SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00

Author	SHA1	Message	Date
Florian Roth	e2ade077ed	Merge pull request #1275 from bczyz1/patch-3 update win_apt_slingshot.yml	2020-12-13 19:04:47 +01:00
Florian Roth	612008a4d8	fix identation	2020-12-11 18:40:17 +01:00
Tran Trung Hieu	edc79a8bb6	Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection	2020-12-11 15:17:23 +07:00
Florian Roth	b6d62b7a21	Merge pull request #1302 from Neo23x0/rule-devel TA505 Dropper, minor fix in PowerShell Rule	2020-12-08 10:40:07 +01:00
Florian Roth	640470cefd	TA505 Loader Rule	2020-12-08 10:15:30 +01:00
Florian Roth	540039cbc3	fix: Malicious Nishang PowerShell Commandlets FP with MDATP	2020-12-05 09:33:42 +01:00
tjgeorgen	1c6c3a36fe	include updated RDP att&ck tag	2020-12-04 11:59:23 -05:00
tjgeorgen	0eda1ab462	also update tag for folder variant	2020-12-04 11:42:05 -05:00
tjgeorgen	5208bdd65a	add new version of ATT&CK T1500 tag	2020-12-04 11:19:16 -05:00
yugoslavskiy	a028cdf1ee	Update powershell_shellcode_b64.yml	2020-12-01 02:24:35 +01:00
yugoslavskiy	7309fb7d0e	Update powershell_winlogon_helper_dll.yml	2020-12-01 02:23:02 +01:00
yugoslavskiy	36754ae3d5	Update win_vul_cve_2020_0688.yml	2020-12-01 02:16:22 +01:00
yugoslavskiy	0188e45925	Update win_malware_script_dropper.yml	2020-12-01 02:12:53 +01:00
yugoslavskiy	30ecc8bd26	Update win_malware_script_dropper.yml	2020-12-01 02:08:52 +01:00
yugoslavskiy	6494103839	Update win_susp_powershell_enc_cmd.yml	2020-12-01 01:54:51 +01:00
yugoslavskiy	d1b625d080	Update win_susp_powershell_enc_cmd.yml	2020-12-01 01:51:47 +01:00
yugoslavskiy	3cbc2f0aec	Update win_susp_powershell_enc_cmd.yml	2020-12-01 01:47:23 +01:00
yugoslavskiy	816ce5937c	Update win_susp_crackmapexec_execution.yml	2020-12-01 01:29:35 +01:00
Vasiliy Burov	cf8d195c5c	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-11-30 11:49:42 +03:00
yugoslavskiy	56f94a19f7	Update win_regedit_export_keys.yml	2020-11-30 02:08:54 +01:00
yugoslavskiy	0414d7a498	Merge branch 'oscd' into master	2020-11-30 02:04:03 +01:00
Yugoslavskiy Daniil	d812a3e08e	resolve conflict restoring rule win_susp_replace_lolbin.yml	2020-11-30 01:09:24 +01:00
Yugoslavskiy Daniil	98617609d6	Merge branch 'oscd' into HEAD	2020-11-30 01:07:26 +01:00
Yugoslavskiy Daniil	50623544a2	remove possible duplicate filter	2020-11-29 22:03:19 +01:00
OG	70fb078a56	Update sysmon_office_test_regadd.yml	2020-11-29 18:02:37 +05:30
OG	8e801ede32	Update win_susp_psexec_eula.yml	2020-11-29 17:45:29 +05:30
Jonhnathan	a9fde0117b	Merge branch 'oscd' into oscd_rules_improvement	2020-11-28 14:52:31 -03:00
yugoslavskiy	7dc5233dd9	Update win_susp_commands_recon_activity.yml	2020-11-28 18:43:04 +01:00
yugoslavskiy	5196926d60	Update sysmon_stickykey_like_backdoor.yml	2020-11-28 18:33:21 +01:00
yugoslavskiy	39c2258848	Update sysmon_registry_persistence_search_order.yml	2020-11-28 18:30:41 +01:00
