Commit Graph

1774 Commits

Author SHA1 Message Date
Sittikorn S
a310806dbf Update win_renamed_meg.yml 2021-06-23 08:35:12 +07:00
Sittikorn S
10488512ae Update win_renamed_meg.yml 2021-06-22 22:27:34 +07:00
Sittikorn S
177442d6df Update win_renamed_meg.yml 2021-06-22 22:20:49 +07:00
Sittikorn S
6328ce8ef6 Update win_renamed_meg.yml 2021-06-22 22:17:51 +07:00
Sittikorn S
f55cd9ed1b Update win_renamed_meg.yml 2021-06-22 22:03:56 +07:00
Sittikorn S
268a4c31e3
Update win_renamed_meg.yml
Change mitre tags T1218.001 to T1218
2021-06-22 22:00:35 +07:00
Sittikorn S
e6d08d0ad6 Update win_renamed_meg.yml 2021-06-22 21:55:09 +07:00
Sittikorn S
a08b6c4e0a Create win_renamed_meg.yml 2021-06-22 21:50:07 +07:00
Florian Roth
7e748fa91a
Merge pull request #1567 from BlackB0lt/patch-2
Create win_script_event_consumer_spawn new rule
2021-06-22 12:43:34 +02:00
Sittikorn S
d9a749eec0 Update and rename win_script_event_consumer_spawn to win_script_event_consumer_spawn.yml 2021-06-22 16:35:46 +07:00
Florian Roth
cbe97206de fix: several indentation issues, casing in tags 2021-06-22 11:03:17 +02:00
Andreas Hunkeler
cd0b46ab62 rule: add port proxy registry rule and add references 2021-06-22 08:16:56 +02:00
Sittikorn S
1bcac7b04a Create win_script_event_consumer_spawn 2021-06-21 21:20:39 +07:00
mlp1515
a5e77bac17 Merge branch 'SigmaHQ:master' into master 2021-06-16 15:32:48 +02:00
Florian Roth
e5cd850640
Merge pull request #1556 from frack113/PR_617_V2
Fix all the rules to pass the test
2021-06-16 08:22:51 +02:00
Hasan
8196fbaada Parenthesis for condition statement 2021-06-16 10:41:52 +05:00
Hasan
1114a25a2c Removal of NODE from ALL filter for better coverage 2021-06-15 17:07:51 +05:00
Hasan
82bcfb29c3 Addition of Safemode flags 2021-06-15 17:07:02 +05:00
mlp1515
aa5dab332e
Update win_multiple_suspicious_cli.yml
Modify modified field
2021-06-14 08:54:07 +02:00
frack113
558bcd5ceb Fix all the rules to pass the test 2021-06-14 07:33:26 +02:00
mlp1515
ecfb42fcb2
Update win_multiple_suspicious_cli.yml
Add contains in CommandLine condition
2021-06-13 13:43:43 +02:00
Tobias Michalski
54e98c8441 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 16:41:22 +02:00
Tobias Michalski
e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth
83dddf99b4 Update win_exchange_TransportAgent.yml 2021-06-10 16:07:22 +02:00
Florian Roth
cd0531b345 fix: removed process_creation log source 2021-06-10 15:37:00 +02:00
Tobias Michalski
3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Florian Roth
5e35e387dd
Merge pull request #1549 from SigmaHQ/rule-devel
Rule devel
2021-06-10 10:19:47 +02:00
Florian Roth
78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Andreas Hunkeler
2d44803bf5
Revert renaming of ngrok rule
Initially the rule had only a detection for RDP but after my last commits we have more ports in detections, so previous generic name is better.
