valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8,290 Commits 20 Branches 25 Tags 21 MiB
539756c884
Commit Graph

6178 Commits

Author SHA1 Message Date
frack113
deb0ad5f58 split win_hktl_createminidump.yml 2021-09-19 10:19:34 +02:00
frack113
18e7e16005 split win_mal_adwind.yml 2021-09-19 10:12:03 +02:00
frack113
416b0556b1 split win_silenttrinity_stage_use.yml 2021-09-19 10:02:05 +02:00
frack113
7d000f2b1d split win_susp_winrm_AWL_bypass.yml 2021-09-19 09:41:17 +02:00
frack113
842e6481d8
Merge pull request #2046 from frack113/fix_Class 
Fix invalid registry _Class
 2021-09-19 09:28:46 +02:00
Roberto Rodriguez
407289d300 Rule to detect the execution of a script via SCX RunAsprovider ExecuteScript 2021-09-18 03:50:37 -04:00
frack113
81bf864d94 fix detection 2021-09-17 19:56:26 +02:00
frack113
509a4c2822 fix detection 2021-09-17 19:54:50 +02:00
frack113
d22382d0b9 fix detection 2021-09-17 19:52:40 +02:00
frack113
a1222c7716 Update sysmon_apt_oceanlotus_registry 2021-09-17 19:50:30 +02:00
Florian Roth
31021b9c32
Merge pull request #2040 from frack113/fix_win_outlook_registry_webview 
cleanup condition win_outlook_registry_webview.yml
 2021-09-17 14:49:35 +02:00
Florian Roth
89b225e43b
Merge pull request #2041 from frack113/fix_sysmon_susp_mic_cam_access 
fix detection in sysmon_susp_mic_cam_access
 2021-09-17 14:49:07 +02:00
Florian Roth
260578dceb fix: wrong modified field 2021-09-17 14:29:19 +02:00
Roberto Rodriguez
c17104b2eb updated level to high 2021-09-17 04:30:17 -04:00
Roberto Rodriguez
7618cf4672 Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell 2021-09-17 04:23:11 -04:00
frack113
6e4edfdf20 fix detection 2021-09-17 09:11:53 +02:00
frack113
ebc5ebe7ba cleanup condition 2021-09-17 08:23:14 +02:00
frack113
158746a904
Merge pull request #2036 from frack113/sysmon_registry_persistence_search_order 
[Turla Mosquito] fix detection from references
 2021-09-17 06:36:46 +02:00
frack113
6dd4315f36
Merge pull request #2035 from frack113/fix_bad_category 
Fix bad category in possible_privilege_escalation_via_service_registry_permissions
 2021-09-17 06:35:29 +02:00
frack113
377c5a80f5
Merge pull request #2031 from frack113/lnx_global 
Split global linux rule
 2021-09-17 06:34:59 +02:00
frack113
05f4f50fc2
Merge pull request #2037 from frack113/clean_win_outlook_registry_todaypage 
Clean win outlook registry todaypage
 2021-09-17 06:34:38 +02:00
Sittikorn S
13553ef917
Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml 2021-09-17 09:53:12 +07:00
frack113
7a22fc6dba clean string 2021-09-16 16:26:53 +02:00
frack113
c36cf428ac clean list 1 elem 2021-09-16 16:18:30 +02:00
Florian Roth
a926439b39
fix: default to (Default) 2021-09-16 11:39:45 +02:00
frack113
6e981f56df fix detection from references 2021-09-16 09:20:41 +02:00
frack113
8a847e0538
Update process_creation_possible_privilege_escalation_via_service_registry_permissions.yml 2021-09-15 19:05:31 +02:00
frack113
973e0666ac
Merge pull request #2020 from frack113/pc_global 
