nazarov
ec383d9784 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:52:28 +03:00
Nikita P. Nazarov
c5efbc8345 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:47:51 +03:00
nsaddler
e94a47b9d3
Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 2020-10-12 18:33:43 +03:00
nsaddler
df8cd24a5d
Update sysmon_long_powershell_commandline.yml 2020-10-12 18:28:28 +03:00
Ryan Plas
a67c19c08b Split up powershell detection 2020-10-12 09:00:08 -04:00
omkargudhate22
e2911a025e
added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Alexander Sungurov
175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth
b8dc8d3f7e
reduced to avoid FPs 2020-10-12 10:46:34 +02:00
Sander
8c1bd4e466 Remove redundant space 2020-10-12 10:01:44 +02:00
omkar72
0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
Sander
3ab244c70f regini.exe ADS rule 2020-10-12 09:55:34 +02:00
omkar72
99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
omkar72
cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72
d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
Bartlomiej Czyz
e90f91b89e append authors of the update 2020-10-11 23:42:33 +02:00
Bartlomiej Czyz
ae41190291 remove redundant reference 2020-10-11 23:39:08 +02:00
Bartlomiej Czyz
b6876e5123 remove redundant reference 2020-10-11 23:35:17 +02:00
svch0stz
2edd79a37f
Update win_root_certificate_installed.yml 2020-10-12 08:30:28 +11:00
Vasiliy Burov
1320e0b733
Update powershell_cmdline_reversed_strings.yml 2020-10-11 23:40:12 +03:00
Furkan ÇALIŞKAN
edb5b7718e
Deleted a part of an already-defined rule 
Lolbin rule for explorer.exe proxy execution;

Test scenario;

cd c:\windows\system32
explorer.exe calc.exe
(pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
 2020-10-11 21:08:17 +03:00
yugoslavskiy
0966d24031
Merge pull request #1033 from JPMinty/oscd 
Create rules-unsupported/win_remote_schtask.yml
 2020-10-11 19:39:33 +02:00
yugoslavskiy
4548da7fb9
Merge pull request #1034 from JPMinty/Remote_Service 
unsupported-rules/win_remote_service.yml
 2020-10-11 19:38:00 +02:00
Bartlomiej Czyz
94efeda45d modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature 2020-10-11 19:11:54 +02:00
Vasiliy Burov
64b07ff51a
Update powershell_cmdline_reversed_strings.yml 2020-10-11 19:42:39 +03:00
Bartlomiej Czyz
8ae42bca7c fix description & ParentImage -> Image modification to comply with reg events constraints 2020-10-11 17:02:39 +02:00
Vasiliy Burov
c868ef655c
Update powershell_cmdline_reversed_strings.yml 2020-10-11 17:37:07 +03:00
Vasiliy Burov
7aaf4654cd
Rename powershell_cmdline_reversed_strings to powershell_cmdline_reversed_strings.yml 2020-10-11 17:28:56 +03:00
Vasiliy Burov
00f5d1ec92
Update powershell_cmdline_reversed_strings 2020-10-11 17:24:46 +03:00
Vasiliy Burov
51f00c153c
Update powershell_cmdline_reversed_strings 2020-10-11 17:18:15 +03:00
Vasiliy Burov
dd9c29377b
Update powershell_cmdline_reversed_strings 2020-10-11 17:11:58 +03:00
Vasiliy Burov
8f2ddc632e
Create powershell_cmdline_reversed_strings 2020-10-11 17:02:02 +03:00
Bartlomiej Czyz
2370730952 create sysmon_modify_screensaver_binary_path.yml 2020-10-11 14:31:06 +02:00
JPMinty
21284c2c92 Added selection criteria + moved to Unsupported rule 2020-10-11 12:48:48 +10:30
JPMinty
10f5c38b20 Added conditional description + moved to unsupported-rules 2020-10-11 12:40:24 +10:30
Bartlomiej Czyz
a5dea8c596 [OSCD] Fix powershell_icmp_exfiltration.yml references, add newline at the end of the file #1013 2020-10-10 23:08:39 +02:00
Bartlomiej Czyz
6dcd4a6c6d [OSCD] Create powershell_icmp_exfiltration.yml #1013 2020-10-10 23:05:31 +02:00
Anton Kutepov
b4ae5cb747
Fix ATTACK technique. 
Also made a couple of minor cosmetic changes.
 2020-10-10 20:27:00 +03:00
aw350m3
8693bd024f Added a rule to detect the use of SettingSyncHost.exe to run hijacked binary 2020-10-10 17:07:22 +00:00
Jonhnathan
09e6b05033
Update win_susp_rundll32_activity.yml 2020-10-10 10:08:02 -03:00
Thomas Patzke
93616af1cb
Merge pull request #1036 from svch0stz/oscd4 
[OSCD] Create win_net_use_admin_share.yml
 2020-10-10 00:05:41 +02:00
Thomas Patzke
fe554a88cb
Merge pull request #1035 from svch0stz/oscd3 
[OSCD] Update win_susp_copy_lateral_movement.yml
 2020-10-10 00:03:26 +02:00