valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,476 Commits 20 Branches 25 Tags 21 MiB
647d98ac71
Commit Graph

2476 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
647d98ac71
Merge pull request #599 from vitaliy0x1/master 
Detection Rules for AWS events
 2020-01-29 21:01:20 +01:00
Florian Roth
376092cfd3
Merge pull request #565 from RiccardoAncarani/master 
Add Covenant default named pipe
 2020-01-29 20:28:00 +01:00
Florian Roth
05d7448a9a
Minor Changes 2020-01-29 20:25:46 +01:00
Florian Roth
d1357ddc50
Minor changes 2020-01-29 20:25:14 +01:00
Florian Roth
8a4f9ad7f8
Minor changes 2020-01-29 20:24:31 +01:00
Florian Roth
a6d7af270d
Added date 2020-01-29 20:23:40 +01:00
Florian Roth
56e1e6b13d
Lower case service name 2020-01-29 20:23:12 +01:00
Florian Roth
f1ce6ba6ad
Lowering level 
Lowering level to medium for events that can have a legitimate cause
 2020-01-29 20:22:34 +01:00
Florian Roth
56576b539f
Merge pull request #602 from Neo23x0/devel 
rule: FromBase64String command line
 2020-01-29 16:12:29 +01:00
Florian Roth
a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth
1948fd94bd
Merge pull request #601 from Neo23x0/devel 
Devel
 2020-01-28 11:35:57 +01:00
Florian Roth
7786edac29 rule: dctask64.exe evasion techniques 
https://twitter.com/gN3mes1s/status/1222088214581825540
 2020-01-28 11:29:24 +01:00
Florian Roth
d48fc9d1ff fix: multiple false positive conditions 2020-01-28 10:11:09 +01:00
Florian Roth
240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth
60f55cbd2b
Merge pull request #590 from Neo23x0/devel 
Devel
 2020-01-24 16:29:19 +01:00
Florian Roth
df324a59c5 Merge branch 'master' into devel 2020-01-24 16:21:53 +01:00
Florian Roth
5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
2d4d
bace799f07 complete_cve_2019-19781 2020-01-24 15:31:06 +01:00
Florian Roth
4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth
11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
Florian Roth
f40a7aab3d rule: changes at Shitrix rule 2020-01-24 15:31:06 +01:00
Thomas Patzke
d408c0fd34 Added ala-rule backend to CI testing 2020-01-24 15:31:06 +01:00
Thomas Patzke
8525e9e961 Moved ala-rule backend code into ala backend module 2020-01-24 15:31:06 +01:00
sbousseaden
a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
neu5ron
ee1ae805d3 fix name of network_initiated 2020-01-24 15:31:06 +01:00
2d4d
341ed340a3 add newbm.pl 2020-01-24 15:31:06 +01:00
Florian Roth
4e07a786a7 rule: updated netscaler rule 2020-01-24 15:31:06 +01:00
Florian Roth
c22f7b0b65 fix: shortened path in Citrix Netscaler rule 2020-01-24 15:31:06 +01:00
2d4d
d0230f0024 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
2d4d
0bde8b5f00 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
a371cf1057 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
c24bbdcf81 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-24 15:31:06 +01:00
Maxime Lamothe-Brassard
d1774f7735 Fixed actual event tag 2020-01-24 15:31:06 +01:00
Maxime Lamothe-Brassard
1bfb809b6f Mapping OriginalFileName to event/INTERNAL_NAME now that it's available. 2020-01-24 15:31:06 +01:00
SOC Prime
2aae27f0a4 Update ala-rule.py 2020-01-24 15:31:06 +01:00
SOC Prime
85f09419fb Update ala-rule.py 2020-01-24 15:31:06 +01:00
vh
8d30459532 Azure Sentinel backend (ala) - Fixed path in query 
Added new backend Azure Sentinel Rule (ala-rule)
 2020-01-24 15:31:06 +01:00
msec1203
4f29556a01 Update win_susp_winword_wmidll_load.yml 
Update x2
 2020-01-24 15:31:06 +01:00
msec1203
48a071ad4e Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2020-01-24 15:31:06 +01:00
GelosSnake
8fbe08d5fa Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2020-01-24 15:31:06 +01:00
msec1203
4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68 svchost spawned without cli 2020-01-24 15:31:06 +01:00
Florian Roth
72341f08c5 Added MITRE ATT&CK Technique T1482 
https://attack.mitre.org/techniques/T1482/
 2020-01-24 15:31:06 +01:00
david-burkett
032c382184 corrected logic 2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51 Trickbot behavioral recon activity 2020-01-24 15:31:06 +01:00
Alessio Dalla Piazza
9f7eee8bb1 Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2020-01-24 15:31:06 +01:00
Thomas Patzke
0f4aef1000 Added sigma2attack to CI testing 2020-01-24 15:31:06 +01:00