valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5,978 Commits 20 Branches 25 Tags 21 MiB
7c8cca744f
Commit Graph

4299 Commits

Author SHA1 Message Date
Bhabesh Rai
a58c5ed7cc Added rule for CVE-2021-21978 in VMware View Planner 2021-03-10 18:05:15 +05:45
concorde18
87059fe80b
Merge branch 'oscd' into DLL-execution-via-register-cimprovider.exe 2021-03-10 11:35:55 +03:00
concorde18
f694de74aa
Create win_susp_diskshadow.yml 2021-03-10 11:33:12 +03:00
concorde18
b73815e883
Update win_susp_Register_cimprovider.yml 2021-03-10 11:25:13 +03:00
Florian Roth
f0051ffcf6
Merge pull request #1378 from SigmaHQ/rule-devel 
HAFNIUM activity
 2021-03-09 15:42:32 +01:00
Florian Roth
dca5c870d7
Merge pull request #1374 from hieuttmmo/master 
Detect HAFNIUM operations
 2021-03-09 09:16:52 +01:00
Florian Roth
ec490b40ec fix: 1 of them condition 2021-03-09 09:15:12 +01:00
Florian Roth
563335ec5a rule: suspicious service binary location 2021-03-09 09:01:36 +01:00
Florian Roth
2ded9543f3 rule: HAFNIUM post-exploitation activity 2021-03-09 09:01:24 +01:00
BlueTeamOps
26a5300208
added spaces for oudmp and dclist 2021-03-09 08:22:36 +11:00
Anton Kutepov
e4a38a8b71 Merge branch 'master' into oscd 2021-03-07 23:41:11 +03:00
Anton Kutepov
626d7ebd61 Applied the fixes made by the participants during the second sprint. 2021-03-07 23:40:08 +03:00
Anton Kutepov
d7ef865bb9 Merge remote-tracking branch 'upstream/master' and fix conflicts 2021-03-07 23:36:13 +03:00
Anton Kutepov
ff6f10b484 Added the author of the duplicated rule (finger.exe) 2021-03-07 23:20:21 +03:00
Florian Roth
2b5f9f994f
Merge pull request #1376 from SigmaHQ/rule-devel 
UNC2452 rules - GoldMax, GoldFinder, Sibot
 2021-03-05 18:17:20 +01:00
Florian Roth
a61fbe6bd8 fix: duplicate UUID 2021-03-05 12:09:43 +01:00
Florian Roth
3a0fc4835a
Merge pull request #1363 from markus-nclose/master 
Fix CobaltStrike typo
 2021-03-05 12:06:31 +01:00
Florian Roth
b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth
c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 2021-03-05 11:54:35 +01:00
Florian Roth
bdc35aa3ec Update win_webshell_spawn.yml 2021-03-05 11:34:17 +01:00
Florian Roth
62b65a3578
Merge pull request #1375 from SigmaHQ/rule-devel 
fix: description
 2021-03-04 17:35:53 +01:00
Florian Roth
bea2f226c6 fix: description 2021-03-04 17:35:25 +01:00
Tran Trung Hieu
5f74a58081 Detect HAFNIUM operations 2021-03-04 00:01:54 +07:00
Florian Roth
9e921115bc
Merge pull request #1373 from SigmaHQ/rule-devel 
HAFNIUM rule
 2021-03-03 10:34:08 +01:00
Florian Roth
d8ded5ebdc refactor: changed symbols after feedback from Volexity 2021-03-03 10:15:45 +01:00
Florian Roth
e17986ebd3 rule: HAFNIUM Exchange exploitation 2021-03-03 09:58:43 +01:00
Florian Roth
73a3a1e5cd
Merge pull request #1360 from d4rk-d4nph3/master 
Added sigma rule for vSphere RCE CVE-2021-21972
 2021-03-03 09:32:05 +01:00
Florian Roth
8c95f90075
Update web_vsphere_cve_2021_21972_unauth_rce_exploit.yml 2021-03-03 09:08:24 +01:00
Bhabesh Rai
56eed19fba Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge 2021-03-03 12:46:50 +05:45
Florian Roth
6d30f87c0c refactor: procdump use 2021-03-02 23:36:25 +01:00
Anton Kutepov
f461becc58 Added missed changes in win_net_ntlm_downgrade and merged duplicate rules 2021-03-02 23:34:34 +03:00
Anton Kutepov
3f45269296 Merge branch 'oscd' 
B
B
B
B
A
 2021-03-02 22:58:41 +03:00
Florian Roth
5c1dc30a13
Merge pull request #1369 from SigmaHQ/rule-devel 
