valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
512 Commits 20 Branches 25 Tags 21 MiB
970f01f9f2
Commit Graph

292 Commits

Author SHA1 Message Date
Thomas Patzke
68cb5e8921 Merge pull request #45 from secman-pl/patch-1 
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
 2017-09-10 22:52:37 +02:00
juju4
e2213347ad Merge remote-tracking branch 'upstream/master' 2017-09-09 11:33:18 -04:00
Florian Roth
bfe8378455 Rule: Suspicious svchost.exe process 2017-08-31 11:07:45 +02:00
secman-pl
9768f275d0 Update sysmon_susp_regsvr32_anomalies 
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. 
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
 2017-08-29 12:21:47 +02:00
Florian Roth
f3f2c14b3a Added reference to regsvr32 rule 2017-08-29 08:45:29 +02:00
Florian Roth
55f4c37e22 Rule: Microsoft Binary Github Communication 2017-08-24 18:27:40 +02:00
Florian Roth
f46e86fbb1 WMI persistence modified 2017-08-24 18:27:40 +02:00
Hans-Martin Münch
09e754a8f9 Small Typo fix 2017-08-22 10:56:25 +02:00
Florian Roth
59821d1bcb Office Shell: Reference added to new entry 2017-08-22 10:04:22 +02:00
Florian Roth
332f7d27da Win WMI Persistence 
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
https://twitter.com/mattifestation/status/899646620148539397
 2017-08-22 10:02:54 +02:00
Florian Roth
8f4a780c3b Added regsvr32.exe to suspicious child processes 2017-08-20 23:14:41 +02:00
Florian Roth
e06cf6c43f Service install - net user persistence 2017-08-16 15:16:57 +02:00
juju4
b109a1277e Detects suspicious process related to rasdial.exe 2017-08-13 16:20:25 -04:00
juju4
012ed4cd7d Detects execution of executables that can be used to bypass Applocker whitelisting 2017-08-13 16:20:01 -04:00
juju4
f861969e95 tentative rule to detect admin users remote login 2017-08-13 16:19:24 -04:00
juju4
d2ae98b0de tentative rule to detect admin users interactive login 2017-08-13 16:18:58 -04:00
juju4
21b1c52d1e forfiles, bash detection 2017-08-13 16:18:13 -04:00
Thomas Patzke
238f27fa0d Added OperationalError to relevant Python DB exceptions 2017-08-13 00:10:00 +02:00
Thomas Patzke
33b2ff16cf Rule for generic Python SQL exceptuons 
according to PEP 249
 2017-08-12 00:44:18 +02:00
Thomas Patzke
7ba62b791c Application security rules 
* reorganization into separate folder
* adding category
* minor tweaks
 2017-08-12 00:43:10 +02:00
Thomas Patzke
1d3b8e58bd Fixed description 2017-08-06 23:22:31 +02:00
Thomas Patzke
0795d14b41 Spring framework security exceptions rule 2017-08-06 23:21:53 +02:00
Thomas Patzke
f0e6c28e8b Added Ruby on Rails security-related exceptions rule 2017-08-06 22:57:52 +02:00
Thomas Patzke
98f99cebc0 Added author attribute 2017-08-05 23:56:13 +02:00
Thomas Patzke
f58c1b768b Django security errors 2017-08-05 00:56:05 +02:00
Thomas Patzke
4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke
03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Florian Roth
edb52e098a Extended hh.exe in Office Shell detection 
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
 2017-08-04 09:18:55 +02:00
Thomas Patzke
d17604d007 Merge branch 'master' into travis-test 2017-08-03 00:11:08 +02:00
Thomas Patzke
36212fd5c2 Merge branch 'devel-sigmac' 2017-08-03 00:10:37 +02:00
Thomas Patzke
5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
 2017-08-03 00:05:48 +02:00
Thomas Patzke
7706067540 Merge branch 'master' into travis-test 2017-08-02 23:32:40 +02:00
Thomas Patzke
27e5d0c2b4 Fixed further parse error 2017-08-02 23:32:00 +02:00
Thomas Patzke
167b1f0191 Merge branch 'master' into travis-test 2017-08-02 22:53:52 +02:00
Thomas Patzke
f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke
bfcc119a7f Merge branch 'master' into travis-test 2017-08-02 00:37:07 +02:00
Thomas Patzke
b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00
Thomas Patzke
84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Thomas Patzke
c350a90b21 Merge branch 'master' into rules-juju4 2017-08-01 23:55:53 +02:00
juju4
5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4
5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4
31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4
3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4
fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4
83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4
f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth
d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00
Florian Roth
433293ea40 'ruler' User Agent 
https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
 2017-07-22 09:24:45 -06:00
Florian Roth
cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth
3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth
b85d96e458 certutil detections (renamed, extended) 
