valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,225 Commits 20 Branches 25 Tags 21 MiB
9a0604029e
Commit Graph

4496 Commits

Author SHA1 Message Date
Andreas Hunkeler
93241e7fc6
Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler
b46f65965d
Add keyword WinRM to remote powershell network rule 2021-05-20 17:02:17 +02:00
Andreas Hunkeler
3763e54b99
Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Andreas Hunkeler
226a666827 rule: add rule to detect shell spawn from WinRM host process 2021-05-20 16:05:13 +02:00
Florian Roth
ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
Jonhnathan
1cf7bb5735
Add Hex equivalent of WriteData 2021-05-19 10:27:20 -03:00
Darin Smith
e921181f4b Add AWS snapshot exfiltration rule 2021-05-17 13:00:01 -07:00
SomeOne
e46ae5a28c Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution rule 2021-05-16 16:03:33 +02:00
SomeOne
a93acbbe03 Exclude dism.exe 2021-05-16 15:23:31 +02:00
SomeOne
53b21d1afe Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule 2021-05-16 15:03:58 +02:00
SomeOne
a788cd43ee Add Windows Defender on WL 2021-05-16 14:10:33 +02:00
Florian Roth
5a3af872d8
Merge pull request #1479 from SigmaHQ/rule-devel 
Rule devel, Trademark test
 2021-05-15 13:42:34 +02:00
Florian Roth
9b32e72d0b fix: syntax issue 2021-05-15 13:19:12 +02:00
Florian Roth
02bf32ce6c fixed more legal issues 2021-05-15 13:09:08 +02:00
Florian Roth
48757423ef rule darkside patterns 2021-05-14 18:06:53 +02:00
Florian Roth
a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth
e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
Florian Roth
3cf1be9e8d rule: exchange vulnerability CVE-2021-28480 2021-05-14 10:08:41 +02:00
Florian Roth
30bee7204c
Merge pull request #1475 from wagga40/master 
Modified some field values for case sensitive backends (SQL)
 2021-05-14 08:59:39 +02:00
Florian Roth
83068416fa
Merge pull request #1458 from P4rtyH4RD/P4rtyH4RD-patch-1-mitre-code 
Update powershell_suspicious_getprocess_lsass.yml
 2021-05-14 08:59:14 +02:00
wagga40
8944ccea04 Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113
cccfb3e59e file_event is a category 2021-05-12 09:05:52 +02:00
frack113
0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113
fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
frack113
ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113
cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
frack113
70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113
026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
Bhabesh Rai
48487385ef Preserved creation date 2021-05-11 19:17:32 +05:45
Florian Roth
7d7f8c90ec
Merge pull request #1443 from icthieves/patch-3 
Update win_scm_database_privileged_operation.yml
 2021-05-11 15:00:20 +02:00
Florian Roth
980ea97217
Merge pull request #1444 from icthieves/patch-2 
Update win_scm_database_handle_failure.yml
 2021-05-11 15:00:09 +02:00
Florian Roth
3564cf81f9
Merge pull request #1460 from neu5ron/patch-1 
[Add Rule] Zeek Suspicious DNS Z Flag Set
 2021-05-11 14:59:48 +02:00
Florian Roth
7bc733a3cf
Merge pull request #1473 from frack113/master 
Correct the sysmon case-sensitive Key
 2021-05-11 14:59:20 +02:00
Florian Roth
0fcbce9932
Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml 
Got Rid of References that are no longer valid.
