Iveco
61b9234d7f
Update win_user_driver_loaded.yml
...
removed internal field
2020-04-09 11:28:19 +02:00
Iveco
e913db0dca
Update win_user_driver_loaded.yml
...
CI
2020-04-08 18:54:59 +02:00
Iveco
c5211eb94a
Update sysmon_susp_service_installed.yml
...
CI
2020-04-08 18:54:46 +02:00
Iveco
4520082ef7
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
CI
2020-04-08 18:54:37 +02:00
Iveco
6d85650390
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
Fixed Author
2020-04-08 18:41:33 +02:00
Iveco
fc1febdebe
Update sysmon_susp_service_installed.yml
...
Fixed Author
2020-04-08 18:41:25 +02:00
Iveco
d0746b50f4
Update win_user_driver_loaded.yml
...
Fixed author
2020-04-08 18:41:16 +02:00
Iveco
3280a1dfb0
Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
...
Fixed CI
2020-04-08 18:23:29 +02:00
Iveco
5e724a0a54
Update sysmon_susp_service_installed.yml
...
Fixed CI
2020-04-08 18:22:51 +02:00
Iveco
d1b9c0c34a
Update win_user_driver_loaded.yml
...
Fixed CI
2020-04-08 18:21:59 +02:00
iveco
e87f2705a7
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
2020-04-08 18:01:04 +02:00
Florian Roth
f50767c400
Merge pull request #703 from 0xThiebaut/downgrade
...
Update the NTLM downgrade registry paths
2020-04-07 18:13:29 +02:00
Maxime Thiebaut
73a6428345
Update the NTLM downgrade registry paths
...
Recent Windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additional wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
Thomas Patzke
693830fa83
Merge pull request 659
2020-04-03 23:46:53 +02:00
Florian Roth
2a579a0a1b
Merge pull request #699 from mpavlunin/patch-2
...
Create new rule T1223
2020-04-03 19:32:50 +02:00
Florian Roth
4e3985866b
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml
2020-04-03 16:50:48 +02:00
mpavlunin
81d0f82272
Create new rule T1223
...
Suspicious Compiled HTML File
2020-04-03 16:56:26 +03:00
Florian Roth
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master
...
New sigma rules to detect new MITRE technique in last update (T1502)
2020-04-03 09:59:36 +02:00
Florian Roth
f4928e95bc
Update powershell_suspicious_profile_create.yml
2020-04-03 09:36:17 +02:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
...
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Florian Roth
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1
...
Typo fix for powershell_suspicious_invocation_generic.yml
2020-04-03 09:30:32 +02:00
Florian Roth
aa73c39a35
Merge pull request #692 from Neo23x0/ci-deploy
...
PyPI deployment via GitHub Actions
2020-04-03 09:29:49 +02:00
Florian Roth
eef8531a72
Merge pull request #697 from refractionPOINT/lc-remove-timeframe
...
Remove generation of LC rules with timeframe.
2020-04-03 09:29:12 +02:00
Maxime Lamothe-Brassard
f92c5e9b18
Remove generation of LC rules with timeframe.
2020-04-02 15:25:30 -07:00
Florian Roth
ee7babd8cb
fix: security vulnerability with pyyaml < 4.2b1
2020-04-02 12:27:53 +02:00
Florian Roth
dec0c108f9
Merge pull request #683 from NVISO-BE/powershell_wmimplant
...
WMImplant detection rule
2020-04-02 11:54:09 +02:00
Florian Roth
1196f8d60f
Merge pull request #695 from cobsec/master
...
Date typos
2020-04-02 10:20:18 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo.
2020-04-02 09:53:09 +02:00
Thomas Patzke
0db3bbb097
Merge pull request #693 from Neo23x0/dependabot/pip/pyyaml-5.1
...
Bump pyyaml from 3.13 to 5.1
2020-04-01 23:25:57 +02:00
Florian Roth
af49c24419
Merge pull request #694 from cobsec/master
...
Fixed date typo - by the looks of the commit date the month/date were…
2020-04-01 18:28:14 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped.
2020-04-01 18:18:13 +02:00
dependabot[bot]
c9c73bec3f
Bump pyyaml from 3.13 to 5.1
...
Bumps [pyyaml](https://github.com/yaml/pyyaml) from 3.13 to 5.1.
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES)
- [Commits](https://github.com/yaml/pyyaml/compare/3.13...5.1)
Signed-off-by: dependabot[bot] <support@github.com>
2020-03-31 20:40:52 +00:00
Thomas Patzke
2bda0e097f
Merge pull request #691 from Neo23x0/cleanup
...
Cleanup
2020-03-31 22:37:04 +02:00
Thomas Patzke
8c69c7bb02
PyPI deployment via GitHub Actions
2020-03-31 22:36:16 +02:00
Florian Roth
8e39b09ba5
Merge pull request #690 from cnotin/patch-1
...
Small typo
2020-03-31 16:27:21 +02:00
Clément Notin
18cdddb09e
Small typo
2020-03-31 15:22:00 +02:00
Florian Roth
6a70bdb126
Merge pull request #689 from 0xThiebaut/win_ad_enumeration
...
Add AD User Enumeration
2020-03-31 10:56:48 +02:00
Maxime Thiebaut
8dcbfd9aca
Add AD User Enumeration
...
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.
This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.
Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as a high/critical
one if flagged on non-used canary user accounts.
False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
Remco Hofman
b791d599ee
Disabled keywords that could cause FPs
2020-03-30 08:53:52 +02:00
Thomas Patzke
d33f4b290d
Dependency cleanup
...
* Consolidated dependencies into main and development (MISP and test
integrated).
* Split Pipfile dependencies into main and development
* Specified compatible dependencies
2020-03-29 22:55:09 +02:00
Thomas Patzke
38a5fe3a29
Removed Travis CI configuration
2020-03-29 22:20:04 +02:00
Florian Roth
f2a2420e24
Merge pull request #687 from Neo23x0/ci-testing
...
Ci testing
2020-03-29 17:25:28 +02:00
Thomas Patzke
4dbe5e2f17
Moved Elasticsearch dependencies to generic dependencies
...
Omitting waiting for Elasticsearch as it should be started at this time.
2020-03-29 15:19:13 +02:00
Thomas Patzke
5e258efbe7
Improved Elasticsearch waiting process
2020-03-29 14:57:34 +02:00
Thomas Patzke
d68b900077
Wait for Elasticsearch before running tests
2020-03-29 14:37:27 +02:00
Thomas Patzke
821a631325
Run Elasticsearch installation as root
2020-03-29 14:00:15 +02:00
Thomas Patzke
fbe40bd1e8
Fixed Elasticsearch test
...
* Split into separate action
* Install dependencies
2020-03-29 13:41:03 +02:00
Thomas Patzke
d24c1e2800
CI testing with GitHub Actions
2020-03-29 13:25:04 +02:00
teddy-ROxPin
1a3731f7ae
Typo fix for powershell_suspicious_invocation_generic.yml
...
' - windowstyle hidden ' changed to ' -windowstyle hidden '
2020-03-29 04:16:15 -06:00