valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,300 Commits 20 Branches 25 Tags 21 MiB
9e287a1b89
Commit Graph

4300 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
01e1d3a3d7 WannaCry Service Install 2017-05-15 16:06:16 +02:00
Florian Roth
75e55d647b Fixed and added strings 2017-05-13 18:33:51 +02:00
Florian Roth
46643324a8 Wannacrypt Update 2017-05-13 10:40:41 +02:00
Florian Roth
c40c592fb5 Changed rule as "m.vbs" isn't stable 2017-05-13 08:32:30 +02:00
Florian Roth
7c56992de5 Reference in WannaCrypt rule 2017-05-12 23:02:13 +02:00
Florian Roth
d35b6c0353 Backup catalog deletion rule 2017-05-12 23:00:56 +02:00
Florian Roth
b7837d4cdb Fixed WannaCrypt rule 2017-05-12 22:32:40 +02:00
Florian Roth
1ab3c746c1 Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-05-12 21:59:43 +02:00
Florian Roth
5cdb2b013b WannaCrypt Ransomware 2017-05-12 21:57:53 +02:00
Florian Roth
0b541b2689 Suspicious Windows Process Creations Update 2017-05-12 21:55:30 +02:00
Thomas Patzke
300dbe8f3e Fixed condition 
AND has higher precedence than OR.
 2017-05-09 23:12:02 +02:00
Florian Roth
565c51e5be Removed "1 of" expression (no bug, but cleaner) 2017-05-09 22:58:42 +02:00
Florian Roth
a6678e199b Microsoft Malware Protection Engine Crash - ref CVE-2017-0290 2017-05-09 22:46:57 +02:00
Florian Roth
96deef7d34 Updated sigma signature 2017-05-08 21:25:07 +02:00
Florian Roth
16ac2337a4 Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 13:39:50 +02:00
Florian Roth
75e58b8142 Bugfix and date 2017-05-08 13:10:40 +02:00
Florian Roth
263c98a2c8 Suspicious DNS Server Config Error - ServerLevelPluginDLL issue 2017-05-08 13:09:50 +02:00
Florian Roth
f66085b198 Added eventlog source DNS Server to configs 2017-05-08 13:09:17 +02:00
Florian Roth
c7cc2a00d3 WScript/CScript Dropper 2017-05-05 17:30:46 +02:00
Florian Roth
004fed24e0 Linux Generic Rules 2017-05-02 20:32:38 +02:00
Florian Roth
dc4ae35be1 Schtasks frequency - minute 2017-04-28 17:03:35 +02:00
Thomas Patzke
05e9d1e1e9 Check if aggregation is present in BaseBackend 
Caused NotImplementedError in ElasticsearchQueryStringBackend.
 2017-04-17 00:11:20 +02:00
Florian Roth
a5c3f424c1 regsvr32 Anomalies 2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b Minor fix > list to single value 2017-04-16 12:01:03 +02:00
Florian Roth
30163939f3 Fix: Rule identifier in EQGRP C2 rule 2017-04-15 23:32:56 +02:00
Florian Roth
8363b25888 Suspicious Control Panel DLL Load 2017-04-15 23:32:26 +02:00
Florian Roth
a0ee92a5c3 Equation group C2 server in firewall log rule 2017-04-15 11:32:56 +02:00
Florian Roth
37449e2c5d Fix: Search to log source in network rule 2017-04-15 11:32:38 +02:00
Florian Roth
89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth
d66c97921f Bugfix in rule 2017-04-13 01:22:03 +02:00
Florian Roth
059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth
64caa8aedc Merge pull request #31 from neu5ron/patch-4 
Create win_alert_ad_user_backdoors.yml
 2017-04-13 01:07:41 +02:00
Florian Roth
1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving 
improved win_pass_the_hash.yml rule
 2017-04-13 01:05:09 +02:00
Florian Roth
75a0a2c4bb Merge pull request #27 from benno001/patch-1 
Added field mappings for events with logins
 2017-04-13 01:04:20 +02:00
Nate Guagenti
53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth
a5297b1f29 Equation Group Script/Tool Commands 2017-04-09 20:11:56 +02:00
Florian Roth
abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth
44bedf9e17 Rule: Cloud Hopper WmiExec VBS 2017-04-07 17:41:53 +02:00
Florian Roth
92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
Florian Roth
875c187425 Merge pull request #29 from neu5ron/patch-2 
Create win_alert_active_directory_user_control.yml
 2017-04-04 18:56:19 +02:00
yugoslavskiy
f83d0e36b8 improved win_pass_the_hash.yml rule 
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
 2017-04-04 02:57:58 +03:00
Nate Guagenti
2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Florian Roth
c5b19d5661 Merge pull request #28 from neu5ron/patch-1 
Create win_alert_enable_weak_encryption.yml
 2017-04-03 21:27:20 +02:00
Nate Guagenti
85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti
bd63d74776 Create win_alert_enable_weak_encryption.yml 
kerberoast and enabling weak encryption for password/hash cracking
 2017-04-03 09:12:58 -04:00
Florian Roth
0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth
d9e6913c03 APT 29 - tor / google update service 2017-04-01 10:30:36 +02:00
Florian Roth
43d907791c Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00
Florian Roth
2657ff7db8 Rule: Carbon Paper Framework Service (Turla) 
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 2017-03-31 19:25:41 +02:00