Split some global process_creation rules
 2021-09-15 19:03:30 +02:00
frack113
3b8282c221 fix detection 2021-09-15 16:21:30 +02:00
frack113
33a51df46a
Update lnx_system_info_discovery.yml 2021-09-14 21:03:46 +02:00
frack113
a6da209507
Update lnx_auditd_system_info_discovery2.yml 2021-09-14 21:02:51 +02:00
frack113
a3477893de
Update lnx_auditd_network_service_scanning.yml 2021-09-14 21:02:13 +02:00
frack113
83531bb2ff split global lnx_system_info_discovery.yml 2021-09-14 20:13:57 +02:00
frack113
38c0f83eaf split global lnx_sudo_cve_2019_14287.yml 2021-09-14 20:07:13 +02:00
frack113
87e5fc48fa split global lnx_security_tools_disabling.yml 2021-09-14 19:32:58 +02:00
frack113
ecefc6e913 add missing product 2021-09-14 19:29:49 +02:00
frack113
bc69900335 split global lnx_network_service_scanning.yml 2021-09-14 19:27:28 +02:00
frack113
30955c4884 split global lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml 2021-09-14 19:24:11 +02:00
frack113
1e4484bffb split lnx_auditd_cve_2021_3156_sudo_buffer_overflow 2021-09-14 19:22:56 +02:00
frack113
b08b3e2b0d
Merge pull request #2021 from frack113/global_registry 
Split registry Global rules
 2021-09-14 19:18:34 +02:00
frack113
d13af3e258
Merge pull request #2019 from frack113/normalise_name 
Split 2 global rules and normalyze name
 2021-09-14 19:17:55 +02:00
frack113
7298225cbe
Merge pull request #2028 from zakibro/master 
New Rule - Linux - Auditd - Screen Capture with xwd
 2021-09-14 09:58:11 +02:00
zakibro
e47a7d9826
Update lnx_auditd_screencaputre_xwd.yml 2021-09-13 19:08:23 +02:00
Pawel Mazur
a8f9617ccd New Rule - Linux - Auditd - Screen Capture with xwd 2021-09-13 18:56:33 +02:00
Florian Roth
4118402127
Merge pull request #2027 from frack113/fix_reg_key 
Fix registry TargetObject
 2021-09-13 15:59:47 +02:00
Florian Roth
680cad2a52
Merge pull request #2025 from BlackB0lt/patch-18 
Update win_file_winword_cve_2021_40444.yml
 2021-09-13 15:58:45 +02:00
Sittikorn S
dd9921b360
Update win_file_winword_cve_2021_40444.yml 
Add modified date
 2021-09-13 19:41:01 +07:00
frack113
34111b3aaf
Merge pull request #2023 from austinsonger/okta 
Okta Rules
 2021-09-13 14:34:52 +02:00
frack113
ab5d3a9da4
Merge pull request #2024 from austinsonger/azure_new_cloudshell_created.yml 
azure_new_cloudshell_created.yml
 2021-09-13 14:34:11 +02:00
frack113
047ebab36b fix HKCU 2021-09-13 14:01:39 +02:00
frack113
7b6ae81b8b fix TargetObject HK 2021-09-13 13:16:16 +02:00
frack113
bd3b1323b4
fix TargetObject HKCU 2021-09-13 12:45:10 +02:00
Sittikorn S
edd5c2745e
Update win_file_winword_cve_2021_40444.yml 
change TargetFilename|contains|all
 2021-09-13 16:05:56 +07:00
Sittikorn S
5977596e65
Update win_file_winword_cve_2021_40444.yml 2021-09-13 16:05:22 +07:00
Sittikorn S
7386904e42
Update win_file_winword_cve_2021_40444.yml 
Add new condition
 2021-09-13 15:33:14 +07:00
Sittikorn S
9576663789
Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml 
Edit My Teammate
 2021-09-13 15:23:38 +07:00
pbssubhash
