valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5,895 Commits 20 Branches 25 Tags 21 MiB
a29ac79a3f
Commit Graph

3367 Commits

Author SHA1 Message Date
Florian Roth
a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth
6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth
1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth
85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth
ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth
6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Florian Roth
d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth
b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Florian Roth
53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00
Florian Roth
897da252f1 fix: missing new line placeholder escape 2021-04-09 16:45:07 +02:00
Florian Roth
65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Vasiliy Burov
e73e27e44f
Update win_hack_rubeus.yml 
Added commandline parameters for constrained delegation abuse and for hashes calculation
 2021-04-06 20:18:54 +03:00
Thomas Patzke
d1de168295 Merge branch 'oscd' 2021-04-06 00:05:35 +02:00
Thomas Patzke
b1b0240692 Fixes 2021-04-03 23:21:13 +02:00
Thomas Patzke
90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
phantinuss
4934f80601
fix: FP tuning for IIS Express and making use of value modifiers 2021-04-01 14:37:20 +02:00
phantinuss
8b4234de3b
refactor: make use of value modifiers 2021-04-01 14:37:17 +02:00
phantinuss
794865c79d
fix: adding filter to condition and reintroducing the users folder constraint 2021-04-01 14:37:17 +02:00
phantinuss
43be8c8cba
refactor: make use of value modifiers 2021-04-01 14:37:16 +02:00
phantinuss
bd5ba2ae01
fix: adding only as a known false positive as it cannot be filtered out in a generic and public way 2021-04-01 14:37:15 +02:00
phantinuss
65bc62d401
fix: adding filter out for CamMute.exe 2021-04-01 14:37:14 +02:00
phantinuss
2cab121c71
refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap 2021-04-01 14:37:13 +02:00
phantinuss
109b7890db
fix: taking windows security 4688 events into account for filter out 2021-04-01 14:36:57 +02:00
Florian Roth
b296c643de
Merge pull request #1346 from blueteam0ps/patch-3 
Added win_ad_find_discovery.yml
 2021-03-29 11:20:49 +02:00
BlueTeamOps
6ef5f0a0a2
Added detection for Dumpert 
-Dumpert based LSASS dump using DLL
-Dumpert.exe detection
 2021-03-27 07:34:05 +11:00
BlueTeamOps
8916459bab
Added additional CS signatures 2021-03-25 22:44:24 +11:00
Florian Roth
48265ad71a
Merge pull request #1398 from SigmaHQ/rule-devel 
MSExchange Management log mapping, some fixes
 2021-03-20 17:21:31 +01:00
Florian Roth
525f4b6a6b
Merge pull request #1388 from Cyb3rPandaH/master 
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
 2021-03-20 08:53:04 +01:00
Florian Roth
e47ee24889
Merge branch 'master' into rule-devel 2021-03-20 08:52:55 +01:00
Florian Roth
334dd9a058
Update win_set_oabvirtualdirectory_externalurl.yml 2021-03-20 08:34:02 +01:00
Florian Roth
33af006479
Merge pull request #1389 from ZikyHD/patch_win_susp_wuauclt 
Fix ProcessCommandLine field
 2021-03-20 08:29:23 +01:00
Florian Roth
01fcfd4f76
Merge pull request #1390 from ZikyHD/patch_win_proc_wrong_parent 
Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)
 2021-03-20 08:29:09 +01:00
Florian Roth
2472926c48
Merge pull request #1391 from ZikyHD/patch_win_etw_trace_evasion 
Fix win_etw_trace_evasion rule
 2021-03-20 08:28:51 +01:00
Florian Roth
dd4a1ac393 fix: prone to FPs - use is unclear 
https://regex101.com/r/tss5TZ/1
 2021-03-18 16:44:49 +01:00
Florian Roth
6b2bcd3d87
Merge pull request #1395 from SigmaHQ/rule-devel 
Rule devel
 2021-03-18 10:52:02 +01:00
Florian Roth
d30e87d543 fix: lsass access - FPs with AV / EDR software 2021-03-18 09:04:03 +01:00
Florian Roth
92510e2507 extended Exchange post-exploitation rule 2021-03-17 18:01:45 +01:00
Florian Roth
943f8513e2
Merge pull request #1393 from SigmaHQ/rule-devel 
Rule devel
 2021-03-16 16:35:55 +01:00
Florian Roth
bfc99996b5 fix: Bug in rule condition 2021-03-16 16:35:21 +01:00
Florian Roth
32adf0c3ce fix: prone to FPs 2021-03-16 15:52:35 +01:00
zikyhd
e91822e070 Fix win_etw_trace_evasion rule 2021-03-15 15:02:18 +01:00
Cedric HIEN
864973888e Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8) 2021-03-15 12:07:05 +01:00
Cedric HIEN
e4f24f4e1f Fix ProcessCommandLine field 2021-03-15 11:56:19 +01:00
Florian Roth
310888bae7
Merge pull request #1386 from SigmaHQ/rule-devel 
Rule devel
 2021-03-15 10:52:57 +01:00
Florian Roth
70f9480ec5 fix: wrong field name 2021-03-15 08:14:43 +01:00
Cyb3rPandaH
f138a27426 CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property 
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
 2021-03-15 00:33:47 -04:00
Florian Roth
a0b034aa2b fix: better exclusion 2021-03-13 09:09:43 +01:00
Florian Roth
145c3bc2ca refactor: more hafnium indicators 2021-03-13 09:07:58 +01:00
Florian Roth
69ee1cece2 fix: FPs 2021-03-13 09:07:44 +01:00
Florian Roth
48da4e1314 Update win_apt_hafnium.yml 2021-03-11 13:55:31 +01:00