valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,347 Commits 20 Branches 25 Tags 21 MiB
8916459bab
Commit Graph

2792 Commits

Author SHA1 Message Date
Florian Roth
a4bec724a6 rule: SonicWall exploitation 2021-01-25 11:54:23 +01:00
Bhabesh Rai
465ab713b0 Added rule for TerraMaster TOS CVE-2020-28188 2021-01-25 13:01:27 +05:45
Florian Roth
b62c705bf0 Improved UNC2452 activity rules 2021-01-22 09:18:11 +01:00
k-vdv
e4edf7bc1b fix service from system to security for rule win_pcap_drivers.yml 2021-01-22 09:10:02 +01:00
David Straßegger
6a6929cfb6 implemented rule for scheduled task deletion 2021-01-22 08:09:56 +01:00
Florian Roth
efa39eb18d
Merge pull request #1336 from Neo23x0/rule-devel 
rule: Raccine uninstall
 2021-01-21 18:17:31 +01:00
Florian Roth
4ad70f0aaa rule: Raccine uninstall 2021-01-21 17:59:17 +01:00
Florian Roth
492d931138
Merge pull request #1335 from Neo23x0/rule-devel 
rule: UNC2452 PowerShell pattern
 2021-01-21 09:20:22 +01:00
Florian Roth
c5a7558ca0 fix: fixed actor name in description 2021-01-21 09:19:51 +01:00
Florian Roth
a0b8eeac6f fix: minor issues 2021-01-20 18:52:50 +01:00
Florian Roth
8b319e3686 rule: UNC2452 PowerShell pattern 2021-01-20 18:51:49 +01:00
Florian Roth
cd4fbca66b
Merge pull request #1330 from d4rk-d4nph3/master 
Added Stealthy Office Persistence via VSTO
 2021-01-20 11:36:25 +01:00
Florian Roth
c00d3a8fe0
Merge pull request #1334 from Neo23x0/rule-devel 
rule: plink anomaly rules
 2021-01-20 11:36:16 +01:00
Bhabesh Rai
dac229a8bb Added rule for Oracle WebLogic Exploit CVE-2021-2109 2021-01-20 14:28:18 +05:45
Florian Roth
eedc483be4 rework: impossible rule with Sysmon 2021-01-19 14:12:40 +01:00
Florian Roth
fdc969385a rule: plink anomaly rules 2021-01-19 12:39:40 +01:00
Florian Roth
7162528a1a
docs: removed CVE 2021-01-15 13:25:10 +01:00
Florian Roth
3d2c6a118d
Merge pull request #1332 from 2d4d/master 
Add xHunt Campaign: BumbleBee Webshell
 2021-01-13 18:19:01 +01:00
Florian Roth
d58cdeab3a
Merge pull request #1331 from Neo23x0/rule-devel 
rule: NTFS vulnerability
 2021-01-12 09:09:33 +01:00
Arnim Rupp
b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth
cf37abee4d
docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp
5d80d634c3 Add xHunt Campaign: BumbleBee Webshell 
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 2021-01-11 19:44:07 +01:00
Florian Roth
a0fccf8647 rule: NTFS vulnerability 
https://twitter.com/jonasLyk/status/1347900440000811010
 2021-01-11 14:51:26 +01:00
Bhabesh Rai
93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth
c571285fd8
Merge pull request #1329 from Neo23x0/rule-devel 
Rule devel
 2021-01-09 11:32:36 +01:00
Florian Roth
63cc0d23c6 changes provided by FPT.EagleEye Team in 
https://github.com/Neo23x0/sigma/pull/1218/files
 2021-01-09 10:38:20 +01:00
Florian Roth
19171f5bed
Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule 
Split up cmstp rule into 3 separate rules and remove duplicates
 2021-01-09 10:30:33 +01:00
Florian Roth
947925d81f
Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic 