yugoslavskiy	9f8ef95571	Update win_webshell_detection.yml	2020-11-28 18:25:09 +01:00
yugoslavskiy	c761d05a17	Update win_system_exe_anomaly.yml	2020-11-28 18:03:19 +01:00
yugoslavskiy	258334d6d1	Update win_susp_wmi_execution.yml	2020-11-28 18:01:06 +01:00
Jonhnathan	95eb7424aa	Update sysmon_susp_run_key_img_folder.yml	2020-11-28 13:54:59 -03:00
Jonhnathan	f504ccc33f	Update sysmon_susp_reg_persist_explorer_run.yml	2020-11-28 13:52:36 -03:00
Jonhnathan	986800056c	Update sysmon_stickykey_like_backdoor.yml	2020-11-28 13:50:13 -03:00
yugoslavskiy	c0c74a05df	Update win_susp_sysvol_access.yml	2020-11-28 17:49:21 +01:00
Jonhnathan	ef34c94e6a	Update sysmon_registry_persistence_search_order.yml	2020-11-28 13:49:18 -03:00
yugoslavskiy	3c75bc922a	Update win_susp_squirrel_lolbin.yml	2020-11-28 17:47:16 +01:00
Jonhnathan	06cc5049a4	Update sysmon_dns_serverlevelplugindll.yml	2020-11-28 13:46:02 -03:00
yugoslavskiy	42f27a41cb	Update win_susp_rundll32_by_ordinal.yml	2020-11-28 17:44:30 +01:00
yugoslavskiy	ca0a6547fb	Update win_susp_run_locations.yml	2020-11-28 17:42:47 +01:00
Jonhnathan	f1455e0c38	Update win_win10_sched_task_0day.yml	2020-11-28 13:42:30 -03:00
Jonhnathan	fe3ed329ef	Update win_webshell_recon_detection.yml	2020-11-28 13:41:11 -03:00
yugoslavskiy	ea550cf551	Update win_susp_regsvr32_anomalies.yml	2020-11-28 17:40:40 +01:00
Jonhnathan	f0bf3d13b5	Update win_webshell_detection.yml	2020-11-28 13:38:34 -03:00
Jonhnathan	9f4bbb7e65	Update win_webshell_detection.yml	2020-11-28 13:35:50 -03:00
yugoslavskiy	bcf62fba72	Update win_susp_ps_appdata.yml	2020-11-28 17:34:34 +01:00
yugoslavskiy	2ed4b26291	Update win_susp_procdump.yml	2020-11-28 17:33:02 +01:00
Jonhnathan	0d0f58c830	Update win_system_exe_anomaly.yml	2020-11-28 13:32:44 -03:00
yugoslavskiy	a3e436363e	Update win_susp_powershell_parent_combo.yml	2020-11-28 17:31:37 +01:00
Jonhnathan	c9b5ba10f8	Update win_susp_wmi_execution.yml	2020-11-28 13:30:34 -03:00
yugoslavskiy	c01c05b826	Update win_susp_powershell_enc_cmd.yml	2020-11-28 17:29:15 +01:00
Jonhnathan	f6117eebc7	Update win_susp_sysvol_access.yml	2020-11-28 13:27:28 -03:00
Jonhnathan	88b4d4c4e5	Update win_susp_sysvol_access.yml	2020-11-28 13:26:22 -03:00
yugoslavskiy	66a504078b	Update win_susp_ping_hex_ip.yml	2020-11-28 17:25:52 +01:00
Jonhnathan	7aa831eac3	Remove additional backslash	2020-11-28 13:25:28 -03:00
Jonhnathan	0357472635	Update win_susp_squirrel_lolbin.yml	2020-11-28 13:24:38 -03:00
Jonhnathan	f70bd415a3	Update win_susp_run_locations.yml	2020-11-28 13:21:04 -03:00
Jonhnathan	5cbefe3737	Update win_susp_regsvr32_anomalies.yml	2020-11-28 13:18:38 -03:00
Jonhnathan	e99f63f811	Update win_susp_ps_appdata.yml	2020-11-28 13:15:24 -03:00
Jonhnathan	fc842c22b2	Update win_susp_prog_location_process_starts.yml	2020-11-28 13:11:15 -03:00
Jonhnathan	a78eb61d92	Remove additional backslash	2020-11-28 13:08:51 -03:00
