valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,300 Commits 20 Branches 25 Tags 21 MiB
9e287a1b89
Commit Graph

4300 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
9e287a1b89 feat: MSExchange Management log mapping 2021-03-20 08:49:59 +01:00
Florian Roth
1fc408bfaa fix: duplicate field values in YAML configs 2021-03-20 08:49:43 +01:00
Florian Roth
dd4a1ac393 fix: prone to FPs - use is unclear 
https://regex101.com/r/tss5TZ/1
 2021-03-18 16:44:49 +01:00
Florian Roth
d30e87d543 fix: lsass access - FPs with AV / EDR software 2021-03-18 09:04:03 +01:00
Florian Roth
92510e2507 extended Exchange post-exploitation rule 2021-03-17 18:01:45 +01:00
Florian Roth
bfc99996b5 fix: Bug in rule condition 2021-03-16 16:35:21 +01:00
Florian Roth
32adf0c3ce fix: prone to FPs 2021-03-16 15:52:35 +01:00
Florian Roth
70f9480ec5 fix: wrong field name 2021-03-15 08:14:43 +01:00
Florian Roth
a0b034aa2b fix: better exclusion 2021-03-13 09:09:43 +01:00
Florian Roth
145c3bc2ca refactor: more hafnium indicators 2021-03-13 09:07:58 +01:00
Florian Roth
69ee1cece2 fix: FPs 2021-03-13 09:07:44 +01:00
Florian Roth
48da4e1314 Update win_apt_hafnium.yml 2021-03-11 13:55:31 +01:00
Florian Roth
9084fc4fa7 Update on HAFNIUM rule 
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
 2021-03-11 13:38:07 +01:00
Florian Roth
78004cc29c fix: condition contains - values without 0x 2021-03-10 18:56:05 +01:00
Florian Roth
29dec7dd8b fix: FPs with LSASS Access from Non System Account 2021-03-10 18:51:27 +01:00
Florian Roth
ec490b40ec fix: 1 of them condition 2021-03-09 09:15:12 +01:00
Florian Roth
563335ec5a rule: suspicious service binary location 2021-03-09 09:01:36 +01:00
Florian Roth
2ded9543f3 rule: HAFNIUM post-exploitation activity 2021-03-09 09:01:24 +01:00
Florian Roth
2b5f9f994f
Merge pull request #1376 from SigmaHQ/rule-devel 
UNC2452 rules - GoldMax, GoldFinder, Sibot
 2021-03-05 18:17:20 +01:00
Florian Roth
a61fbe6bd8 fix: duplicate UUID 2021-03-05 12:09:43 +01:00
Florian Roth
3a0fc4835a
Merge pull request #1363 from markus-nclose/master 
Fix CobaltStrike typo
 2021-03-05 12:06:31 +01:00
Florian Roth
b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth
c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 2021-03-05 11:54:35 +01:00
Florian Roth
bdc35aa3ec Update win_webshell_spawn.yml 2021-03-05 11:34:17 +01:00
Florian Roth
62b65a3578
Merge pull request #1375 from SigmaHQ/rule-devel 
fix: description
 2021-03-04 17:35:53 +01:00
Florian Roth
bea2f226c6 fix: description 2021-03-04 17:35:25 +01:00
Florian Roth
9e921115bc
Merge pull request #1373 from SigmaHQ/rule-devel 
HAFNIUM rule
 2021-03-03 10:34:08 +01:00
Florian Roth
d8ded5ebdc refactor: changed symbols after feedback from Volexity 2021-03-03 10:15:45 +01:00
Florian Roth
e17986ebd3 rule: HAFNIUM Exchange exploitation 2021-03-03 09:58:43 +01:00
Florian Roth
73a3a1e5cd
Merge pull request #1360 from d4rk-d4nph3/master 
Added sigma rule for vSphere RCE CVE-2021-21972
 2021-03-03 09:32:05 +01:00
Florian Roth
8c95f90075
Update web_vsphere_cve_2021_21972_unauth_rce_exploit.yml 2021-03-03 09:08:24 +01:00
Bhabesh Rai
56eed19fba Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge 2021-03-03 12:46:50 +05:45
Florian Roth
6d30f87c0c refactor: procdump use 2021-03-02 23:36:25 +01:00
Florian Roth
5c1dc30a13
Merge pull request #1369 from SigmaHQ/rule-devel 
fix: FPs with rule and avast sandbox
 2021-03-02 15:30:30 +01:00
Florian Roth
c873d878b9 fix: FPs with rule and avast sandbox 2021-03-02 10:08:30 +01:00
Thomas Patzke
a08571be91 Merge branch 'master' of https://github.com/Neo23x0/sigma 2021-02-28 21:57:51 +01:00
Thomas Patzke
778d1c15ab Increased required Python version to 3.8 2021-02-28 21:38:09 +01:00
Thomas Patzke
6995e6378b Added LGPL to distribution 2021-02-28 21:32:38 +01:00
Florian Roth
b65dbee01f
Merge pull request #1366 from Neo23x0/rule-devel 
rule: SilentProcessExit monitors
 2021-02-26 18:09:44 +01:00
Florian Roth
ba7c7409a3 fix: typo in modified 2021-02-26 17:48:50 +01:00
Florian Roth
79acbbef9f rule: SilentProcessExit monitors 2021-02-26 17:35:42 +01:00
Florian Roth
40710fe89a
Merge pull request #1357 from Neo23x0/rule-devel 
Rule FP fixes
 2021-02-26 11:05:00 +01:00
Florian Roth
274b7b0f2e
fix: search for keywords within message 2021-02-26 09:42:12 +01:00
Florian Roth
9d937705c0 fix: null values in separate filter expression 
> null value in lists cause problems in some backends
 2021-02-25 15:19:26 +01:00
markus-nclose
67d3d5e220
Fixed CobaltStrike typo 2021-02-25 07:25:20 +02:00
Bhabesh Rai
e1dff01cea Added sigma rule for vSphere RCE CVE-2021-21972 2021-02-24 23:48:08 +05:45
Florian Roth
a8912da1a0 rule: finger.exe execution 2021-02-24 17:47:56 +01:00
Florian Roth
767e2adfae
Merge pull request #1358 from jaegeral/spelling 
fixed various spelling errors all over rules and source code
 2021-02-24 16:53:53 +01:00
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth
f8b6b9d68e fix: FPs with Suspect Svchost Activity 2021-02-24 13:55:40 +01:00