valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,105 Commits 20 Branches 25 Tags 21 MiB
5a0c7f6d11
Commit Graph

2687 Commits

Author SHA1 Message Date
Jonhnathan
7d5e404b32
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 2020-10-15 16:02:16 -03:00
Jonhnathan
5790cc2ea7
Update sysmon_susp_adsi_cache_usage.yml 2020-10-15 16:01:46 -03:00
Jonhnathan
9eedeabda9
Update sysmon_quarkspw_filedump.yml 2020-10-15 16:01:24 -03:00
Jonhnathan
d2d49c445a
Update sysmon_powershell_exploit_scripts.yml 2020-10-15 16:00:20 -03:00
Jonhnathan
b6b34b37d9
Update sysmon_ghostpack_safetykatz.yml 2020-10-15 15:59:09 -03:00
Jonhnathan
099843470e
Update sysmon_creation_system_file.yml 2020-10-15 15:58:10 -03:00
Jonhnathan
427962937b
Update sysmon_susp_driver_load.yml 2020-10-15 15:57:05 -03:00
Jonhnathan
1cd56f5dae
Update win_vul_cve_2020_0688.yml 2020-10-15 15:56:36 -03:00
Jonhnathan
ef3af551e9
Update win_user_driver_loaded.yml 2020-10-15 15:56:16 -03:00
Jonhnathan
4e70b2d797
Update win_user_added_to_local_administrators.yml 2020-10-15 15:55:21 -03:00
Jonhnathan
c0892c63c8
Update win_svcctl_remote_service.yml 2020-10-15 15:54:47 -03:00
Jonhnathan
d96bd0d9f3
Update win_susp_wmi_login.yml 2020-10-15 15:54:21 -03:00
Jonhnathan
496cfcb26a
Update win_susp_sdelete.yml 2020-10-15 15:53:51 -03:00
Jonhnathan
600c7057b1
Update win_susp_sam_dump.yml 2020-10-15 15:53:26 -03:00
Jonhnathan
754e67c0d9
Update win_susp_rc4_kerberos.yml 2020-10-15 15:52:48 -03:00
Jonhnathan
43a56b6759
Update win_susp_raccess_sensitive_fext.yml 2020-10-15 15:51:57 -03:00
Jonhnathan
054255fb17
Update win_susp_psexec.yml 2020-10-15 15:51:16 -03:00
Jonhnathan
dae1f3fa71
Update win_susp_ntlm_rdp.yml 2020-10-15 15:50:44 -03:00
Jonhnathan
9b8817f489
Update win_susp_msmpeng_crash.yml 2020-10-15 15:50:01 -03:00
Jonhnathan
c310d72e2b
Update win_susp_mshta_execution.yml 2020-10-15 15:49:39 -03:00
Jonhnathan
7419396351
Update win_susp_mshta_execution.yml 2020-10-15 15:49:26 -03:00
Jonhnathan
1eb0ccbf14
Update win_susp_local_anon_logon_created.yml 2020-10-15 15:48:36 -03:00
Jonhnathan
e089118718
Update win_possible_dc_shadow.yml 2020-10-15 15:45:55 -03:00
Jonhnathan
6961ee4986
Update win_net_ntlm_downgrade.yml 2020-10-15 15:44:24 -03:00
Jonhnathan
8261737728
Update win_mmc20_lateral_movement.yml 2020-10-15 15:42:07 -03:00
Jonhnathan
8f3542a73e
Update win_mal_wceaux_dll.yml 2020-10-15 15:41:13 -03:00
Jonhnathan
9bfd63ec26
Update win_hack_smbexec.yml 2020-10-15 15:20:08 -03:00
Jonhnathan
e5789a2a52
Update win_dcsync.yml 2020-10-15 15:19:18 -03:00
Jonhnathan
777e49b76c
Update win_av_relevant_match.yml 2020-10-15 15:17:33 -03:00
Jonhnathan
b555628321
Update win_atsvc_task.yml 2020-10-15 15:15:01 -03:00
Jonhnathan
44735049b6
Update win_apt_stonedrill.yml 2020-10-15 15:14:27 -03:00
Jonhnathan
02a1ab4033
Update win_alert_mimikatz_keywords.yml 2020-10-15 15:11:10 -03:00
Jonhnathan
26b442ec48
Update win_alert_lsass_access.yml 
