valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5,910 Commits 20 Branches 25 Tags 21 MiB
941d47bc28
Commit Graph

5910 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
48da4e1314 Update win_apt_hafnium.yml 2021-03-11 13:55:31 +01:00
Florian Roth
9084fc4fa7 Update on HAFNIUM rule 
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
 2021-03-11 13:38:07 +01:00
Florian Roth
27fef60ace
Merge pull request #1383 from SigmaHQ/rule-devel 
fix: FPs with LSASS Access from Non System Account
 2021-03-10 18:59:29 +01:00
Florian Roth
78004cc29c fix: condition contains - values without 0x 2021-03-10 18:56:05 +01:00
Florian Roth
29dec7dd8b fix: FPs with LSASS Access from Non System Account 2021-03-10 18:51:27 +01:00
yugoslavskiy
519e480333
Merge pull request #1176 from concorde18/DLL-execution-via-register-cimprovider.exe 
Dll execution via register cimprovider.exe
 2021-03-10 17:40:54 +01:00
Bhabesh Rai
a58c5ed7cc Added rule for CVE-2021-21978 in VMware View Planner 2021-03-10 18:05:15 +05:45
concorde18
87059fe80b
Merge branch 'oscd' into DLL-execution-via-register-cimprovider.exe 2021-03-10 11:35:55 +03:00
concorde18
f694de74aa
Create win_susp_diskshadow.yml 2021-03-10 11:33:12 +03:00
concorde18
b73815e883
Update win_susp_Register_cimprovider.yml 2021-03-10 11:25:13 +03:00
Johnny Walker
0873c57acf
Update netwitness.py 
nullExpression fixed to be really null (missing exclamation mark)
 2021-03-09 17:43:44 +01:00
Johnny Walker
4e5a9a58a5
Update netwitness-epl.py 
nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
 2021-03-09 17:41:54 +01:00
Florian Roth
f0051ffcf6
Merge pull request #1378 from SigmaHQ/rule-devel 
HAFNIUM activity
 2021-03-09 15:42:32 +01:00
Florian Roth
dca5c870d7
Merge pull request #1374 from hieuttmmo/master 
Detect HAFNIUM operations
 2021-03-09 09:16:52 +01:00
Florian Roth
ec490b40ec fix: 1 of them condition 2021-03-09 09:15:12 +01:00
Florian Roth
563335ec5a rule: suspicious service binary location 2021-03-09 09:01:36 +01:00
Florian Roth
2ded9543f3 rule: HAFNIUM post-exploitation activity 2021-03-09 09:01:24 +01:00
BlueTeamOps
26a5300208
added spaces for oudmp and dclist 2021-03-09 08:22:36 +11:00
yugoslavskiy
319bce639e
Merge pull request #1377 from aw350m33d/oscd 
[OSCD Sprint #2] Resolved new conflicts with the master branch.
 2021-03-07 22:42:58 +01:00
Anton Kutepov
c68e3b7835 Merge branch 'oscd' of https://github.com/SigmaHQ/sigma into oscd 2021-03-07 23:47:02 +03:00
Anton Kutepov
e4a38a8b71 Merge branch 'master' into oscd 2021-03-07 23:41:11 +03:00
Anton Kutepov
626d7ebd61 Applied the fixes made by the participants during the second sprint. 2021-03-07 23:40:08 +03:00
Anton Kutepov
d7ef865bb9 Merge remote-tracking branch 'upstream/master' and fix conflicts 2021-03-07 23:36:13 +03:00
Anton Kutepov
ff6f10b484 Added the author of the duplicated rule (finger.exe) 2021-03-07 23:20:21 +03:00
Florian Roth
2b5f9f994f
Merge pull request #1376 from SigmaHQ/rule-devel 
UNC2452 rules - GoldMax, GoldFinder, Sibot
 2021-03-05 18:17:20 +01:00
Florian Roth
a61fbe6bd8 fix: duplicate UUID 2021-03-05 12:09:43 +01:00
Florian Roth
3a0fc4835a
Merge pull request #1363 from markus-nclose/master 
Fix CobaltStrike typo
 2021-03-05 12:06:31 +01:00
Florian Roth
b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth
c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 2021-03-05 11:54:35 +01:00
Florian Roth
bdc35aa3ec Update win_webshell_spawn.yml 2021-03-05 11:34:17 +01:00
Florian Roth
62b65a3578
Merge pull request #1375 from SigmaHQ/rule-devel 
fix: description
 2021-03-04 17:35:53 +01:00
Florian Roth
bea2f226c6 fix: description 2021-03-04 17:35:25 +01:00
Tran Trung Hieu
5f74a58081 Detect HAFNIUM operations 2021-03-04 00:01:54 +07:00
yugoslavskiy
8a6c98e48f
Merge pull request #1371 from aw350m33d/oscd 
[OSCD] Merged upstream/master and oscd to resolve merge conflicts in final PR.
 2021-03-03 16:30:15 +01:00
Florian Roth
9e921115bc
Merge pull request #1373 from SigmaHQ/rule-devel 
HAFNIUM rule
 2021-03-03 10:34:08 +01:00
Florian Roth
d8ded5ebdc refactor: changed symbols after feedback from Volexity 2021-03-03 10:15:45 +01:00
Florian Roth
e17986ebd3 rule: HAFNIUM Exchange exploitation 2021-03-03 09:58:43 +01:00
Florian Roth
73a3a1e5cd
Merge pull request #1360 from d4rk-d4nph3/master 
Added sigma rule for vSphere RCE CVE-2021-21972
 2021-03-03 09:32:05 +01:00
Florian Roth
8c95f90075
Update web_vsphere_cve_2021_21972_unauth_rce_exploit.yml 2021-03-03 09:08:24 +01:00
Bhabesh Rai
56eed19fba Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge 2021-03-03 12:46:50 +05:45
Florian Roth
6d30f87c0c refactor: procdump use 2021-03-02 23:36:25 +01:00
Anton Kutepov
f461becc58 Added missed changes in win_net_ntlm_downgrade and merged duplicate rules 2021-03-02 23:34:34 +03:00
Anton Kutepov
3f45269296 Merge branch 'oscd' 
B
B
B
B
A
 2021-03-02 22:58:41 +03:00
Florian Roth
5c1dc30a13
Merge pull request #1369 from SigmaHQ/rule-devel 
fix: FPs with rule and avast sandbox
 2021-03-02 15:30:30 +01:00
Dennis Potashnik
12cc2cade1 Moved references to binary file from custom config to stix-2.0 config 2021-03-02 12:04:22 +02:00
Dennis Potashnik
e12d710ab4 Fixed config typo 2021-03-02 11:51:46 +02:00
Florian Roth
c873d878b9 fix: FPs with rule and avast sandbox 2021-03-02 10:08:30 +01:00
Joshua Roys
92fcc314bf es-rule: make risk scores stable 
Don't create unnecessary deltas between runs.
 2021-03-01 10:13:34 -05:00
Thomas Patzke
a08571be91 Merge branch 'master' of https://github.com/Neo23x0/sigma 2021-02-28 21:57:51 +01:00
Thomas Patzke
778d1c15ab Increased required Python version to 3.8 2021-02-28 21:38:09 +01:00