Commit Graph

76 Commits

Author SHA1 Message Date
Florian Roth
576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Florian Roth
371b41acd9 Improved regsvr32.exe whitelisting bypass rule
thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
2017-06-07 13:46:36 +02:00
Florian Roth
e5ad1b2f84 Improved regsvr32 whitelisting bypass rule 2017-06-07 12:02:55 +02:00
Florian Roth
1fd7a92e87 Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 11:43:25 +02:00
Florian Roth
0c222134b9 Extended malware script dropper rule 2017-05-25 14:59:16 +02:00
Florian Roth
0685e297c8 Improved Suspicious Net.exe Execution Rule 2017-05-25 12:44:56 +02:00
Florian Roth
6ad5f82248 Corrected rule 2017-05-25 12:06:23 +02:00
dimi
0b8c82b75b 1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successful loading
2) correct typo in dns server rule
2017-05-15 20:58:31 +02:00
Florian Roth
75e55d647b Fixed and added strings 2017-05-13 18:33:51 +02:00
Florian Roth
46643324a8 Wannacrypt Update 2017-05-13 10:40:41 +02:00
Florian Roth
c40c592fb5 Changed rule as "m.vbs" isn't stable 2017-05-13 08:32:30 +02:00
Florian Roth
7c56992de5 Reference in WannaCrypt rule 2017-05-12 23:02:13 +02:00
Florian Roth
b7837d4cdb Fixed WannaCrypt rule 2017-05-12 22:32:40 +02:00
Florian Roth
5cdb2b013b WannaCrypt Ransomware 2017-05-12 21:57:53 +02:00
Florian Roth
16ac2337a4 Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 13:39:50 +02:00
Florian Roth
c7cc2a00d3 WScript/CScript Dropper 2017-05-05 17:30:46 +02:00
Florian Roth
a5c3f424c1 regsvr32 Anomalies 2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b Minor fix > list to single value 2017-04-16 12:01:03 +02:00
Florian Roth
8363b25888 Suspicious Control Panel DLL Load 2017-04-15 23:32:26 +02:00
Florian Roth
89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth
059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth
92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
Florian Roth
0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth
fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth
e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth
f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth
b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth
800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Michael Haag
5ea6fad999 net.exe and wmic.exe
Suspicious execution of net and wmic
2017-03-25 06:48:23 -07:00
Florian Roth
10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth
3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth
f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth
6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Florian Roth
2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth
b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth
c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke
56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb Create sysmon_sdclt_uac_bypass.yml
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
2017-03-17 14:31:26 -04:00
Florian Roth
3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth
cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00
Florian Roth
c571848e9b Rule: Scheduled task creation 2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0 Reduced to user accounts 2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8 Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5 Rule: Suspicious PowerShell Parameter Substring 2017-03-13 17:23:25 +01:00