valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,184 Commits 20 Branches 25 Tags 21 MiB
6dc36c8749
Commit Graph

498 Commits

Author SHA1 Message Date
Roberto Rodriguez
6dc36c8749 Update win_eventlog_cleared.yml 
Experimental Rule is a duplicate of bfc7012043/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
 2018-12-05 05:40:00 +03:00
Roberto Rodriguez
c8990962d2 Update win_rare_service_installs.yml 
same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
 2018-12-05 05:33:56 +03:00
Roberto Rodriguez
f0b23af10d Update win_rare_schtasks_creations.yml 
Count(taskName) not being taken by elastalert integration with Sigmac
 2018-12-05 05:10:08 +03:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Florian Roth
a805d18bba
Merge pull request #198 from kpolley/consistent_filetype 
changed .yaml files to .yml for consistency
 2018-12-03 09:00:14 +01:00
Florian Roth
2ebbdebe46 rule: Cobalt Strike beacon detection via Remote Threat Creation 
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 2018-11-30 10:25:05 +01:00
Thomas Patzke
f6ad36f530 Fixed rule 2018-11-29 00:00:18 +01:00
Kyle Polley
60538e2e12 changed .yaml files to .yml for consistency 2018-11-20 21:07:36 -08:00
Florian Roth
a31acd6571 fix: fixed procdump rule 2018-11-17 09:10:26 +01:00
Florian Roth
fd06cde641 Rule: Detect base64 encoded PowerShell shellcode 
https://twitter.com/cyb3rops/status/1063072865992523776
 2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Nate Guagenti
9bfdcba400
Update win_alert_ad_user_backdoors.yml 
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 2018-11-05 21:08:19 -05:00
Florian Roth
37294d023f Suspicious svchost.exe executions 2018-10-30 09:37:40 +01:00
Florian Roth
580692aab4 Improved procdump on lsass rule 2018-10-30 09:37:40 +01:00
Thomas Patzke
ff98991c80 Fixed rule 2018-10-18 16:20:51 +02:00
Thomas Patzke
a2da73053d Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9 2018-10-18 16:16:57 +02:00
Thomas Patzke
732de3458f
Merge pull request #186 from megan201296/patch-15 
Update sysmon_cmstp_com_object_access.yml
 2018-10-18 15:49:06 +02:00
Thomas Patzke
fdd0823e07
Merge pull request #187 from megan201296/patch-16 
Additional MITRE ATT&CK Tagging
 2018-10-18 15:38:11 +02:00
Florian Roth
fd34437575 fix: fixed date in rule 2018-10-10 15:27:58 +02:00
megan201296
fdd264d946
Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
megan201296
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml 2018-10-09 19:11:17 -05:00
megan201296
b0983047eb
Update sysmon_powersploit_schtasks.yml 2018-10-09 19:10:37 -05:00
megan201296
2f533c54b3
Update sysmon_powershell_network_connection.yml 2018-10-09 19:10:17 -05:00
megan201296
1b92a158b5
Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
megan201296
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml 
Edit tule logic for `and` instead of `or
 2018-10-09 19:03:30 -05:00
megan201296
7997cb3001
Remove duplicate value 2018-10-08 13:00:59 -05:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00
Florian Roth
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml 2018-10-02 08:56:09 +02:00
Florian Roth
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml 2018-10-02 08:55:48 +02:00
Florian Roth
aafe9c6dae
Delete sysmon_lethalHTA.yml 2018-10-02 08:55:19 +02:00
Ensar Şamil
dec7568d4c
Rule simplification 
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
 2018-09-28 10:58:50 +03:00
Florian Roth
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli 
Add group by to windows multiple suspicious cli rule
 2018-09-26 11:49:57 +02:00
Florian Roth
a2c6f344ba
Lower case T 2018-09-26 11:44:12 +02:00
Braz
f35308a4d3
Missing Character 
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
 2018-09-26 11:40:24 +02:00
Florian Roth
edf8dde958
Include cases in which certutil.exe is used 2018-09-23 20:57:34 +02:00
Karneades
c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command 
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
 2018-09-23 20:28:56 +02:00
Karneades
cc82207882 Add group by to win multiple suspicious cli rule 
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
 2018-09-23 19:38:23 +02:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth
13276ecf31 Rule: AV alerts - webshells 2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de Rule: AV alerts - relevant files 2018-09-09 11:04:27 +02:00
Florian Roth
7311d727ba Rule: AV alerts - password dumper 2018-09-09 11:04:27 +02:00
Florian Roth
84b8eb5154 Rule: AV alerts - exploiting frameworks 2018-09-09 11:04:27 +02:00
Florian Roth
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel 
Suspicious SYSVOL Domain Group Policy Access
 2018-09-08 15:56:54 +02:00
Florian Roth
6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
Florian Roth
68896d9294 style: renamed rule files to all lower case 2018-09-08 10:25:20 +02:00
Florian Roth
788678feb8
Merge pull request #165 from JohnLaTwC/patch-1 
Create win_susp_powershell_hidden_b64_cmd.yml
 2018-09-08 10:23:05 +02:00
John Lambert
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml 
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
 2018-09-07 20:23:11 -07:00
megan201296
3154be82f3
Added .yml extension and fix typo 2018-09-06 20:28:22 -05:00
Lurkkeli
30fc4bd030
powershell xor commandline 
New rule to detect -bxor usage in a powershell commandline.
 2018-09-05 09:21:15 +02:00
Florian Roth
49f7da6412 style: changed title casing and minor fixes 2018-09-04 16:15:41 +02:00