valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,781 Commits 20 Branches 25 Tags 21 MiB
7ddb63ec1b
Commit Graph

1892 Commits

Author SHA1 Message Date
Florian Roth
7ddb63ec1b fix: FPs with McAfee and CyberReason 2020-09-02 12:30:34 +02:00
Florian Roth
7d3a6293f5 rule: Snatch ransomware 2020-08-26 09:42:34 +02:00
Florian Roth
da54e89f30
Merge pull request #976 from diskurse/rule-devel 
Rule devel
 2020-08-17 15:02:31 +02:00
Florian Roth
8a02541b0a
style: removed lists where unnecessary 2020-08-17 15:02:16 +02:00
Florian Roth
6dc8dbb6d8
style: removed lists where unnecessary 2020-08-17 15:01:52 +02:00
Cian Heasley
b378b3d62b
win_mouse_lock.yml 
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 2020-08-13 12:09:07 +01:00
Cian Heasley
d1e9f01d23
win_dnscat2_powershell_implementation.yml 
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
 2020-08-13 12:06:48 +01:00
Florian Roth
052379a512 fix: tightened TAIDOOR rule 2020-08-04 14:37:18 +02:00
Florian Roth
c4953409aa rule: TAIDOOR malware load 
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 2020-08-04 14:31:29 +02:00
Florian Roth
df3bfb1b37 rule: Winnti Pipemon 2020-07-30 18:55:47 +02:00
Florian Roth
5abf101c0b
Merge pull request #954 from Neo23x0/rule-devel 
Rule devel
 2020-07-28 10:22:52 +02:00
Florian Roth
8970d03f6f
Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00
Florian Roth
80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
IPv777
77a8ac59ef
remove duplicate 2020-07-24 16:38:08 +02:00
Ryan Plas
aa548ba1a9 Add quotes due to a colon in the falsepositives string 2020-07-23 23:33:36 -04:00
Ryan Plas
e52489aaf6 Change production status to stable 2020-07-23 23:33:36 -04:00
Florian Roth
8a4b53eb3a fix: rule leads to FPs on systems that don't log the cmdline parameters 2020-07-23 17:04:16 +02:00
Florian Roth
951c6fee8b
Update sysmon_password_dumper_lsass.yml 2020-07-23 14:31:21 +02:00
Daniel Masse
13cf0488ae Add 'contains' for the ps encoded chars rule 2020-07-22 10:49:22 -04:00
Florian Roth
769a9212a5
Merge pull request #943 from diskurse/rule-devel 
Webshell Recon Detection Via CommandLine & ProcessesAdd files via upload
 2020-07-22 13:02:44 +02:00
Cian Heasley
023bf76363
Add files via upload 
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
 2020-07-22 09:05:50 +01:00
Aidan Bracher
ff3f9fe9b3 Updated tags 2020-07-18 03:02:43 +01:00
Aidan Bracher
1fd73a23b2 Updated tags with sub-techniques 2020-07-18 03:01:34 +01:00
Aidan Bracher
4ac1058ab5 Updated tags 2020-07-18 03:01:11 +01:00
Aidan Bracher
4ffe9cb042 Updated tags with sub-techniques 2020-07-18 02:53:46 +01:00
Aidan Bracher
3bd768e49b Updated tags with sub-techniques 2020-07-18 02:52:15 +01:00
Aidan Bracher
dcf20e580d Updated tags to include sub-techniques 2020-07-18 02:50:57 +01:00
Aidan Bracher
1442812681 Updated tags 2020-07-18 02:44:53 +01:00
Aidan Bracher
2d227a08c5 Updated suspicious service with sub-techniques 2020-07-18 02:40:22 +01:00
Aidan Bracher
97452a9df3 Update to include sub-technique mapping 2020-07-18 02:38:47 +01:00
Aidan Bracher
30bd591c96 Update win_apt_ke3chang to include sub-techniques 2020-07-18 02:37:56 +01:00
Aidan Bracher
ad9a8ff956 Updated to include extra registry key 2020-07-18 02:37:11 +01:00
Aidan Bracher
ea1b2ae59f Updated invoke_phantom with sub-technique mapping 2020-07-18 02:32:42 +01:00
Aidan Bracher
23dd2e3cac Updated to include sub-technique mapping 2020-07-18 02:29:58 +01:00
Aidan Bracher
2006aa8f5e Inclusion of registry keys for WinDefender disabling 2020-07-18 02:23:30 +01:00
Florian Roth
3025d6850c
Merge pull request #932 from rtkdmasse/rule-selection-typos 
Change the selection from Command to CommandLine in a couple of rules
 2020-07-16 09:10:15 +02:00
Florian Roth
992bf676f9
Update sysmon_apt_pandemic.yml 2020-07-16 08:48:32 +02:00
Florian Roth
b1de627e94
Update win_apt_zxshell.yml 2020-07-16 08:47:24 +02:00
Daniel Masse
0489a50bd0 Change the selection from Command to CommandLine in a couple of rules 2020-07-15 15:55:26 -04:00
Florian Roth
f8e10273ef
Merge pull request #929 from Neo23x0/pr/919 
Pr/919
 2020-07-15 21:30:57 +02:00
Florian Roth
d0c09f10a9 changed newline character to LF 2020-07-15 16:46:44 +02:00
Ryan Plas
de53a08746 Merge branch 'master' of github.com:Neo23x0/sigma 2020-07-15 10:27:33 -04:00
Florian Roth
8f66803ddf
Merge pull request #927 from Neo23x0/rule-devel 
improved CVE-2020-1350 rule
 2020-07-15 12:06:31 +02:00
Florian Roth
1c103a749f fix: more FPs based on feedback 
https://twitter.com/GossiTheDog/status/1283341486680166400
 2020-07-15 12:05:50 +02:00
Florian Roth
c2eb110fca fix: more exact patterns 2020-07-15 11:56:11 +02:00
Florian Roth
ae7fbb9245 fix: false positive filters based on SOC Prime's rule 2020-07-15 11:49:20 +02:00
Florian Roth
e5a34a965c
Merge pull request #926 from Neo23x0/rule-devel 
rule: CVE-2020-1350
 2020-07-15 11:19:07 +02:00
Florian Roth
80639afd43 rule: CVE-2020-1350 2020-07-15 11:03:31 +02:00
Florian Roth
c7e412788a
Merge pull request #924 from Neo23x0/devel 
Live MITRE ATT&CK data from TAXI service in Test Scripts
 2020-07-14 18:15:29 +02:00
Florian Roth
38c29977ff
Merge pull request #925 from Neo23x0/rule-devel 
fix: issue reported as https://github.com/Neo23x0/sigma/issues/923
 2020-07-14 18:14:51 +02:00