valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,238 Commits 20 Branches 25 Tags 21 MiB
736eeabf9f
Commit Graph

19 Commits

Author SHA1 Message Date
Yugoslavskiy Daniil
42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
Ivan Kirillov
5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Michael Wade
f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
David Spautz
e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
yugoslavskiy
f83d0e36b8 improved win_pass_the_hash.yml rule 
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
 2017-04-04 02:57:58 +03:00
Thomas Patzke
889315c960 Changed values with placeholders to quoted strings 
Values beginning with % cause YAML parse error
 2017-03-18 23:05:16 +01:00
Florian Roth
a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
IeM
9f5e5a2366 Update win_pass_the_hash.yml 
Added placeholders for WorkstationName to detect network logons between Workstations.
 2017-03-13 16:09:32 +01:00
IeM
4d5ded46e6 Update win_pass_the_hash.yml 2017-03-08 20:35:26 +01:00
IeM
381b85fd94 Update win_pass_the_hash.yml 
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
 2017-03-08 18:48:06 +01:00
IeM
e4d764ceba Create win_pass_the_hash.yml 
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
 2017-03-08 18:04:31 +01:00