valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,528 Commits 20 Branches 25 Tags 21 MiB
9c94cf42fe
Commit Graph

3826 Commits

Author SHA1 Message Date
Florian Roth
537d89d185
Merge pull request #1575 from SigmaHQ/rule-devel 
rules: PurpleSharp, WMIC ActiveScriptEventConsumer
 2021-06-25 12:15:35 +02:00
CriimBow
188b847670
Typo on Find-DomainObjectPropertyOutlier 2021-06-25 10:35:33 +02:00
Florian Roth
7b6208c05c rules: PurpleSharp, WMIC ActiveScriptEventConsumer 2021-06-25 09:56:42 +02:00
Andreas Hunkeler
3de0679d5a
Add fp note to PortProxy rules 2021-06-24 11:22:41 +02:00
Andreas Hunkeler
366d83ab44
Add fp note to PortProxy rules 2021-06-24 11:21:29 +02:00
Florian Roth
1dd557e543
fix: global action unneeded 2021-06-23 09:23:08 +02:00
Sittikorn S
c0724e533f
Update and rename win_renamed_meg.yml to win_renamed_megasync.yml 2021-06-23 09:24:42 +07:00
Sittikorn S
a310806dbf
Update win_renamed_meg.yml 2021-06-23 08:35:12 +07:00
Adeem Mawani
8077dedbc5 Add rule to detect AD enumeration 2021-06-22 15:57:49 -04:00
Sittikorn S
10488512ae
Update win_renamed_meg.yml 2021-06-22 22:27:34 +07:00
Sittikorn S
177442d6df
Update win_renamed_meg.yml 2021-06-22 22:20:49 +07:00
Sittikorn S
6328ce8ef6
Update win_renamed_meg.yml 2021-06-22 22:17:51 +07:00
Sittikorn S
f55cd9ed1b
Update win_renamed_meg.yml 2021-06-22 22:03:56 +07:00
Sittikorn S
268a4c31e3
Update win_renamed_meg.yml 
Change mitre tags T1218.001 to T1218
 2021-06-22 22:00:35 +07:00
Sittikorn S
e6d08d0ad6
Update win_renamed_meg.yml 2021-06-22 21:55:09 +07:00
Sittikorn S
a08b6c4e0a
Create win_renamed_meg.yml 2021-06-22 21:50:07 +07:00
Florian Roth
7e748fa91a
Merge pull request #1567 from BlackB0lt/patch-2 
Create win_script_event_consumer_spawn new rule
 2021-06-22 12:43:34 +02:00
Sittikorn S
d9a749eec0
Update and rename win_script_event_consumer_spawn to win_script_event_consumer_spawn.yml 2021-06-22 16:35:46 +07:00
Florian Roth
cbe97206de
fix: several indentation issues, casing in tags 2021-06-22 11:03:17 +02:00
Florian Roth
a87f8d1384
Merge pull request #1569 from Karneades/PortProxy 
rule: add port proxy registry rule and further references
 2021-06-22 11:01:17 +02:00
Andreas Hunkeler
ed41125f70 fix: remove duplicate status in portproxy reg rule 2021-06-22 08:28:17 +02:00
Andreas Hunkeler
cd0b46ab62 rule: add port proxy registry rule and add references 2021-06-22 08:16:56 +02:00
frack113
e3e0b1ec35 fix ProcessName|endswith 2021-06-21 21:28:46 +02:00
frack113
edfb67ddc7 fix TargetImage|endswith 2021-06-21 21:21:34 +02:00
frack113
6558a5b110 fix TargetImage|endswith 2021-06-21 21:19:04 +02:00
frack113
0bc04605cb fix TargetImage|endswith 2021-06-21 21:14:36 +02:00
frack113
4ff1395a1f fix category and TargetImage|endswith 2021-06-21 21:06:54 +02:00
frack113
b23423beba convert to TargetImage|endswith 2021-06-21 20:51:26 +02:00
Sittikorn S
1bcac7b04a
Create win_script_event_consumer_spawn 2021-06-21 21:20:39 +07:00
WojciechLesicki
f816ed4f5e Update for "modified" date. 2021-06-20 00:11:55 +02:00
WojciechLesicki
2e7aed5262 Added space in "Service File Name" field as it was in the previous version. 2021-06-19 23:45:01 +02:00
Florian Roth
e5cd850640
Merge pull request #1556 from frack113/PR_617_V2 
Fix all the rules to pass the test
 2021-06-16 08:22:51 +02:00
Hasan
33fcfd71bb Merge fixes for Rules 2021-06-16 10:45:20 +05:00
Hasan
fabcb6c3c6 Removed asterisks from filter 2021-06-16 10:42:29 +05:00
Hasan
8196fbaada Parenthesis for condition statement 2021-06-16 10:41:52 +05:00