 2021-05-11 14:32:47 +02:00
Florian Roth
85736ad859
Merge pull request #1467 from 2d4d/master 
Update av_webshell.yml
 2021-05-11 14:32:11 +02:00
frack113
f07c368ae0 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113
c4c720cc30 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113
720dd24814 Correct cast-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
frack113
a1b0dfc0cd Correct cast-sensitive Key "DestinationIp" 2021-05-11 10:49:10 +02:00
Bhabesh Rai
d90965af38 Updated rule for Advanced IP Scanner 2021-05-10 20:28:37 +05:45
Florian Roth
67e807983c
Merge pull request #1470 from SigmaHQ/rule-devel 
New CS rule for malformed UAs, FP fixes
 2021-05-10 13:40:27 +02:00
Florian Roth
416030a85f rule: cobaltstrike malformed UAs 2021-05-10 12:43:14 +02:00
Florian Roth
fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth
270aedfd62
Merge pull request #1469 from d4rk-d4nph3/master 
Added rule for RClone usage for exfiltration
 2021-05-10 10:50:35 +02:00
Bhabesh Rai
9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Nate Guagenti
0bee1b006f
fix - add date 2021-05-08 21:37:25 -04:00
Arnim Rupp
b9fc257124 Update av_relevant_files.yml 
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
 2021-05-09 00:03:47 +02:00
Arnim Rupp
ad3b829f2d Update av_webshell.yml 
Added new strings and moved some from startwith to contains.
 2021-05-08 08:49:17 +02:00
Austin Songer
39a21a9e89
Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth
384f40aa5b
Merge pull request #1464 from d4rk-d4nph3/master 
Added rule for Moriya rootkit
 2021-05-06 18:15:53 +02:00
Florian Roth
453fa0f299
Update win_moriya_rootkit.yml 2021-05-06 15:24:21 +02:00
Florian Roth
79c11a5cba
Update win_moriya_rootkit.yml 2021-05-06 14:59:28 +02:00
Bhabesh Rai
e5f95cac0c Added rule for Moriya rootkit 2021-05-06 17:29:20 +05:45
phantinuss
da533c7425
fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss
254a3bb122
new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
phantinuss
4b520de373
new rule detecting ld.so preload persistence by keyword 2021-05-05 15:12:07 +02:00
Florian Roth
9e662b9159
Update sysmon_vuln_dell_driver_load.yml 2021-05-05 14:31:01 +02:00
Florian Roth
80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth
c4ad770830
Merge pull request #1462 from SigmaHQ/rule-devel 
Rule devel
 2021-05-05 13:21:30 +02:00
Florian Roth
8497c8a9e6 fix: linux keywords rule 2021-05-05 12:56:24 +02:00
Florian Roth
615a284de3
Merge pull request #1461 from d4rk-d4nph3/master 
Added rule for Pingback backdoor
 2021-05-05 12:42:27 +02:00
Florian Roth
44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00
Florian Roth
0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
Florian Roth
29f26e0ae0 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-05-05 11:55:52 +02:00
Florian Roth
15ab1d5e8b Create lnx_symlink_etc_passwd.yml 2021-05-05 11:55:49 +02:00
Bhabesh Rai
4529fbd1f3 Fixed too many spaces after hyphen error 2021-05-05 12:48:29 +05:45
Bhabesh Rai
1352f0b0a6 Added rule for Pingback backdoor 2021-05-05 12:37:50 +05:45
Nate Guagenti
4152199073
add netbios port exclusion 
netbios - every defenders nightmare and reality of FPs
 2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set 
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 2021-05-04 18:13:08 -04:00
partyh4rd
5a98e36905
Update powershell_suspicious_getprocess_lsass.yml 
fix mitre_code 1552.004 -> 1003.001
 2021-05-04 14:04:52 +03:00
Florian Roth
451f25910d
Merge pull request #1430 from Scoubi/patch-1 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:56 +02:00
Florian Roth
de8386d553
Merge pull request #1429 from Scoubi/patch-2 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:50 +02:00
Florian Roth
4ad3316d74
Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 09:41:38 +02:00
Florian Roth
8973b573bd
Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml 2021-05-04 09:36:26 +02:00
Florian Roth
c877a9a68d
Merge pull request #1454 from ZikyHD/fix_sysmon_registry_persistence_search_order 
Fix sysmon registry persistence search order