Jonhnathan	27f47a8ffc	Update win_susp_procdump.yml	2020-11-28 13:08:21 -03:00
Jonhnathan	b61707e7f3	Remove additional backslash	2020-11-28 13:07:06 -03:00
Jonhnathan	c9461506f2	Update win_susp_powershell_enc_cmd.yml	2020-11-28 13:06:10 -03:00
Jonhnathan	2364e9870d	Update win_susp_powershell_enc_cmd.yml	2020-11-28 13:05:47 -03:00
Jonhnathan	f4f8174199	Update win_susp_powershell_enc_cmd.yml	2020-11-28 13:04:36 -03:00
Jonhnathan	53e1201bea	Update win_susp_ping_hex_ip.yml	2020-11-28 13:01:42 -03:00
Jonhnathan	b24945999e	Update win_susp_ping_hex_ip.yml	2020-11-28 13:01:24 -03:00
Jonhnathan	1c56dc463a	Remove additional backslash	2020-11-28 12:38:19 -03:00
Jonhnathan	198bdb9659	Remove Additional backslash	2020-11-28 12:34:06 -03:00
Jonhnathan	63adc6fc09	Update win_susp_direct_asep_reg_keys_modification.yml	2020-11-28 12:32:35 -03:00
Jonhnathan	3481b0dd9e	Update win_susp_curl_start_combo.yml	2020-11-28 12:31:55 -03:00
yugoslavskiy	245a0d3438	Update win_susp_outlook.yml	2020-11-28 13:34:57 +01:00
yugoslavskiy	36299f5139	Update win_susp_net_execution.yml	2020-11-28 13:33:30 +01:00
yugoslavskiy	501791945f	Update win_susp_msiexec_web_install.yml	2020-11-28 13:32:01 +01:00
yugoslavskiy	8293fd8e5b	Update win_susp_iss_module_install.yml	2020-11-28 13:30:27 +01:00
yugoslavskiy	1896a45572	Update win_susp_ntdsutil.yml	2020-11-28 13:28:00 +01:00
Jonhnathan	4411fc5b0e	Update win_susp_commands_recon_activity.yml	2020-11-28 09:14:56 -03:00
Jonhnathan	2bf4644b48	Update win_renamed_paexec.yml	2020-11-28 09:08:48 -03:00
Jonhnathan	4e59fc0dfd	Update win_renamed_binary_highly_relevant.yml	2020-11-28 09:08:09 -03:00
yugoslavskiy	4354303174	Update win_susp_execution_path.yml	2020-11-28 13:07:22 +01:00
yugoslavskiy	77cf5d2563	Update win_susp_exec_folder.yml	2020-11-28 13:04:05 +01:00
yugoslavskiy	201377fa29	Update win_susp_csc_folder.yml	2020-11-28 13:01:03 +01:00
yugoslavskiy	c4a35036a0	Update win_susp_csc.yml	2020-11-28 12:54:18 +01:00
yugoslavskiy	5d7f42a4a6	Update win_susp_crackmapexec_execution.yml	2020-11-28 12:53:00 +01:00
yugoslavskiy	38e7853891	Update win_susp_copy_lateral_movement.yml	2020-11-28 12:44:54 +01:00
yugoslavskiy	34e64a6570	Update win_susp_codepage_switch.yml	2020-11-28 12:42:27 +01:00
yugoslavskiy	5278fcd476	Update win_susp_cmd_http_appdata.yml	2020-11-28 12:34:28 +01:00
yugoslavskiy	fd102c1b5f	Update win_susp_certutil_encode.yml	2020-11-28 12:31:40 +01:00
yugoslavskiy	68365f29c2	Update win_susp_certutil_command.yml	2020-11-28 12:29:30 +01:00
yugoslavskiy	c9596d7e30	Update win_susp_adfind.yml	2020-11-28 12:11:53 +01:00
yugoslavskiy	331a177f69	Update win_proc_wrong_parent.yml	2020-11-28 12:10:37 +01:00
yugoslavskiy	dbb054777a	Update win_plugx_susp_exe_locations.yml	2020-11-28 12:02:16 +01:00
yugoslavskiy	0fdd8e7128	Update win_netsh_port_fwd_3389.yml	2020-11-28 11:32:35 +01:00