4ae1d41983 Corrected Rules - Logsource 2021-09-13 10:16:02 +05:30
Austin Songer
8e1f36ec39
Update okta_api_token_created.yml 2021-09-12 23:34:08 -05:00
frack113
e4d3d313c7
Update okta_policy_rule_modified_or_deleted.yml 2021-09-13 06:33:49 +02:00
frack113
18223a37cd
Update okta_application_sign-on_policy_modified_or_deleted.yml 2021-09-13 06:26:01 +02:00
Austin Songer
e1ef3857fb
Update and rename okta_user_account_lockout.yml to okta_user_account_locked_out.yml 2021-09-12 20:49:44 -05:00
Austin Songer
01c985b99a
Update and rename okta_user_account_mfa_bypass_attempt.yml to okta_mfa_reset_or_deactivated.yml 2021-09-12 20:40:33 -05:00
Austin Songer
1f5e2577cb
Delete okta_user_account_mfa_reset.yml 2021-09-12 20:34:37 -05:00
Austin Songer
bec7b5d3e7
Create okta_security_threat_detected.yml 2021-09-12 20:33:27 -05:00
Austin Songer
249d3198d3
Create okta_application_sign-on_policy_modified_or_deleted.yml 2021-09-12 20:27:45 -05:00
Austin Songer
f759fff453
Update okta_policy_rule_modified_or_deleted.yml 2021-09-12 20:24:12 -05:00
Austin Songer
e60fbbf4b8
Update okta_network_zone_deactivated_or_deleted.yml 2021-09-12 20:22:16 -05:00
Austin Songer
45b6ac72ee
Update okta_application_modified_or_deleted.yml 2021-09-12 20:19:57 -05:00
Austin Songer
9f70336879
Update okta_api_token_revoked.yml 2021-09-12 20:16:37 -05:00
Austin Songer
aa8978e9da
Update okta_api_token_created.yml 2021-09-12 20:14:27 -05:00
Austin Songer
715b6ecdda
Create azure_new_cloudshell_created.yml 2021-09-12 20:00:08 -05:00
Austin Songer
f227437920
Create okta_api_token_revoked.yml 2021-09-12 19:47:59 -05:00
Austin Songer
329c5e96fc
Create okta_api_token_created.yml 2021-09-12 19:47:21 -05:00
Austin Songer
5f7e657319
Create okta_admin_role_assigned_to_user_or_group.yml 2021-09-12 19:45:57 -05:00
Austin Songer
7b37162107
Update okta_user_account_mfa_reset.yml 2021-09-12 19:41:50 -05:00
Austin Songer
4d58194dab
Update okta_user_account_mfa_bypass_attempt.yml 2021-09-12 19:41:38 -05:00
Austin Songer
30823b72b2
Update okta_policy_rule_modified_or_deleted.yml 2021-09-12 19:41:14 -05:00
Austin Songer
31ccf89dcc
Update okta_network_zone_deactivated_or_deleted.yml 2021-09-12 19:41:00 -05:00
Austin Songer
08e79bb22e
Update okta_application_modified_or_deleted.yml 2021-09-12 19:40:49 -05:00
Austin Songer
8b0756bd32
Create okta_unauthorized_access_to_app.yml 2021-09-12 19:39:24 -05:00
Austin Songer
8607af29e0
Create okta_user_account_lockout.yml 2021-09-12 19:35:19 -05:00
Austin Songer
12e5eeac9e
Update okta_policy_modified_or_deleted.yml 2021-09-12 19:30:03 -05:00
Austin Songer
1af9120f37
Rename okta_account_mfa_reset.yml to okta_user_account_mfa_reset.yml 2021-09-12 19:25:11 -05:00
Austin Songer
d5653cbfd0
Create okta_user_account_mfa_bypass_attempt.yml 2021-09-12 19:24:57 -05:00
Austin Songer
c51e1db228
Create okta_network_zone_deactivated_or_deleted.yml 2021-09-12 19:22:15 -05:00
Austin Songer
fefb856471
Create okta_account_mfa_reset.yml 2021-09-12 19:20:54 -05:00
Austin Songer
76d78c274a
