Commit Graph

4254 Commits

Author SHA1 Message Date
Max Altgelt
d2a35edae9
fix: Remove powershell_alternate_hosts from PR
Remove a rule using Host Application (which may or may not exist,
based on the log parser) from the PR. A future PR will clean up
rules using Host Application.
2021-08-16 08:42:17 +02:00
frack113
c3457c9911 fix titles 2021-08-15 19:05:00 +02:00
frack113
245cb6d510 fix more errors 2021-08-15 18:55:44 +02:00
frack113
12396f615c remove duplicate rule and fix errors 2021-08-15 16:52:24 +02:00
frack113
a75859a976 First commit 2021-08-15 16:00:14 +02:00
frack113
db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113
e45557316e Fix selection with only 1 element 2021-08-14 09:54:27 +02:00
Max Altgelt
ce326cb903
fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00
phantinuss
246ba0c17f
generalise amsi bypass rule to CobaltStrike BOF injection pattern
generalise to CobaltStrike BOF injection pattern
2021-08-13 15:34:01 +02:00
frack113
1b480f2ee6
Merge pull request #1819 from frack113/split_1802_builtin
Correct lists with only 1 value
2021-08-13 12:43:26 +02:00
frack113
5e42187062 remove change for Message rule 2021-08-13 11:01:33 +02:00
Max Altgelt
e1ef8f4055
fix: Rewrite another message rule
Rewrites another message rule. This one is a bit more complex
since a bitmap is used and the string representation is not
available.
2021-08-13 10:28:34 +02:00
frack113
62e541ec7f
Merge pull request #1784 from frack113/winlogbeat-modules-enabled
Update Mapping Winlogbeat modules enabled
2021-08-12 19:14:17 +02:00
Max Altgelt
6f05e33feb
fix: Correct incorrect message / keyword usage
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
Florian Roth
62c9468180
Merge pull request #1832 from SigmaHQ/rule-devel
Whoami Refactoring
2021-08-12 14:28:28 +02:00
Florian Roth
d9d543e545
refactor: removed OriginalFileName from rule to improve compatibility 2021-08-12 13:28:24 +02:00
Florian Roth
34d70de084
rule: whoami anomalies 2021-08-12 13:28:00 +02:00
Florian Roth
bd0a2a1b9f
rule: renamed whoami 2021-08-12 13:27:51 +02:00
Florian Roth
418a0bbf7e
Merge pull request #1827 from phantinuss/master
2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
2021-08-12 11:41:50 +02:00
Florian Roth
6ed62b431e
Merge pull request #1830 from SigmaHQ/rule-devel
SystemNightmare and Typo
2021-08-12 11:41:16 +02:00
Florian Roth
08883c8e32
refactor: removed old rule that uses Message field
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
2021-08-12 09:27:50 +02:00
phantinuss
a880663d51
fix: add missing 'all of' for 'and' conjunction of the assignment keywords 2021-08-11 17:46:10 +02:00
phantinuss
1c919c07c7
exchange mailbox export with generic keyword search (Message is not a real field) 2021-08-11 16:57:15 +02:00
Florian Roth
c8d481fd83
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-11 10:10:32 +02:00
Florian Roth
c1f9c33730
rule: SystemNightmare 2021-08-11 10:10:30 +02:00
Florian Roth
d9d1e2c578
Merge pull request #1823 from SigmaHQ/rule-devel
rule: ProxyLogon rule for MS Exchange
2021-08-11 09:43:41 +02:00
phantinuss
62eca463ac
new rule LittleCorporal generated maldoc process injection 2021-08-11 09:25:23 +02:00
frack113
63ead346e8
fix modified value 2021-08-10 19:09:34 +02:00
Florian Roth
73a4bd74dc
fix: FPs script exec from temp 2021-08-10 17:10:46 +02:00
frack113
6d869feb43
update modified 2021-08-10 15:12:45 +02:00
Jon Galarneau
1544a351a3
Correcting regex in win_modif_of_services_for_via_commandline.yml
The ^ symbol designates the beginning of the string, but in this rule it is clearly intended to be the end of the string.
