valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,622 Commits 20 Branches 25 Tags 21 MiB
6234f72a6c
Commit Graph

2622 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Antonlovesdnb
6234f72a6c
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-19 14:52:09 -05:00
Antonlovesdnb
328858279f
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-19 14:51:50 -05:00
Antonlovesdnb
1f01fe446f
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-19 14:51:22 -05:00
Antonlovesdnb
6d0805ac13
Update sysmon_susp_winword_vbadll_load.yml 2020-02-19 14:51:00 -05:00
Antonlovesdnb
1e461cb2d1
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-19 14:50:31 -05:00
Antonlovesdnb
56ffa9ec0e
Update sysmon_registry_trust_record_modification.yml 2020-02-19 14:50:09 -05:00
Antonlovesdnb
397cdecb94
5 Rules covering various macro techniques 
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product
 2020-02-19 14:43:13 -05:00
Antonlovesdnb
f8be92dae0
Add files via upload 2020-02-19 10:13:44 -05:00
Florian Roth
a9403b70d5
Merge pull request #623 from Neo23x0/devel 
fix: fixing too restrictive rule
 2020-02-18 11:14:51 +01:00
Florian Roth
6413730810 fix: fixing too restrictive rule 
https://twitter.com/Hexacorn/status/1229702521679118336
 2020-02-18 10:43:22 +01:00
Florian Roth
f7a6ffa121
Merge pull request #622 from Neo23x0/devel 
Minor changes, process dump via rundll32 comsvcs.dll
 2020-02-18 10:26:28 +01:00
Florian Roth
04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth
5a4095f13f fix: restored GPL 2020-02-18 10:06:00 +01:00
Florian Roth
cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
Florian Roth
2363213fc9
add TimeSketch to list of products that use Sigma 2020-02-17 08:41:23 +01:00
Florian Roth
eb36150e6b rule: UserAgent used by PowerTon malware 2020-02-15 19:06:49 +01:00
Florian Roth
d909fefa82
Merge pull request #620 from james0d0a/master 
rule: Zeek Suspicious kerberos network traffic RC4
 2020-02-13 09:34:06 +01:00
Florian Roth
94bb7dd77f
fix: issues 2020-02-13 09:17:21 +01:00
Florian Roth
983f7fcd39
Merge pull request #618 from faloker/master 
More rules for AWS events
 2020-02-13 09:15:04 +01:00
james dickenson
21e4aa33dc rule modification: fixed filter condition on zeek suspicious rc4 traffic 2020-02-12 21:27:36 -08:00
james dickenson
1347e5060f logsource config for zeek events in splunk 2020-02-12 21:24:03 -08:00
james dickenson
93367d725d rule: zeek suspicious kerberos RC4 traffic 2020-02-12 21:21:46 -08:00
faloker
6d9c8e44d7
Update rules titles 2020-02-12 23:09:16 +02:00
faloker
1b15dba712
Correct the indentation 2020-02-12 22:48:46 +02:00
faloker
f387cf0c37
Add the rule to detect changes to startup scripts 2020-02-12 22:23:18 +02:00
faloker
01d2f9f99d
Add the rule to detect backdooring of users keys 2020-02-12 22:22:38 +02:00
faloker
b26c5d8c51
Add rules to detect AWS RDS exfiltration 2020-02-12 22:21:52 +02:00
faloker
ddf5f8ec23
Update conditions 2020-02-12 22:20:15 +02:00
faloker
aacab37f84
Add a rule for guardduty trusted IPs manipulation 2020-02-11 23:28:23 +02:00
faloker
b6c834195e
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00
Florian Roth
7a5587f14d
Merge pull request #616 from Neo23x0/devel 
rule: remove keywords in powershell rule prone to FPs
 2020-02-11 16:43:01 +01:00
Florian Roth
a4c210ed16 rule: remove keywords in powershell rule prone to FPs 2020-02-11 16:26:17 +01:00
Florian Roth
bf98d286f9
Merge pull request #615 from Neo23x0/devel 
fix: dumpert rule with wrong sysmon event id
 2020-02-08 20:03:28 +01:00
Florian Roth
d9645af840 rule: added Emotet UA 
https://twitter.com/webbthewombat/status/1225827092132179968
 2020-02-08 10:37:56 +01:00
Florian Roth
880a0b5593
Merge pull request #614 from timbMSFT/gallium_vpn 
additional gallium ttp
 2020-02-07 17:56:09 +01:00
Florian Roth
080532d20c
logsource change 
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
 2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC)
f70f847524 additional gallium ttp 
sha1 process creation only makes sense for sysmon
 2020-02-07 14:08:40 +00:00
Florian Roth
be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Florian Roth
1a80b180fd
Merge pull request #613 from Neo23x0/devel 
rule: dumpert process dump tool
 2020-02-04 23:07:07 +01:00
Florian Roth
10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth
1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth
535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth
8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
Thomas Patzke
1bc2c0b930 Deduplication of backend list 
Fixes issue #609. Added backend list debug output (class name).
 2020-02-03 22:16:00 +01:00
Thomas Patzke
666542ae7f Added colorama to Pipfile 2020-02-03 22:15:27 +01:00
Florian Roth
016d726d4e
fix: bug in formatting 2020-02-02 11:31:39 +01:00
Florian Roth
dcc7d03c37
docs: better description 2020-02-02 11:31:22 +01:00
Florian Roth
296cf6aa08
fix: fixed examples and added a new one 2020-02-02 09:27:56 +01:00
Florian Roth
68b34467a8
Merge pull request #608 from yt0ng/development 
additional execution observed
 2020-02-02 08:37:59 +01:00