Hasan
415ced0023
Corrected MITRE reference tag 2021-06-15 19:07:50 +05:00
Hasan
f079556067 Removed GUID phrase from description 2021-06-15 17:14:32 +05:00
Hasan
1764714e26 Rule to detect new TaskCache Entry 2021-06-15 17:08:14 +05:00
Hasan
1114a25a2c Removal of NODE from ALL filter for better coverage 2021-06-15 17:07:51 +05:00
Hasan
82bcfb29c3 Addition of Safemode flags 2021-06-15 17:07:02 +05:00
Florian Roth
1650d4638d
Merge pull request #1548 from luffynextgen/master 
Create sysmon_svchost_cred_dump.yml
 2021-06-14 14:27:25 +02:00
Florian Roth
0377a30893
fix: several issues 2021-06-14 09:42:25 +02:00
Florian Roth
59df5119c2
Merge pull request #1552 from frack113/fix_category 
Fix some sysmon category
 2021-06-14 09:34:15 +02:00
luffynextgen
6fd7979659
Update sysmon_svchost_cred_dump.yml 2021-06-14 08:52:16 +02:00
frack113
558bcd5ceb Fix all the rules to pass the test 2021-06-14 07:33:26 +02:00
Florian Roth
3f46d0ea28
Update sysmon_outlook_newform.yml 2021-06-10 17:41:57 +02:00
frack113
fb2d0092f1 forget to add modified 2021-06-10 17:27:15 +02:00
frack113
4e516414c9 Split to Convert eventID to correct category 2021-06-10 16:58:45 +02:00
frack113
a0aed54f7d Convert eventID 22 to category dns_query 2021-06-10 16:43:33 +02:00
Tobias Michalski
54e98c8441 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 16:41:22 +02:00
Tobias Michalski
1f52763878 Removed EventIDs 2021-06-10 16:41:00 +02:00
frack113
7cb10b5475 convert eventID to category 2021-06-10 16:36:14 +02:00
Tobias Michalski
e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth
83dddf99b4
Update win_exchange_TransportAgent.yml 2021-06-10 16:07:22 +02:00
Florian Roth
0cfc462fb9 fix: fixed driver load rule 2021-06-10 16:03:35 +02:00
Florian Roth
cd0531b345
fix: removed process_creation log source 2021-06-10 15:37:00 +02:00
Tobias Michalski
3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Tobias Michalski
b1913deaca Removed extra whitespace 2021-06-10 14:09:16 +02:00
luffynextgen
e170a4a12a
Update sysmon_svchost_cred_dump.yml 
following the advices given to me I changed the category and the filter to be closer to sysmon field.
 2021-06-10 14:04:58 +02:00
Tobias Michalski
56d200bad0 Fixed meta informations 2021-06-10 12:44:19 +02:00
Tobias Michalski
bbc8633c67 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 11:32:08 +02:00
Tobias Michalski
4d6e7e1338 Rules persitence by exploiting Outlook or Exchange 2021-06-10 11:26:21 +02:00
Florian Roth
5e35e387dd
Merge pull request #1549 from SigmaHQ/rule-devel 
Rule devel
 2021-06-10 10:19:47 +02:00
Florian Roth
45c3d4702b
Merge pull request #1520 from SyeedHasan/master 
Detection rule for 'ISO mounts'
 2021-06-10 09:51:29 +02:00
Florian Roth
78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Florian Roth
9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth
04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth
28abdf3a81
Update win_iso_mount.yml 2021-06-10 09:31:40 +02:00
luffynextgen
c75d92410d
Create sysmon_svchost_cred_dump.yml 2021-06-10 09:30:08 +02:00
Florian Roth
b2d0fbba2c
Adjustments 2021-06-10 09:12:37 +02:00
Florian Roth
8a04bea6aa
Merge pull request #1535 from mvelazc0/master 
Password Spraying Sigma Rules
 2021-06-08 16:14:52 +02:00
Andreas Hunkeler
2d44803bf5
Revert renaming of ngrok rule 
Initially the rule had only a detection for RDP but after my last commits we have more ports in detections, so previous generic name is better.
