SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00

Author	SHA1	Message	Date
Jonhnathan	7f5c75ab3e	Update win_apt_hurricane_panda.yml	2020-10-15 17:30:34 -03:00
Jonhnathan	0926d76449	Update win_apt_equationgroup_dll_u_load.yml	2020-10-15 17:29:44 -03:00
Jonhnathan	8b593aa309	Update win_apt_empiremonkey.yml	2020-10-15 17:29:19 -03:00
Jonhnathan	00232982b2	Update win_apt_emissarypanda_sep19.yml	2020-10-15 17:28:33 -03:00
Jonhnathan	54f1a0c583	Update win_apt_elise.yml	2020-10-15 17:28:07 -03:00
Jonhnathan	d074ea110f	Update win_apt_dragonfly.yml	2020-10-15 17:27:42 -03:00
Jonhnathan	5eac9e5161	Update win_apt_cloudhopper.yml	2020-10-15 17:27:27 -03:00
Jonhnathan	2cdead8778	Update win_apt_chafer_mar18.yml	2020-10-15 17:26:58 -03:00
Jonhnathan	96ef4733c3	Update win_apt_bluemashroom.yml	2020-10-15 17:25:17 -03:00
Jonhnathan	ca31849be1	Update win_apt_bear_activity_gtr19.yml	2020-10-15 17:24:56 -03:00
Jonhnathan	10522becc3	Update win_apt_apt29_thinktanks.yml	2020-10-15 17:24:03 -03:00
Jonhnathan	bc1efd9843	Update sysmon_logon_scripts_userinitmprlogonscript_proc.yml	2020-10-15 17:23:44 -03:00
Jonhnathan	e0c538fdd4	Update sysmon_malware_verclsid_shellcode.yml	2020-10-15 17:19:06 -03:00
Jonhnathan	93faca413e	Update sysmon_lsass_memdump.yml	2020-10-15 17:17:57 -03:00
Jonhnathan	af5c88e5d5	Update sysmon_lazagne_cred_dump_lsass_access.yml	2020-10-15 17:17:39 -03:00
Jonhnathan	a554c3df23	Update sysmon_invoke_phantom.yml	2020-10-15 17:17:19 -03:00
Jonhnathan	1878aa5fbd	Update sysmon_cmstp_execution.yml	2020-10-15 17:16:50 -03:00
Jonhnathan	ce4e22750d	Update powershell_winlogon_helper_dll.yml	2020-10-15 17:15:23 -03:00
Jonhnathan	efe9c2d3d6	Update powershell_shellcode_b64.yml	2020-10-15 17:14:01 -03:00
Jonhnathan	013533fceb	Update powershell_prompt_credentials.yml	2020-10-15 17:13:16 -03:00
Jonhnathan	8cf2596068	Update powershell_malicious_keywords.yml	2020-10-15 17:12:08 -03:00
Jonhnathan	ec10d5a61f	Update powershell_malicious_commandlets.yml	2020-10-15 17:11:20 -03:00
Jonhnathan	4a3607d50b	Update powershell_exe_calling_ps.yml	2020-10-15 17:09:47 -03:00
Jonhnathan	09c43b7517	Update win_wmi_persistence.yml	2020-10-15 17:08:15 -03:00
Jonhnathan	b769728d0b	Update win_pcap_drivers.yml	2020-10-15 17:07:22 -03:00
Jonhnathan	fb851e1f41	Update sysmon_win_binary_susp_com.yml	2020-10-15 16:27:01 -03:00
Jonhnathan	5dc02f3a87	Update sysmon_win_binary_github_com.yml	2020-10-15 16:26:28 -03:00
Jonhnathan	554adb8562	Update sysmon_susp_rdp.yml	2020-10-15 16:25:58 -03:00
Jonhnathan	71785b91b5	Update sysmon_susp_prog_location_network_connection.yml	2020-10-15 16:25:25 -03:00
Jonhnathan	9c58db9271	Update sysmon_rundll32_net_connections.yml	2020-10-15 16:24:38 -03:00
Jonhnathan	bbf0210f70	Update sysmon_rdp_reverse_tunnel.yml	2020-10-15 16:23:17 -03:00
Jonhnathan	689bea2681	Update sysmon_powershell_network_connection.yml	2020-10-15 16:22:13 -03:00