2021-08-10 08:29:39 -04:00
Florian Roth
17c6fc7038
rule: ProxyLogon rule for MS Exchange 2021-08-10 09:16:30 +02:00
Florian Roth
17fb418271
Merge pull request #1817 from SigmaHQ/rule-devel
rules: ProxyShell refactoring and new rule
2021-08-10 08:18:32 +02:00
frack113
78e0e570dd Split PR 1802 builtin net rules 2021-08-09 20:23:35 +02:00
Florian Roth
dbf8aecd83
fix: typo in cmdlet name 2021-08-09 18:05:51 +02:00
Florian Roth
a9ad4eda4a
rules: ProxyShell refactoring and new rule 2021-08-09 17:57:34 +02:00
frack113
dd2aa8706d
Merge pull request #1786 from j91321/anydesk
Silent installation of AnyDesk (Conti)
2021-08-09 08:57:32 +02:00
frack113
bacb44ab97
Merge pull request #1780 from Sam0x90/master
Adding detection rule for esentutl utility
2021-08-07 16:23:45 +02:00
frack113
f75f8fabab
fix file name 2021-08-07 15:54:43 +02:00
frack113
07d21c58e8
Update process_susp_esentutl_params.yaml 2021-08-07 15:49:25 +02:00
frack113
89ee63f63b
Merge pull request #1791 from SigmaHQ/rule-devel
More rules - including the ones for ProxyShell
2021-08-07 11:49:16 +02:00
Florian Roth
9be9e4a24f
fix: more changes to incomplete windivert rule 2021-08-07 11:22:44 +02:00
Florian Roth
88a721a1ab
docs: add space in title 2021-08-07 10:13:05 +02:00
Florian Roth
1dcf25878c
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-07 10:10:48 +02:00
Florian Roth
0a8904a61e
fix: issues with new rule 2021-08-07 10:10:12 +02:00
frack113
5f89a29ea7
fix file name 2021-08-07 10:01:23 +02:00
Florian Roth
1ac49a2055
rule: ProxyShell patterns 2021-08-07 09:22:24 +02:00
Florian Roth
c0360cd1ca
change name and line breaks 2021-08-06 18:53:08 +02:00
Florian Roth
7de55075f7
fix: condition 2021-08-06 18:45:38 +02:00
Florian Roth
d69e2333c8
various fixes 2021-08-06 18:44:54 +02:00
Florian Roth
e02b85dc99
'--start-with-win' is pretty specific 2021-08-06 18:41:14 +02:00
Ján Trenčanský
2f3b48c347
Fix title 2021-08-06 14:18:30 +02:00
Ján Trenčanský
516e1ade6d
Silent installation of AnyDesk 2021-08-06 14:06:35 +02:00
frack113
f4bef0fc39 Add Microsoft-Windows-Windows Defender/Operational 2021-08-06 11:12:34 +02:00
frack113
cf8d8d3ed4 fix TargetFilename case error 2021-08-06 08:43:05 +02:00
Sam0x90
96911e55b9
Adding detection rule for esentutl utility
Used by Conti affiliates to target NTDS file and MSEdge info
2021-08-06 00:55:57 +04:00
Florian Roth
eb247704fe
Merge pull request #1761 from d4rk-d4nph3/master
Added rule for Cabinet file expansion and Pypykatz
2021-08-05 15:50:12 +02:00
Florian Roth
c44b22b52f
Merge pull request #1762 from frack113/redcanary_collection
[OSCD] Redcanary TA0009 collection
2021-08-05 15:49:10 +02:00
Florian Roth
83505351bc
Merge pull request #1764 from frack113/fix_product
fix product sysmon_apt_sourgrum.yml
2021-08-05 15:48:35 +02:00
Florian Roth
448868302d
Merge pull request #1767 from frack113/redcanary_t1497_001
[OSCD] Detect Virtualization Environment (Windows) T1497.001
2021-08-05 15:47:37 +02:00
Florian Roth
3634901bf1
Update poweshell_detect_vm_env.yml 2021-08-05 15:47:29 +02:00
Florian Roth
6a11190e79
Merge pull request #1769 from frack113/fix_powershell_400
Cleanup eventid 400 powershell-classic
2021-08-05 15:47:04 +02:00
Florian Roth
da6b5f8ec5
Merge pull request #1770 from frack113/redcanary_powershell_T1070.006
[OSCD] powershell_timestomp.yml T1070.006
2021-08-05 15:46:48 +02:00
Florian Roth
b1fb462c39
Update powershell_timestomp.yml 2021-08-05 15:46:01 +02:00