Update the azure image_load rule to be a generic sysmon rule
 2021-01-09 10:29:52 +01:00
Florian Roth
04f7766d7a
Merge pull request #1319 from hieuttmmo/master 
Detect Emotet DLL loading by looking rundll32.exe
 2021-01-09 10:29:24 +01:00
Florian Roth
1a8bb9c991
Merge pull request #1327 from 2d4d/master 
more AV event and suspicious commands
 2021-01-09 10:28:30 +01:00
Arnim Rupp
d5de3fe5f9 more AV event and suspicious commands 
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
 2021-01-07 17:54:19 +01:00
Florian Roth
30dcc28a1f Cisco ASA FTD Exploit CVE-2020-3452 2021-01-07 13:17:58 +01:00
yugoslavskiy
5ec4e42569
Merge pull request #1165 from w0rk3r/oscd3 
[OSCD] Updated win_etw_trace_evasion - Added new detections, Removed reference to deprecated rule and changed selections
 2021-01-06 00:12:22 +03:00
Florian Roth
ab408750ac
Merge pull request #1314 from Neo23x0/rule-devel 
rule: Lazarus activity
 2020-12-30 13:27:38 +01:00
Florian Roth
9ecaeb715f
Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock 
Fix missing product mouse lock
 2020-12-30 13:27:20 +01:00
ZikyHD
8a6b182fee
Update win_susp_adfind.yml 2020-12-29 14:41:46 +01:00
ZikyHD
ece829bb25
Update win_susp_adfind.yml 
Typo on field name
 2020-12-29 14:40:36 +01:00
Florian Roth
0a83f91386
Merge pull request #1321 from d4rk-d4nph3/master 
Fixed typo in file format
 2020-12-28 09:13:48 +01:00
Bhabesh Rai
bf77c8266a Fixed typo in file format 2020-12-28 11:46:02 +05:45
Florian Roth
896fc21911
Merge pull request #1320 from d4rk-d4nph3/master 
Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass
 2020-12-27 20:37:36 +01:00
Florian Roth
a6212a4490
style: some minor style changes 2020-12-27 20:06:19 +01:00
Bhabesh Rai
1cfad987b0 Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass 2020-12-27 17:34:49 +05:45
Florian Roth
43033ab874
Update win_susp_emotet_rudll32_execution.yml 2020-12-25 09:05:55 +01:00
Tran Trung Hieu
d551b88d5c Edit title convention 2020-12-25 14:21:26 +07:00
Tran Trung Hieu
4297e68704 Detect Emotet DLL loading by looking rundll32.exe 2020-12-25 14:09:40 +07:00
Daniel Masse
fedda17231 Update the azure image_load rule to be a generic sysmon rule 2020-12-23 16:29:49 -05:00
Daniel Masse
bf539fd1fe Revert "Fix bug changing the logsource service to category" 
This reverts commit 0f51e53d0e.
 2020-12-23 15:50:49 -05:00
Daniel Masse
71ea5c7437 Add missing product in logsource 2020-12-23 15:45:00 -05:00
Daniel Masse
0f51e53d0e Fix bug changing the logsource service to category 2020-12-23 15:12:31 -05:00
Daniel Masse
e4c052154d Remove unneeded file 2020-12-23 14:30:24 -05:00
Daniel Masse
d2edf715f2 Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00
Florian Roth
dedc34e91a fix: typos and description 2020-12-23 14:46:08 +01:00
Florian Roth
cdc29dfbe8 rule: Lazarus activity 2020-12-23 14:43:32 +01:00
Florian Roth
821af35557
Merge pull request #1313 from Neo23x0/rule-devel 
Rule devel
 2020-12-23 13:57:11 +01:00
Florian Roth
7286d01f78 fix: typo in rule 2020-12-23 13:26:44 +01:00
Florian Roth
80aa398392 rule: Lazarus group loaders 2020-12-23 13:25:16 +01:00