see https://twitter.com/subTee/status/888102593838362624
 2017-07-20 12:38:10 -06:00
Florian Roth
061d3bea27 ZxShell 2017-07-20 12:36:24 -06:00
Florian Roth
4bff14acd1 User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00
Florian Roth
eeb31964da User-Agent Rules 2017-07-08 08:37:44 -06:00
Florian Roth
cf42847b74 Suspicious User Agent strings 2017-07-07 20:53:22 -06:00
Florian Roth
cec48ece04 Suspicious User-Agent Strings, starting with empty value 2017-07-07 18:38:32 -06:00
Florian Roth
fc4cd4036e Linux: Suspicious VSFTPD errors 2017-07-05 18:59:51 -06:00
Florian Roth
ead63fbf75 Linux: Suspicious SSHD errors 2017-06-30 08:47:56 +02:00
Florian Roth
950a00f33e Updated Petya rule 2017-06-28 12:52:58 +02:00
Florian Roth
ece1d7e3a8 Added perfc.dat keyword to NotPetya rule 2017-06-28 10:35:42 +02:00
Florian Roth
a3e0e37163 NotPetya Title Fixed 2017-06-28 09:12:39 +02:00
Florian Roth
8c437de970 NotPetya Sigma Rule for Sysmon Events 2017-06-28 09:09:12 +02:00
Florian Roth
8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00
Florian Roth
3f245d27f8 Eventlog cleared ID 104 2017-06-27 17:29:39 +02:00
Thomas Patzke
7fdc78c8bf Merge pull request #36 from dim0x69/master 
rule to detect mimikatz lsadump::changentlm and lsadump::setntlm
 2017-06-19 15:32:56 +02:00
Florian Roth
d1f1bd59da Changed level of PsExec events to 'low' 2017-06-17 08:50:16 +02:00
Thomas Patzke
a4c9e24380 File renaming while deletion with SDelete 2017-06-14 16:55:32 +02:00
Thomas Patzke
8c06a5d83f Access to wceaux.dll while WCE pass-the-hash login on source host 2017-06-14 15:59:45 +02:00
Thomas Patzke
4fcdcc3967 Added rule for PsExec 2017-06-12 23:57:06 +02:00
Florian Roth
576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Florian Roth
f85d847fa6 PlugX Detection 
https://docs.google.com/spreadsheets/d/1f5OTQpEEvbiW-NzSfVTrzhmnZJ-hrmAZhRM7JXkDBSY/edit#gid=0
https://countuponsecurity.files.wordpress.com/2017/06/acp-search.png
 2017-06-12 10:46:56 +02:00
Thomas Patzke
91b3c39c0d Amended condition 
Changed condition according to proposed syntax for related event matching (#4)
 2017-06-11 23:54:19 +02:00
dimi
ac95e372e5 clarification: if executed locally there is no connection to the samr pipe on IPC$. So this rule detects remote changes 2017-06-09 14:15:37 +02:00
dimi
a2a2366dfb rule to detect mimikatz lsadump::changentlm and lsadump::setntlm 2017-06-09 14:05:40 +02:00
Florian Roth
371b41acd9 Improved regsvr32.exe whitelisting bypass rule 
thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
 2017-06-07 13:46:36 +02:00
Florian Roth
e5ad1b2f84 Improved regsvr32 whitelisting bypass rule 2017-06-07 12:02:55 +02:00
Florian Roth
1fd7a92e87 Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 11:43:25 +02:00
Florian Roth
21108e60a6 Fixed description and title 2017-06-03 14:53:08 +02:00
Florian Roth
ff5e6e3999 Fireball Sigma Rule 2017-06-03 14:49:06 +02:00
Florian Roth
536e328540 Pandemic Implant 2017-06-01 22:48:59 +02:00
Florian Roth
5dd3d4dd57 Generic Hacktool Use Rule 2017-05-31 08:42:35 +02:00
Florian Roth
0c222134b9 Extended malware script dropper rule 2017-05-25 14:59:16 +02:00
Florian Roth
0685e297c8 Improved Suspicious Net.exe Execution Rule 2017-05-25 12:44:56 +02:00
Florian Roth
ae4cab6783 Corrected - no lists needed 2017-05-25 12:07:11 +02:00
Florian Roth
6ad5f82248 Corrected rule 2017-05-25 12:06:23 +02:00
dimi
0b8c82b75b 1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading 
2) correct typo in dns server rule
 2017-05-15 20:58:31 +02:00
Florian Roth
01e1d3a3d7 WannaCry Service Install 2017-05-15 16:06:16 +02:00
Florian Roth
75e55d647b Fixed and added strings 2017-05-13 18:33:51 +02:00
Florian Roth
46643324a8 Wannacrypt Update 2017-05-13 10:40:41 +02:00
Florian Roth
c40c592fb5 Changed rule as "m.vbs" isn't stable 2017-05-13 08:32:30 +02:00
Florian Roth
7c56992de5 Reference in WannaCrypt rule 2017-05-12 23:02:13 +02:00
Florian Roth
d35b6c0353 Backup catalog deletion rule 2017-05-12 23:00:56 +02:00
Florian Roth
b7837d4cdb Fixed WannaCrypt rule 2017-05-12 22:32:40 +02:00
Florian Roth
1ab3c746c1 Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-05-12 21:59:43 +02:00
Florian Roth
5cdb2b013b WannaCrypt Ransomware 2017-05-12 21:57:53 +02:00
Florian Roth
0b541b2689 Suspicious Windows Process Creations Update 2017-05-12 21:55:30 +02:00
Thomas Patzke
300dbe8f3e Fixed condition 
AND has higher precedence than OR.
 2017-05-09 23:12:02 +02:00
Florian Roth
565c51e5be Removed "1 of" expression (no bug, but cleaner) 2017-05-09 22:58:42 +02:00
Florian Roth
a6678e199b Microsoft Malware Protection Engine Crash - ref CVE-2017-0290 2017-05-09 22:46:57 +02:00
Florian Roth
96deef7d34 Updated sigma signature 2017-05-08 21:25:07 +02:00