Florian Roth
9b7be5985e
Merge pull request #1773 from phantinuss/master
Two CobaltStrike BOF rules and a little fix on the local rule test script usage text
2021-08-05 15:42:47 +02:00
Florian Roth
6507e8c060
Merge pull request #1774 from frack113/fix_4104_ScriptBlockText
Clean-up Powershell EventID 4104
2021-08-05 15:42:35 +02:00
Florian Roth
52b41da731
Merge pull request #1775 from austinsonger/sysmon_disabled_pua_protection_on_microsoft_defender.yml
Create sysmon_disabled_pua_protection_on_microsoft_defender.yml
2021-08-05 15:42:17 +02:00
Florian Roth
c05dacb1f0
Merge pull request #1776 from austinsonger/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
sysmon_disabled_tamper_protection_on_microsoft_defender.yml
2021-08-05 15:41:54 +02:00
Austin Songer
483dacb209
Create sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml 2021-08-04 19:11:00 -05:00
Austin Songer
ff7fb4e4d2
Create sysmon_disabled_tamper_protection_on_microsoft_defender.yml 2021-08-04 19:08:10 -05:00
Austin Songer
6a2663a3ae
Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 17:00:34 -05:00
Austin Songer
8d195bf5d5
Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 13:11:31 -05:00
Austin Songer
bae075713c
Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 13:10:37 -05:00
Austin Songer
f89ba18c5d
Create sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 11:27:41 -05:00
phantinuss
882ea7ec22
fix: remove unnecessary single value list 2021-08-04 15:50:39 +02:00
frack113
f040725dd8 fix EventID: 4104 ScriptBlockText 2021-08-04 14:49:50 +02:00
phantinuss
994701bd8e
CobaltStrike injected AMSI bypass 2021-08-04 11:28:58 +02:00
frack113
644fe80786 add powershell_timestomp.yml 2021-08-03 16:01:54 +02:00
Bhabesh Rai
85b88c7646 Added rule for pypykatz 2021-08-03 15:06:27 +05:45
frack113
b5e4b04cb5 fix eventid 400 powershell-classic 2021-08-03 10:04:15 +02:00
frack113
0efe69bd36 add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00
Florian Roth
97d2dc89a8
fix: order of modifiers 2021-08-02 00:25:09 +02:00
Florian Roth
bda207660d
refactor: modified CobaltStrike service install rule 2021-07-31 12:51:42 +02:00
Florian Roth
a04aa6ac49
rule: ADCSPwn 2021-07-31 10:18:21 +02:00
Florian Roth
6cd2e26fa0
rule: WinDivert driver load 2021-07-30 16:54:29 +02:00
frack113
f9aff7d403 fix product sysmon_apt_sourgrum.yml 2021-07-30 16:02:38 +02:00
Bhabesh Rai
1f0d4ca3dc Merge branch 'master' of https://github.com/d4rk-d4nph3/sigma into master 2021-07-30 12:36:21 +05:45
Bhabesh Rai
9131ed6db5 Added rule for Cabinet file expansion 2021-07-30 12:36:05 +05:45
frack113
ccaffc79f7 update ref win_susp_psr_capture_screenshots.yml 2021-07-30 08:40:21 +02:00
frack113
dfa28944d0 update ref in sysmon_creation_mavinject_dll.yml 2021-07-30 08:31:37 +02:00
frack113
e33ec91b9a add powershell_keylogging.yml 2021-07-30 08:28:19 +02:00
Florian Roth
ab16490d33
fix: re CS rule 2021-07-30 08:24:41 +02:00
frack113
38ede57cb4 add powershell_suspicious_recon.yml 2021-07-30 08:20:51 +02:00
frack113
eff6b50a89 add process_creation_susp_recon.yml 2021-07-30 08:15:13 +02:00
Florian Roth
096395a49a
fix: one condition style error 2021-07-30 07:19:42 +02:00
Florian Roth
0cbb6f82ad
CobaltStrike NamedPipe Patterns
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
2021-07-30 07:11:11 +02:00
Florian Roth
ec9c15226f
SeriousSAM PowerShell rule 2021-07-29 18:12:10 +02:00
Florian Roth