Florian Roth
e67d17a967 rule: improved solarwinds webshell rule 2020-12-22 10:36:34 +01:00
Florian Roth
f20f346a6a
Merge pull request #1264 from omkar72/sdev-1 
Adding 2 rules - Conhost & office test registry persistence
 2020-12-21 18:28:59 +01:00
Florian Roth
e78d7e6aee
Merge pull request #1296 from mat-gas/fix-references 
fix "references" field + add test for references in plural form
 2020-12-21 18:25:35 +01:00
Florian Roth
377454cb31
Merge pull request #1299 from tjgeorgen/patch-1 
ATT&CK subtechnique tag updates
 2020-12-21 18:24:00 +01:00
Florian Roth
35ab80b39e
Merge pull request #1306 from d4rk-d4nph3/master 
Added rule for Impacket's PsExec execution
 2020-12-21 18:23:41 +01:00
Florian Roth
9c8e1387a9 rule: Solarwinds SUPERNOVA web shell access 2020-12-17 09:05:08 +01:00
Bhabesh Rai
0a7e95954e Fix for fail build 2020-12-14 12:55:08 +05:45
Bhabesh Rai
63fb31882e Added rule for Impacket's PsExec execution 2020-12-14 12:48:26 +05:45
Florian Roth
80e1a5e7eb
Merge pull request #1292 from toffeebr33k/master 
Create 2 new rules on AWS Privilege Escalation and AWS Enumeration
 2020-12-13 19:06:44 +01:00
Florian Roth
1b0aaf62c3
Merge pull request #1266 from omkar72/ryuk 
modifying couple of rules
 2020-12-13 19:05:54 +01:00
Florian Roth
e2ade077ed
Merge pull request #1275 from bczyz1/patch-3 
update win_apt_slingshot.yml
 2020-12-13 19:04:47 +01:00
Florian Roth
5197f21ed1 fix: duplicate ID 2020-12-13 18:59:04 +01:00
Florian Roth
612008a4d8
fix identation 2020-12-11 18:40:17 +01:00
Tran Trung Hieu
edc79a8bb6 Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection 2020-12-11 15:17:23 +07:00
Florian Roth
cfe60d180b
Merge pull request #1301 from d4rk-d4nph3/master 
Added rule for Fortinet CVE-2018-13379 preauth file read exploitation.
 2020-12-08 11:09:51 +01:00
Florian Roth
b6d62b7a21
Merge pull request #1302 from Neo23x0/rule-devel 
TA505 Dropper, minor fix in PowerShell Rule
 2020-12-08 10:40:07 +01:00
Florian Roth
2c642c64d2
Removed a value 2020-12-08 10:38:32 +01:00
Florian Roth
a87a81d8cc
Update web_fortinet_cve_2018_13379_preauth_read_exploit.yml 2020-12-08 10:33:52 +01:00
Florian Roth
640470cefd TA505 Loader Rule 2020-12-08 10:15:30 +01:00
Bhabesh Rai
3ddf940812 Added rule for Fortinet CVE-2018-13379 preauth file read exploitation. 2020-12-08 14:46:47 +05:45
Florian Roth
540039cbc3 fix: Malicious Nishang PowerShell Commandlets FP with MDATP 2020-12-05 09:33:42 +01:00
tjgeorgen
1c6c3a36fe
include updated RDP att&ck tag 2020-12-04 11:59:23 -05:00
tjgeorgen
0eda1ab462
also update tag for folder variant 2020-12-04 11:42:05 -05:00
tjgeorgen
5208bdd65a
add new version of ATT&CK T1500 tag 2020-12-04 11:19:16 -05:00
OG
70fb078a56
Update sysmon_office_test_regadd.yml 2020-11-29 18:02:37 +05:30
OG
8e801ede32
Update win_susp_psexec_eula.yml 2020-11-29 17:45:29 +05:30
mat
b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Florian Roth
c6fc9de144 New Trickbot wermgr rule 2020-11-26 09:54:27 +01:00
Florian Roth
c111ab3141 Improved Trickbot recon rule 2020-11-26 09:54:13 +01:00