Jonhnathan	e20027965f	Update sysmon_notepad_network_connection.yml	2020-10-15 16:21:38 -03:00
Jonhnathan	b479cbdb10	Update sysmon_malware_backconnect_ports.yml	2020-10-15 16:20:27 -03:00
Jonhnathan	22e5f83a6c	Update sysmon_dllhost_net_connections.yml	2020-10-15 16:19:43 -03:00
Jonhnathan	acfe0633e2	Update win_mal_ursnif.yml	2020-10-15 16:18:38 -03:00
Jonhnathan	983e9cb9ae	Update win_mal_ryuk.yml	2020-10-15 16:18:14 -03:00
Jonhnathan	8d44548a2c	Update win_mal_flowcloud.yml	2020-10-15 16:16:08 -03:00
Jonhnathan	ef646e74d8	Update mal_azorult_reg.yml	2020-10-15 16:15:25 -03:00
Jonhnathan	69c90570ec	Update av_webshell.yml	2020-10-15 16:14:08 -03:00
Jonhnathan	cdaa5ef3a6	Update av_relevant_files.yml	2020-10-15 16:13:22 -03:00
Jonhnathan	7dc720cf13	Update av_password_dumper.yml	2020-10-15 16:11:52 -03:00
Jonhnathan	dea145cd5e	Update av_exploiting.yml	2020-10-15 16:11:24 -03:00
Jonhnathan	7adfd75c0a	Update sysmon_svchost_dll_search_order_hijack.yml	2020-10-15 16:10:23 -03:00
Jonhnathan	b6cf10fdd2	Update sysmon_susp_winword_wmidll_load.yml	2020-10-15 16:09:44 -03:00
Jonhnathan	efe5ad92c3	Update sysmon_susp_winword_vbadll_load.yml	2020-10-15 16:09:21 -03:00
Jonhnathan	7c196aed22	Update sysmon_susp_office_kerberos_dll_load.yml	2020-10-15 16:09:03 -03:00
Jonhnathan	38ef5976dc	Update sysmon_susp_office_dsparse_dll_load.yml	2020-10-15 16:08:55 -03:00
Jonhnathan	8aa2f8582b	Update sysmon_susp_office_dsparse_dll_load.yml	2020-10-15 16:07:46 -03:00
Jonhnathan	4de241d44c	Update sysmon_susp_office_dotnet_gac_dll_load.yml	2020-10-15 16:07:10 -03:00
Jonhnathan	ecbec06709	Update sysmon_susp_office_dotnet_clr_dll_load.yml	2020-10-15 16:06:47 -03:00
Jonhnathan	0d4f372351	Update sysmon_susp_office_dotnet_assembly_dll_load.yml	2020-10-15 16:06:21 -03:00
Jonhnathan	1136725728	Update sysmon_susp_image_load.yml	2020-10-15 16:05:50 -03:00
Jonhnathan	56594a5a06	Update sysmon_mimikatz_inmemory_detection.yml	2020-10-15 16:05:11 -03:00
Jonhnathan	569f14eb1e	Update sysmon_tsclient_filewrite_startup.yml	2020-10-15 16:02:52 -03:00
Jonhnathan	7d5e404b32	Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml	2020-10-15 16:02:16 -03:00
Jonhnathan	5790cc2ea7	Update sysmon_susp_adsi_cache_usage.yml	2020-10-15 16:01:46 -03:00
Jonhnathan	9eedeabda9	Update sysmon_quarkspw_filedump.yml	2020-10-15 16:01:24 -03:00
Jonhnathan	d2d49c445a	Update sysmon_powershell_exploit_scripts.yml	2020-10-15 16:00:20 -03:00
Jonhnathan	b6b34b37d9	Update sysmon_ghostpack_safetykatz.yml	2020-10-15 15:59:09 -03:00
Jonhnathan	099843470e	Update sysmon_creation_system_file.yml	2020-10-15 15:58:10 -03:00
Jonhnathan	427962937b	Update sysmon_susp_driver_load.yml	2020-10-15 15:57:05 -03:00
Jonhnathan	1cd56f5dae	Update win_vul_cve_2020_0688.yml	2020-10-15 15:56:36 -03:00
Jonhnathan	ef3af551e9	Update win_user_driver_loaded.yml	2020-10-15 15:56:16 -03:00