yugoslavskiy	5d457f4f79	Update win_netsh_port_fwd.yml	2020-11-28 11:31:27 +01:00
yugoslavskiy	78193d3e3a	Update win_mal_adwind.yml	2020-11-28 11:25:28 +01:00
yugoslavskiy	de41e34d53	Update win_apt_sofacy.yml	2020-11-28 11:21:23 +01:00
yugoslavskiy	fe499d8838	Update win_apt_judgement_panda_gtr19.yml	2020-11-28 11:14:23 +01:00
yugoslavskiy	11c18e14d8	Update win_hack_koadic.yml	2020-11-28 11:12:06 +01:00
yugoslavskiy	eaf2fde6eb	Update win_netsh_fw_add_susp_image.yml	2020-11-28 11:05:04 +01:00
yugoslavskiy	5eec5d485b	Update sysmon_in_memory_assembly_execution.yml	2020-11-28 10:55:18 +01:00
yugoslavskiy	9445d18474	Update win_netsh_wifi_credential_harvesting.yml	2020-11-28 10:39:37 +01:00
yugoslavskiy	687f6d8946	Update win_powershell_download.yml	2020-11-28 10:37:30 +01:00
yugoslavskiy	fe0029e738	Update win_powersploit_empire_schtasks.yml	2020-11-28 10:29:07 +01:00
yugoslavskiy	de5cac99d9	Update win_malware_wannacry.yml	2020-11-28 10:28:04 +01:00
yugoslavskiy	5a4b01662e	Update win_netsh_fw_add.yml	2020-11-28 10:22:24 +01:00
yugoslavskiy	9ae26e2674	Update win_apt_cloudhopper.yml	2020-11-28 10:20:12 +01:00
yugoslavskiy	4a2cce0b40	Update win_apt_chafer_mar18.yml	2020-11-28 10:15:39 +01:00
Florian Roth	1ea4bb0b87	wrong field name	2020-11-28 10:10:00 +01:00
yugoslavskiy	17813c947c	Update win_apt_bluemashroom.yml	2020-11-28 09:48:30 +01:00
yugoslavskiy	26fa500e21	Update win_control_panel_item.yml	2020-11-28 09:38:49 +01:00
yugoslavskiy	2e5e4a20d2	Update powershell_clear_powershell_history.yml	2020-11-28 09:26:18 +01:00
yugoslavskiy	016a89c186	Update win_susp_net_recon_activity.yml	2020-11-28 08:00:07 +01:00
Jonhnathan	702f697168	Update win_powershell_download.yml	2020-11-27 16:10:10 -03:00
Jonhnathan	fb119d6112	Remove additional backslash	2020-11-27 16:06:15 -03:00
Jonhnathan	bf5aa947e3	Update win_office_spawn_exe_from_users_directory.yml	2020-11-27 16:04:55 -03:00
Jonhnathan	f6aaa957ff	Update win_netsh_wifi_credential_harvesting.yml	2020-11-27 16:01:25 -03:00
Jonhnathan	d996e97fdd	Update win_netsh_port_fwd_3389.yml	2020-11-27 16:00:04 -03:00
Jonhnathan	b816754018	Update win_netsh_port_fwd_3389.yml	2020-11-27 15:59:25 -03:00
Jonhnathan	5acd8d622b	Update win_netsh_port_fwd.yml	2020-11-27 15:57:53 -03:00
Jonhnathan	9171d8913c	Remove Additional backslash	2020-11-27 15:45:08 -03:00
Jonhnathan	0bf996d66e	Update win_netsh_fw_add.yml	2020-11-27 15:44:22 -03:00
Jonhnathan	3f5a2af2db	Update win_mshta_spawn_shell.yml	2020-11-27 15:43:29 -03:00
Jonhnathan	345c6627a8	Update win_mmc_spawn_shell.yml	2020-11-27 15:42:22 -03:00
Jonhnathan	3854a0ed8d	Update Logic	2020-11-27 15:38:16 -03:00
Jonhnathan	84b35dd6b8	Update win_malware_script_dropper.yml	2020-11-27 15:30:53 -03:00
Jonhnathan	217dd53c62	Update win_malware_notpetya.yml	2020-11-27 15:29:29 -03:00
Jonhnathan	3410a1eece	Update win_malware_formbook.yml	2020-11-27 15:26:15 -03:00