Florian Roth
b31ed47ccf Merge branch 'master' into devel 2020-11-26 09:44:56 +01:00
bczyz1
05398ae95e
change field newprocessname -> image 2020-11-23 13:43:19 +01:00
toffeebr33k
c8c4183678
Update aws_enum_listing.yml 2020-11-22 01:53:58 +08:00
toffeebr33k
3d0e1988c6
Update aws_enum_listing.yml 2020-11-22 01:41:20 +08:00
toffeebr33k
273590b151
Update aws_enum_listing.yml 2020-11-22 01:17:42 +08:00
toffeebr33k
52fca0fe3a
Update aws_enum_listing.yml 2020-11-22 01:05:56 +08:00
toffeebr33k
e764ca687a
Update aws_enum_listing.yml 2020-11-22 00:50:34 +08:00
toffeebr33k
00504ee186
Update aws_update_login_profile.yml 2020-11-22 00:42:25 +08:00
toffeebr33k
3dd1525b98
Update aws_update_login_profile.yml 2020-11-22 00:38:41 +08:00
toffeebr33k
6b65180464
Add files via upload 2020-11-22 00:33:47 +08:00
toffeebr33k
cff82ff79a
Delete aws_update_login_profile.yml 2020-11-22 00:33:17 +08:00
toffeebr33k
7e1c918b4d
Delete aws_enum_listing.yml 2020-11-22 00:32:59 +08:00
toffeebr33k
551764b630
Add files via upload 2020-11-22 00:26:17 +08:00
toffeebr33k
3dd25ddea4
Delete aws_update_login_profile.yml 2020-11-22 00:25:54 +08:00
toffeebr33k
fba9c12bb2
Delete aws_enum_listing.yml 2020-11-22 00:25:29 +08:00
toffeebr33k
6c1f3f5969
Update aws_update_login_profile.yml 2020-11-21 23:45:10 +08:00
toffeebr33k
70e725e82e
Update aws_enum_listing.yml 2020-11-21 23:44:14 +08:00
toffeebr33k
596d1b6e4c
Update aws_update_login_profile.yml 2020-11-21 23:29:49 +08:00
toffeebr33k
a786ebd04b
Update aws_enum_listing.yml 2020-11-21 23:28:57 +08:00
toffeebr33k
1ca903b168
Update aws_enum_listing.yml 2020-11-21 23:22:07 +08:00
toffeebr33k
7f61591865
Add files via upload 2020-11-21 23:12:50 +08:00
bczyz1
193021eff8
Update win_apt_slingshot.yml 
fix condition
 2020-11-20 09:19:03 +01:00
Florian Roth
af4d546408
Merge pull request #1282 from Neo23x0/rule-devel 
fix: FPs with notepad++ GUP rule
 2020-11-10 13:39:28 +01:00
Florian Roth
2e9d7951a6
Merge pull request #1272 from bczyz1/patch-2 
Fix typo in win_apt_lazarus_session_hijack.yml
 2020-11-10 13:35:08 +01:00
Florian Roth
f6c0fb2d33 fix: FPs with notepad++ GUP rule 2020-11-09 16:34:12 +01:00
Florian Roth
c3785d6dc7 rule: FPs with WmiPrvSE rule 2020-11-05 16:44:33 +01:00
bczyz1
c554aaea8f
update win_apt_slingshot.yml 
- optimized rule
- added detection of task modification (flag /change + /disable as described here https://stackoverflow.com/questions/26169582/does-anyone-know-of-a-way-to-turn-off-windows-defragmenters-default-schedule-us)
 2020-11-05 15:51:22 +01:00
Florian Roth
908023fa66 rule: added second expression 2020-11-04 16:43:35 +01:00
bczyz1
4a5b2d642e
Fix typo in win_apt_lazarus_session_hijack.yml 2020-11-03 14:46:29 +01:00
Florian Roth
f848bb912c rule: reworked weblogic CVE-2020-14882 rule 2020-11-03 10:39:40 +01:00
Florian Roth
dd0d1d053c rule: WebLogic exploit CVE-2020-14882 2020-11-02 11:11:37 +01:00
omkargudhate22
f1bb9726ca
updated mitre tag 2020-10-30 13:35:40 +05:30
omkar72
86a849728d ryuk changes 2020-10-30 13:15:11 +05:30
omkargudhate22
df07d53fea
formatting values 2020-10-25 18:23:29 +05:30