Create okta_policy_rule_modified_or_deleted.yml 2021-09-12 19:17:25 -05:00
Austin Songer
ebd120a165
Create okta_application_modified_or_deleted.yml 2021-09-12 19:17:00 -05:00
Austin Songer
0d51178174
Create okta_policy_modified_or_deleted.yml 2021-09-12 19:13:15 -05:00
pbssubhash
0c092cd106 Final changes 2021-09-12 23:11:46 +05:30
pbssubhash
3c0c1706dc Changed 2021-09-12 23:06:01 +05:30
pbssubhash
276cb59756 yaml to yml ext 2021-09-12 18:41:56 +05:30
pbssubhash
5d654c4518 Changing title to camelcase 2021-09-12 18:36:20 +05:30
pbssubhash
1f7d239bf9 Name change 2021-09-12 18:24:35 +05:30
pbssubhash
014ac2d24e Modifying Rules 2021-09-12 18:09:14 +05:30
pbssubhash
2b228e5f33
Merge branch 'SigmaHQ:master' into master 2021-09-12 18:08:42 +05:30
frack113
437ea3408b split sysmon_stickykey_like_backdoor.yml 2021-09-12 09:58:43 +02:00
frack113
81c2b2731c split sysmon_dns_serverlevelplugindll.yml 2021-09-12 09:53:20 +02:00
frack113
f3ad5953d5 split sysmon_apt_pandemic 2021-09-12 09:42:11 +02:00
frack113
3db427873a split sysinternals eula and uac bypass 2021-09-12 09:38:05 +02:00
frack113
830c0c9f22
Update process_creation_advanced_ip_scanner.yml 2021-09-12 08:53:10 +02:00
frack113
dc5c26ad2d
Merge pull request #2018 from zakibro/master 
New Linux Auditd Rules - Steghide Steganography
 2021-09-12 08:29:56 +02:00
frack113
e355367c03 Clean SyncAppvPublishingServer rules 2021-09-12 07:46:35 +02:00
frack113
2223afb6fe split global rules 2021-09-11 20:30:32 +02:00
frack113
92999468ee
Merge pull request #2012 from frack113/upgrade_test 
Upgrade test_rules.py
 2021-09-11 15:29:19 +02:00
frack113
a73d37cd72 fix related 2021-09-11 14:22:01 +02:00
frack113
338c9f5ae7 Split global rule 2021-09-11 13:45:41 +02:00
frack113
2a76c469e0 normalise name 2021-09-11 13:34:19 +02:00
zakibro
6412ddaaee
Update lnx_auditd_steghide_extract_steganography.yml 2021-09-11 11:19:21 +02:00
zakibro
d0741f9f3a
Update lnx_auditd_steghide_embed_steganography.yml 
Formatting and detection changes
 2021-09-11 11:18:08 +02:00
Pawel Mazur
89f15c01f9 New Linux Auditd Rules - Steghide Steganography 2021-09-11 10:56:17 +02:00
frack113
747fedb6c6
Merge pull request #2015 from neonprimetime/patch-1 
Propose making rule more generic than just ipify
 2021-09-11 09:06:01 +02:00
frack113
8d3a77d1f5
Update net_susp_ipify.yml 2021-09-11 08:31:24 +02:00
frack113
d2e622f149
Merge pull request #2011 from d4rk-d4nph3/master 
Added rule for Atlassian Confluence CVE-2021-26084
 2021-09-11 07:24:58 +02:00
neonprimetime security (Justin C Miller)
033494c8f7
Propose making rule more generic than just ipify 
Propose making this detection more generic, cover more lookup services than just ipify
https://twitter.com/neonprimetime/status/1436376497980428318
 2021-09-10 12:14:43 -05:00
Florian Roth
7d6baaa79a
Merge pull request #2014 from SigmaHQ/rule-devel 
CVE-2021-40444 file creation - winword.exe + .cab
 2021-09-10 18:50:59 +02:00
Florian Roth
a4e2c0feba
Revert "refactor: exclude case in which upper ticks are used" 
This reverts commit f00aaf8461.