Jonhnathan	253c0839ec	Update logic	2020-11-27 15:25:38 -03:00
Jonhnathan	5f5af0bd36	Update win_malware_dridex.yml	2020-11-27 15:10:31 -03:00
Jonhnathan	7672db2aeb	Update Logic	2020-11-27 12:37:04 -03:00
Jonhnathan	22ae395e4a	Update win_impacket_lateralization.yml	2020-11-27 12:35:27 -03:00
Jonhnathan	e18829697f	Update Logic	2020-11-27 12:33:31 -03:00
Jonhnathan	9331686368	Update Logic	2020-11-27 12:27:23 -03:00
Jonhnathan	dbd97647f6	Remove Additional backslash and update logic	2020-11-27 12:22:04 -03:00
Jonhnathan	421ab4dc5f	Update win_exploit_cve_2017_0261.yml	2020-11-27 12:18:06 -03:00
Jonhnathan	3f9edf19a9	Update win_control_panel_item.yml	2020-11-27 12:15:12 -03:00
Jonhnathan	bde2b95cdc	Remove Additional backslash	2020-11-27 12:14:34 -03:00
Jonhnathan	e58333f808	Update win_commandline_path_traversal.yml	2020-11-27 12:13:45 -03:00
mat	b3e36281b5	fix reference field + add test for references in plural form	2020-11-27 10:17:45 +01:00
Jonhnathan	a403082631	Update win_bypass_squiblytwo.yml	2020-11-26 23:33:00 -03:00
Jonhnathan	d5803b89ef	Update win_apt_zxshell.yml	2020-11-26 23:31:10 -03:00
Jonhnathan	89a4aa84bf	Update win_apt_winnti_pipemon.yml	2020-11-26 23:29:10 -03:00
Jonhnathan	df93846117	Update win_apt_unidentified_nov_18.yml	2020-11-26 23:26:18 -03:00
Jonhnathan	b234d577d6	Update win_apt_sofacy.yml	2020-11-26 23:21:53 -03:00
Jonhnathan	77bae30bef	Update win_apt_slingshot.yml	2020-11-26 23:18:32 -03:00
Jonhnathan	f2dd516b7c	Fix logic	2020-11-26 23:16:03 -03:00
Jonhnathan	127607c5e7	Remove Additional backslash	2020-11-26 23:14:51 -03:00
Jonhnathan	bce74198ab	Remove Additional backslash	2020-11-26 23:14:24 -03:00
Jonhnathan	fda266adb6	Update win_apt_hurricane_panda.yml	2020-11-26 23:12:26 -03:00
Jonhnathan	d0b6694767	Update win_apt_greenbug_may20.yml	2020-11-26 23:05:44 -03:00
Jonhnathan	707fbe048e	Update win_apt_evilnum_jul20.yml	2020-11-26 23:05:08 -03:00
Jonhnathan	a113c0f3b4	Remove Additional backslash	2020-11-26 23:00:05 -03:00
Jonhnathan	d57d7c1e5b	Remove Additional backslash	2020-11-26 22:59:35 -03:00
Jonhnathan	f61317b2f9	Update sysmon_in_memory_assembly_execution.yml	2020-11-26 22:50:48 -03:00
Jonhnathan	784cab1dfe	Fix missing logic and Field	2020-11-26 22:46:17 -03:00
Jonhnathan	48f16a0ca8	Update win_susp_net_recon_activity.yml	2020-11-26 22:39:49 -03:00
Florian Roth	c6fc9de144	New Trickbot wermgr rule	2020-11-26 09:54:27 +01:00
Florian Roth	c111ab3141	Improved Trickbot recon rule	2020-11-26 09:54:13 +01:00
Florian Roth	b31ed47ccf	Merge branch 'master' into devel	2020-11-26 09:44:56 +01:00
bczyz1	05398ae95e	change field newprocessname -> image	2020-11-23 13:43:19 +01:00
bczyz1	193021eff8	Update win_apt_slingshot.yml fix condition	2020-11-20 09:19:03 +01:00
Jonhnathan	31e0cfb13f	Update win_susp_covenant.yml	2020-11-20 02:36:20 -03:00
Jonhnathan	ec1944e2d7	Update win_susp_copy_system32.yml	2020-11-20 02:31:26 -03:00