Getting rid of '*' use
 2020-10-15 15:09:35 -03:00
Jonhnathan
79c2b8d570
Update win_GPO_scheduledtasks.yml 
Getting rid of '*' use
 2020-10-15 15:07:16 -03:00
Jonhnathan
4aa96a2ac9
Update win_alert_enable_weak_encryption.yml 2020-10-15 15:05:49 -03:00
Jonhnathan
5765573907
Update win_alert_active_directory_user_control.yml 
Getting rid of '*' use
 2020-10-15 15:04:08 -03:00
Jonhnathan
1c06c9e166
Update win_admin_share_access.yml 
Getting rid of '*' use
 2020-10-15 15:03:31 -03:00
Jonhnathan
085dc21d25
Update win_admin_rdp_login.yml 
Getting rid of '*' use
 2020-10-15 15:02:40 -03:00
Jonhnathan
9c7a23e432
Update win_account_discovery.yml 
Getting rid of '*' use
 2020-10-15 15:01:31 -03:00
Jonhnathan
fdd9234acc Revert "Create win_susp_replace_lolbin.yml" 
This reverts commit e6a6549676.
 2020-10-15 14:57:18 -03:00
Jonhnathan
17e7eee3a6 Revert "Changed the rule to download only and not the copy" 
This reverts commit 1324bc1ad1.
 2020-10-15 14:57:14 -03:00
Jonhnathan
1324bc1ad1
Changed the rule to download only and not the copy 2020-10-07 16:18:21 -03:00
Jonhnathan
e6a6549676
Create win_susp_replace_lolbin.yml 
Item 77 of #1014
 2020-10-07 10:37:15 -03:00
Florian Roth
c56cd2dfff
Merge pull request #1024 from omkar72/master 
Com hijack shell folder
 2020-10-02 09:24:16 +02:00
omkargudhate22
4487d9cc7e
added event type & changed technique 2020-10-02 09:22:14 +05:30
Florian Roth
d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted 
https://github.com/Neo23x0/sigma/issues/1028
 2020-09-30 08:53:52 +02:00
Florian Roth
c17ca6d5fe
Merge pull request #1018 from savvyspoon/wcry-dns 
WannaCry Killswitch domain DNS query
 2020-09-29 09:27:21 +02:00
omkargudhate22
68a992d903
updated name 2020-09-27 21:57:19 +05:30
omkargudhate22
e7c8197e34
Updated fields & renamed 2020-09-27 21:52:59 +05:30
omkargudhate22
ebe3dce1d7
Update sysmon_comhijack_uac_bypass.yml 2020-09-27 21:44:41 +05:30
omkar72
3f148e6c7c COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt. 2020-09-27 21:19:04 +05:30
Florian Roth
d7d9c0e772
Merge pull request #1021 from hieuttmmo/master 
Sigma rule to detect AdFind.exe execution
 2020-09-27 09:50:41 +02:00
Florian Roth
8020fe3c40
false positive condition 2020-09-26 17:03:29 +02:00
Florian Roth
60795f7050
Update win_susp_adfind.yml 
Fear that a simple adfind.exe causes too many false positives
 2020-09-26 17:02:39 +02:00
Florian Roth
dbdd758365
Duplicate Rule 
we already have a rule for that
 2020-09-26 17:01:32 +02:00
Tran Trung Hieu
d4dd0600ad Fix logsource service to process_creation 2020-09-26 21:45:23 +07:00
Tran Trung Hieu
c756fc8576 Detect Suspicious AdFind Execution 2020-09-26 21:34:06 +07:00
Mike Wade
f76f80db80 Killswitch domain 2020-09-16 20:32:31 -06:00
Mike Wade
7b1ef9ea64 fixing test runner issues 2020-09-15 15:45:33 -06:00
Mike Wade
6ed36b0e41 fixed issues with tabs and duplicate tags 2020-09-15 08:52:00 -06:00