omkargudhate22
06890ba28b
update title 2020-10-25 15:10:12 +05:30
omkar72
021842eaa3 office test reg 2020-10-25 12:36:08 +05:30
omkar72
42de51cadc conhost executions 2020-10-25 12:33:59 +05:30
Florian Roth
75637324e0
feat: cover newest emotet campaigns 2020-10-23 23:44:48 +02:00
Florian Roth
ee789a309c fix: FP with expression 2020-10-20 13:11:10 +02:00
Florian Roth
198b292c26 rule: emotet encoded commands 2020-10-20 12:51:58 +02:00
Florian Roth
48f1be04d4 fix: ping hex ip rule 2020-10-16 10:06:24 +02:00
Jonhnathan
8f6ad7df6b
Update win_etw_trace_evasion.yml 2020-10-15 09:22:13 -03:00
Jonhnathan
043033c1b7
Update win_etw_trace_evasion.yml 2020-10-13 22:59:06 -03:00
Jonhnathan
ac1a6927ad
Update win_etw_trace_evasion.yml 2020-10-13 22:55:13 -03:00
Jonhnathan
e3446b873a
Correct duplicated selection 2020-10-13 22:54:30 -03:00
Jonhnathan
b1c9871b74
Add Additional detections for other techniques 2020-10-13 22:51:48 -03:00
Jonhnathan
a01c08f617
Removed reference to deprecated rule and improve logic 2020-10-13 17:45:35 -03:00
Jonhnathan
4c75d22d93 Revert "Create win_susp_replace_lolbin.yml" 
This reverts commit e6a6549676.
 2020-10-13 17:40:10 -03:00
Jonhnathan
1455d414bc Revert "Changed the rule to download only and not the copy" 
This reverts commit 1324bc1ad1.
 2020-10-13 17:40:07 -03:00
Florian Roth
3affdd12e0 fix: rule title casing 2020-10-12 09:51:35 +02:00
Florian Roth
0d0cda0f86 docs: improved false positive notes 2020-10-12 09:18:42 +02:00
Florian Roth
e7c6794ecd rule: suspicious wmic process call create + rundll32 2020-10-12 09:18:30 +02:00
Florian Roth
2e732eb01f Merge branch 'master' into rule-devel 2020-10-12 09:13:24 +02:00
Vasiliy Burov
e10771652b
Update win_disable_event_logging.yml 2020-10-09 18:27:04 +03:00
Vasiliy Burov
c77a190a6b
Update win_susp_eventlog_cleared.yml 
Added events about security log clearance. Also, I think that the rule "sigma/rules/windows/builtin/win_susp_security_eventlog_cleared.yml" can be deleted.
 2020-10-09 16:51:18 +03:00
Jonhnathan
1324bc1ad1
Changed the rule to download only and not the copy 2020-10-07 16:18:21 -03:00
Jonhnathan
e6a6549676
Create win_susp_replace_lolbin.yml 
Item 77 of #1014
 2020-10-07 10:37:15 -03:00
Florian Roth
c56cd2dfff
Merge pull request #1024 from omkar72/master 
Com hijack shell folder
 2020-10-02 09:24:16 +02:00
omkargudhate22
4487d9cc7e
added event type & changed technique 2020-10-02 09:22:14 +05:30
Florian Roth
d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted 
https://github.com/Neo23x0/sigma/issues/1028
 2020-09-30 08:53:52 +02:00
Florian Roth
c17ca6d5fe
Merge pull request #1018 from savvyspoon/wcry-dns 
WannaCry Killswitch domain DNS query
 2020-09-29 09:27:21 +02:00
omkargudhate22
68a992d903
updated name 2020-09-27 21:57:19 +05:30
omkargudhate22
e7c8197e34
Updated fields & renamed 2020-09-27 21:52:59 +05:30
omkargudhate22
ebe3dce1d7
Update sysmon_comhijack_uac_bypass.yml 2020-09-27 21:44:41 +05:30
omkar72
3f148e6c7c COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt. 2020-09-27 21:19:04 +05:30