Commit Graph

6248 Commits

Author SHA1 Message Date
Florian Roth
7a96b40895 rule: CVE-2021-1675 eventid extension 2021-06-30 16:08:33 +02:00
Florian Roth
c508e71165 rules: CVE-2021-1675 exploitation events 2021-06-30 14:51:20 +02:00
Florian Roth
d2f7edc778 refactor: change title of older CVE-2021-1675 rule 2021-06-30 14:23:14 +02:00
Florian Roth
a49bfb14dd refactor: Admin log - not Operational 2021-06-30 14:22:40 +02:00
Florian Roth
26cfbb9c34 config: mapping for Microsoft SMBClient service - security 2021-06-30 14:16:26 +02:00
Florian Roth
8262a1d98b config: mappings for Microsoft print service 2021-06-30 14:09:44 +02:00
Florian Roth
a27d3d5880 docs: add 2nd Github upload 2021-06-29 12:31:13 +02:00
Florian Roth
b2ac3353dc rule: CVE-2021-1675 2021-06-29 10:11:08 +02:00
Florian Roth
9e3caf4ceb refactor: non-interactive Powershell to "low" 2021-06-28 16:38:34 +02:00
Florian Roth
d1f1e8e7c4 rule: reg add run key 2021-06-28 09:39:12 +02:00
Florian Roth
ab0502f893 refactor: add wscript.exe to mshta rule 2021-06-28 09:39:04 +02:00
Florian Roth
d48009748f rule: mshta shell spawn 2021-06-28 09:32:28 +02:00
Florian Roth
7b6208c05c rules: PurpleSharp, WMIC ActiveScriptEventConsumer 2021-06-25 09:56:42 +02:00
Florian Roth
9b93165ece BackdoorDiplomacy UA 2021-06-15 10:39:08 +02:00
Florian Roth
bf40b64f91 docs: better title in crowdstrike config 2021-06-10 17:07:01 +02:00
Florian Roth
0cfc462fb9 fix: fixed driver load rule 2021-06-10 16:03:35 +02:00
Florian Roth
78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Florian Roth
9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth
04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth
f52ed7604c BabyShark Pattern 2021-06-10 09:41:36 +02:00
Florian Roth
32bcdb5b0e
Merge pull request #1532 from frack113/rule-devel_SDelete
Add windows T1485 SDelete
2021-06-03 13:50:14 +02:00
Florian Roth
151d120a24
Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113
ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Florian Roth
7812ff51d3 fix: FPs with Volume Shadow Copy Service Keys 2021-06-02 13:04:05 +02:00
Florian Roth
34cf1333de fix: rule FPs with Stealthy VSTO Persistence 2021-06-01 13:58:35 +02:00
Florian Roth
ab73dd4dd6 rule: nginx core dump 2021-05-31 10:49:42 +02:00
Florian Roth
39900bb7c5 refactor: re-add exec selection 2021-05-27 19:24:20 +02:00
Florian Roth
9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth
c3ab7d19f1
Merge pull request #1515 from jbeley/master
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
2021-05-27 18:22:16 +02:00
Florian Roth
431f34b985 fix: other locations
https://twitter.com/ber_m1ng/status/1397948048135778309
2021-05-27 18:12:20 +02:00
Florian Roth
a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth
fa45298474
Merge pull request #1516 from SigmaHQ/rule-devel
Update win_susp_regedit_trustedinstaller.yml
2021-05-27 17:48:48 +02:00
Jeff Beley
f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth
61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth
71625c54f0
Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
2021-05-27 16:30:30 +02:00
Florian Roth
d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth
d5e8d1153f fix: missing condition 2021-05-27 15:04:13 +02:00
Florian Roth
7ce7095c2c fix: title with lower case letters 2021-05-27 15:01:32 +02:00
Florian Roth
6e31bc3037
Merge pull request #1485 from V1D1AN/master
Update ecs-zeek-elastic-beats-implementation.yml
2021-05-27 14:59:14 +02:00
Florian Roth
5cf7078fb3
Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
2021-05-27 12:55:31 +02:00
Florian Roth
ea430c8823
Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
2021-05-27 12:55:03 +02:00
Florian Roth
8d834cf681
Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access
Add Windows Defender on WL
2021-05-27 12:54:15 +02:00
Florian Roth
d8827fc29d
Merge pull request #1481 from ZikyHD/improve_win_tool_psexec
Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule
2021-05-27 12:53:56 +02:00
Florian Roth
1bf9546fad
Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file
Exclude dism.exe
2021-05-27 12:53:27 +02:00
Florian Roth
9239690ef3
Merge pull request #1488 from dacelbot/master
Contribute AWS snapshot exfiltration rule
2021-05-27 12:52:46 +02:00
Florian Roth
a80c29a7c2
Merge pull request #1491 from w0rk3r/patch-1
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
2021-05-27 12:52:14 +02:00
Florian Roth
059e669ac6
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
2021-05-27 12:51:54 +02:00
Florian Roth
e397a2974e
Merge pull request #1511 from frack113/fix_missing_eventid_Obfuscation
Fix missing eventid when converting windows obfuscation rules
2021-05-27 12:51:22 +02:00
Florian Roth
3cd2730a26 rule: process hacker priv esc 2021-05-27 12:49:54 +02:00
Florian Roth
c0b93a010c NCCGroup rules from rclone blog post
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
2021-05-27 12:49:40 +02:00