SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00

Author	SHA1	Message	Date
Thomas Patzke	58afccb2f3	Fixed ATT&CK tagging	2018-08-08 15:58:19 +02:00
yt0ng	e44b4f450e	DNS TXT Answer with possible execution strings https://twitter.com/stvemillertime/status/1024707932447854592	2018-08-08 15:51:56 +02:00
Thomas Patzke	92c0e0321a	Merge pull request #144 from samsson/patch-7 Added att&ck tags	2018-08-07 11:19:36 +02:00
Lurkkeli	a245820519	added att&ck tag	2018-08-07 08:54:53 +02:00
Lurkkeli	294677a2cc	added att&ck tag	2018-08-07 08:50:01 +02:00
Lurkkeli	a57e87b345	added att&ck tag	2018-08-07 08:49:05 +02:00
Lurkkeli	99253763af	added att&ck tag	2018-08-07 08:45:58 +02:00
Lurkkeli	0bff27ec21	added att&ck tactic added att&ck tactic, no specific techniques applicable	2018-08-07 08:37:51 +02:00
Lurkkeli	198cb63182	added att&ck tactic added att&ck tactic, no specific techniques applicable	2018-08-07 08:36:53 +02:00
Thomas Patzke	518e21fcd2	Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access Add CMSTP UAC Bypass via COM Object Access	2018-08-07 08:33:33 +02:00
Thomas Patzke	b9fdf07926	Extended tagging	2018-08-07 08:33:18 +02:00
Lurkkeli	b50c13dd1f	Update att&ck tag	2018-08-07 08:27:24 +02:00
Thomas Patzke	5d5d42eb9b	Merge pull request #140 from yt0ng/master Possible Shim Database Persistence via sdbinst.exe	2018-08-07 08:22:32 +02:00
Thomas Patzke	80eaedab8b	Fixed tag and date	2018-08-07 08:22:11 +02:00
Thomas Patzke	3509fbd201	Merge pull request #142 from samsson/patch-5 Added ATT&CK tag	2018-08-07 08:20:22 +02:00
Thomas Patzke	b049210641	Fixed tags	2018-08-07 08:20:09 +02:00
Lurkkeli	3456f9a74d	Update sysmon_susp_wmi_execution.yml	2018-08-07 08:19:58 +02:00
Thomas Patzke	64fa3b162d	Tag fixes	2018-08-07 08:18:16 +02:00
Lurkkeli	6472be5e19	Update sysmon_uac_bypass_sdclt.yml	2018-08-07 08:08:53 +02:00
Lurkkeli	21bee17ffd	Update sysmon_uac_bypass_eventvwr.yml	2018-08-07 08:07:49 +02:00
yt0ng	fc091fe3d7	Added ATTCK Mapping	2018-08-05 14:00:22 +02:00
yt0ng	b65cb5eaca	Possible Shim Database Persistence via sdbinst.exe	2018-08-05 13:55:04 +02:00
Thomas Patzke	0e986cae4d	Fixed log source and field names	2018-08-04 22:58:19 +02:00
Florian Roth	acfdb591d0	fiox: Typo in description fixed	2018-07-29 16:22:39 +02:00
Florian Roth	1f845aa1d9	fix: Changed suspicious process creation rule to avoid FPs	2018-07-29 16:22:09 +02:00
Nik Seetharaman	b938fdb0a3	Add CMSTP UAC Bypass via COM Object Access	2018-07-27 02:28:28 -05:00
James Dickenson	5fc118dcac	added a few mitre attack tags to windows sysmon rules	2018-07-26 21:15:07 -07:00
Florian Roth	a9fcecab88	Merge pull request #130 from samsson/patch-4 Fixed typo / Created a rule	2018-07-26 22:34:46 +02:00
Florian Roth	016b15a2a9	Added quotation marks I've added quotation marks to make it clearer (leading dash looks weird)	2018-07-26 18:10:21 +02:00
Lurkkeli	7796492c2b	Update powershell_NTFS_Alternate_Data_Streams	2018-07-26 08:54:08 -07:00
Thomas Patzke	5e3211928f	Merge pull request #132 from dspautz/master Add tags to APT rules	2018-07-25 09:57:35 +02:00
David Spautz	f039f95f4d	Add tags to APT rules	2018-07-25 09:50:01 +02:00
Florian Roth	089498b0b3	Merge pull request #131 from yt0ng/master Possible SafetyKatz Dump of debug.bin	2018-07-25 07:41:38 +02:00