5ce5465559
Merge pull request #1755 from SigmaHQ/rule-devel
Different rule updates
2021-07-28 18:56:28 +02:00
Florian Roth
77c8225db3
Merge pull request #1745 from frack113/redcanary_t1115
[OSCD] process_creation_clip.yml t1115
2021-07-28 16:24:15 +02:00
Florian Roth
f57f5931ed
Merge pull request #1746 from frack113/tune_sysmon_office_vsto_persistence.yml
Tune sysmon_office_vsto_persistence.yml
2021-07-28 16:23:49 +02:00
Florian Roth
59a93ef964
Merge pull request #1747 from frack113/tune_sysmon_taskcache_entry.yml
Tune sysmon_taskcache_entry.yml
2021-07-28 16:23:38 +02:00
Florian Roth
c3eced4ae7
Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml
update win_susp_rar_flags.yml
2021-07-28 16:23:14 +02:00
Florian Roth
dc4380d459
Merge pull request #1750 from frack113/redcanary_t1560.001_winzip
[OSCD] Redcanary t1560.001 winzip
2021-07-28 16:22:48 +02:00
Florian Roth
321a15d004
Merge pull request #1751 from frack113/redcanary_t1560.001_7zip
[OSCD] Redcanary t1560.001 7z
2021-07-28 16:22:31 +02:00
Florian Roth
6d5e695cd1
Merge pull request #1753 from frack113/redcanary_t1119
Redcanary t1119
2021-07-28 16:21:40 +02:00
Florian Roth
7f820c7b29
rule updates 2021-07-28 16:20:21 +02:00
phantinuss
9833cc34e5
direct syscall to NtOpenProcess 2021-07-28 15:14:30 +02:00
Florian Roth
aefd50f049
fix: avoid FPs with HTool string 2021-07-28 14:23:54 +02:00
frack113
2758c1aa93 add powershell_automated_collection.yml 2021-07-28 14:14:02 +02:00
frack113
8a885dd098 add process_creation_automated_collection.yml 2021-07-28 13:17:40 +02:00
Florian Roth
87a911a15e
Update process_creation_susp_7z.yml 2021-07-27 16:02:09 +02:00
Florian Roth
428995d00e
Update process_creation_susp_7z.yml 2021-07-27 15:24:39 +02:00
Florian Roth
c31bc05aae
Update process_creation_susp_7z.yml 2021-07-27 15:22:44 +02:00
frack113
54e6e36ecc add process_creation_susp_7z.yml 2021-07-27 12:54:39 +02:00
Florian Roth
ee85fdfa3f
Merge pull request #1749 from SigmaHQ/rule-devel
CobaltStrike Process Patterns and minor fixes
2021-07-27 12:52:22 +02:00
Florian Roth
5d039dd138 rule: Cobalt Strike patterns 2021-07-27 11:24:40 +02:00
frack113
ea56db2bed forget date field 2021-07-27 11:09:35 +02:00
frack113
227e4bca13 add process_creation_susp_winzip.yml 2021-07-27 10:57:32 +02:00
frack113
8b82fbf36b update detection 2021-07-27 10:34:46 +02:00
Florian Roth
90ca1a8ad2
fix: bug in author field (cannot be a list) 2021-07-27 10:14:53 +02:00
Florian Roth
1a538371c9
fix: bug in author field (not list) 2021-07-27 10:14:03 +02:00
frack113
7287a46f2f Tune false positive 2021-07-27 10:05:57 +02:00
frack113
f3bcffeb0a Tune false positive 2021-07-27 09:58:00 +02:00
frack113
8aa79b9d86 add process_creation_clip.yml 2021-07-27 08:50:03 +02:00
Florian Roth
9f27ab5426
Merge pull request #1738 from JohnLaTwC/patch-4
cover evasions from unicode substitutions
2021-07-27 08:05:48 +02:00
Florian Roth
e49f4c86b6
Merge pull request #1726 from austinsonger/aws_route_53_domain_transferred_to_another_account.yml
Aws route 53 domain transferred to another account.yml
2021-07-27 08:02:27 +02:00
Florian Roth
21c4d241a1 HiveNightmare and Relay attack tools adjustments 2021-07-26 10:59:35 +02:00
John Lambert
2b57f95e72
Update win_grabbing_sensitive_hives_via_reg.yml 2021-07-24 18:17:27 -05:00
John Lambert
da6e747547
cover evasions from unicode substitutions
Add variations to cover unicode substitutions to avoid evasion.