 2021-09-10 18:13:36 +02:00
Florian Roth
9e7ede66cc
CVE-2021-40444 file creation - winword.exe + .cab 2021-09-10 18:13:09 +02:00
Austin Songer
1ea9aab455
Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:31 -05:00
Austin Songer
57d349bfe5
Update process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:22 -05:00
Austin Songer
9d9a5088bb
Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:24 -05:00
Austin Songer
5aa5586c54
Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:11 -05:00
frack113
0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113
d30bb693c5
Merge pull request #2010 from BlackB0lt/patch-16 
Create web_cve_2021_40539_manageengine_adselfservice_exploit.yml
 2021-09-10 10:47:57 +02:00
frack113
ac9ea531ae
Merge pull request #1956 from Cyb3rEng/master 
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
 2021-09-10 10:47:23 +02:00
frack113
fe035388f0
Rename Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml to process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 10:02:19 +02:00
Florian Roth
3824a12323
style: fixed indentation level, order of fields 2021-09-10 09:33:52 +02:00
Florian Roth
59b9902502
style: fixed indentation level 2021-09-10 09:33:09 +02:00
frack113
3d147f528f
Rename Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml to process_creation_command_execution_by_office_applications.yml 2021-09-10 09:23:00 +02:00
frack113
ced1aa3dc0
Merge pull request #2008 from frack113/master 
Split global sysmon rules
 2021-09-10 09:18:54 +02:00
frack113
4a03ef6e0b
Merge pull request #2007 from zakibro/master 
New Rule - Linux Auditd Hidden Files - Steganography
 2021-09-10 09:18:28 +02:00
zakibro
a4dffc14d4
Update lnx_auditd_unzip_hidden_zip_files_steganography.yml 
Fixing formatting
 2021-09-10 07:54:56 +02:00
zakibro
0b5e8cb980
Update lnx_auditd_hidden_zip_files_steganography.yml 
Formatting changes
 2021-09-10 07:52:35 +02:00
Cyb3rEng
f4155010ff
Duplicate Rule 
Removed rule as it was duplicated
 2021-09-09 23:09:20 -06:00
Cyb3rEng
4af244b135
Duplicate Rule 
Removed rule as it was duplicated
 2021-09-09 23:08:52 -06:00
Sittikorn S
0806e4ccd2
Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml 2021-09-10 11:30:51 +07:00
Bhabesh Rai
91081a7fbc Added rule for Atlassian Confluence CVE-2021-26084 2021-09-10 10:04:16 +05:45
Cyb3rEng
361121c402
changed title 
title: Lolbins Process Created With WmiPrvSE
 2021-09-09 21:51:49 -06:00
Cyb3rEng
a3a12375b5
changed title 
title: Lolbins Process Created With Office Application
 2021-09-09 21:51:22 -06:00
Cyb3rEng
bcd043dd01
Merge branch 'SigmaHQ:master' into master 2021-09-09 21:48:33 -06:00
Cyb3rEng
44e39ec3ac
Changed title 
changed title to stay within rule guideline
 2021-09-09 21:43:35 -06:00
Cyb3rEng
5547d274a0
Changed Title 
title: New LOLBin Process by Office Applications
 2021-09-09 21:41:56 -06:00
Cyb3rEng
6cae20b9b8
Changed title 
changed title
 2021-09-09 21:38:42 -06:00
Cyb3rEng
ca19f43a06
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
 2021-09-09 21:35:21 -06:00
Cyb3rEng
d14c26f5f1
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:33:36 -06:00
Cyb3rEng
ba995ef442
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:32:42 -06:00
Cyb3rEng
f7b8fd571d
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:31:57 -06:00
Cyb3rEng
6a7ac098ed
changed id uuid to v4 
b45e1519-5de5-4dfe-bef6-73bc48c2b983
 2021-09-09 21:31:20 -06:00
Sittikorn S
a6a3f6b392
Create web_cve_2021_40539_manageengine_adselfservice_exploit.yml 2021-09-10 10:31:11 +07:00
Cyb3rEng
9a42b690bd
changed id uuid to v4 
8c6fd6fc-28fc-4597-a86a-fc1de20b039d
 2021-09-09 21:30:02 -06:00
Cyb3rEng
8b9cf80be2
changed id uuid to v4 
3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
 2021-09-09 21:29:31 -06:00
Cyb3rEng
d65881b752
changed id uuid to v4 
04f5363a-6bca-42ff-be70-0d28bf629ead
 2021-09-09 21:28:58 -06:00
Cyb3rEng
a334ea167c
changed id uuid to v4 
c0e1c3d5-4381-4f18-8145-2583f06a1fe5
 2021-09-09 21:28:17 -06:00
Cyb3rEng
2bc38a0ed4
changed id uuid to v4 
8a582fe2-0882-4b89-a82a-da6b2dc32937
 2021-09-09 21:27:48 -06:00
Cyb3rEng
b0ad49d950
changed id to v4 uuid 
23daeb52-e6eb-493c-8607-c4f0246cb7d8
 2021-09-09 21:27:16 -06:00
Cyb3rEng
7c9be6da32
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:24:05 -06:00
Cyb3rEng
e64bb1783e
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:20:16 -06:00
Cyb3rEng
3f71f7466d
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:19:17 -06:00
Cyb3rEng
250a307414
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:17:38 -06:00
Cyb3rEng
2be4c699fc
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:16:38 -06:00
Cyb3rEng
1102def1bf
Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:14:08 -06:00
Cyb3rEng
cfe11cdf17
Resolved more issues from last commit as per commetns 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:13:02 -06:00
Cyb3rEng
d3b4a6aa7a
Changed title based on comments 
title: File Creation by Office Applications
 2021-09-09 21:09:24 -06:00
Cyb3rEng
918bcfbf8a
Completed requested changes 
selection2:
    Image|endswith:
 2021-09-09 21:04:09 -06:00
Cyb3rEng
ff08de6d20
Completed Changes based on review 
selection2:
     ParentPrcessName|endswith:
 2021-09-09 21:02:11 -06:00
Cyb3rEng
5470c40ca6
Resolving Comment 
selection2:
   ParentImage:

removed - since there is only one attribute.