Jonhnathan	4e70b2d797	Update win_user_added_to_local_administrators.yml	2020-10-15 15:55:21 -03:00
Jonhnathan	c0892c63c8	Update win_svcctl_remote_service.yml	2020-10-15 15:54:47 -03:00
Jonhnathan	d96bd0d9f3	Update win_susp_wmi_login.yml	2020-10-15 15:54:21 -03:00
Jonhnathan	496cfcb26a	Update win_susp_sdelete.yml	2020-10-15 15:53:51 -03:00
Jonhnathan	600c7057b1	Update win_susp_sam_dump.yml	2020-10-15 15:53:26 -03:00
Jonhnathan	754e67c0d9	Update win_susp_rc4_kerberos.yml	2020-10-15 15:52:48 -03:00
Jonhnathan	43a56b6759	Update win_susp_raccess_sensitive_fext.yml	2020-10-15 15:51:57 -03:00
Jonhnathan	054255fb17	Update win_susp_psexec.yml	2020-10-15 15:51:16 -03:00
Jonhnathan	dae1f3fa71	Update win_susp_ntlm_rdp.yml	2020-10-15 15:50:44 -03:00
Jonhnathan	9b8817f489	Update win_susp_msmpeng_crash.yml	2020-10-15 15:50:01 -03:00
Jonhnathan	c310d72e2b	Update win_susp_mshta_execution.yml	2020-10-15 15:49:39 -03:00
Jonhnathan	7419396351	Update win_susp_mshta_execution.yml	2020-10-15 15:49:26 -03:00
Jonhnathan	1eb0ccbf14	Update win_susp_local_anon_logon_created.yml	2020-10-15 15:48:36 -03:00
Jonhnathan	e089118718	Update win_possible_dc_shadow.yml	2020-10-15 15:45:55 -03:00
Jonhnathan	6961ee4986	Update win_net_ntlm_downgrade.yml	2020-10-15 15:44:24 -03:00
Jonhnathan	8261737728	Update win_mmc20_lateral_movement.yml	2020-10-15 15:42:07 -03:00
Jonhnathan	8f3542a73e	Update win_mal_wceaux_dll.yml	2020-10-15 15:41:13 -03:00
Jonhnathan	9bfd63ec26	Update win_hack_smbexec.yml	2020-10-15 15:20:08 -03:00
Jonhnathan	e5789a2a52	Update win_dcsync.yml	2020-10-15 15:19:18 -03:00
Jonhnathan	777e49b76c	Update win_av_relevant_match.yml	2020-10-15 15:17:33 -03:00
Jonhnathan	b555628321	Update win_atsvc_task.yml	2020-10-15 15:15:01 -03:00
Jonhnathan	44735049b6	Update win_apt_stonedrill.yml	2020-10-15 15:14:27 -03:00
Jonhnathan	02a1ab4033	Update win_alert_mimikatz_keywords.yml	2020-10-15 15:11:10 -03:00
Jonhnathan	26b442ec48	Update win_alert_lsass_access.yml Getting rid of '*' use	2020-10-15 15:09:35 -03:00
Jonhnathan	79c2b8d570	Update win_GPO_scheduledtasks.yml Getting rid of '*' use	2020-10-15 15:07:16 -03:00
Jonhnathan	4aa96a2ac9	Update win_alert_enable_weak_encryption.yml	2020-10-15 15:05:49 -03:00
Jonhnathan	5765573907	Update win_alert_active_directory_user_control.yml Getting rid of '*' use	2020-10-15 15:04:08 -03:00
Jonhnathan	1c06c9e166	Update win_admin_share_access.yml Getting rid of '*' use	2020-10-15 15:03:31 -03:00
Jonhnathan	085dc21d25	Update win_admin_rdp_login.yml Getting rid of '*' use	2020-10-15 15:02:40 -03:00
Jonhnathan	9c7a23e432	Update win_account_discovery.yml Getting rid of '*' use	2020-10-15 15:01:31 -03:00
Jonhnathan	fdd9234acc	Revert "Create win_susp_replace_lolbin.yml" This reverts commit `e6a6549676`.	2020-10-15 14:57:18 -03:00
Jonhnathan	17e7eee3a6	Revert "Changed the rule to download only and not the copy" This reverts commit `1324bc1ad1`.	2020-10-15 14:57:14 -03:00