 2021-06-08 13:09:35 +02:00
Florian Roth
cfdf3b7c08
Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies 
Add t1490 powershell delete volume shadow copie
 2021-06-08 11:02:34 +02:00
Florian Roth
07176ddb25
Merge pull request #1541 from frack113/win_tamper_with_windows_defender 
Windows tamper with windows defender
 2021-06-08 11:02:14 +02:00
Florian Roth
242b56031f
Merge pull request #1542 from Karneades/patch-1 
Update ngrok usage rule
 2021-06-08 11:01:45 +02:00
frack113
c1f43cc4ca T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features 2021-06-08 09:32:01 +02:00
frack113
0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
Andreas Hunkeler
cea2d5cd81
Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler
e1ef13bb24
Update ngrok usage rule 
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
 2021-06-07 17:20:18 +02:00
frack113
5914e46d4a fix typo errors 2021-06-07 15:15:36 +02:00
frack113
e66a3f9513 T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp. 2021-06-07 15:03:19 +02:00
frack113
43ccc07ad0 T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection 2021-06-07 10:09:21 +02:00
mvelazco
178df3f056 fixing title lengths 2021-06-04 10:57:52 -04:00
frack113
169f948ac2 Get a new error after another Atomic Test 2021-06-04 13:20:10 +02:00
frack113
3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
mvelazco
d8aa0ae124 adding references 2021-06-03 23:38:10 -04:00
mvelazco
d4f66f2af6 rolling back unwanted changes 2021-06-03 18:29:06 -04:00
mvelazco
7ebab6f872 Merge branch 'master' of github.com:mvelazc0/sigma 2021-06-03 18:26:09 -04:00
mvelazco
103fe2b344 minor fixes and 3 extra sigma rules 2021-06-03 18:26:07 -04:00
mvelazco
f53675f41a Merge branch 'SigmaHQ:master' into master 2021-06-03 14:54:41 -07:00
mvelazco
50d734a17a Adding 4 initial sigma rules 2021-06-03 17:51:47 -04:00
frack113
537272c944 Add t1490 powershell delete volume shadow copie 2021-06-03 22:39:06 +02:00
Remco Hofman
12c822511e Consistency: Service File Name to ServiceFileName 2021-06-03 21:33:11 +02:00
Florian Roth
42036049ec
Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration 
Filtering Platform Connection are in security channel not system
 2021-06-03 20:50:23 +02:00
Florian Roth
b45561c4c9
Merge pull request #1524 from frack113/fix_powershell_alternate_powershell_hosts 
make powershell_alternate_powershell_hosts more accurate
 2021-06-03 20:50:06 +02:00
Florian Roth
d41825766a
Merge pull request #1529 from SigmaHQ/rule-devel 
fix: FPs with Volume Shadow Copy Service Keys
 2021-06-03 20:49:31 +02:00
Florian Roth
4d7b3b7afe
Merge pull request #1530 from Karneades/patch-1 
Add further detections to shadow copies deletion
 2021-06-03 13:51:00 +02:00
Florian Roth
11eca86be3
Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth
151d120a24
Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113
ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion
9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler
e8ee6aec2f
Add further detections to shadow copies deletion 
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
 2021-06-02 15:47:41 +02:00
Florian Roth
7812ff51d3 fix: FPs with Volume Shadow Copy Service Keys 2021-06-02 13:04:05 +02:00
Florian Roth
7288ae93b9
Merge pull request #1526 from WojciechLesicki/master 
Added a new rule about loading dll CS via rundll32 and also some chan…
 2021-06-01 21:54:26 +02:00
Florian Roth
eb4300756e
Update win_cobaltstrike_service_installs.yml 2021-06-01 21:53:25 +02:00
Florian Roth
736eeabf9f
Merge pull request #1527 from SigmaHQ/rule-devel 
fix: rule FPs with Stealthy VSTO Persistence
 2021-06-01 18:18:22 +02:00
Florian Roth
950b252d5c
Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki
d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki
90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki
cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
Florian Roth
34cf1333de fix: rule FPs with Stealthy VSTO Persistence 2021-06-01 13:58:35 +02:00
frack113
bf98f43850 Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
frack113