 2021-09-09 20:56:11 -06:00
Pawel Mazur
5a5769cce6 New Rule - Linux - Steganography Unzip Hidden Information From Picture File 2021-09-09 20:38:25 +02:00
zakibro
3fbe5478c3
Update and rename lnx_auditd_hidden_files_steganography.yml to lnx_auditd_hidden_zip_files_steganography.yml 
Splitting the rule into separate rules
 2021-09-09 20:34:20 +02:00
frack113
ffbeec134d
Update image_load_wmiprvse_wbemcomn_dll_hijack.yml 2021-09-09 19:56:20 +02:00
pbssubhash
10dd702f94
Merge branch 'SigmaHQ:master' into master 2021-09-09 22:31:50 +05:30
zakibro
458973af81
Update lnx_auditd_hidden_files_steganography.yml 
Adding missing field: action
 2021-09-09 16:52:58 +02:00
zakibro
62db796fc2
Update lnx_auditd_hidden_files_steganography.yml 
Formatting changes
 2021-09-09 16:46:41 +02:00
zakibro
0971fe1d49
Update lnx_auditd_hidden_files_steganography.yml 
Fixing the listing issue
 2021-09-09 16:27:57 +02:00
Pawel Mazur
41458d8a5a New Rule - Linux Auditd Hidden Files - Steganography 2021-09-09 16:13:27 +02:00
frack113
d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
frack113
217be6cd8a
Merge pull request #2005 from frack113/tags_end 
Add  missing tags to rule
 2021-09-09 15:04:26 +02:00
Florian Roth
f00aaf8461
refactor: exclude case in which upper ticks are used 2021-09-09 12:55:10 +02:00
Florian Roth
6d86c7df6c
Revert "refactor: 2nd condition in CVE-2021-40444 rule" 
This reverts commit 015573c450.
 2021-09-09 09:41:03 +02:00
Florian Roth
015573c450
refactor: 2nd condition in CVE-2021-40444 rule 2021-09-09 09:33:45 +02:00
Florian Roth
e8b633f54f
Merge pull request #2006 from SigmaHQ/rule-devel 
docs: changed level and reference in CVE-2021-40444 rule
 2021-09-09 09:29:08 +02:00
Florian Roth
2777187fd9
docs: changed level and reference in CVE-2021-40444 rule 2021-09-09 08:46:34 +02:00
Florian Roth
b1f5c22805
Merge pull request #2003 from SigmaHQ/rule-devel 
CVE-2021-40444 process pattern
 2021-09-09 08:44:52 +02:00
Florian Roth
36a5d7ec04
CVE-2021-40444 false positives 2021-09-09 08:12:36 +02:00
frack113
312ffe69e2
Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:28:48 +02:00
frack113
caa5c7af1a
Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:27:23 +02:00
Cyb3rEng
b2c44ebd6e
Changed selection1 
completed the following change to selection1 to keep inline with rule creation guideline
- CommandLine|contains: 'wmic '
 2021-09-08 21:27:15 -06:00
Cyb3rEng
fe9b91c504
Completed changes to selection1 
changed to the following to follow rule creation guidelines:
    - Image|endswith: '\wbem\WMIC.exe'
    - ProcessCommandLine|contains: 'wmic '
 2021-09-08 21:26:01 -06:00
Cyb3rEng
851dfeee46
Changed selection2 condition 
changed from "\\wbem\\WmiPrvSE.exe" to "\wbem\WmiPrvSE.exe" to follow rule creation guidelines
 2021-09-08 21:24:18 -06:00
Cyb3rEng
77ee51dd76
Changed the category 
Changed category to file_event
 2021-09-08 21:22:26 -06:00
Cyb3rEng
5bbe3dec9b
Completed changes to selection1 and selection2 
changes were completed to remove ( * ) and stay within rule creation guide:
    - Image|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'

 WMIcommand|contains: 'Win32_Process\:\:Create'
 2021-09-08 21:14:58 -06:00
Cyb3rEng
49df2358de
Completed changes to selection1 
completed changes to selection1 to comply with rule creation guide with no ( * ) or ( \\ ) 

  - Image|endswith: '\wbem\WMIC.exe'
  - ProcessCommandLine|contains: 'wmic '
 2021-09-08 21:12:27 -06:00
Cyb3rEng
a3236e62a2