Jonhnathan	1324bc1ad1	Changed the rule to download only and not the copy	2020-10-07 16:18:21 -03:00
Jonhnathan	e6a6549676	Create win_susp_replace_lolbin.yml Item 77 of #1014	2020-10-07 10:37:15 -03:00
Florian Roth	c56cd2dfff	Merge pull request #1024 from omkar72/master Com hijack shell folder	2020-10-02 09:24:16 +02:00
omkargudhate22	4487d9cc7e	added event type & changed technique	2020-10-02 09:22:14 +05:30
Florian Roth	d3ee1aba66	docs: MITRE ATT&CK(R) trademark references removed or adjusted https://github.com/Neo23x0/sigma/issues/1028	2020-09-30 08:53:52 +02:00
Florian Roth	c17ca6d5fe	Merge pull request #1018 from savvyspoon/wcry-dns WannaCry Killswitch domain DNS query	2020-09-29 09:27:21 +02:00
omkargudhate22	68a992d903	updated name	2020-09-27 21:57:19 +05:30
omkargudhate22	e7c8197e34	Updated fields & renamed	2020-09-27 21:52:59 +05:30
omkargudhate22	ebe3dce1d7	Update sysmon_comhijack_uac_bypass.yml	2020-09-27 21:44:41 +05:30
omkar72	3f148e6c7c	COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt.	2020-09-27 21:19:04 +05:30
Florian Roth	d7d9c0e772	Merge pull request #1021 from hieuttmmo/master Sigma rule to detect AdFind.exe execution	2020-09-27 09:50:41 +02:00
Florian Roth	8020fe3c40	false positive condition	2020-09-26 17:03:29 +02:00
Florian Roth	60795f7050	Update win_susp_adfind.yml Fear that a simple adfind.exe causes too many false positives	2020-09-26 17:02:39 +02:00
Florian Roth	dbdd758365	Duplicate Rule we already have a rule for that	2020-09-26 17:01:32 +02:00
Tran Trung Hieu	d4dd0600ad	Fix logsource service to process_creation	2020-09-26 21:45:23 +07:00
Tran Trung Hieu	c756fc8576	Detect Suspicious AdFind Execution	2020-09-26 21:34:06 +07:00
Mike Wade	f76f80db80	Killswitch domain	2020-09-16 20:32:31 -06:00
Mike Wade	7b1ef9ea64	fixing test runner issues	2020-09-15 15:45:33 -06:00
Mike Wade	6ed36b0e41	fixed issues with tabs and duplicate tags	2020-09-15 08:52:00 -06:00
Florian Roth	2cd9b794e6	Merge pull request #1007 from d4rk-d4nph3/master Windows Defender AMSI Trigger Detected	2020-09-15 15:45:00 +02:00
Remco Hofman	6cadfa5b2b	Added win_vul_cve_2020_1472 rule	2020-09-15 15:13:53 +02:00
Mike Wade	1ddba05eb2	Second round	2020-09-15 07:02:30 -06:00
Mike Wade	da9b32bdd6	we	2020-09-15 06:24:44 -06:00
Mike Wade	8ce73bd8df	Fixed issues with tags and missing files	2020-09-15 06:10:57 -06:00
Thomas Patzke	378d9c94cf	Merge branch 'master' of https://github.com/socprime/sigma into pr-981	2020-09-15 12:14:49 +02:00
Florian Roth	50db6dcc69	Merge pull request #1002 from scottdermott/master + Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)	2020-09-15 08:17:02 +02:00
Bhabesh Rai	03c7d751c0	Windows Defender AMSI Trigger Detected	2020-09-14 18:10:38 +05:45
Mike Wade	57cae0ded1	Fixed reference typo	2020-09-13 22:07:43 -06:00
Mike Wade	52ab677798	Fixed my git issue	2020-09-13 22:03:04 -06:00
