SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00

Author	SHA1	Message	Date
megan201296	7997cb3001	Remove duplicate value	2018-10-08 13:00:59 -05:00
Florian Roth	54678fcb36	Rule: CertUtil UA https://twitter.com/ItsReallyNick/status/1047151134501216258	2018-10-06 16:47:37 +02:00
Florian Roth	85f0ddd188	Delete win_alert_LSASS_access.yml	2018-10-02 16:48:09 +02:00
Florian Roth	19e2bad96e	Delete sysmon_powershell_DLL_execution.yml	2018-10-02 08:56:09 +02:00
Florian Roth	daddec9217	Delete sysmon_powershell_AMSI_bypass.yml	2018-10-02 08:55:48 +02:00
Florian Roth	aafe9c6dae	Delete sysmon_lethalHTA.yml	2018-10-02 08:55:19 +02:00
Ensar Şamil	dec7568d4c	Rule simplification Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.	2018-09-28 10:58:50 +03:00
Florian Roth	451c18628d	Merge pull request #170 from Karneades/fix-suspicious-cli Add group by to windows multiple suspicious cli rule	2018-09-26 11:49:57 +02:00
Florian Roth	a2c6f344ba	Lower case T	2018-09-26 11:44:12 +02:00
Braz	f35308a4d3	Missing Character Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing. Thanks for your work Flo & Tom!	2018-09-26 11:40:24 +02:00
Florian Roth	edf8dde958	Include cases in which certutil.exe is used	2018-09-23 20:57:34 +02:00
Karneades	c73a9e4164	Fix CommandLine in rule sysmon/sysmon_susp_certutil_command Below is an example of a test - the command line does not include the path nor the .exe. I think this comes from the initial detection on the Image path and the later switch to command line. We could also use both the Image path and the Command Line. Message : Process Create: Image: C:\Windows\SysWOW64\certutil.exe CommandLine: certutil xx -decode xxx Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe"	2018-09-23 20:28:56 +02:00
Karneades	cc82207882	Add group by to win multiple suspicious cli rule * For the detection it's important that these cli tools are started on the same machine for alerting.	2018-09-23 19:38:23 +02:00
Thomas Patzke	81515b530c	ATT&CK tagging QA	2018-09-20 12:44:44 +02:00
Florian Roth	13276ecf31	Rule: AV alerts - webshells	2018-09-09 11:04:27 +02:00
Florian Roth	e5c7dd18de	Rule: AV alerts - relevant files	2018-09-09 11:04:27 +02:00
Florian Roth	7311d727ba	Rule: AV alerts - password dumper	2018-09-09 11:04:27 +02:00
Florian Roth	84b8eb5154	Rule: AV alerts - exploiting frameworks	2018-09-09 11:04:27 +02:00
Florian Roth	82916f0cff	Merge pull request #159 from t0x1c-1/t0x1c-devel Suspicious SYSVOL Domain Group Policy Access	2018-09-08 15:56:54 +02:00
Florian Roth	6f5a73b2e2	style: renamed rule files to all lower case	2018-09-08 10:27:19 +02:00
Florian Roth	68896d9294	style: renamed rule files to all lower case	2018-09-08 10:25:20 +02:00
Florian Roth	788678feb8	Merge pull request #165 from JohnLaTwC/patch-1 Create win_susp_powershell_hidden_b64_cmd.yml	2018-09-08 10:23:05 +02:00
Florian Roth	5d714ab44e	Rule: Added malware UA	2018-09-08 10:22:26 +02:00
Florian Roth	d0f2fbb6d6	Merge pull request #161 from megan201296/patch-12 Fix typo	2018-09-08 10:21:20 +02:00
Florian Roth	3f444b5fc2	Merge pull request #162 from megan201296/patch-13 Added .yml extension and fix typo	2018-09-08 10:21:00 +02:00
Unknown	863736587c	Adding ATTCK	2018-09-08 09:34:27 +02:00
John Lambert	7ce5b3515b	Create win_susp_powershell_hidden_b64_cmd.yml Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.	2018-09-07 20:23:11 -07:00
Unknown	d866097c07	CobaltStrike Malleable Amazon browsing traffic profile	2018-09-07 19:52:35 +02:00
Unknown	cf48a77d5a	Adding CMStar user-agent "O/9.27 (W; U; Z)"	2018-09-07 09:07:24 +02:00
megan201296	3154be82f3	Added .yml extension and fix typo	2018-09-06 20:28:22 -05:00
megan201296	525326d15f	Fix typo	2018-09-06 20:20:11 -05:00
Florian Roth	ec1bd77f2e	Rule: Proxy UA rule update - from Kaspersky report https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/	2018-09-05 20:39:19 +02:00
Florian Roth	49f7da6412	style: changed title casing and minor fixes	2018-09-04 16:15:41 +02:00
Florian Roth	3c240be8a8	fix: more duplicate 'tag' keys in rules	2018-09-04 16:15:02 +02:00
Florian Roth	9c878bef79	fix: duplicate 'tag' key in rule	2018-09-04 16:05:21 +02:00
t0x1c-1	afadda8c04	Suspicious SYSVOL Domain Group Policy Access	2018-09-04 15:52:25 +02:00
Florian Roth	d94c1d2046	fix: duplicate 'tag' key in rule	2018-09-04 14:56:55 +02:00
Florian Roth	1c87f77223	Rule: Fixed false positive in suspicious UA rule	2018-09-04 11:33:05 +02:00
Florian Roth	9cb78558d3	Rule: excluded false positives in rule	2018-09-03 12:02:42 +02:00
Florian Roth	b57f3ded64	Rule: GRR false positives	2018-09-03 11:50:34 +02:00
Florian Roth	2a0fcf6bea	Rule: PowerShell encoded command JAB	2018-09-03 10:08:29 +02:00
Florian Roth	7a3890ad76	Rule: SysInternals EULA accept improved and renamed	2018-08-30 13:16:28 +02:00
Florian Roth	d83f124f5f	Rule: Suspicious communication endpoints	2018-08-30 10:12:12 +02:00
Florian Roth	e70395744b	Rule: Improved Github communication rule	2018-08-30 10:12:12 +02:00
Thomas Patzke	d17cc5c07d	Merge pull request #157 from yt0ng/development Added Detection of Sysinternals Tools via eulaaccepted registry key	2018-08-28 22:37:00 +02:00
Unknown	75d72344ca	Added Detection of Sysinternals Tools via eulaaccepted registry key	2018-08-28 17:36:22 +02:00
Thomas Patzke	a722fcd2b0	Merge pull request #156 from yt0ng/yt0ng-devel Adding LSASS Access Detected via Attack Surface Reduction	2018-08-27 23:50:42 +02:00
Thomas Patzke	ee15b451b4	Fixed log source name	2018-08-27 23:45:30 +02:00
Thomas Patzke	f2fd3b9443	Merge branch 'master' of https://github.com/Neo23x0/sigma	2018-08-27 23:41:41 +02:00
Thomas Patzke	6e7208553a	Revert "removing for new pull request" This reverts commit `ca7e8d6468`.	2018-08-27 23:39:29 +02:00

1 2 3 4 5 ...

619 Commits