2021-06-08 13:09:35 +02:00
Florian Roth
07176ddb25
Merge pull request #1541 from frack113/win_tamper_with_windows_defender
Windows tamper with windows defender
2021-06-08 11:02:14 +02:00
frack113
0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
Andreas Hunkeler
cea2d5cd81 Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler
e1ef13bb24
Update ngrok usage rule
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
2021-06-07 17:20:18 +02:00
Florian Roth
d41825766a
Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
2021-06-03 20:49:31 +02:00
Florian Roth
4d7b3b7afe
Merge pull request #1530 from Karneades/patch-1
Add further detections to shadow copies deletion
2021-06-03 13:51:00 +02:00
Florian Roth
11eca86be3 Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth
151d120a24 Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113
ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion
9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler
e8ee6aec2f
Add further detections to shadow copies deletion
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
2021-06-02 15:47:41 +02:00
Florian Roth
7288ae93b9
Merge pull request #1526 from WojciechLesicki/master
Added a new rule about loading dll CS via rundll32 and also some chan…
2021-06-01 21:54:26 +02:00
Florian Roth
950b252d5c Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki
d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki
90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki
cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
frack113
a634452871 product is lowercase 2021-05-30 08:43:01 +02:00
Florian Roth
39900bb7c5 refactor: re-add exec selection 2021-05-27 19:24:20 +02:00
Florian Roth
9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth
c3ab7d19f1
Merge pull request #1515 from jbeley/master
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
2021-05-27 18:22:16 +02:00
Florian Roth
431f34b985 fix: other locations
https://twitter.com/ber_m1ng/status/1397948048135778309
2021-05-27 18:12:20 +02:00
Florian Roth
a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth
fa45298474
Merge pull request #1516 from SigmaHQ/rule-devel
Update win_susp_regedit_trustedinstaller.yml
2021-05-27 17:48:48 +02:00
Jeff Beley
f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth
61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth
71625c54f0
Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
2021-05-27 16:30:30 +02:00
Florian Roth
d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth
ea430c8823
Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
2021-05-27 12:55:03 +02:00
Florian Roth
059e669ac6
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
2021-05-27 12:51:54 +02:00
Florian Roth
c0b93a010c NCCGroup rules from rclone blog post
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
2021-05-27 12:49:40 +02:00
Florian Roth
7812a4217c rule: regedit as trustedinstaller 2021-05-27 11:36:05 +02:00
Florian Roth
b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth
adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Florian Roth
8aabb58eca
Merge pull request #1498 from w0rk3r/otrf
Update broken OTRF Threat Hunter Playbook References
2021-05-26 13:06:16 +02:00
frack113
afb3d63900 fix typo of fields 2021-05-24 10:37:14 +02:00
frack113
1fcd0bf951 fix typo of fields 2021-05-24 10:34:56 +02:00
Florian Roth
576e047e76 Delete win_susp_Register_cimprovider.yml 2021-05-22 15:43:41 +02:00
Florian Roth
4c281d117c fix: bug in rule syntax 2021-05-22 15:31:23 +02:00
Florian Roth
7e1ac347ef Merge branch 'master' into rule-devel 2021-05-22 15:27:32 +02:00
Florian Roth
c0d58cb7f9 PAExec and PSexec rules 2021-05-22 10:52:01 +02:00
Jonhnathan
7f335cbb4a Update Threat Hunter Playbook Reference 2021-05-22 01:08:23 -03:00
Jonhnathan
34e2a81371 Update Threat Hunter Playbook Reference 2021-05-22 01:04:53 -03:00
Jonhnathan
89cfef9d49 Update Threat Hunter Playbook Reference 2021-05-22 01:04:20 -03:00
frack113
a9e85ca58e Fix falsepositives list 2021-05-21 12:22:36 +02:00
frack113
f4be70aa9e Fix falsepositives list 2021-05-21 12:19:17 +02:00
frack113
f312663820 Fix falsepositives list 2021-05-21 11:29:17 +02:00
frack113
6878bfade9 Fix falsepositives list 2021-05-21 11:17:36 +02:00
Florian Roth
a0efd7a4dc
Merge pull request #1494 from Karneades/patch-1
Add keyword WinRM to remote powershell rules
2021-05-21 10:35:18 +02:00
Andreas Hunkeler
e58c59dcfd Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00
Florian Roth
a30391f3b4
Merge pull request #1495 from SigmaHQ/rule-devel
rule refactoring: Cobalt Strike service start
2021-05-20 17:43:29 +02:00
Andreas Hunkeler
93241e7fc6 Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler
3763e54b99 Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Florian Roth
ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
Florian Roth
5a3af872d8
Merge pull request #1479 from SigmaHQ/rule-devel
Rule devel, Trademark test
2021-05-15 13:42:34 +02:00
Florian Roth
a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth
e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
frack113
ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113
cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
Bhabesh Rai
48487385ef Preserved creation date 2021-05-11 19:17:32 +05:45
Florian Roth
7bc733a3cf
Merge pull request #1473 from frack113/master
Correct the sysmon case-sensitive Key
2021-05-11 14:59:20 +02:00
Florian Roth
0fcbce9932
Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml
Got Rid of References that are no longer valid.