Florian Roth	dd857c4470	Cosmetics If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.	2018-07-25 07:37:17 +02:00
Florian Roth	cf7f5c7473	Changes I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?	2018-07-25 07:35:59 +02:00
yt0ng	b415fc8d42	Possible SafetyKatz Dump of debug.bin https://github.com/GhostPack/SafetyKatz	2018-07-24 23:51:46 +02:00
Lurkkeli	db82322d17	Update powershell_NTFS_Alternate_Data_Streams	2018-07-24 20:03:07 +02:00
Lurkkeli	0e9c5bb14a	Update sysmon_rundll32_net_connections.yml	2018-07-24 20:01:47 +02:00
Lurkkeli	fd8c5c5bf6	Update powershell_NTFS_Alternate_Data_Streams	2018-07-24 20:00:21 +02:00
Lurkkeli	ad580635ea	Create powershell_NTFS_Alternate_Data_Streams	2018-07-24 19:49:08 +02:00
ntim	c99dc9f643	Tagged windows powershell, other and malware rules.	2018-07-24 10:56:41 +02:00
Thomas Patzke	0d8bc922a3	Merge branch 'master' into master	2018-07-24 08:23:37 +02:00
Thomas Patzke	1601b00862	Merge pull request #125 from james0d0a/attack_tags windows builtin mitre attack tags	2018-07-24 08:18:47 +02:00
Thomas Patzke	01e7675e24	Merge pull request #124 from samsson/patch-1 ATT&CK tagging	2018-07-24 07:58:50 +02:00
Thomas Patzke	30d255ab6f	Fixed tag	2018-07-24 07:58:25 +02:00
Thomas Patzke	baaf8006bc	Merge pull request #123 from yt0ng/sysmon added additional binaries and attack tactics/techniques	2018-07-24 07:57:30 +02:00
David Spautz	e275d44462	Add tags to windows builtin rules	2018-07-24 07:50:32 +02:00
James Dickenson	c4edc26267	windows builtin mitre attack tags	2018-07-23 21:34:20 -07:00
Lurkkeli	1898157df5	ATT&CK tagging Added tag for technique t1015	2018-07-23 23:57:15 +02:00
yt0ng	16160dfc80	added additional binaries and attack tactics/techniques	2018-07-23 15:47:56 +02:00
Florian Roth	1134051fba	Update web_cve_2018_2894_weblogic_exploit.yml Ah, we could do it this way .js	2018-07-23 06:19:25 -06:00
Florian Roth	03a64cca74	Update web_cve_2018_2894_weblogic_exploit.yml We try to avoid false positives	2018-07-23 06:18:38 -06:00
MATTHEW CARR	dfb77e936d	Update web_cve_2018_2894_weblogic_exploit.yml To detect all possible extensions .jspx, .jsw, .jsv, and .jspf	2018-07-23 07:41:47 +02:00
Florian Roth	0f1b440b91	Rule: widened the CVE-2018-2894 WebLogic rule https://twitter.com/lo_security/status/1021148314308358144	2018-07-22 20:36:10 -06:00
Florian Roth	ffb0cf5ed5	Rule: CVE-2018-2894 Oracle WebLogic exploit and webshell drop	2018-07-22 15:09:45 -06:00
Suleyman Ozarslan	e6cbc17c12	ATT&CK tagging of Scheduled Task Creation	2018-07-22 15:56:47 +03:00
Suleyman Ozarslan	8d9b12be07	ATT&CK tagging of Default PowerSploit Schtasks Persistence	2018-07-22 15:53:56 +03:00
Suleyman Ozarslan	080892b5ab	ATT&CK tagging of MSHTA Spawning Windows Shell	2018-07-20 09:53:55 +03:00
Suleyman Ozarslan	76f277d5fe	ATT&CK tagging of Malicious Named Pipe rule	2018-07-20 09:41:54 +03:00
Suleyman Ozarslan	7e74527344	ATT&CK software tag is added to Bitsadmin Download rule	2018-07-20 09:35:35 +03:00
Florian Roth	1e61adfad1	rule: Changed Registry persistence Explorer RUN key rule	2018-07-19 16:27:19 -06:00
Florian Roth	83d6f12ce3	rule: Registry persistence in Explorer RUN key pointing to suspicious folder	2018-07-19 16:27:19 -06:00
Thomas Patzke	f98158f5ad	Further ATT&CK tagging	2018-07-19 23:36:13 +02:00