fix: FPs with rule and avast sandbox
 2021-03-02 15:30:30 +01:00
Florian Roth
c873d878b9 fix: FPs with rule and avast sandbox 2021-03-02 10:08:30 +01:00
Florian Roth
b65dbee01f
Merge pull request #1366 from Neo23x0/rule-devel 
rule: SilentProcessExit monitors
 2021-02-26 18:09:44 +01:00
Florian Roth
ba7c7409a3 fix: typo in modified 2021-02-26 17:48:50 +01:00
Florian Roth
79acbbef9f rule: SilentProcessExit monitors 2021-02-26 17:35:42 +01:00
Florian Roth
40710fe89a
Merge pull request #1357 from Neo23x0/rule-devel 
Rule FP fixes
 2021-02-26 11:05:00 +01:00
Florian Roth
274b7b0f2e
fix: search for keywords within message 2021-02-26 09:42:12 +01:00
Florian Roth
9d937705c0 fix: null values in separate filter expression 
> null value in lists cause problems in some backends
 2021-02-25 15:19:26 +01:00
markus-nclose
67d3d5e220
Fixed CobaltStrike typo 2021-02-25 07:25:20 +02:00
Anton Kutepov
120fd413b8
fix author field 2021-02-25 02:17:28 +03:00
Anton Kutepov
98cc025208 Renamed ProcessName field to Image for the process_creation category. 2021-02-25 01:57:26 +03:00
Anton Kutepov
96afd5845a Merged identical rules. Added the author of the deleted rule to another rule. 2021-02-25 01:20:09 +03:00
Bhabesh Rai
e1dff01cea Added sigma rule for vSphere RCE CVE-2021-21972 2021-02-24 23:48:08 +05:45
Florian Roth
a8912da1a0 rule: finger.exe execution 2021-02-24 17:47:56 +01:00
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth
f8b6b9d68e fix: FPs with Suspect Svchost Activity 2021-02-24 13:55:40 +01:00
Florian Roth
0489d4bfa4 fix: rule 2021-02-24 13:44:13 +01:00
Florian Roth
9eb55016bf fix: FPs with WMI Spawning Windows PowerShell 2021-02-24 13:32:30 +01:00
Florian Roth
b032bc3328 fix: FPs with Wmiprvse Spawning Process 2021-02-24 13:27:18 +01:00
Florian Roth
028ce2a548 fix: Sysmon NTLM downgrade attack - too many fps 2021-02-24 13:22:25 +01:00
Joshua Roys
025a17e44b fix: case in level 
Otherwise es-rule ends up with a null risk_score and invalid severity.
 2021-02-22 21:34:06 -05:00
Florian Roth
96803a5a27
Merge pull request #1355 from Neo23x0/rule-devel 
Rule devel
 2021-02-22 17:46:21 +01:00
Florian Roth
94035e1e11 fix: error in condition 2021-02-22 17:30:11 +01:00
Florian Roth
749789c17d fix: condition in eventlog rule 2021-02-22 17:24:19 +01:00
Florian Roth
aea03076c2 rule: simplified rule 2021-02-22 17:19:14 +01:00
Florian Roth
43b2ad580f rule: DEWMODE webshell 2021-02-22 17:15:32 +01:00
Florian Roth
f834862833
Merge pull request #1107 from vburov/patch-10 
Update win_susp_eventlog_cleared.yml
 2021-02-18 11:19:53 +01:00
Florian Roth
a6684c66d6
Merge pull request #1110 from vburov/patch-11 
Update win_disable_event_logging.yml
 2021-02-18 11:18:32 +01:00
Florian Roth
f62fc2e889
Merge pull request #1341 from d4rk-d4nph3/master 
Added rule for TerraMaster TOS CVE-2020-28188
 2021-02-18 11:17:48 +01:00
Florian Roth
786a799c3f
Merge pull request #1345 from blueteam0ps/patch-2 
Created win_sus_auditpol_usage.yml
 2021-02-18 11:17:04 +01:00
Florian Roth
76e6f38215
Merge pull request #1348 from bartlomiej-czyz/patch-1 
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml
 2021-02-18 11:14:40 +01:00
Florian Roth
089a931007 rule: ScreenConnect remote access 2021-02-11 13:04:16 +01:00
Florian Roth
4c2691d3c3 rule: disable windows eventlog 2021-02-11 12:28:52 +01:00
Florian Roth
18f2e32774 Domestic Kitten Furball malware pattern 2021-02-08 17:52:55 +01:00
bartlomiej-czyz