Jonhnathan	5d7131bbf2	Update win_susp_compression_params.yml	2020-11-20 02:29:41 -03:00
Jonhnathan	32ed588adb	Update detection Logic	2020-11-20 02:27:58 -03:00
Jonhnathan	b274be8d4e	Update detection Logic	2020-11-20 02:25:32 -03:00
Jonhnathan	c31c0d981a	Update detection logic	2020-11-20 02:23:18 -03:00
Jonhnathan	23edcc6dc6	Update win_susp_certutil_command.yml	2020-11-20 02:21:55 -03:00
Jonhnathan	8af17dda5b	Update win_spn_enum.yml	2020-11-20 02:17:31 -03:00
Jonhnathan	d5cb4246c2	Remove additional backlash	2020-11-20 02:16:51 -03:00
Jonhnathan	0606cd3dde	Update detection Logic	2020-11-20 02:10:27 -03:00
Jonhnathan	ebb4580378	Remove additional backlash	2020-11-20 02:04:28 -03:00
Jonhnathan	2ba146be07	Remove additional backlash	2020-11-20 02:03:06 -03:00
Jonhnathan	493fa3d5ee	Update sysmon_susp_mic_cam_access.yml	2020-11-20 02:02:26 -03:00
Jonhnathan	9e3a612953	Remove additional backlash	2020-11-20 02:01:43 -03:00
Jonhnathan	6c88dd700e	Update sysmon_stickykey_like_backdoor.yml	2020-11-20 02:00:53 -03:00
Jonhnathan	1e640b50f9	Remove additional backlash	2020-11-20 01:58:20 -03:00
Jonhnathan	acff5ef4f9	Update sysmon_registry_persistence_key_linking.yml	2020-11-20 01:57:34 -03:00
Jonhnathan	e35b09e1a6	Remove out of context falsepositive	2020-11-20 01:55:48 -03:00
Jonhnathan	d595df2879	Fix	2020-11-20 01:53:15 -03:00
Jonhnathan	6f3daad053	Update sysmon_apt_oceanlotus_registry.yml	2020-11-20 01:51:53 -03:00
Jonhnathan	9967bd1fe5	Update sysmon_apt_oceanlotus_registry.yml	2020-11-20 01:51:01 -03:00
Jonhnathan	1af9e9ed48	Update sysmon_win_reg_persistence.yml	2020-11-20 01:47:19 -03:00
Jonhnathan	8d8c29e0fe	Update sysmon_uac_bypass_sdclt.yml	2020-11-20 01:42:17 -03:00
Jonhnathan	372f000b7f	Update sysmon_uac_bypass_eventvwr.yml	2020-11-20 01:41:20 -03:00
Jonhnathan	e8aa9a854a	Update sysmon_uac_bypass_eventvwr.yml	2020-11-20 01:40:29 -03:00
Jonhnathan	57e98e3957	Remove additional backlash	2020-11-20 01:38:57 -03:00
Jonhnathan	9cf2ea5862	Update sysmon_susp_service_installed.yml	2020-11-20 01:38:17 -03:00
Jonhnathan	1acc19a8d5	Remove additional backlash	2020-11-20 01:37:24 -03:00
Jonhnathan	ab2edd1ff0	Update sysmon_malware_verclsid_shellcode.yml	2020-11-20 01:34:43 -03:00
Jonhnathan	240a8b9aa0	Update sysmon_lazagne_cred_dump_lsass_access.yml	2020-11-20 01:33:04 -03:00
Jonhnathan	ebd9973dcb	Update sysmon_lazagne_cred_dump_lsass_access.yml	2020-11-20 01:32:41 -03:00
Jonhnathan	2194744803	Update sysmon_invoke_phantom.yml	2020-11-20 01:30:58 -03:00
Jonhnathan	4af7f00f4a	Improve logic	2020-11-20 01:30:01 -03:00
Jonhnathan	728276ef13	Improve Logic	2020-11-20 01:22:20 -03:00
Jonhnathan	ee43919eec	Change detection logic	2020-11-20 01:05:06 -03:00
Jonhnathan	c42911cb47	Update win_wmi_persistence.yml	2020-11-20 00:58:49 -03:00
Jonhnathan	718792e0ba	Update win_tool_psexec.yml	2020-11-20 00:57:16 -03:00