> Unicode contains a range for Spacing Modifier Letters (0x02B0 - 0x02FF) [4], which includes characters such as ˪, ˣ and ˢ. Some command-line parsers recognise these as letters and convert them back to l, x and s respectively. 

See (https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation) by @Wietze
2021-07-24 10:33:15 -05:00
Florian Roth
7cacc57313
Merge pull request #1733 from SigmaHQ/rule-devel
New hive file pattern for C# version of HiveNightmare
2021-07-24 16:41:51 +02:00
Florian Roth
9771943116 refactor: new file pattern SeriousSAM 2021-07-24 16:13:36 +02:00
Florian Roth
ae80f747ae fix: adding experimental status 2021-07-24 12:34:33 +02:00
Florian Roth
a090feecf5
Merge pull request #1732 from SigmaHQ/rule-devel
Relay attack tools and impacket binaries
2021-07-24 12:33:48 +02:00
Florian Roth
c0bc51e849
Merge pull request #1731 from frack113/more_check
Update test_rules.py
2021-07-24 11:10:00 +02:00
Florian Roth
3eb37c014c rule: Impacket tools and Relay attack tools 2021-07-24 11:08:35 +02:00
Florian Roth
07223baaeb fix: typo in date value 2021-07-24 10:22:07 +02:00
frack113
ffcd3a2112 Add test_optional_related test_optional_fields test_optional_falsepositives 2021-07-24 09:41:04 +02:00
Florian Roth
772cf4f5e4
Merge pull request #1730 from SigmaHQ/rule-devel
fix: avoid false positives with MSF psexec rule
2021-07-23 19:49:45 +02:00
Florian Roth
880a87ce91 fix: avoid false positives with MSF psexec rule 2021-07-23 18:33:38 +02:00
Florian Roth
7ede42f78d
Merge pull request #1729 from SigmaHQ/rule-devel
add additional filename pattern to HiveNightmare rule
2021-07-23 10:40:33 +02:00
Florian Roth
c0138d5ced add additional filename pattern to HiveNightmare rule 2021-07-23 10:39:41 +02:00
Florian Roth
fa344987c0
Merge pull request #1703 from hieuttmmo/master
Suspicious behaviours related to SOURGUM
2021-07-23 10:32:25 +02:00
Florian Roth
7c42a9d6cb
Merge pull request #1728 from SigmaHQ/rule-devel
HiveNightmare file creation, other rule improvements
2021-07-23 10:21:35 +02:00
Tran Trung Hieu
77b4a37916 Update the references 2021-07-23 14:58:51 +07:00
Florian Roth
38b9e942c1
Merge pull request #1724 from austinsonger/master
sysmon_dns_over_https_enabled.yml
2021-07-23 09:52:24 +02:00
Florian Roth
5b95ef0872
Merge pull request #1725 from frack113/add_new_test
Add check for status and level
2021-07-23 09:51:37 +02:00
Florian Roth
cc8899ea62
Merge pull request #1717 from frack113/netcat
[OSCD] sysmon_netcat_execution.yml T1095
2021-07-23 09:51:23 +02:00
Florian Roth
d00ca03cb6
increased level to high 2021-07-23 09:51:00 +02:00
Florian Roth
5955efa750 adjusted timestamp 2021-07-23 09:45:50 +02:00
Florian Roth
d9dc442f4e rule: HiveNightmare 2021-07-23 09:41:00 +02:00