Florian Roth
2cd9b794e6
Merge pull request #1007 from d4rk-d4nph3/master 
Windows Defender AMSI Trigger Detected
 2020-09-15 15:45:00 +02:00
Remco Hofman
6cadfa5b2b Added win_vul_cve_2020_1472 rule 2020-09-15 15:13:53 +02:00
Mike Wade
1ddba05eb2 Second round 2020-09-15 07:02:30 -06:00
Mike Wade
da9b32bdd6 we 2020-09-15 06:24:44 -06:00
Mike Wade
8ce73bd8df Fixed issues with tags and missing files 2020-09-15 06:10:57 -06:00
Thomas Patzke
378d9c94cf Merge branch 'master' of https://github.com/socprime/sigma into pr-981 2020-09-15 12:14:49 +02:00
Florian Roth
50db6dcc69
Merge pull request #1002 from scottdermott/master 
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
 2020-09-15 08:17:02 +02:00
Bhabesh Rai
03c7d751c0 Windows Defender AMSI Trigger Detected 2020-09-14 18:10:38 +05:45
Mike Wade
57cae0ded1 Fixed reference typo 2020-09-13 22:07:43 -06:00
Mike Wade
52ab677798 Fixed my git issue 2020-09-13 22:03:04 -06:00
Mike Wade
249c255435 No Idea why these files are deleted 2020-09-13 22:00:30 -06:00
Yugoslavskiy Daniil
1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Dermott, Scott J
c72ac8f73e Merge branch 'master' of https://github.com/scottdermott/sigma 2020-09-11 16:19:54 +01:00
Scott Dermott
1f50e0af35
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx) 
AD Connect on premise AD accounts to Azure AD.  The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account.  The AD Connect application is installed on a member server (i.e. not on a DC).  
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
 2020-09-11 16:06:51 +01:00
Tran Trung Hieu
49ba107dce Fixed Title 2020-09-10 17:36:37 +07:00
Tran Trung Hieu
f7d5240d40 Added UID, fixed rule description 2020-09-10 17:20:16 +07:00
Tran Trung Hieu
1b6c6ec5bf Detects a suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender 2020-09-10 17:16:06 +07:00
Bhabesh Rai
ed059a9831 Added Credential Dumping by LaZagne 2020-09-09 18:27:14 +05:45
Florian Roth
de5444a81e
Merge pull request #989 from oscd-initiative/master 
[OSCD Initiative][ATT&CK tags update]
 2020-09-08 13:27:58 +02:00
Florian Roth
af3b93a522
Merge pull request #914 from omergunal/ogunal-2 
New rules for Linux
 2020-09-07 09:41:43 +02:00
Florian Roth
39dfcd40ec
Merge pull request #921 from d4rk-d4nph3/master 
Added support for Defender's PSExec and WMI ASR rules.
 2020-09-07 09:40:46 +02:00
Florian Roth
6f96bbbe65
Merge pull request #977 from barvhaim/patch-1 
Update win_new_service_creation.yml typo
 2020-09-07 09:39:28 +02:00
Florian Roth
37751fc3a1
Merge pull request #978 from barvhaim/patch-2 
Update sysmon_apt_muddywater_dnstunnel.yml typo
 2020-09-07 09:39:11 +02:00
e6e6e
98c412044a att&ck tags review: windows/process_creation part 5 
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
 2020-09-07 02:00:41 +04:00
e6e6e
7ae76b8d99 Revert "att&ck tags review: windows/process_creation part 5" 
This reverts commit e94c47e74e.
