valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,275 Commits 20 Branches 25 Tags 21 MiB
579220de6f
Commit Graph

2750 Commits

Author SHA1 Message Date
Tran Trung Hieu
579220de6f Detect the PrintNighmare exploit using ImageLoad 2021-06-30 20:30:22 +07:00
Tran Trung Hieu
5f74a58081 Detect HAFNIUM operations 2021-03-04 00:01:54 +07:00
Florian Roth
9e921115bc
Merge pull request #1373 from SigmaHQ/rule-devel 
HAFNIUM rule
 2021-03-03 10:34:08 +01:00
Florian Roth
d8ded5ebdc refactor: changed symbols after feedback from Volexity 2021-03-03 10:15:45 +01:00
Florian Roth
e17986ebd3 rule: HAFNIUM Exchange exploitation 2021-03-03 09:58:43 +01:00
Florian Roth
73a3a1e5cd
Merge pull request #1360 from d4rk-d4nph3/master 
Added sigma rule for vSphere RCE CVE-2021-21972
 2021-03-03 09:32:05 +01:00
Florian Roth
8c95f90075
Update web_vsphere_cve_2021_21972_unauth_rce_exploit.yml 2021-03-03 09:08:24 +01:00
Bhabesh Rai
56eed19fba Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge 2021-03-03 12:46:50 +05:45
Florian Roth
6d30f87c0c refactor: procdump use 2021-03-02 23:36:25 +01:00
Florian Roth
5c1dc30a13
Merge pull request #1369 from SigmaHQ/rule-devel 
fix: FPs with rule and avast sandbox
 2021-03-02 15:30:30 +01:00
Florian Roth
c873d878b9 fix: FPs with rule and avast sandbox 2021-03-02 10:08:30 +01:00
Florian Roth
b65dbee01f
Merge pull request #1366 from Neo23x0/rule-devel 
rule: SilentProcessExit monitors
 2021-02-26 18:09:44 +01:00
Florian Roth
ba7c7409a3 fix: typo in modified 2021-02-26 17:48:50 +01:00
Florian Roth
79acbbef9f rule: SilentProcessExit monitors 2021-02-26 17:35:42 +01:00
Florian Roth
40710fe89a
Merge pull request #1357 from Neo23x0/rule-devel 
Rule FP fixes
 2021-02-26 11:05:00 +01:00
Florian Roth
274b7b0f2e
fix: search for keywords within message 2021-02-26 09:42:12 +01:00
Florian Roth
9d937705c0 fix: null values in separate filter expression 
> null value in lists cause problems in some backends
 2021-02-25 15:19:26 +01:00
Bhabesh Rai
e1dff01cea Added sigma rule for vSphere RCE CVE-2021-21972 2021-02-24 23:48:08 +05:45
Florian Roth
a8912da1a0 rule: finger.exe execution 2021-02-24 17:47:56 +01:00
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth
f8b6b9d68e fix: FPs with Suspect Svchost Activity 2021-02-24 13:55:40 +01:00
Florian Roth
0489d4bfa4 fix: rule 2021-02-24 13:44:13 +01:00
Florian Roth
9eb55016bf fix: FPs with WMI Spawning Windows PowerShell 2021-02-24 13:32:30 +01:00
Florian Roth
b032bc3328 fix: FPs with Wmiprvse Spawning Process 2021-02-24 13:27:18 +01:00
Florian Roth
028ce2a548 fix: Sysmon NTLM downgrade attack - too many fps 2021-02-24 13:22:25 +01:00
Joshua Roys
025a17e44b fix: case in level 
Otherwise es-rule ends up with a null risk_score and invalid severity.
 2021-02-22 21:34:06 -05:00
Florian Roth
96803a5a27
Merge pull request #1355 from Neo23x0/rule-devel 
Rule devel
 2021-02-22 17:46:21 +01:00
Florian Roth
94035e1e11 fix: error in condition 2021-02-22 17:30:11 +01:00
Florian Roth
749789c17d fix: condition in eventlog rule 2021-02-22 17:24:19 +01:00
Florian Roth
aea03076c2 rule: simplified rule 2021-02-22 17:19:14 +01:00
Florian Roth
43b2ad580f rule: DEWMODE webshell 2021-02-22 17:15:32 +01:00
Florian Roth
f834862833
Merge pull request #1107 from vburov/patch-10 
Update win_susp_eventlog_cleared.yml
 2021-02-18 11:19:53 +01:00
Florian Roth
a6684c66d6
Merge pull request #1110 from vburov/patch-11 
Update win_disable_event_logging.yml
 2021-02-18 11:18:32 +01:00
Florian Roth
f62fc2e889
Merge pull request #1341 from d4rk-d4nph3/master 
Added rule for TerraMaster TOS CVE-2020-28188
 2021-02-18 11:17:48 +01:00
Florian Roth
786a799c3f
Merge pull request #1345 from blueteam0ps/patch-2 
Created win_sus_auditpol_usage.yml
 2021-02-18 11:17:04 +01:00
Florian Roth
76e6f38215
Merge pull request #1348 from bartlomiej-czyz/patch-1 
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml
 2021-02-18 11:14:40 +01:00
Florian Roth
089a931007 rule: ScreenConnect remote access 2021-02-11 13:04:16 +01:00
Florian Roth
4c2691d3c3 rule: disable windows eventlog 2021-02-11 12:28:52 +01:00
Florian Roth
18f2e32774 Domestic Kitten Furball malware pattern 2021-02-08 17:52:55 +01:00
bartlomiej-czyz
b771fb0c55
Change win_metasploit_or_impacket_smb_psexec_service_install.yml severity level 2021-02-08 12:45:59 +01:00
Florian Roth
8ae8c213a9
Merge pull request #1337 from architect00/master 
rule: scheduled task deletion
 2021-02-07 15:26:13 +01:00
bartlomiej-czyz
ae15cef5e7
Rename .yaml to .yml 2021-02-03 22:20:48 +01:00
bartlomiej-czyz
e79168ee56
Create win_rundll32_without_parameters.yml 2021-02-03 22:18:23 +01:00
bartlomiej-czyz
3e9c177c65
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml 2021-02-03 22:16:21 +01:00
BlueTeamOps
c3c706503e
Update win_sus_auditpol_usage.yml 2021-02-02 22:24:54 +11:00
BlueTeamOps
b0d0bb95b0
Created win_sus_auditpol_usage.yml 
This adds detection for suspicious behaviour of the auditpol binary
 2021-02-02 19:12:13 +11:00
Bhabesh Rai
a8d33171d7 Fixed c-uri 2021-02-02 10:23:47 +05:45
Florian Roth
309e15dc5c rule: add call by ordinal 2021-02-01 20:16:31 +01:00
Florian Roth
597633c938 rule: ShimCache Flush 2021-02-01 20:05:28 +01:00
Florian Roth
2c48d2b0bb
fix: missing global action and sections 2021-02-01 20:00:06 +01:00