Suleyman Ozarslan	05b91847cd	ATT&CK tagging of Suspicious Certutil Command rule	2018-07-19 16:42:39 +03:00
Thomas Patzke	bdea097b80	ATT&CK tagging	2018-07-17 23:58:11 +02:00
Florian Roth	9e92b97661	Merge pull request #111 from nikseetharaman/cmstp_execution Add sysmon_cmstp_execution	2018-07-17 14:39:56 -06:00
Florian Roth	3f0040b983	Removed duplicate status field	2018-07-16 15:55:31 -06:00
Florian Roth	429474b6d6	Merge pull request #113 from megan201296/patch-9 fixed typo	2018-07-16 15:38:52 -06:00
megan201296	02ea2cf923	fixed typo	2018-07-16 16:20:33 -05:00
megan201296	60310e94c6	fixed typo	2018-07-16 16:13:24 -05:00
Nik Seetharaman	3630386230	Add sysmon_cmstp_execution	2018-07-16 02:53:41 +03:00
Florian Roth	7a031709bb	Merge pull request #108 from megan201296/patch-5 fixed typo	2018-07-14 18:31:40 -06:00
Florian Roth	70ab83eb65	Merge pull request #109 from megan201296/patch-6 Fixed typo	2018-07-14 18:31:21 -06:00
megan201296	be7a3b0774	Update sysmon_susp_mmc_source.yml	2018-07-13 18:49:08 -05:00
megan201296	a6455cc612	typo fix	2018-07-13 18:48:36 -05:00
megan201296	8944be1efd	Update sysmon_susp_driver_load.yml	2018-07-13 18:36:12 -05:00
megan201296	a169723005	fixed typo	2018-07-13 13:53:21 -05:00
Thomas Patzke	2dc5295abf	Removed redundant attribute from rule	2018-07-10 22:50:02 +02:00
Florian Roth	57727d2397	Merge pull request #107 from megan201296/typo-fixes Typo fixes	2018-07-10 10:29:10 -06:00
megan201296	24d2d0b258	Fixed typo	2018-07-10 09:14:37 -05:00
megan201296	d6ea0a49fc	Fixed typoes	2018-07-10 09:14:07 -05:00
megan201296	3ec67393cd	Fixed typo	2018-07-10 09:13:41 -05:00
megan201296	b0bc3b66ed	Fixed typo	2018-07-09 13:32:16 -05:00
megan201296	120479abb7	removed duplicates	2018-07-09 12:32:41 -05:00
megan201296	c4bd267151	Fixed typo	2018-07-09 12:02:42 -05:00
megan201296	a7ccfcb50d	Fixed spelling mistake	2018-07-09 09:13:31 -05:00
Florian Roth	c8fef4d093	fix: removed unnecessary lists	2018-07-07 15:43:56 -06:00
Florian Roth	dea019f89d	fix: some threat levels adjusted	2018-07-07 13:00:23 -06:00
yt0ng	6a014a3dc8	MSHTA spwaned by SVCHOST as seen in LethalHTA "Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."	2018-07-06 19:52:58 +02:00
Florian Roth	ed470feb21	Merge pull request #99 from yt0ng/master Detects ImageLoad by uncommon Image	2018-07-06 10:11:02 -06:00
yt0ng	b21afc3bc8	user subTee was removed from Twitter	2018-07-04 17:29:05 +02:00
yt0ng	f84c33d005	Known powershell scripts names for exploitation Detects the creation of known powershell scripts for exploitation	2018-07-04 17:24:18 +02:00
Florian Roth	7867838540	fix: typo in rule description	2018-07-03 05:05:44 -06:00
Florian Roth	e7465d299f	fix: false positive with MsMpEng.exe and svchost.exe as child process	2018-07-03 05:05:44 -06:00
yt0ng	42941ee105	Detects ImageLoad by uncommon Image Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008	2018-07-01 15:47:17 +02:00
Florian Roth	48582a1c93	Bugfix in Flash Downloader Rule	2018-06-30 23:39:38 +02:00
Florian Roth	c3bf968462	High FP Rule	2018-06-29 16:01:46 +02:00
Florian Roth	c26c3ee426	Trying to fix rule	2018-06-28 16:39:47 +02:00
Florian Roth	9e0abc5f0b	Adjusted rules to the new specs reg "not null" usage	2018-06-28 09:30:31 +02:00
scherma	19ba5df207	False positive circumstance	2018-06-27 21:14:38 +01:00

1 2 3 4 5 ...

584 Commits