 2020-09-07 01:28:08 +04:00
e6e6e
e94c47e74e att&ck tags review: windows/process_creation part 5 
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
 2020-09-07 01:19:41 +04:00
Alexey Lednyov
7834fdd750 att&ck tags review: windows/registry_event 2020-09-06 22:10:44 +03:00
ecco
ebc1d38027 fix in memory powershell false positive 2020-09-06 09:25:56 -04:00
ecco
b9f7d58dbc fix ADSI rule false positive 2020-09-06 09:17:53 -04:00
grikos
961e4eef4c att&ck tags review: windows/process_creation part 6 2020-09-05 20:35:21 +03:00
Florian Roth
22465037ac
Update win_susp_mpcmdrun_download.yml 2020-09-04 16:50:57 +02:00
Florian Roth
3283e33cbc
Update and rename win_lolbas_mpcmdrun.yml to win_susp_mpcmdrun_download.yml 2020-09-04 16:49:44 +02:00
Matthew Matchen
df532be142 Added ID field using UUID generated value 2020-09-04 16:38:52 +02:00
Matthew Matchen
2c69815b7b Removed empty ID field 2020-09-04 16:32:41 +02:00
Matthew Matchen
e0baa097a8 Initial creation 2020-09-04 16:00:23 +02:00
aw350m3
bd5026f6b9 fixed typos in tags 2020-09-03 14:29:05 +00:00
aw350m3
198e42d724 deleted extra spaces 2020-09-03 14:22:31 +00:00
aw350m3
b00047a4e8 att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:54 +00:00
Alexey Lednyov
cf011e4a00 Removed duplicate key 'modified' 2020-09-03 17:12:37 +03:00
Alexey Lednyov
1eb675f693 att&ck tags review: web, network/zeek 2020-09-03 17:06:37 +03:00
Florian Roth
720ac0d998
fix: syntax bug in rule 2020-09-03 09:18:28 +02:00
Yugoslavskiy Daniil
71fec94417 review network/cisco/aaa 2020-09-03 00:34:41 +02:00
Florian Roth
198469bed3 Merge branch 'master' into rule-devel 2020-09-02 17:40:12 +02:00
Florian Roth
423f81c912
Update win_mouse_lock.yml 2020-09-02 14:49:37 +02:00
Florian Roth
73bc514f60 fix: 1 of them / one selection 2020-09-02 12:34:35 +02:00
Florian Roth
7ddb63ec1b fix: FPs with McAfee and CyberReason 2020-09-02 12:30:34 +02:00
Yugoslavskiy Daniil
11e0f794d9 review windows/process_creation part 4 2020-09-02 02:34:34 +02:00
aw350m3
7c6c5263ab fix duplication of key modified in win_malware_emotet.yml 2020-09-01 17:09:54 +00:00
aw350m3
8ed3eb1494 att&ck tags review: windows/process_creation part 3 2020-09-01 17:02:59 +00:00
grikos
65d201b1e4 att&ck tags review: windows/process_creation part 7 2020-08-30 19:17:38 +03:00
Yugoslavskiy Daniil
e04b896cbc fix tags 2020-08-29 21:34:20 +02:00
grikos
a95c4347d9 fixed typo in tag 2020-08-29 20:19:46 +03:00
grikos
6092bfcec1 att&ck tags review: windows/process_creation part 9 2020-08-29 19:22:09 +03:00
aw350m3
ae99a2b207 Removed extra space that broke tests 2020-08-29 04:46:12 +00:00
aw350m3
4ed3db8d23 Merge branch 'master' of github.com:oscd-initiative/sigma 2020-08-29 04:39:45 +00:00
aw350m3
da766a245f att&ck tags review: windows/process_creation part 2 2020-08-29 04:39:30 +00:00
Yugoslavskiy Daniil
cd12ab8a77 Merge branch 'master' of https://github.com/oscd-initiative/sigma 2020-08-29 02:03:39 +02:00
Yugoslavskiy Daniil
5b70cfd3f7 review windows/sysmon 2020-08-29 02:03:28 +02:00
yugoslavskiy
21a8667720
Merge pull request #1 from zinint/master 