b771fb0c55
Change win_metasploit_or_impacket_smb_psexec_service_install.yml severity level 2021-02-08 12:45:59 +01:00
Florian Roth
8ae8c213a9
Merge pull request #1337 from architect00/master 
rule: scheduled task deletion
 2021-02-07 15:26:13 +01:00
GlebSukhodolskiy
daaba7022b
Merge branch 'oscd' into oscd_wmi 2021-02-06 00:34:53 +03:00
yugoslavskiy
fb1f04ec8a
Merge pull request #1249 from oscd-initiative/oscd_art_linux_task_18_T1083 
[OSCD] ART sync, test T1083: File and Directory Discovery (Linux)
 2021-02-04 22:34:47 +01:00
bartlomiej-czyz
ae15cef5e7
Rename .yaml to .yml 2021-02-03 22:20:48 +01:00
bartlomiej-czyz
e79168ee56
Create win_rundll32_without_parameters.yml 2021-02-03 22:18:23 +01:00
bartlomiej-czyz
3e9c177c65
Create win_metasploit_or_impacket_smb_psexec_service_install.yaml 2021-02-03 22:16:21 +01:00
BlueTeamOps
1a124f9193
Added win_ad_find_discovery.yml 
Rule to detect the most commons switches used in AdFind tool
 2021-02-02 23:34:10 +11:00
BlueTeamOps
c3c706503e
Update win_sus_auditpol_usage.yml 2021-02-02 22:24:54 +11:00
BlueTeamOps
b0d0bb95b0
Created win_sus_auditpol_usage.yml 
This adds detection for suspicious behaviour of the auditpol binary
 2021-02-02 19:12:13 +11:00
Bhabesh Rai
a8d33171d7 Fixed c-uri 2021-02-02 10:23:47 +05:45
Florian Roth
309e15dc5c rule: add call by ordinal 2021-02-01 20:16:31 +01:00
Florian Roth
597633c938 rule: ShimCache Flush 2021-02-01 20:05:28 +01:00
Florian Roth
2c48d2b0bb
fix: missing global action and sections 2021-02-01 20:00:06 +01:00
Bhabesh Rai
63e2f4bbce Added rule for Sudo CVE-2021-3156 Exploitation Attempt 2021-02-01 23:08:45 +05:45
Florian Roth
179db920ec
Merge pull request #1343 from Neo23x0/rule-devel 
Rule devel
 2021-02-01 12:28:22 +01:00
Florian Roth
aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
Florian Roth
33fee6af8b rule: security product uninstallation 2021-01-30 11:24:08 +01:00
Florian Roth
e533b4effb fix: tags 2021-01-28 13:51:51 +01:00
Florian Roth
cd4491cba2 rule: disable volume snaptshots 2021-01-28 13:48:30 +01:00
Florian Roth
6b9eef58da
Merge pull request #1338 from Neo23x0/rule-devel 
Improved UNC2452 activity rules
 2021-01-25 14:36:44 +01:00
Florian Roth
7d99a48bb2 rule: new Quakbot pattern 2021-01-25 12:03:30 +01:00
Florian Roth
a4bec724a6 rule: SonicWall exploitation 2021-01-25 11:54:23 +01:00
Bhabesh Rai
465ab713b0 Added rule for TerraMaster TOS CVE-2020-28188 2021-01-25 13:01:27 +05:45
Florian Roth
b62c705bf0 Improved UNC2452 activity rules 2021-01-22 09:18:11 +01:00
k-vdv
e4edf7bc1b fix service from system to security for rule win_pcap_drivers.yml 2021-01-22 09:10:02 +01:00
David Straßegger
6a6929cfb6 implemented rule for scheduled task deletion 2021-01-22 08:09:56 +01:00
Florian Roth
efa39eb18d
Merge pull request #1336 from Neo23x0/rule-devel 
rule: Raccine uninstall
 2021-01-21 18:17:31 +01:00
Florian Roth
4ad70f0aaa rule: Raccine uninstall 2021-01-21 17:59:17 +01:00
Florian Roth
492d931138
Merge pull request #1335 from Neo23x0/rule-devel 
rule: UNC2452 PowerShell pattern
 2021-01-21 09:20:22 +01:00
Florian Roth
c5a7558ca0 fix: fixed actor name in description 2021-01-21 09:19:51 +01:00
Florian Roth
a0b8eeac6f fix: minor issues 2021-01-20 18:52:50 +01:00
Florian Roth
8b319e3686 rule: UNC2452 PowerShell pattern 2021-01-20 18:51:49 +01:00
Florian Roth
cd4fbca66b
Merge pull request #1330 from d4rk-d4nph3/master 
Added Stealthy Office Persistence via VSTO
 2021-01-20 11:36:25 +01:00