Changed selection2 conditions 
replaced *\wbem\WMIC.exe with Image|endswith: '\wbem\WMIC.exe' and ProcessCommandLine: *wmic * with ProcessCommandLine|contains: 'wmic '
 2021-09-08 21:10:47 -06:00
Cyb3rEng
1f577174f9
Changed endswith condition 
removed double // from "\wbem\WmiPrvSE.exe"
 2021-09-08 21:06:41 -06:00
Cyb3rEng
6ddc83901b
Changed Category 
Category Changed from process_creation to file_event
 2021-09-08 20:38:07 -06:00
Cyb3rEng
5ac0fded26
Merge branch 'SigmaHQ:master' into master 2021-09-08 20:26:59 -06:00
Sittikorn S
36ed5ee9d4
Update sysmon_dns_over_https_enabled.yml 2021-09-09 08:04:54 +07:00
frack113
8eb527d042 Update process_mailboxexport_share.yml 2021-09-08 20:21:02 +02:00
frack113
deb0ddfe09 fix duplicate tags 2021-09-08 20:16:53 +02:00
frack113
af8bf06b30 add missing tags 2021-09-08 20:14:49 +02:00
Florian Roth
b1540d65b9
refactor: simplified rule 2021-09-08 17:35:50 +02:00
Sittikorn S
c633e825e0
Update sysmon_dns_over_https_enabled.yml 2021-09-08 22:23:51 +07:00
Sittikorn S
847b8f49b4
Update sysmon_dns_over_https_enabled.yml 
Remove HKEY_LOCAL_MACHINE\ and revise Firefox object
 2021-09-08 22:22:53 +07:00
Florian Roth
e388bc6bfa
remove unsupported tag 2021-09-08 16:56:04 +02:00
Florian Roth
c9b4f5d326
CVE-2021-40444 2021-09-08 16:49:49 +02:00
Florian Roth
72ffe99b20
Merge pull request #2001 from SigmaHQ/rule-devel 
filter: empty thumbprint, PetitPotam rule
 2021-09-08 09:09:58 +02:00
frack113
993112c7eb
Merge pull request #2002 from frack113/missing_tag 
Add missing Tags #1974
 2021-09-08 06:26:55 +02:00
frack113
e712d9696b
Merge pull request #2000 from frack113/split_global 
Split frack113 global rules
 2021-09-08 06:26:35 +02:00
Cyb3rEng
e3b376e945
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:26:42 -06:00
Cyb3rEng
4130ceb208
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:25:52 -06:00
Cyb3rEng
8d47f9531b
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:22:01 -06:00
Cyb3rEng
13e6262055
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:20:51 -06:00
Cyb3rEng
8dc1b03fef
Completed Changes Based on Comments 
Removed :
unnecessary event ID
 2021-09-07 21:19:43 -06:00
Cyb3rEng
bd4d21c41c
Completed changes based on comments 
Removed :
unnecessary event ID
 2021-09-07 21:17:12 -06:00
Cyb3rEng
75a6e5c95b
Completed Changes as per comments 
Removed :
unnecessary event ID
 2021-09-07 21:14:06 -06:00
Cyb3rEng
3b2ebe1580
Completed changes 
Removed :
unnecessary event ID
 2021-09-07 21:12:02 -06:00
Cyb3rEng
8467d5a65a
Modified Rule 
Removed :
unnecessary event ID
 2021-09-07 21:09:07 -06:00
Cyb3rEng
f0f3ecfe2f
Converted to LF 
Removed :
unnecessary event ID
 2021-09-07 21:00:35 -06:00
Cyb3rEng
932b7cf2ba
Merge branch 'SigmaHQ:master' into master 2021-09-07 19:58:09 -06:00
Thomas Patzke
d9edc9f0e3 Merge branch 'fix' 2021-09-08 00:19:09 +02:00
Thomas Patzke
143744bc12 Various fixes 
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
 2021-09-07 23:38:07 +02:00
frack113
4c3f8821c4 add missing tags 2021-09-07 18:16:46 +02:00
frack113
4e394d83a1 add missing tags 2021-09-07 17:45:41 +02:00
Rachel Rice
be5351947c
Unset date update 
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2021-09-07 16:36:59 +01:00
Florian Roth
1a55f4a294
filter: empty thumbprint, PetitPotam rule 2021-09-07 14:37:03 +02:00
Rachel Rice
eef6e71e2e
Update AWS Update Login Profile Rule fields 
Missed updating field from `responseElements.accessKey.userName` to `requestParameters.userName` on last update.
