valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,010 Commits 20 Branches 25 Tags 21 MiB
5a98fdbbbd
Commit Graph

2010 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
zinint
5a98fdbbbd
ART t1004 2019-10-24 16:33:29 +03:00
zinint
317e9d3df9
PS Data Compressed attack.t1002 
PS Data Compressed attack.t1002
 2019-10-24 15:43:46 +03:00
zinint
7c5dc0ca01
Update win_data_compressed.yml 2019-10-24 15:34:13 +03:00
zinint
49f9b797a7
Update sysmon_xsl_script_processing.yml 2019-10-22 15:20:15 +03:00
zinint
a8bd2c8e78
Update win_data_compressed.yml 2019-10-22 14:57:53 +03:00
zinint
74d1fef8b8
Update win_data_compressed.yml 2019-10-22 14:53:43 +03:00
zinint
cc6d4b05ac
OSCD Task 7 : ART T1002 Exfiltration With Rar 
OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
 2019-10-22 14:00:52 +03:00
zinint
daf1034621
Update win_possible_applocker_bypass.yml 2019-10-22 00:54:29 +03:00
zinint
789782ef59
Update sysmon_xsl_script_processing.yml 2019-10-22 00:08:46 +03:00
zinint
56f807cb44
Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:54 +03:00
zinint
0d8eff0d86
Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:10 +03:00
zinint
a1d72f20c8
Update sysmon_xsl_script_processing.yml 2019-10-21 23:51:39 +03:00
zinint
5248f83fb3
Update sysmon_xsl_script_processing.yml 2019-10-21 23:46:11 +03:00
zinint
a685c9c3be
Update sysmon_xsl_script_processing.yml 2019-10-21 23:39:33 +03:00
zinint
784d7138ca
OSCD Task 7 ART T1220 
OSCD Task 7 ART T1220 rule add
 2019-10-21 22:22:55 +03:00
Florian Roth
454ba2b576 rule: modified sudo vuln rule to be most generic 2019-10-20 14:02:10 +02:00
Florian Roth
08ff2f38bc Revert "rule: modified sudo vuln rule to be most generic" 
This reverts commit ef6a25d109.
 2019-10-20 14:01:14 +02:00
Florian Roth
ef6a25d109 rule: modified sudo vuln rule to be most generic 2019-10-20 10:37:05 +02:00
Florian Roth
bd93425639
Added Sumologic to list 2019-10-19 10:11:28 +02:00
Thomas Patzke
fc276612b6 Added encoding modifiers 2019-10-16 23:52:06 +02:00
Thomas Patzke
522f021ef1
Merge pull request #461 from Galapag0s/patch-2 
Added Additional history clearing options
 2019-10-16 22:35:41 +02:00
Thomas Patzke
02d193c518
Merge pull request #470 from stevengoossensB/master 
Mapping the fields in the select statement according to the configuration file
 2019-10-16 22:34:28 +02:00
Florian Roth
deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Steven Goossens
5f7813f71e Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-10-16 16:38:59 +02:00
Steven Goossens
6a1a96a918 Implement mapping when selecting the fields for the AQL query. This was not being done correctly 2019-10-16 16:37:09 +02:00
Florian Roth
ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth
36f678930d rule: updated sudo vuln rule to detect 0-padding part 2 
https://twitter.com/joshbressers/status/1184455759620378627
 2019-10-16 15:10:44 +02:00
Florian Roth
5374d18e4b rule: updated sudo vuln rule to detect 0-padding 
https://twitter.com/taviso/status/1184238670343065600
 2019-10-16 15:03:28 +02:00
Florian Roth
c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth
5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Thomas Patzke
8c8ac52b57
Merge pull request #469 from stevengoossensB/master 
Added the cleanValue function for Qradar
 2019-10-16 11:24:57 +02:00
Steven Goossens
c6e0e10613 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-10-16 11:06:53 +02:00
Steven Goossens
2837d3ba74 Added the cleanValue function for Qradar 2019-10-16 10:27:24 +02:00
Florian Roth
d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth
38c19db1c5 Set theme jekyll-theme-minimal 2019-10-15 16:39:49 +02:00
Florian Roth
4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth
e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth
921a39f1e3 rule: extended sudo rule with variant for USER field 2019-10-15 14:55:09 +02:00
Florian Roth
96d77447d2 rule: added reference and mitre tags 2019-10-15 09:44:17 +02:00
Florian Roth
49ed76004c rule: sudo priv esc vuln CVE-2019-14287 2019-10-15 09:39:08 +02:00
Florian Roth
52fef7ae10
Merge pull request #468 from 2d4d/lsass_without_exe 
remove .exe from lsass
 2019-10-14 18:03:13 +02:00
Florian Roth
8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth
0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth
312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d
cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth
7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth
5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth
98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth
60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Thomas Patzke
849a5a520d Conditional field mapping resolve_fieldname now functional 
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
 2019-10-09 23:57:41 +02:00