Florian Roth
c00d3a8fe0
Merge pull request #1334 from Neo23x0/rule-devel 
rule: plink anomaly rules
 2021-01-20 11:36:16 +01:00
Bhabesh Rai
dac229a8bb Added rule for Oracle WebLogic Exploit CVE-2021-2109 2021-01-20 14:28:18 +05:45
Florian Roth
eedc483be4 rework: impossible rule with Sysmon 2021-01-19 14:12:40 +01:00
Florian Roth
fdc969385a rule: plink anomaly rules 2021-01-19 12:39:40 +01:00
Florian Roth
7162528a1a
docs: removed CVE 2021-01-15 13:25:10 +01:00
Florian Roth
3d2c6a118d
Merge pull request #1332 from 2d4d/master 
Add xHunt Campaign: BumbleBee Webshell
 2021-01-13 18:19:01 +01:00
Florian Roth
d58cdeab3a
Merge pull request #1331 from Neo23x0/rule-devel 
rule: NTFS vulnerability
 2021-01-12 09:09:33 +01:00
Arnim Rupp
b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth
cf37abee4d
docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp
5d80d634c3 Add xHunt Campaign: BumbleBee Webshell 
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 2021-01-11 19:44:07 +01:00
Florian Roth
a0fccf8647 rule: NTFS vulnerability 
https://twitter.com/jonasLyk/status/1347900440000811010
 2021-01-11 14:51:26 +01:00
Bhabesh Rai
93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth
c571285fd8
Merge pull request #1329 from Neo23x0/rule-devel 
Rule devel
 2021-01-09 11:32:36 +01:00
Florian Roth
63cc0d23c6 changes provided by FPT.EagleEye Team in 
https://github.com/Neo23x0/sigma/pull/1218/files
 2021-01-09 10:38:20 +01:00
Florian Roth
19171f5bed
Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule 
Split up cmstp rule into 3 separate rules and remove duplicates
 2021-01-09 10:30:33 +01:00
Florian Roth
947925d81f
Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic 
Update the azure image_load rule to be a generic sysmon rule
 2021-01-09 10:29:52 +01:00
Florian Roth
04f7766d7a
Merge pull request #1319 from hieuttmmo/master 
Detect Emotet DLL loading by looking rundll32.exe
 2021-01-09 10:29:24 +01:00
Florian Roth
1a8bb9c991
Merge pull request #1327 from 2d4d/master 
more AV event and suspicious commands
 2021-01-09 10:28:30 +01:00
GlebSukhodolskiy
3f519ffa20
Just Check 2021-01-07 21:31:51 +03:00
Arnim Rupp
d5de3fe5f9 more AV event and suspicious commands 
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
 2021-01-07 17:54:19 +01:00
Florian Roth
30dcc28a1f Cisco ASA FTD Exploit CVE-2020-3452 2021-01-07 13:17:58 +01:00
GlebSukhodolskiy
da5ec4e952
Update win_wmi_persistence.yml 
Removed sequence of EIDs in Windows Security section.
 2021-01-06 16:50:28 +03:00
yugoslavskiy
05c91cd12f
Merge pull request #1238 from alx1m1k/oscd-3 
[OSCD] T1030: Split A File Into Pieces - Lin/macOS
 2021-01-06 00:33:12 +03:00
yugoslavskiy
057c33354a
Merge pull request #1237 from alx1m1k/oscd-2 
[OSCD] T1027.001: Binary Padding - Lin/macOS
 2021-01-06 00:33:05 +03:00
yugoslavskiy
befcad2df7
Merge pull request #1234 from w0rk3r/oscd1 
[OSCD] Update win_susp_replace_lolbin.yml
 2021-01-06 00:32:55 +03:00
yugoslavskiy
6ebcb10abd
Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution 
[OSCD] Added a rule to detect execution of runonce with suspicious parameters
 2021-01-06 00:32:44 +03:00
yugoslavskiy
3bf1663503
Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker 
[OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
 2021-01-06 00:32:35 +03:00
yugoslavskiy
e4c302bf6f
Merge pull request #1231 from vburov/patch-16 
[OSCD] Detects LockerGoga Ransomware command line.
