SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00

Author	SHA1	Message	Date
Florian Roth	5d039dd138	rule: Cobalt Strike patterns	2021-07-27 11:24:40 +02:00
Florian Roth	21c4d241a1	HiveNightmare and Relay attack tools adjustments	2021-07-26 10:59:35 +02:00
Florian Roth	9771943116	refactor: new file pattern SeriousSAM	2021-07-24 16:13:36 +02:00
Florian Roth	ae80f747ae	fix: adding experimental status	2021-07-24 12:34:33 +02:00
Florian Roth	3eb37c014c	rule: Impacket tools and Relay attack tools	2021-07-24 11:08:35 +02:00
Florian Roth	07223baaeb	fix: typo in date value	2021-07-24 10:22:07 +02:00
Florian Roth	880a87ce91	fix: avoid false positives with MSF psexec rule	2021-07-23 18:33:38 +02:00
Florian Roth	c0138d5ced	add additional filename pattern to HiveNightmare rule	2021-07-23 10:39:41 +02:00
Florian Roth	5955efa750	adjusted timestamp	2021-07-23 09:45:50 +02:00
Florian Roth	d9dc442f4e	rule: HiveNightmare	2021-07-23 09:41:00 +02:00
Florian Roth	ddb4744613	regsvr32 anomaly rule update https://twitter.com/BlackMatter23/status/1417545425297580045	2021-07-20 21:14:48 +02:00
Florian Roth	66aaa2210c	refactor: widened PS1 Empire cmdlines rule	2021-07-20 11:26:22 +02:00
Florian Roth	b7b4c4555f	fix: bug in regsvr anomaly rule	2021-07-18 12:59:31 +02:00
Florian Roth	53c25969ab	added more legitimate extensions to regsvr32 rule	2021-07-17 11:20:05 +02:00
Florian Roth	b911175f28	Suspicious mshta patterns	2021-07-17 09:04:41 +02:00
Florian Roth	6c79115ce0	Regsvr32 Anomalies extended	2021-07-17 09:04:31 +02:00
Florian Roth	021f211c14	fix: FP with WCE and Windows Cluster Service	2021-07-15 12:09:28 +02:00
Florian Roth	e516aecc74	fix: error in selector	2021-07-14 15:58:55 +02:00
Florian Roth	530e04faec	rule: Script Execution from Temp Folder	2021-07-14 15:52:52 +02:00
Florian Roth	0d794357e8	rule: reg disable security services	2021-07-14 15:52:35 +02:00
Florian Roth	04370c7e91	refactor: improved Raccine uninstall rule	2021-07-14 09:56:35 +02:00
Florian Roth	5e2e6c9b72	Merge branch 'config-adjustments' into rule-devel	2021-07-14 08:35:47 +02:00
Florian Roth	e0f166aba2	rule: Serv-U exploitation https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/	2021-07-14 08:35:25 +02:00
Florian Roth	f78b353352	PrinterNightmare rule updates	2021-07-08 14:35:51 +02:00
Florian Roth	2055f78780	refactor: make the rule more usable	2021-07-08 09:05:57 +02:00
Florian Roth	79338b2dbd	fix: title	2021-07-08 08:33:46 +02:00
Florian Roth	96ea35fd92	rule: suspicious vss ps load	2021-07-07 18:21:57 +02:00
Florian Roth	25dec8a17b	Merge pull request #1649 from leegengyu/patch-9 Update win_apt_apt29_thinktanks.yml - Links	2021-07-07 18:10:27 +02:00
Florian Roth	c3c152d457	Merge pull request #1652 from SigmaHQ/rule-devel refactor: changed cmdkey rule	2021-07-07 18:09:44 +02:00
$frack113$ frack113	8a96aa7855	Add 2 defense-evasion T1562.001 rules	2021-07-07 15:43:55 +02:00
Florian Roth	0c7661e8bc	refactor: changed cmdkey rule	2021-07-07 14:45:03 +02:00
G Y	1adac5b036	Update win_apt_apt29_thinktanks.yml - Links Reference links updated with grammar corrections.	2021-07-07 20:21:41 +08:00
Florian Roth	792f234872	Merge pull request #1636 from leegengyu/patch-6 powershell_data_compressed.yml - Update selection	2021-07-07 10:12:52 +02:00
Florian Roth	2e15742a37	Merge pull request #1637 from frack113/fix_win_rdp_reverse_tunnel.yml win_rdp_reverse_tunnel.yml fix invalid field name	2021-07-07 10:12:16 +02:00
Florian Roth	6e00745288	Merge pull request #1638 from frack113/fix_win_external_device.yml win_external_device.yml fix invalid field name	2021-07-07 10:12:04 +02:00
Florian Roth	bd0628240c	Merge pull request #1639 from frack113/fix_win_possible_dc_shadow.yml fix invalid field EventID 5136	2021-07-07 10:11:51 +02:00
Florian Roth	ad36a03622	Merge pull request #1640 from frack113/fix_win_susp_local_anon_logon_created.yml win_susp_local_anon_logon_created.yml fix invalid case SamAccountName	2021-07-07 10:11:36 +02:00
Florian Roth	dc2377be13	Merge pull request #1644 from leegengyu/patch-7 Update win_admin_rdp_login.yml - Fix Field Name & Value	2021-07-07 10:04:02 +02:00
Florian Roth	0573097696	Merge pull request #1645 from leegengyu/patch-8 Update win_mal_service_installs.yml - Corrected logsource	2021-07-07 10:03:48 +02:00
$frack113$ frack113	bb970de5b7	fix invalid fields name	2021-07-07 09:05:00 +02:00
G Y	6b63a309da	Update win_mal_service_installs.yml - Corrected logsource Fix mistake (incorrect logsource for event ID 4697) in #1629.	2021-07-07 10:33:26 +08:00
G Y	eece2850a7	Update win_admin_rdp_login.yml - Fix Field Name 1. Field name changed to `TargetUserName`. Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 2. Value changed from `Admin-` to `Admin`.	2021-07-07 09:43:55 +08:00
$frack113$ frack113	9cf1d3d5f3	fix invalid case SamAccountName	2021-07-06 15:43:07 +02:00
$frack113$ frack113	bbf908835e	fix invalid field EventID 5136	2021-07-06 15:25:32 +02:00
leegengyu	3594b10d74	Insert modified date	2021-07-06 20:56:31 +08:00
G Y	c5d2a55f6d	powershell_data_compressed.yml - Update selection Changed to ScriptBlockText (due to PowerShell logging-specific context).	2021-07-06 20:36:38 +08:00
Florian Roth	bcf2bf2e4d	Merge pull request #1635 from frack113/fix_win_susp_failed_logons_single_source_kerberos Fix invalid field name	2021-07-06 14:35:06 +02:00
$frack113$ frack113	b0c9bc1d2d	fix invalid field name EventID 6416	2021-07-06 14:27:29 +02:00
$frack113$ frack113	fca3c72087	fix invalid field name	2021-07-06 14:16:01 +02:00
Florian Roth	ff0f1a0222	Merge pull request #1633 from leegengyu/art_convert_yaml_to_md Convert ART reference links from .yaml to .md	2021-07-06 13:39:37 +02:00

1 2 3 4 5 ...

3894 Commits