 2021-09-07 12:39:56 +01:00
frack113
0e5e4fa19d Split global rules 2021-09-07 13:30:32 +02:00
Florian Roth
cfbde22d2d
rule: PRIVATELOG image load 2021-09-07 10:10:14 +02:00
Florian Roth
3a305e82b9
fix: remove renamed files 2021-09-07 09:28:20 +02:00
Florian Roth
a8d8d878a0
remove uppercase files 2021-09-07 09:27:11 +02:00
Florian Roth
8b4fce3473
removed unneeded upper ticks 2021-09-07 09:21:44 +02:00
Florian Roth
c082ce0fe0
Merge branch 'master' into rule-devel 2021-09-07 09:20:47 +02:00
Florian Roth
57bfdc7a02
fix: more upper case chars 2021-09-07 09:19:23 +02:00
Florian Roth
0cce1c0245
fix: missing lowercase chars 2021-09-07 09:17:25 +02:00
Florian Roth
33be089ea2
fix: filename to lowercase 2021-09-07 09:16:35 +02:00
frack113
4f6b87fed5
Merge pull request #1997 from zakibro/master 
New Rule - Linux Hidden Files and Directories
 2021-09-07 09:12:04 +02:00
zakibro
bba66ca762
Update lnx_auditd_hidden_files_directories.yml 
Updating arguments section
 2021-09-07 07:57:50 +02:00
frack113
be442182fe convert to LF 2021-09-06 21:10:08 +02:00
frack113
9ef299c4f4 Change to LF 2021-09-06 21:07:49 +02:00
frack113
3b95b0c913
Remove useless Eventid 
Use tools/config/generic/windows-audit.yml to convert for security 4688
 2021-09-06 20:56:41 +02:00
zakibro
e9fa5bde2b
Update lnx_auditd_hidden_files_directories.yml 
Correction of tag
 2021-09-06 18:55:58 +02:00
Pawel Mazur
7c2895c73f New Rule - Linux Hidden Files and Directories 2021-09-06 18:43:49 +02:00
Pawel Mazur
59eb7ce032 Merge branch 'master' of https://github.com/zakibro/sigma 2021-09-06 18:41:19 +02:00
Pawel Mazur
9f5f25e480 New Rule - Linux Hidden Files and Directories 2021-09-06 18:40:39 +02:00
zakibro
f52860d6ab
Merge branch 'SigmaHQ:master' into master 2021-09-06 18:40:02 +02:00
Pawel Mazur
3eb354e34c Merge branch 'master' of https://github.com/zakibro/sigma 2021-09-06 18:37:45 +02:00
Pawel Mazur
ef3efd8fd3 New Rule Linux - Hidden Files and Directories 2021-09-06 18:37:02 +02:00
Austin Songer
0de95e355a
Update azure_federation_modified.yml 2021-09-06 11:31:52 -05:00
Austin Songer
e6e3fc2eec
Update azure_federation_modified.yml 2021-09-06 11:16:35 -05:00
Austin Songer
6025df63ee
Create azure_federation_modified.yml 2021-09-06 11:06:58 -05:00
Florian Roth
6b2bacd2cc
Merge pull request #1979 from frack113/test_global 
Change ID in global action rule
 2021-09-06 08:44:14 +02:00