 2021-01-06 00:30:08 +03:00
yugoslavskiy
2985836e36
Merge pull request #1140 from omkar72/oscd-5 
[OSCD] adding shortened commands for Netsh in the existing rule
 2021-01-06 00:24:43 +03:00
yugoslavskiy
d25ca9b280
Merge pull request #1229 from zinint/1009-19-1 
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
 2021-01-06 00:24:08 +03:00
yugoslavskiy
7889df6644
Merge pull request #1227 from stvetro/oscd-runscripthelper 
[OSCD] - Runscripthelper.exe runs script (LoLBin)
 2021-01-06 00:24:00 +03:00
yugoslavskiy
0ed153237e
Merge pull request #1226 from stvetro/oscd-winword 
[OSCD] - Force winword.exe to load DLL (LoLBin)
 2021-01-06 00:23:52 +03:00
yugoslavskiy
1d2f027035
Merge pull request #1224 from stvetro/oscd 
[OSCD] Verclsid.exe Runs COM Object (LOLBin)
 2021-01-06 00:23:45 +03:00
yugoslavskiy
f4578b0698
Merge pull request #1223 from zinint/1009-23-1 
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
 2021-01-06 00:23:33 +03:00
yugoslavskiy
23519e47cd
Merge pull request #1222 from feedb/oscd 
[OSCD] zer0w
 2021-01-06 00:23:25 +03:00
yugoslavskiy
93718975fb
Merge pull request #1221 from grikos/OSCD_117_128 
[OSCD] suspicious csi.exe (rcsi.exe)  LOLBAS detection rule
 2021-01-06 00:23:13 +03:00
yugoslavskiy
cd62929bb0
Merge pull request #1220 from aw350m33d/PS_exec_via_redirected_input_stream 
[OSCD] LOLBIN 5 PowerShell with redirection of the input stream.
 2021-01-06 00:23:06 +03:00
yugoslavskiy
70eff4b1fc
Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37 
[OSCD] Add Files Dropped to Program Files by Non-Priviledged Process Rule
 2021-01-06 00:22:57 +03:00
yugoslavskiy
a5bbccf16c
Merge pull request #1214 from tas-kmanager/mt-oscd-sigma547-48-alternative 
[OSCD] Always Install Elevated Alternative
 2021-01-06 00:22:37 +03:00
yugoslavskiy
a217a3cfc7
Merge pull request #1213 from alx1m1k/oscd 
[OSCD] T1552.003: Suspicious history file operations - Linux/macOS
 2021-01-06 00:21:19 +03:00
yugoslavskiy
066be03c19
Merge pull request #1212 from aleqs4ndr/oscd-2020 
[OSCD] Added a rule to detect possible Zerologon exploitation
 2021-01-06 00:21:12 +03:00
yugoslavskiy
29fe6e46d8
Merge pull request #1211 from zipa-original/win_persistence_telemetry 
[OSCD] Added a rule to detect abusing windows telemetry for persistence
 2021-01-06 00:20:51 +03:00
yugoslavskiy
c71e0ae0ea
Merge pull request #1209 from vburov/patch-15 
[OSCD] Create win_susp_multiple_files_renamed_or_deleted.yml
 2021-01-06 00:19:41 +03:00
yugoslavskiy
38661bbc10
Merge pull request #1208 from NikitaStormwind/RTT(17) 
[OSCD] Atomic Red Team: Detected Windows Software Discovery (T1518)
 2021-01-06 00:19:20 +03:00
yugoslavskiy
2cf1994763
Merge pull request #1206 from w0rk3r/oscd5 
[OSCD] Windows - Suspicious Service DACL Modification
 2021-01-06 00:18:53 +03:00
yugoslavskiy
aad2838f58
Merge pull request #1198 from tas-kmanager/mt-oscd-sigma547-50-rule2 
[OSCD] Always Install Elevated - Slide 50 - Rule 2
 2021-01-06 00:18:44 +03:00
yugoslavskiy
e0286abb62
Merge pull request #1197 from w0rk3r/oscd_rules_improvement2 
[OSCD] Small improvements on others rules
 2021-01-06 00:18:36 +03:00
yugoslavskiy
0b7babaa84
Merge pull request #1196 from tas-kmanager/mt-oscd-sigma547-50-rule1 
[OSCD] Always Install Elevated - Slide 50 - Rule 1
 2021-01-06 00:18:26 +03:00
yugoslavskiy
fc1fa23440
Merge pull request #1191 from vburov/patch-14 
[OSCD] Create powershell_cmdline_special_characters.yml
 2021-01-06 00:18:12 +03:00
yugoslavskiy
8e50eeb4a9
Merge pull request #1187 from nsaddler/lolbas108 
[OSCD] LOLBAS Manage-bde.yml
 2021-01-06 00:18:02 +03:00