Mike Wade	249c255435	No Idea why these files are deleted	2020-09-13 22:00:30 -06:00
Yugoslavskiy Daniil	1fc202fe5d	fix typos, update tags	2020-09-13 15:46:45 +02:00
Dermott, Scott J	c72ac8f73e	Merge branch 'master' of https://github.com/scottdermott/sigma	2020-09-11 16:19:54 +01:00
Scott Dermott	1f50e0af35	+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx) AD Connect on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC). https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028	2020-09-11 16:06:51 +01:00
Tran Trung Hieu	49ba107dce	Fixed Title	2020-09-10 17:36:37 +07:00
Tran Trung Hieu	f7d5240d40	Added UID, fixed rule description	2020-09-10 17:20:16 +07:00
Tran Trung Hieu	1b6c6ec5bf	Detects a suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender	2020-09-10 17:16:06 +07:00
Bhabesh Rai	ed059a9831	Added Credential Dumping by LaZagne	2020-09-09 18:27:14 +05:45
Florian Roth	de5444a81e	Merge pull request #989 from oscd-initiative/master [OSCD Initiative][ATT&CK tags update]	2020-09-08 13:27:58 +02:00
Florian Roth	af3b93a522	Merge pull request #914 from omergunal/ogunal-2 New rules for Linux	2020-09-07 09:41:43 +02:00
Florian Roth	39dfcd40ec	Merge pull request #921 from d4rk-d4nph3/master Added support for Defender's PSExec and WMI ASR rules.	2020-09-07 09:40:46 +02:00
Florian Roth	6f96bbbe65	Merge pull request #977 from barvhaim/patch-1 Update win_new_service_creation.yml typo	2020-09-07 09:39:28 +02:00
Florian Roth	37751fc3a1	Merge pull request #978 from barvhaim/patch-2 Update sysmon_apt_muddywater_dnstunnel.yml typo	2020-09-07 09:39:11 +02:00
e6e6e	98c412044a	att&ck tags review: windows/process_creation part 5 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes	2020-09-07 02:00:41 +04:00
e6e6e	7ae76b8d99	Revert "att&ck tags review: windows/process_creation part 5" This reverts commit `e94c47e74e`.	2020-09-07 01:28:08 +04:00
e6e6e	e94c47e74e	att&ck tags review: windows/process_creation part 5 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes	2020-09-07 01:19:41 +04:00
Alexey Lednyov	7834fdd750	att&ck tags review: windows/registry_event	2020-09-06 22:10:44 +03:00
ecco	ebc1d38027	fix in memory powershell false positive	2020-09-06 09:25:56 -04:00
ecco	b9f7d58dbc	fix ADSI rule false positive	2020-09-06 09:17:53 -04:00
grikos	961e4eef4c	att&ck tags review: windows/process_creation part 6	2020-09-05 20:35:21 +03:00
Florian Roth	22465037ac	Update win_susp_mpcmdrun_download.yml	2020-09-04 16:50:57 +02:00
Florian Roth	3283e33cbc	Update and rename win_lolbas_mpcmdrun.yml to win_susp_mpcmdrun_download.yml	2020-09-04 16:49:44 +02:00
Matthew Matchen	df532be142	Added ID field using UUID generated value	2020-09-04 16:38:52 +02:00
Matthew Matchen	2c69815b7b	Removed empty ID field	2020-09-04 16:32:41 +02:00
Matthew Matchen	e0baa097a8	Initial creation	2020-09-04 16:00:23 +02:00

1 2 3 4 5 ...

2742 Commits