5f98f00a36 Filtering Platform Connection are in security channel not system 2021-06-01 08:19:26 +02:00
frack113
7d55c7ca80 category other is useless 
Add a new reference
 2021-05-30 09:17:41 +02:00
frack113
a634452871 product is lowercase 2021-05-30 08:43:01 +02:00
frack113
33a5137bc7 Fix logsource to get accurate detection 2021-05-30 08:22:38 +02:00
Hasan
fdeb8a8e7f Added rule to detect ISO mounts 2021-05-29 22:48:29 +05:00
frack113
9a0604029e duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d 
- win_cobaltstrike_service_installs.yml
- win_mal_service_installs.yml
 2021-05-27 21:06:07 +02:00
frack113
179bfa7d56 duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 
- sysmon_susp_webdav_client_execution.yml
- sysmon_wdigest_enable_uselogoncredential.yml
 2021-05-27 20:59:26 +02:00
Florian Roth
39900bb7c5 refactor: re-add exec seldction 2021-05-27 19:24:20 +02:00
Florian Roth
9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth
c3ab7d19f1
Merge pull request #1515 from jbeley/master 
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
 2021-05-27 18:22:16 +02:00
Florian Roth
431f34b985 fix: other locations 
https://twitter.com/ber_m1ng/status/1397948048135778309
 2021-05-27 18:12:20 +02:00
Florian Roth
a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth
fa45298474
Merge pull request #1516 from SigmaHQ/rule-devel 
Update win_susp_regedit_trustedinstaller.yml
 2021-05-27 17:48:48 +02:00
Jeff Beley
f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth
61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth
71625c54f0
Merge pull request #1514 from SigmaHQ/rule-devel 
ProcessHacker rule, NCCGroup rclone rules
 2021-05-27 16:30:30 +02:00
Florian Roth
d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth
d5e8d1153f fix: missing condition 2021-05-27 15:04:13 +02:00
Florian Roth
7ce7095c2c fix: title with lower case letters 2021-05-27 15:01:32 +02:00
Florian Roth
5cf7078fb3
Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution 
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
 2021-05-27 12:55:31 +02:00
Florian Roth
ea430c8823
Merge pull request #1471 from d4rk-d4nph3/master 
Updated rule for Advanced IP Scanner and new rule for PowerView
 2021-05-27 12:55:03 +02:00
Florian Roth
8d834cf681
Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access 
Add Windows Defender on WL
 2021-05-27 12:54:15 +02:00
Florian Roth
d8827fc29d
Merge pull request #1481 from ZikyHD/improve_win_tool_psexec 
Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule
 2021-05-27 12:53:56 +02:00
Florian Roth
1bf9546fad
Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file 
Exclude dism.exe
 2021-05-27 12:53:27 +02:00
Florian Roth
a80c29a7c2
Merge pull request #1491 from w0rk3r/patch-1 
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
 2021-05-27 12:52:14 +02:00
Florian Roth
059e669ac6
Merge pull request #1496 from frack113/falsepositives_NOT_a_list 
Fix rule where Falsepositives not a valid value
 2021-05-27 12:51:54 +02:00
Florian Roth
e397a2974e
Merge pull request #1511 from frack113/fix_missing_eventid_Obfuscation 
Fix missing eventid when converting windows obfuscation rules
 2021-05-27 12:51:22 +02:00
Florian Roth
3cd2730a26 rule: process hacker priv esc 2021-05-27 12:49:54 +02:00
Florian Roth
c0b93a010c NCCGroup rules from rclone blog post 
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 2021-05-27 12:49:40 +02:00
Florian Roth
7812a4217c rule: regedit as trustedinstaller 2021-05-27 11:36:05 +02:00
Florian Roth
b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth
adbdb5b22f
Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
frack113
2a68700991 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:43:08 +02:00
frack113
30cc64a349 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:41:19 +02:00
frack113
e4c32c353a use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:39:16 +02:00
frack113
a878f3b0a5 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:36:47 +02:00
frack113
cbce61bc8c use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:34:46 +02:00
frack113
8d8df10687 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:31:57 +02:00