Commit Graph

6228 Commits

Author SHA1 Message Date
WojciechLesicki
90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki
cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
Florian Roth
503df46968
Merge pull request #1518 from frack113/duplicate_uuid
Last two duplicate UUIDs
2021-05-28 09:29:26 +02:00
frack113
9a0604029e duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d
- win_cobaltstrike_service_installs.yml
- win_mal_service_installs.yml
2021-05-27 21:06:07 +02:00
frack113
179bfa7d56 duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
- sysmon_susp_webdav_client_execution.yml
- sysmon_wdigest_enable_uselogoncredential.yml
2021-05-27 20:59:26 +02:00
Florian Roth
06a84350ae
Merge pull request #1517 from SigmaHQ/rule-devel
rule: suspicious programs - no DLL in command line
2021-05-27 19:50:12 +02:00
Florian Roth
39900bb7c5 refactor: re-add exec selection 2021-05-27 19:24:20 +02:00
Florian Roth
9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth
c3ab7d19f1
Merge pull request #1515 from jbeley/master
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
2021-05-27 18:22:16 +02:00
Florian Roth
431f34b985 fix: other locations
https://twitter.com/ber_m1ng/status/1397948048135778309
2021-05-27 18:12:20 +02:00
Florian Roth
a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth
fa45298474
Merge pull request #1516 from SigmaHQ/rule-devel
Update win_susp_regedit_trustedinstaller.yml
2021-05-27 17:48:48 +02:00
Jeff Beley
f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth
61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth
71625c54f0
Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
2021-05-27 16:30:30 +02:00
Florian Roth
d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth
d5e8d1153f fix: missing condition 2021-05-27 15:04:13 +02:00
Florian Roth
7ce7095c2c fix: title with lower case letters 2021-05-27 15:01:32 +02:00
Florian Roth
6e31bc3037
Merge pull request #1485 from V1D1AN/master
Update ecs-zeek-elastic-beats-implementation.yml
2021-05-27 14:59:14 +02:00
Florian Roth
5cf7078fb3
Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
2021-05-27 12:55:31 +02:00
Florian Roth
ea430c8823
Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
2021-05-27 12:55:03 +02:00
Florian Roth
8d834cf681
Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access
Add Windows Defender on WL
2021-05-27 12:54:15 +02:00
Florian Roth
d8827fc29d
Merge pull request #1481 from ZikyHD/improve_win_tool_psexec
Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule
2021-05-27 12:53:56 +02:00
Florian Roth
1bf9546fad
Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file
Exclude dism.exe
2021-05-27 12:53:27 +02:00
Florian Roth
9239690ef3
Merge pull request #1488 from dacelbot/master
Contribute AWS snapshot exfiltration rule
2021-05-27 12:52:46 +02:00
Florian Roth
a80c29a7c2
Merge pull request #1491 from w0rk3r/patch-1
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
2021-05-27 12:52:14 +02:00
Florian Roth
059e669ac6
Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives is not a valid value
2021-05-27 12:51:54 +02:00
Florian Roth
e397a2974e
Merge pull request #1511 from frack113/fix_missing_eventid_Obfuscation
Fix missing eventid when converting windows obfuscation rules
2021-05-27 12:51:22 +02:00
Florian Roth
3cd2730a26 rule: process hacker priv esc 2021-05-27 12:49:54 +02:00
Florian Roth
c0b93a010c NCCGroup rules from rclone blog post
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
2021-05-27 12:49:40 +02:00
Florian Roth
f16aca7a35
Merge pull request #1512 from SigmaHQ/rule-devel
duplicate UUIDs, regedit as trusted installer
2021-05-27 12:42:36 +02:00
Florian Roth
7812a4217c rule: regedit as trustedinstaller 2021-05-27 11:36:05 +02:00
Florian Roth
b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth
ffeda2a2a2
Merge pull request #1492 from frack113/es_rule_uuid
Fix errors when importing es-rule ndjson to KIBANA
2021-05-27 10:24:39 +02:00
Florian Roth
adbdb5b22f
Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Florian Roth
f98716c672
Merge pull request #1500 from frack113/sigmac_add_time_filter
Sigmac add new filter
2021-05-27 10:16:19 +02:00
frack113
2a68700991 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:43:08 +02:00
frack113
30cc64a349 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:41:19 +02:00
frack113
e4c32c353a use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:39:16 +02:00
frack113
a878f3b0a5 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:36:47 +02:00
frack113
cbce61bc8c use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:34:46 +02:00
frack113
8d8df10687 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:31:57 +02:00
frack113
ce53a5a67b use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:30:00 +02:00
frack113
417da3ac95 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:28:06 +02:00
frack113
f0d1c9aa7d use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:26:08 +02:00
frack113
788ebbafdc use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:20:29 +02:00
Florian Roth
fb07b204b4
Merge pull request #1510 from SigmaHQ/rule-devel
CobaltStrike Pipe Rule Changes
2021-05-26 18:30:34 +02:00
Florian Roth
a5fe7af25f Cobalt Strike Service Installation 2021-05-26 18:05:38 +02:00
Florian Roth
c1cebe627a refactor: reworked CS pipe rule 2021-05-26 17:22:34 +02:00
Florian Roth
d06f2bcf14 fix: sysmon backend "startswith" 2021-05-26 15:42:16 +02:00