2021-05-11 14:32:47 +02:00
frack113
f07c368ae0 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113
c4c720cc30 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113
720dd24814 Correct case-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
Bhabesh Rai
d90965af38 Updated rule for Advanced IP Scanner 2021-05-10 20:28:37 +05:45
Florian Roth
67e807983c
Merge pull request #1470 from SigmaHQ/rule-devel
New CS rule for malformed UAs, FP fixes
2021-05-10 13:40:27 +02:00
Florian Roth
fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth
270aedfd62
Merge pull request #1469 from d4rk-d4nph3/master
Added rule for RClone usage for exfiltration
2021-05-10 10:50:35 +02:00
Bhabesh Rai
9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Austin Songer
39a21a9e89 Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth
80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth
ff50b5b659
Merge pull request #1451 from SigmaHQ/rule-devel
Different FP filters
2021-04-30 08:31:02 +02:00
Florian Roth
020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth
04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth
4b86d3f407
Merge pull request #1449 from SigmaHQ/rule-devel
Rule devel
2021-04-29 12:28:12 +02:00
Florian Roth
3e5f7aeb5e rule: PowerShell Cmdlet Defender Exclusions 2021-04-29 09:56:26 +02:00
Florian Roth
9166167447
Merge pull request #1433 from d4rk-d4nph3/master
Added rule for Lazarus activity of Apr 2021
2021-04-26 20:34:51 +02:00
Florian Roth
3008e5b9e7
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy
Fix typo on CommandLine field
2021-04-26 20:33:56 +02:00
Florian Roth
194b0af4d2
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas
Fix typo on CommandLine field
2021-04-26 20:33:45 +02:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Cedric Hien
748005fc14 Fix typo on CommandLine field 2021-04-25 15:52:59 +02:00
Cedric Hien
c580db166c Fix typo on CommandLine field 2021-04-25 15:50:44 +02:00
Florian Roth
1ff5e226ad
Merge pull request #1436 from SigmaHQ/rule-devel
Rule devel
2021-04-23 17:33:07 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
Florian Roth
a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth
6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth
1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth
5aed7c80db
Merge pull request #1435 from SigmaHQ/rule-devel
fix: FPs with certutil command and McAfee Chromium Container
2021-04-23 14:55:31 +02:00
Florian Roth
6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Bhabesh Rai
dd391cd0b9 Added rule for Lazarus activity of Apr 2021 2021-04-20 20:05:51 +05:45
Cedric Hien
1d6aec3c25 Fix typo on CommandLine 2021-04-19 08:20:44 +02:00
Steven
8703d9f352 Remove another reference to hardcoded event ID 2021-04-15 03:07:18 +02:00
Steven
a9f2a80b8c - Remove duplicate rule
- Fix linux rule (categories -> category)
2021-04-15 02:23:08 +02:00
Steven
70b106ef52 Fix syntax error 2021-04-15 02:11:13 +02:00
Steven
ecbd730dad Fix syntax errors in some rules 2021-04-15 02:07:43 +02:00
Steven
850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Florian Roth
ce0111aa6a fix: FP with Proxy Execution via Wuauclt 2021-04-12 08:47:29 +02:00
Florian Roth
4abebd98d9
Merge pull request #1418 from SigmaHQ/rule-devel
Fixing false positives with newest OSCD rules
2021-04-09 17:26:02 +02:00
Florian Roth
65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Thomas Patzke
08ca62cc88 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-08 23:27:45 +02:00
Thomas Patzke
3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke
a10db2df89 Fixes & improvements 2021-04-08 01:06:40 +02:00
Vasiliy Burov
e73e27e44f
Update win_hack_rubeus.yml
Added commandline parameters for constrained delegation abuse and for hashes calculation
2021-04-06 20:18:54 +03:00
Thomas Patzke
d1de168295 Merge branch 'oscd' 2021-04-06 00:05:35 +02:00
Thomas Patzke
b1b0240692 Fixes 2021-04-03 23:21:13 +02:00
Thomas Patzke
90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
phantinuss
4934f80601 fix: FP tuning for IIS Express and making use of value modifiers 2021-04-01 14:37:20 +02:00
phantinuss
8b4234de3b refactor: make use of value modifiers 2021-04-01 14:37:17 +02:00
phantinuss
794865c79d fix: adding filter to condition and reintroducing the users folder constraint 2021-04-01 14:37:17 +02:00
phantinuss
43be8c8cba refactor: make use of value modifiers 2021-04-01 14:37:16 +02:00
phantinuss
65bc62d401 fix: adding filter out for CamMute.exe 2021-04-01 14:37:14 +02:00
phantinuss
2cab121c71 refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap 2021-04-01 14:37:13 +02:00
phantinuss
109b7890db fix: taking windows security 4688 events into account for filter out 2021-04-01 14:36:57 +02:00
Florian Roth
b296c643de
Merge pull request #1346 from blueteam0ps/patch-3
Added win_ad_find_discovery.yml
2021-03-29 11:20:49 +02:00
Florian Roth
33af006479
Merge pull request #1389 from ZikyHD/patch_win_susp_wuauclt
Fix ProcessCommandLine field
2021-03-20 08:29:23 +01:00
Florian Roth
01fcfd4f76
Merge pull request #1390 from ZikyHD/patch_win_proc_wrong_parent
Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)
2021-03-20 08:29:09 +01:00
Florian Roth
2472926c48
Merge pull request #1391 from ZikyHD/patch_win_etw_trace_evasion
Fix win_etw_trace_evasion rule
2021-03-20 08:28:51 +01:00
Florian Roth
6b2bcd3d87
Merge pull request #1395 from SigmaHQ/rule-devel
Rule devel
2021-03-18 10:52:02 +01:00
Florian Roth
92510e2507 extended Exchange post-exploitation rule 2021-03-17 18:01:45 +01:00
Florian Roth
943f8513e2
Merge pull request #1393 from SigmaHQ/rule-devel
Rule devel
2021-03-16 16:35:55 +01:00
Florian Roth
bfc99996b5 fix: Bug in rule condition 2021-03-16 16:35:21 +01:00