Linux rules reviewed
 2020-08-29 01:55:24 +02:00
grikos
293662810e att&ck tags review: windows/process_creation part 8 2020-08-28 17:14:26 +03:00
vh
a2fec9f3b9 Fix sysmon backend 2020-08-28 12:26:40 +03:00
Alexey Lednyov
880b10cce1 att&ck tags review: windows/process_creation part 1, network 2020-08-27 20:43:47 +03:00
Florian Roth
7d3a6293f5 rule: Snatch ransomware 2020-08-26 09:42:34 +02:00
aw350m3
eb6b9be5a2 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes 2020-08-25 23:51:22 +00:00
Timur Zinniatullin
8dba6ceee6 2nd review 2020-08-25 09:31:38 +03:00
Timur Zinniatullin
1244cacfbf Update lnx_auditd_create_account.yml 2020-08-25 09:20:27 +03:00
aw350m3
c28fce6273 fix duplication of key "modified" in mapping 2020-08-25 00:53:09 +00:00
aw350m3
c22273d162 fix duplication of key modified in mapping 2020-08-25 00:50:38 +00:00
aw350m3
5af0f1392d att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:35 +00:00
aw350m3
399f378269 att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:26 +00:00
Yugoslavskiy Daniil
5026438524 fix modified field 2020-08-25 01:29:57 +02:00
aw350m3
1999fb609e Merge branch 'master' of github.com:oscd-initiative/sigma 2020-08-24 23:14:13 +00:00
Yugoslavskiy Daniil
f274f39b54 Merge branch 'master' of https://github.com/oscd-initiative/sigma 2020-08-25 01:09:24 +02:00
Yugoslavskiy Daniil
42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
aw350m3
ba2e891433 windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00
aw350m3
08170bbcca fix tags for suspicious outbound kerberos activity rule 2020-08-23 21:10:29 +00:00
Josh Brower
4c4b8db7cf
Zeek RDP rule 2020-08-23 13:16:42 -04:00
aw350m3
4cdd8be354 Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:20:58 +00:00
aw350m3
3aa1ad68fb windows/process_access folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:03:06 +00:00
aw350m3
80deaf84ca windows/network_connection folder reviewed 2020-08-22 23:36:30 +00:00
Florian Roth
79adaceffa
Merge pull request #979 from barvhaim/patch-3 
Update win_susp_rasdial_activity.yml to use `contains` instead of `equal`
 2020-08-18 15:08:15 +02:00
Florian Roth
bc74ac1f8a
Update win_susp_rasdial_activity.yml 2020-08-18 14:40:37 +02:00
ecco
de4810233c remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64 2020-08-18 05:28:37 -04:00
Florian Roth
da54e89f30
Merge pull request #976 from diskurse/rule-devel 
Rule devel
 2020-08-17 15:02:31 +02:00
Florian Roth
8a02541b0a
style: removed lists where unnecessary 2020-08-17 15:02:16 +02:00
Florian Roth
6dc8dbb6d8
style: removed lists where unnecessary 2020-08-17 15:01:52 +02:00
Bar Haim
bd96b1c5ad
Update win_susp_rasdial_activity.yml 
`rasdial` is an `exe`, and probably appear as `rasdial.exe`
`LIKE` is more fit in this case
 2020-08-16 16:17:49 +03:00
Bar Haim
c7dc9df87e
Update sysmon_apt_muddywater_dnstunnel.yml 2020-08-16 12:39:04 +03:00
Bar Haim
4168f1e430
Update win_new_service_creation.yml 2020-08-16 11:44:40 +03:00
Cian Heasley
b378b3d62b
win_mouse_lock.yml 
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 2020-08-13 12:09:07 +01:00