Commit Graph

202 Commits

Author SHA1 Message Date
Florian Roth
b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth
adbdb5b22f
Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Florian Roth
8aabb58eca
Merge pull request #1498 from w0rk3r/otrf
Update broken OTRF Threat Hunter Playbook References
2021-05-26 13:06:16 +02:00
frack113
3717c68bb7 fix typo of level 2021-05-24 10:45:58 +02:00
Jonhnathan
687f2d67fc
Update Threat Hunter Playbook Reference 2021-05-22 01:09:30 -03:00
frack113
cabaccceb8 Fix falsepositives list 2021-05-21 11:15:10 +02:00
frack113
dfe7e4e38c Fix falsepositives list 2021-05-21 11:12:04 +02:00
frack113
70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113
026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
phantinuss
da533c7425
fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss
254a3bb122
new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
Florian Roth
0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
SomeOne
4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne
80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
Steven
d263b937b4 Clean up service: sysmon, as it will be replaced by filling in the category 2021-04-15 02:02:25 +02:00
Steven
7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
2021-04-15 01:40:31 +02:00
Roberto Rodriguez
db0e969121 HybridConnectionMgr Service Activity 2021-04-12 16:26:15 -04:00
Thomas Patzke
3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke
a10db2df89 Fixes&improvements 2021-04-08 01:06:40 +02:00
Thomas Patzke
90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov
d7ef865bb9 Merge remote-tracking branch 'upstream/master' and fix conflicts 2021-03-07 23:36:13 +03:00
Florian Roth
2b5f9f994f
Merge pull request #1376 from SigmaHQ/rule-devel
UNC2452 rules - GoldMax, GoldFinder, Sibot
2021-03-05 18:17:20 +01:00
Florian Roth
b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth
c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
2021-03-05 11:54:35 +01:00
Anton Kutepov
3f45269296 Merge branch 'oscd'
B
B
B
B
A
2021-03-02 22:58:41 +03:00
Florian Roth
b65dbee01f
Merge pull request #1366 from Neo23x0/rule-devel
rule: SilentProcessExit monitors
2021-02-26 18:09:44 +01:00
Florian Roth
ba7c7409a3 fix: typo in modified 2021-02-26 17:48:50 +01:00
Florian Roth
79acbbef9f rule: SilentProcessExit monitors 2021-02-26 17:35:42 +01:00
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Bhabesh Rai
93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
yugoslavskiy
29fe6e46d8
Merge pull request #1211 from zipa-original/win_persistence_telemetry
[OSCD] Added a rule to detect abuse of Windows telemetry for persistence
2021-01-06 00:20:51 +03:00
yugoslavskiy
6f2e8c56b2
Merge pull request #1182 from nsaddler/lolbas80
[OSCD] LOLBAS wab.yml
2021-01-06 00:16:53 +03:00
yugoslavskiy
46eb01f3c5
Merge pull request #1164 from GlebSukhodolskiy/oscd_reg
[OSCD] Modified Rule "Autorun Keys Modification"
2021-01-06 00:11:58 +03:00
yugoslavskiy
319ebd158c
Merge pull request #1155 from sn0w0tter/oscd2
[OSCD] LOLBAS atbroker suspicious creation of ATs
2021-01-06 00:11:13 +03:00
yugoslavskiy
39991a8ab6
Merge pull request #1106 from stvetro/2020
[OSCD] Suspicious ftp.exe usage (LOLBin)
2021-01-05 23:13:03 +03:00
yugoslavskiy
c7e9522f29
Merge pull request #1077 from uchakin/oscd
[OSCD] UAC bypass added
2021-01-05 23:06:24 +03:00
yugoslavskiy
87e5e5a7fc
Merge pull request #1069 from nsaddler/oscd3
[OSCD] Powershell Script Installed as a Service Rule added
2021-01-05 22:58:21 +03:00
Florian Roth
40e0e3bc99
Merge pull request #1193 from w0rk3r/oscd_rules_improvement
[OSCD] Windows Rules - Review for improvements on selections and logic
2020-12-31 12:10:15 +01:00
Daniel Masse
d2edf715f2 Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00
Florian Roth
f20f346a6a
Merge pull request #1264 from omkar72/sdev-1
Adding 2 rules - Conhost & office test registry persistence
2020-12-21 18:28:59 +01:00
Florian Roth
e78d7e6aee
Merge pull request #1296 from mat-gas/fix-references
fix "references" field + add test for references in plural form
2020-12-21 18:25:35 +01:00
OG
70fb078a56
Update sysmon_office_test_regadd.yml 2020-11-29 18:02:37 +05:30
Jonhnathan
a9fde0117b
Merge branch 'oscd' into oscd_rules_improvement 2020-11-28 14:52:31 -03:00
yugoslavskiy
5196926d60
Update sysmon_stickykey_like_backdoor.yml 2020-11-28 18:33:21 +01:00
yugoslavskiy
39c2258848
Update sysmon_registry_persistence_search_order.yml 2020-11-28 18:30:41 +01:00
Jonhnathan
95eb7424aa
Update sysmon_susp_run_key_img_folder.yml 2020-11-28 13:54:59 -03:00
Jonhnathan
f504ccc33f
Update sysmon_susp_reg_persist_explorer_run.yml 2020-11-28 13:52:36 -03:00
Jonhnathan
986800056c
Update sysmon_stickykey_like_backdoor.yml 2020-11-28 13:50:13 -03:00
Jonhnathan
ef34c94e6a
Update sysmon_registry_persistence_search_order.yml 2020-11-28 13:49:18 -03:00
Jonhnathan
06cc5049a4
Update sysmon_dns_serverlevelplugindll.yml 2020-11-28 13:46:02 -03:00
mat
b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Jonhnathan
2ba146be07
Remove additional backslash 2020-11-20 02:03:06 -03:00
Jonhnathan
493fa3d5ee
Update sysmon_susp_mic_cam_access.yml 2020-11-20 02:02:26 -03:00
Jonhnathan
9e3a612953
Remove additional backslash 2020-11-20 02:01:43 -03:00
Jonhnathan
6c88dd700e
Update sysmon_stickykey_like_backdoor.yml 2020-11-20 02:00:53 -03:00
Jonhnathan
1e640b50f9
Remove additional backslash 2020-11-20 01:58:20 -03:00
Jonhnathan
acff5ef4f9
Update sysmon_registry_persistence_key_linking.yml 2020-11-20 01:57:34 -03:00
Jonhnathan
e35b09e1a6
Remove out of context falsepositive 2020-11-20 01:55:48 -03:00
Jonhnathan
d595df2879
Fix 2020-11-20 01:53:15 -03:00
Jonhnathan
6f3daad053
Update sysmon_apt_oceanlotus_registry.yml 2020-11-20 01:51:53 -03:00
Jonhnathan
9967bd1fe5
Update sysmon_apt_oceanlotus_registry.yml 2020-11-20 01:51:01 -03:00
Jonhnathan
1af9e9ed48
Update sysmon_win_reg_persistence.yml 2020-11-20 01:47:19 -03:00
Jonhnathan
8d8c29e0fe
Update sysmon_uac_bypass_sdclt.yml 2020-11-20 01:42:17 -03:00
Jonhnathan
372f000b7f
Update sysmon_uac_bypass_eventvwr.yml 2020-11-20 01:41:20 -03:00
Jonhnathan
e8aa9a854a
Update sysmon_uac_bypass_eventvwr.yml 2020-11-20 01:40:29 -03:00
Jonhnathan
57e98e3957
Remove additional backslash 2020-11-20 01:38:57 -03:00
Jonhnathan
9cf2ea5862
Update sysmon_susp_service_installed.yml 2020-11-20 01:38:17 -03:00
Jonhnathan
1acc19a8d5
Remove additional backslash 2020-11-20 01:37:24 -03:00
v3t0
3d206b08d8 [OSCD] Added a rule to detect potential persistence using registry keys 2020-11-15 19:04:12 -05:00
yugoslavskiy
efc3f298b8
simplify syntax 2020-11-04 23:03:34 +01:00
GlebSukhodolskiy
8068487340
test trigger 2020-11-03 12:04:03 +03:00
GlebSukhodolskiy
544876951f
fixed duplication v2 2020-11-03 02:34:34 +03:00
GlebSukhodolskiy
48e46c279a
fixed duplication 2020-11-03 02:25:22 +03:00
GlebSukhodolskiy
cf8c721662
fixed optimization and references 2020-11-03 02:16:13 +03:00
GlebSukhodolskiy
e2c4af012b
Changed to placeholder usage
The query was too big to pass a test, so I changed the logic to use placeholders.
2020-11-03 00:56:42 +03:00
omkar72
86a849728d Ryuk changes 2020-10-30 13:15:11 +05:30
Roberto Rodriguez
972326f761 A few more - 7 Rules 2020-10-29 21:11:41 -04:00
omkargudhate22
df07d53fea
formatting values 2020-10-25 18:23:29 +05:30
omkar72
021842eaa3 office test reg 2020-10-25 12:36:08 +05:30
stvetro
9d286b4d47
Deleted a rule that is not mine
It was added by mistake =)
2020-10-23 12:38:13 +04:00
Наталья Шорникова
789e7227be Splitting into two 2020-10-18 02:16:11 +03:00
nsaddler
3aff4836ca
Update sysmon_wab_dllpath_reg_change.yml 2020-10-18 00:19:27 +03:00
Alexey Lednyov
1a0e2b3c8e Add a technique tag 2020-10-17 08:46:57 +03:00
Alexey Lednyov
761bebfece Fix title 2020-10-17 01:10:47 +03:00
Alexey Lednyov
69bde540c7 Added a rule to detect the use of the Windows telemetry mechanism for persistence 2020-10-17 00:48:14 +03:00
Jonhnathan
1584ddf918
Update sysmon_susp_service_installed.yml 2020-10-15 20:50:42 -03:00
Jonhnathan
457217bfc0
Update sysmon_win_reg_persistence.yml 2020-10-15 20:11:52 -03:00
Jonhnathan
229e57777a
Update sysmon_win_reg_persistence.yml 2020-10-15 20:11:37 -03:00
Jonhnathan
8a52610bf8
Update sysmon_uac_bypass_eventvwr.yml 2020-10-15 20:11:11 -03:00
Jonhnathan
6ea18efdaf
Update sysmon_sysinternals_eula_accepted.yml 2020-10-15 20:10:44 -03:00
Jonhnathan
7dfb8f0e99
Update sysmon_suspicious_keyboard_layout_load.yml 2020-10-15 20:10:21 -03:00
Jonhnathan
9c434eaf04
Update sysmon_susp_service_installed.yml 2020-10-15 20:10:06 -03:00
Jonhnathan
33ed01e285
Update sysmon_susp_run_key_img_folder.yml 2020-10-15 20:09:42 -03:00
Jonhnathan
45466cf95d
Update sysmon_susp_reg_persist_explorer_run.yml 2020-10-15 20:08:47 -03:00
Jonhnathan
b55b78c42d
Update sysmon_susp_lsass_dll_load.yml 2020-10-15 20:08:12 -03:00
Jonhnathan
17ade8e5f5
Update sysmon_susp_download_run_key.yml 2020-10-15 20:07:53 -03:00
Jonhnathan
6fc6409c7f
Update sysmon_stickykey_like_backdoor.yml 2020-10-15 20:07:11 -03:00
Jonhnathan
03ea1375e2
Update sysmon_registry_persistence_search_order.yml 2020-10-15 20:05:46 -03:00
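Several fixes in this log are the same handful of rule-hygiene problems recurring: duplicate UUIDs ("fix: duplicate UUIDs"), `falsepositives` written as a string instead of a list (the `falsepositives_NOT_a_list` branch and the two "Fix falsepositives list" commits), a `reference` field where `references` is expected ("fix reference field + add test for references in plural form"), `registry_event` used as a service when it is a category ("registry_event is a category"), and Sysmon rules that hardcode an EventID instead of using the generic category ("Modified rules to use categories instead of hardcoded event IDs", "Added file_delete category (Sysmon Event ID 23)"). The script below is an added example written for this page, not part of the SigmaHQ repository or its test suite. It checks those points on rules supplied as plain Python dicts (constructed inline here, so it runs with the standard library only; a real run would load them with a YAML parser). The Sysmon ID-to-category mapping for events 12, 13, 14 and 23 comes from the Sysmon documentation, not from this page, and the sample rules, titles, ids and URLs are made up for illustration.

```python
import uuid

# Sysmon event IDs that the generic Sigma taxonomy expresses as log source categories.
# The mapping is Sysmon documentation, not something stated on this page.
SYSMON_EVENT_CATEGORY = {
    12: "registry_event",  # RegistryEvent: key created or deleted
    13: "registry_event",  # RegistryEvent: value set
    14: "registry_event",  # RegistryEvent: key or value renamed
    23: "file_delete",     # FileDelete
}
# Categories that are sometimes mistakenly written under logsource.service.
KNOWN_CATEGORIES = set(SYSMON_EVENT_CATEGORY.values())


def _event_ids(detection):
    """Collect every EventID referenced by the selections of a detection block."""
    ids = []
    for name, selection in detection.items():
        if name == "condition" or not isinstance(selection, dict):
            continue
        eid = selection.get("EventID")
        if eid is None:
            continue
        ids.extend(eid if isinstance(eid, list) else [eid])
    return ids


def check_rule(rule):
    """Return the findings for one rule dict; an empty list means the rule is clean."""
    findings = []

    # 'id' must be a well-formed UUID (uniqueness across the set is checked in check_rules).
    try:
        uuid.UUID(str(rule.get("id", "")))
    except ValueError:
        findings.append("id is not a valid UUID")

    # 'falsepositives' is a list of strings, not a single string.
    fps = rule.get("falsepositives")
    if fps is not None and not isinstance(fps, list):
        findings.append("falsepositives must be a list")

    # The field is 'references' (plural), and it is a list too.
    if "reference" in rule:
        findings.append("field 'reference' must be spelled 'references'")
    refs = rule.get("references")
    if refs is not None and not isinstance(refs, list):
        findings.append("references must be a list")

    # Log source: registry_event / file_delete are categories, not services, and a
    # hardcoded Sysmon EventID should be expressed through the category instead.
    ls = rule.get("logsource", {})
    service = ls.get("service")
    if service in KNOWN_CATEGORIES:
        findings.append(f"logsource.service '{service}' is a category; use logsource.category")
    if service == "sysmon":
        for eid in _event_ids(rule.get("detection", {})):
            cat = SYSMON_EVENT_CATEGORY.get(eid)
            if cat:
                findings.append(f"service sysmon + EventID {eid}: use category '{cat}' instead")
    return findings


def check_rules(rules):
    """Check a rule set; returns {title: findings} and flags ids reused across rules."""
    seen = {}
    report = {}
    for rule in rules:
        title = rule.get("title", "<untitled>")
        findings = check_rule(rule)
        rid = rule.get("id")
        if rid in seen:
            findings.append(f"duplicate id {rid} (also used by '{seen[rid]}')")
        else:
            seen[rid] = title
        report[title] = findings
    return report


# Constructed sample rules for illustration; these are not rules from the repository.
RULES = [
    {
        "title": "Run Key Pointing To Image Folder",
        "id": "2a5f6a6c-9c5e-4c8a-8c9e-5d8b9d2c1a01",
        "logsource": {"product": "windows", "category": "registry_event"},
        "detection": {"selection": {"TargetObject|contains": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"},
                      "condition": "selection"},
        "falsepositives": ["Legitimate software writing its own Run key"],
        "references": ["https://example.invalid/run-key"],
    },
    {
        "title": "Sysmon Rule With Hardcoded EventID",
        "id": "2a5f6a6c-9c5e-4c8a-8c9e-5d8b9d2c1a01",  # same id as the rule above
        "logsource": {"product": "windows", "service": "sysmon"},
        "detection": {"selection": {"EventID": 13, "TargetObject|endswith": "\\Debugger"}, "condition": "selection"},
        "falsepositives": "Unknown",
        "reference": ["https://example.invalid/debugger"],
    },
    {
        "title": "Category Written As Service",
        "id": "not-a-uuid",
        "logsource": {"product": "windows", "service": "registry_event"},
        "detection": {"selection": {"EventID": [12, 13]}, "condition": "selection"},
        "falsepositives": ["Unknown"],
    },
]

if __name__ == "__main__":
    for title, findings in check_rules(RULES).items():
        print(title, "->", findings or "OK")
```

Running it reports the first rule as clean and lists, for the other two, exactly the classes of defect the commits above were fixing by hand. The checks are deliberately conservative: a rule that uses `logsource.service: sysmon` without an EventID that maps to a category is left alone, since not every Sysmon event has a generic category.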