 2021-05-04 09:31:16 +02:00
Florian Roth
ecb133f97d docs: extended authors of malicious pipe rule 2021-05-04 09:28:17 +02:00
Florian Roth
c6aeee958e rule: more named pipes by @blueteam0ps 2021-05-04 09:27:11 +02:00
SomeOne
4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne
80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Florian Roth
ff50b5b659
Merge pull request #1451 from SigmaHQ/rule-devel 
Different FP filters
 2021-04-30 08:31:02 +02:00
Florian Roth
020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth
04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth
1bde7b3799
Merge pull request #1445 from blueteam0ps/patch-8 
Create win_lateral_movement
 2021-04-29 14:39:52 +02:00
Florian Roth
8af86fa97e
docs: change title and add references 2021-04-29 12:33:10 +02:00
Florian Roth
4b86d3f407
Merge pull request #1449 from SigmaHQ/rule-devel 
Rule devel
 2021-04-29 12:28:12 +02:00
Florian Roth
3e5f7aeb5e rule: PowerShell Cmdlet Defender Exclusions 2021-04-29 09:56:26 +02:00
Florian Roth
161180c357 refactor: extended shellshock rule 2021-04-28 11:47:24 +02:00
Florian Roth
47504fbd56 fix: shellshock expression 2021-04-28 11:46:49 +02:00
BlueTeamOps
59d23535ce
Update win_lateral_movement.yml 2021-04-27 23:03:03 +10:00
BlueTeamOps
793504dd6b
Rename win_lateral_movement to win_lateral_movement.yml 2021-04-27 22:59:52 +10:00
BlueTeamOps
f75ad98903
Create win_lateral_movement 
EID 4674 with the proposed attributes is very rare in prod environment. 
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
 2021-04-27 22:55:58 +10:00
Florian Roth
9166167447
Merge pull request #1433 from d4rk-d4nph3/master 
Added rule for Lazarus activity of Apr 2021
 2021-04-26 20:34:51 +02:00
Florian Roth
3008e5b9e7
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy 
Fix typo on CommandLine field
 2021-04-26 20:33:56 +02:00
Florian Roth
194b0af4d2
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas 
Fix typo on CommandLine field
 2021-04-26 20:33:45 +02:00
Ian Thieves
65294d97c4
Update win_scm_database_handle_failure.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:28:16 -07:00
Ian Thieves
8efa10465e
Update win_scm_database_privileged_operation.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:25:16 -07:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Cedric Hien
748005fc14 Fix typo on CommandLine field 2021-04-25 15:52:59 +02:00
Cedric Hien
c580db166c Fix typo on CommandLine field 2021-04-25 15:50:44 +02:00
Florian Roth
1ff5e226ad
Merge pull request #1436 from SigmaHQ/rule-devel 
Rule devel
 2021-04-23 17:33:07 +02:00
Florian Roth
f2fa8dd956 rules: CobaltStrike named pipes 2021-04-23 17:16:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
Florian Roth
a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth
6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth
1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth
5aed7c80db
Merge pull request #1435 from SigmaHQ/rule-devel 
fix: FPs with certutil command and McAfee Chromium Container
 2021-04-23 14:55:31 +02:00
Florian Roth
85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth
ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth
6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Florian Roth
64f5af4c45
Merge pull request #1432 from SigmaHQ/rule-devel 
fix: splunk windows config, additional rule
 2021-04-23 10:30:44 +02:00
Florian Roth
d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth
b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Scoubi
23791664eb
Rename win_Outlook_C2_Macro_Creation.yml to win_Outlook_C2_Registry_Key.yml 
Gave the wrong name to the file, this is the correct one.
 2021-04-21 08:45:15 -04:00
Scoubi
0b7ed7e690
Add a space 
There was a missing space in `-attack` changed for `- attack`
 2021-04-20 20:50:20 -04:00
Scoubi
fadb889116
Create win_Outlook_C2_Macro_Creation.yml 
BEC is for Business Email Compromise (this can be changed)
 2021-04-20 20:38:20 -04:00
Scoubi
678ce5d528
Create win_Outlook_C2_Macro_Creation.yml 
Not 100% if this is the best place to put it.
