valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
762 Commits 20 Branches 25 Tags 21 MiB
9705366060
Commit Graph

152 Commits

Author SHA1 Message Date
Florian Roth
9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth
28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke
7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke
df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Florian Roth
946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth
e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth
9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth
8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth
2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke
079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Thomas Patzke
6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth
49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth
8420d3174a
Reordered 2018-04-18 16:34:16 +02:00
yt0ng
c637c2e590
Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth
9b8df865b1
Extended rule 2018-04-18 12:13:45 +02:00
yt0ng
a4fb39a336
also for http 2018-04-18 08:19:47 +02:00
yt0ng
169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke
b1bfa64231 Removed redundant 'EventLog' conditions 2018-03-26 00:36:40 +02:00
Thomas Patzke
f68af2a5da Added reference to Kerberos RC4 rule 2018-03-25 23:19:01 +02:00
Florian Roth
f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth
70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth
3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth
e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth
8b31767d31 Rule: PsExec usage 2018-03-15 19:54:22 +01:00
Thomas Patzke
ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke
8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Dominik Schaudel
cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth
d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth
0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth
a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth
d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
379b2dd207 New recon activity rule 2017-12-11 09:31:54 +01:00
Florian Roth
8e2aef035c Removed commands - false positive reduction 2017-12-11 09:31:54 +01:00
Florian Roth
1464ab4ab8 Renamed rule: recon activity > net recon activity - to be more specific 2017-12-11 09:31:54 +01:00
Thomas Patzke
2ec5919b9e Fixed win_disable_event_logging by multiline description 2017-11-19 22:49:40 +01:00
Nate Guagenti
a796ff329e
Create win_disable_event_logging 2017-11-15 21:56:30 -05:00
Florian Roth
a0ac61229c Rule: Detect plugged USB devices 2017-11-09 08:40:46 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke
f3a809eb00 Improved admin logon rules and removed duplicates 2017-11-01 21:33:01 +01:00
Thomas Patzke
0055eedb83
Merge pull request #54 from juju4/CAR-2016-04-005b 
Admin user remote login
 2017-11-01 21:22:09 +01:00
Thomas Patzke
613f922976
Merge pull request #43 from juju4/master 
New rules
 2017-11-01 21:21:30 +01:00
Thomas Patzke
118e8af738 Simplified rule collection 2017-11-01 10:00:35 +01:00
Thomas Patzke
732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00