Commit Graph

179 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| frack113 | 895a2f6154 | fix 3 times the same name file | 2021-07-02 11:01:07 +02:00 |
| Florian Roth | b09efee045 | Merge pull request #1600 from SigmaHQ/rule-devel (rule: suspicious printer driver - empty manufacturer) | 2021-07-01 16:46:09 +02:00 |
| Florian Roth | e97bdf36f9 | rule: suspicious printer driver - empty manufacturer | 2021-07-01 13:55:21 +02:00 |
| Wojciech Lesicki | 7c8f9b2d8c | Merge branch 'SigmaHQ:master' into master | 2021-06-29 11:05:42 +02:00 |
| WojciechLesicki | 8b2881328f | CobaltStrike Service Installations in Registry | 2021-06-29 10:52:10 +02:00 |
| Andreas Hunkeler | 756b8eed26 | Add Synergy as possible FP for PortProxy key | 2021-06-28 12:10:16 +02:00 |
| Andreas Hunkeler | 366d83ab44 | Add fp note to PortProxy rules | 2021-06-24 11:21:29 +02:00 |
| Andreas Hunkeler | ed41125f70 | fix: remove duplicate status in portproxy reg rule | 2021-06-22 08:28:17 +02:00 |
| Andreas Hunkeler | cd0b46ab62 | rule: add port proxy registry rule and add references | 2021-06-22 08:16:56 +02:00 |
| Hasan | 33fcfd71bb | Merge fixes for Rules | 2021-06-16 10:45:20 +05:00 |
| Hasan | fabcb6c3c6 | Removed asterisks from filter | 2021-06-16 10:42:29 +05:00 |
| Hasan | 415ced0023 | Corrected MITRE reference tag | 2021-06-15 19:07:50 +05:00 |
| Hasan | f079556067 | Removed GUID phrase from description | 2021-06-15 17:14:32 +05:00 |
| Hasan | 1764714e26 | Rule to detect new TaskCache Entry | 2021-06-15 17:08:14 +05:00 |
| Tobias Michalski | 1f52763878 | Removed EventIDs | 2021-06-10 16:41:00 +02:00 |
| Tobias Michalski | e8c38a9d6c | Renamed file to all lowercase | 2021-06-10 16:35:02 +02:00 |
| Tobias Michalski | 56d200bad0 | Fixed meta information | 2021-06-10 12:44:19 +02:00 |
| Tobias Michalski | bbc8633c67 | Merge branch 'master' of github.com:humpalum/sigma | 2021-06-10 11:32:08 +02:00 |
| Tobias Michalski | 4d6e7e1338 | Rules persistence by exploiting Outlook or Exchange | 2021-06-10 11:26:21 +02:00 |
| frack113 | c1f43cc4ca | T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features | 2021-06-08 09:32:01 +02:00 |
| frack113 | 43ccc07ad0 | T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection | 2021-06-07 10:09:21 +02:00 |
| Florian Roth | d41825766a | Merge pull request #1529 from SigmaHQ/rule-devel (fix: FPs with Volume Shadow Copy Service Keys) | 2021-06-03 20:49:31 +02:00 |
| Florian Roth | 7812ff51d3 | fix: FPs with Volume Shadow Copy Service Keys | 2021-06-02 13:04:05 +02:00 |
| Florian Roth | 736eeabf9f | Merge pull request #1527 from SigmaHQ/rule-devel (fix: rule FPs with Stealthy VSTO Persistence) | 2021-06-01 18:18:22 +02:00 |
| Florian Roth | 34cf1333de | fix: rule FPs with Stealthy VSTO Persistence | 2021-06-01 13:58:35 +02:00 |
| frack113 | 179bfa7d56 | duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 (sysmon_susp_webdav_client_execution.yml, sysmon_wdigest_enable_uselogoncredential.yml) | 2021-05-27 20:59:26 +02:00 |
| Florian Roth | 059e669ac6 | Merge pull request #1496 from frack113/falsepositives_NOT_a_list (Fix rule where Falsepositives not a valid value) | 2021-05-27 12:51:54 +02:00 |
| Florian Roth | b5352ac5f7 | fix: duplicate UUIDs | 2021-05-27 10:29:21 +02:00 |
| Florian Roth | adbdb5b22f | Merge branch 'master' into falsepositives_NOT_a_list | 2021-05-27 10:23:19 +02:00 |
| Florian Roth | 8aabb58eca | Merge pull request #1498 from w0rk3r/otrf (Update broken OTRF Threat Hunter Playbook References) | 2021-05-26 13:06:16 +02:00 |
| frack113 | 3717c68bb7 | fix typo of level | 2021-05-24 10:45:58 +02:00 |
| Jonhnathan | 687f2d67fc | Update Threat Hunter Playbook Reference | 2021-05-22 01:09:30 -03:00 |
| frack113 | cabaccceb8 | Fix falsepositives list | 2021-05-21 11:15:10 +02:00 |
| frack113 | dfe7e4e38c | Fix falsepositives list | 2021-05-21 11:12:04 +02:00 |
| frack113 | 70a5c8bb5f | registry_event is a category | 2021-05-12 08:51:38 +02:00 |
| frack113 | 026320f613 | registry_event is a category | 2021-05-12 08:36:42 +02:00 |
| phantinuss | da533c7425 | fixed title capitalization | 2021-05-05 15:22:09 +02:00 |
| phantinuss | 254a3bb122 | new rules detecting the creation of a local hidden user | 2021-05-05 15:12:07 +02:00 |
| Florian Roth | 0e9176776d | refactor: moved rule | 2021-05-05 12:11:59 +02:00 |
| SomeOne | 4aae26cabd | Grouping filters | 2021-05-01 21:05:34 +02:00 |
| SomeOne | 80dc6aaf59 | Add FP and fix filters | 2021-05-01 20:54:26 +02:00 |
| Florian Roth | d24f0b8988 | feat: generic registry events compatible with native audit logging | 2021-04-26 09:31:36 +02:00 |
| Florian Roth | c7ce9154d1 | Merge pull request #1030 from stevengoossensB/master (Updated sysmon config and rewrite rules to use categories) | 2021-04-23 16:52:25 +02:00 |
| Steven | d263b937b4 | Clean-up service: sysmon as it will be replaced by filling the category | 2021-04-15 02:02:25 +02:00 |
| Steven | 7b679cc1f7 | Modified rules to use categories instead of hardcoded event IDs; added file_delete category (Sysmon Event ID 23) to the generic translation file | 2021-04-15 01:40:31 +02:00 |
| Roberto Rodriguez | db0e969121 | HybridConnectionMgr Service Activity | 2021-04-12 16:26:15 -04:00 |
| Thomas Patzke | 3fef2a10b8 | Merge branch 'pr-1158' | 2021-04-08 23:01:54 +02:00 |
| Thomas Patzke | a10db2df89 | Fixes & improvements | 2021-04-08 01:06:40 +02:00 |
| Thomas Patzke | 90efe974b8 | Fixes and improvements | 2021-04-03 00:08:55 +02:00 |
| Anton Kutepov | d7ef865bb9 | Merge remote-tracking branch 'upstream/master' and fix conflicts | 2021-03-07 23:36:13 +03:00 |