 2021-04-20 20:34:19 -04:00
Bhabesh Rai
dd391cd0b9 Added rule for Lazarus activity of Apr 2021 2021-04-20 20:05:51 +05:45
Josh Brower
dfc1218e6a
false positive - added Azure AD Connect 2021-04-20 08:24:38 -04:00
Florian Roth
68c59850af
Merge pull request #1422 from ZikyHD/fix_lnx_system_info_discovery 
Fix invalid logsource on lnx_system_info_discovery rule
 2021-04-20 09:06:54 +02:00
Florian Roth
20c5356c9e
Merge pull request #1424 from ZikyHD/fix_process_creation_dotnet 
Fix typo on CommandLine
 2021-04-20 09:06:38 +02:00
Josh Brower
2486a85a1f
Added MS Threat Docs for 4616 to references 2021-04-19 08:15:42 -04:00
Florian Roth
7039209a7a
Merge pull request #1425 from SigmaHQ/rule-devel 
refactor: tightened filter
 2021-04-19 11:32:02 +02:00
Florian Roth
53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00
Cedric Hien
1d6aec3c25 Fix typo on CommandLine 2021-04-19 08:20:44 +02:00
Cedric Hien
bbdbab700d Fix invalid logsource on lnx_system_info_discovery rule 2021-04-17 12:57:30 +02:00
Florian Roth
941d47bc28
Merge pull request #1416 from sycophantic/master 
Remove extra spaces
 2021-04-15 13:20:49 +02:00
Steven
a8d8165541 Yet another syntax fix 2021-04-15 09:25:04 +02:00
Steven
8703d9f352 Remove another reference to hardcoded event ID 2021-04-15 03:07:18 +02:00
Steven
9f5e8a02a4 Fix parse errors 2021-04-15 02:46:41 +02:00
Steven
8301b9c221 Fix selection vs selection_1 in rule files 2021-04-15 02:41:04 +02:00
Steven
cce8d945a0 Clean rule rules/windows/malware/win_mal_octopus_scanner.yml to use category 2021-04-15 02:30:41 +02:00
Steven
a9f2a80b8c - Remove duplicate rule 
- Fix linux rule (categories -> category)
 2021-04-15 02:23:08 +02:00
Steven
f57e1a2231 Delete .keep file 2021-04-15 02:17:36 +02:00
Steven
70b106ef52 Fix syntax error 2021-04-15 02:11:13 +02:00
Steven
ecbd730dad Fix syntax errors in some rules 2021-04-15 02:07:43 +02:00
Steven
d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven
7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs 
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
 2021-04-15 01:40:31 +02:00
Steven
850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Roberto Rodriguez
db0e969121 HybridConnectionMgr Service Activity 2021-04-12 16:26:15 -04:00
Florian Roth
ce0111aa6a fix: FP with Proxy Execution via Wuauclt 2021-04-12 08:47:29 +02:00
Florian Roth
4abebd98d9
Merge pull request #1418 from SigmaHQ/rule-devel 
Fixing false positives with newest OSCD rules
 2021-04-09 17:26:02 +02:00
Florian Roth
897da252f1 fix: missing new line placeholder escape 2021-04-09 16:45:07 +02:00
Florian Roth
65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Thomas Patzke
08ca62cc88 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-08 23:27:45 +02:00
Thomas Patzke
3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
sycophantic
86b9652086 Remove extra spaces 2021-04-08 13:57:21 -04:00
Thomas Patzke
a10db2df89 Fixes&improvements 2021-04-08 01:06:40 +02:00
Florian Roth
00f01ea57f Merge branch 'master' into rule-devel 2021-04-07 21:17:51 +02:00
Vasiliy Burov
e73e27e44f
Update win_hack_rubeus.yml 
Added commandline parameters for constrained delegation abuse and for hashes calculation
 2021-04-06 20:18:54 +03:00
Thomas Patzke
42cf81478b
Merge pull request #1412 from defensivedepth/patch-1 
Clean up: Webshell ReGeorg Detection
 2021-04-06 00:35:35 +02:00