valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,800 Commits 20 Branches 25 Tags 21 MiB
772cf4f5e4
Commit Graph

4016 Commits

Author SHA1 Message Date
Florian Roth
772cf4f5e4
Merge pull request #1730 from SigmaHQ/rule-devel 
fix: avoid false positives with MSF psexec rule
 2021-07-23 19:49:45 +02:00
Florian Roth
880a87ce91 fix: avoid false positives with MSF psexec rule 2021-07-23 18:33:38 +02:00
Florian Roth
7ede42f78d
Merge pull request #1729 from SigmaHQ/rule-devel 
add additional filename pattern to HiveNightmare rule
 2021-07-23 10:40:33 +02:00
Florian Roth
c0138d5ced add additional filename pattern to HiveNightmare rule 2021-07-23 10:39:41 +02:00
Florian Roth
fa344987c0
Merge pull request #1703 from hieuttmmo/master 
Suspicious behaviours related to  SOURGUM
 2021-07-23 10:32:25 +02:00
Florian Roth
7c42a9d6cb
Merge pull request #1728 from SigmaHQ/rule-devel 
HiveNightmare file creation, other rule improvements
 2021-07-23 10:21:35 +02:00
Tran Trung Hieu
77b4a37916 Update the references 2021-07-23 14:58:51 +07:00
Florian Roth
38b9e942c1
Merge pull request #1724 from austinsonger/master 
sysmon_dns_over_https_enabled.yml
 2021-07-23 09:52:24 +02:00
Florian Roth
5b95ef0872
Merge pull request #1725 from frack113/add_new_test 
Add check for status and level
 2021-07-23 09:51:37 +02:00
Florian Roth
cc8899ea62
Merge pull request #1717 from frack113/netcat 
[OSCD] sysmon_netcat_execution.yml T1095
 2021-07-23 09:51:23 +02:00
Florian Roth
d00ca03cb6
increased level to high 2021-07-23 09:51:00 +02:00
Florian Roth
5955efa750 adjusted timestamp 2021-07-23 09:45:50 +02:00
Florian Roth
d9dc442f4e rule: HiveNightmare 2021-07-23 09:41:00 +02:00
Austin Songer
d7783ea9d7
Update sysmon_dns_over_https_enabled.yml 2021-07-22 12:42:53 -05:00
frack113
aff5264096 Add check for status and level 2021-07-22 19:25:51 +02:00
Austin Songer
2929f8915e
Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:27:41 -05:00
Austin Songer
44630b215e
Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:22:56 -05:00
Austin Songer
4ddcea0714
Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:09:41 -05:00
Austin Songer
d093fea6a5
Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:07:02 -05:00
Austin Songer
6e8df1e9d2
Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:05:54 -05:00
Austin Songer
edf1740ec4
Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:05:31 -05:00
Austin Songer
c7685e1c18
Create sysmon_dns_over_https_enabled.yml 2021-07-22 11:04:15 -05:00
Florian Roth
edfd082754
Merge pull request #1716 from frack113/elk_keyword_rule 
powershell_nishang_malicious_commandlets Elk keywords trouble
 2021-07-22 15:01:13 +02:00
Florian Roth
cbc7a746d4
feat: some often used ncat command line strings 2021-07-22 15:00:50 +02:00
Florian Roth
7a8fcf4237
Merge pull request #1718 from frack113/powercat 
[OSCD] powershell_powercat.yml T1095
 2021-07-22 14:53:34 +02:00
Florian Roth
132bd8fdd8
Merge pull request #1720 from frack113/redcanary_t1411_001 
[OSCD] powershell_suspicious_mail_acces.yml T1114.001
 2021-07-22 14:53:21 +02:00
Florian Roth
583cae058e
Merge pull request #1723 from phantinuss/master 
Add sysmon_status and sysmon_error category to thor logsource; logical rule fix
 2021-07-22 14:53:01 +02:00
Florian Roth
9f2f6db598
Merge pull request #1721 from frack113/update_test 
Update date and modified test
 2021-07-22 11:10:25 +02:00
Florian Roth
1cfb0e4689
Update win_mal_flowcloud.yml 2021-07-22 11:09:45 +02:00
phantinuss
3c85bba998
fix: according to the reference the condition should be or; it would never match otherwise anyways 2021-07-22 09:59:04 +02:00
frack113
985a80de96 Find duplicate rules 2021-07-22 08:33:52 +02:00
frack113
fe20158f5e Update date and modified test 2021-07-21 18:28:47 +02:00
frack113
4cc4df35d8 add powershell_suspicious_mail_acces.yml 2021-07-21 15:27:12 +02:00
frack113
72da7a3053 fix tags attack.t1095 2021-07-21 13:08:35 +02:00
frack113
41c4f1d157 add powershell_powercat.yml 2021-07-21 13:04:27 +02:00
frack113
1b537cac5d add sysmon_netcat_execution.yml 2021-07-21 10:55:54 +02:00
Florian Roth
0930a933c3
Merge pull request #1713 from frack113/redcanary_t1552_004 
[OSCD] process_creation_discover_private_keys.yml T1552.004
 2021-07-21 10:43:45 +02:00
Florian Roth
78f903a2cc
Merge pull request #1714 from frack113/redcanary_t1074_001 
[OSCD] win_susp_zip_compress.yml T1074.001
 2021-07-21 10:43:32 +02:00
frack113
44254038d3 fix human error : test-sigmac Error 4 2021-07-21 10:01:46 +02:00
frack113
b9b0ef2066 convert keywords to correct field name Payload 2021-07-21 09:44:26 +02:00
Florian Roth
ddb4744613 regsvr32 anomaly rule update 
https://twitter.com/BlackMatter23/status/1417545425297580045
 2021-07-20 21:14:48 +02:00
frack113
ba50a2309c fix case EventID 2021-07-20 16:26:13 +02:00
frack113
42005a07b7 update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00
frack113
b031a1b4b7 add win_susp_zip_compress.yml 2021-07-20 13:13:53 +02:00
frack113
cf8904b560 fix files_with_incorrect_mitre_tags 2021-07-20 12:22:31 +02:00
Florian Roth
66aaa2210c refactor: widened PS1 Empire cmdlines rule 2021-07-20 11:26:22 +02:00
frack113
da6135ccb3 add process_creation_discover_private_keys.yml 2021-07-20 11:20:30 +02:00
Florian Roth
6fbce11094
Merge pull request #1712 from SigmaHQ/rule-devel 
fix: bug in regsvr anomaly rule
 2021-07-18 13:00:19 +02:00
Florian Roth
b7b4c4555f fix: bug in regsvr anomaly rule 2021-07-18 12:59:31 +02:00
Florian Roth
7eb873e48b
Merge pull request #1710 from SigmaHQ/rule-devel 
added more legitimate extensions to regsvr32 rule
 2021-07-17 13:46:21 +02:00