Jonhnathan	b3e0b55250	Remove additional backslash	2020-11-20 00:53:13 -03:00
Jonhnathan	813afd4f4c	Remove additional backslash	2020-11-20 00:52:54 -03:00
Jonhnathan	f6a89e9707	Fix Detection Logic	2020-11-20 00:51:22 -03:00
Jonhnathan	0ffd1ef47f	Remove additional backslash	2020-11-19 23:15:38 -03:00
Jonhnathan	351a9920ed	Update win_mal_flowcloud.yml	2020-11-19 23:14:44 -03:00
Jonhnathan	43ffb80d94	Remove additional backslash	2020-11-19 23:09:50 -03:00
Jonhnathan	44652c4ffd	Remove additional backslash	2020-11-19 23:08:40 -03:00
Jonhnathan	9a5b17f2bb	Remove additional backslash	2020-11-19 23:04:26 -03:00
Jonhnathan	f79caba72a	Remove additional backslash	2020-11-19 22:58:50 -03:00
Jonhnathan	6ecafac619	Update sysmon_susp_driver_load.yml	2020-11-19 22:56:34 -03:00
Jonhnathan	f42ef96140	Fix Reference	2020-11-19 22:50:27 -03:00
Jonhnathan	fdd28556cf	Fix ref	2020-11-19 22:48:20 -03:00
Jonhnathan	4f4fcbc576	Update win_susp_wmi_login.yml	2020-11-19 22:47:20 -03:00
Jonhnathan	ea385767b9	Update win_susp_ntlm_auth.yml	2020-11-19 22:40:43 -03:00
Jonhnathan	5d85bbba56	Improve detection logic	2020-11-19 22:37:13 -03:00
Jonhnathan	c20bce4a77	Update win_susp_msmpeng_crash.yml	2020-11-19 22:30:48 -03:00
Jonhnathan	7fe2c00ac1	Update win_net_ntlm_downgrade.yml	2020-11-19 22:14:37 -03:00
Jonhnathan	371c112143	Fix the detection logic ObjectName = admin was included in the query using AND, not OR.	2020-11-19 21:45:19 -03:00
v3t0	3d206b08d8	[OSCD] Added a rule to detect potential persistence using registry keys	2020-11-15 19:04:12 -05:00
stvetro	19eb8306d3	Removed unnessary antifalse positive	2020-11-14 09:50:29 +04:00
Ryan Plas	d4d694b4da	Logic fix for sysmon_non_priv_program_files_move	2020-11-10 10:01:47 -05:00
Florian Roth	af4d546408	Merge pull request #1282 from Neo23x0/rule-devel fix: FPs with notepad++ GUP rule	2020-11-10 13:39:28 +01:00
Florian Roth	2e9d7951a6	Merge pull request #1272 from bczyz1/patch-2 Fix typo in win_apt_lazarus_session_hijack.yml	2020-11-10 13:35:08 +01:00
Florian Roth	f6c0fb2d33	fix: FPs with notepad++ GUP rule	2020-11-09 16:34:12 +01:00
Florian Roth	c3785d6dc7	rule: FPs with WmiPrvSE rule	2020-11-05 16:44:33 +01:00
bczyz1	c554aaea8f	update win_apt_slingshot.yml - optimized rule - added detection of task modification (flag /change + /disable as described here https://stackoverflow.com/questions/26169582/does-anyone-know-of-a-way-to-turn-off-windows-defragmenters-default-schedule-us)	2020-11-05 15:51:22 +01:00
yugoslavskiy	efc3f298b8	simplify syntax	2020-11-04 23:03:34 +01:00
yugoslavskiy	2f789c45dc	change a syntax a bit to re-run the tests	2020-11-04 22:30:27 +01:00
bczyz1	4a5b2d642e	Fix typo in win_apt_lazarus_session_hijack.yml	2020-11-03 14:46:29 +01:00
GlebSukhodolskiy	8068487340	test trigger	2020-11-03 12:04:03 +03:00
GlebSukhodolskiy	544876951f	fixed duplication v2	2020-11-03 02:34:34 +03:00
GlebSukhodolskiy	48e46c279a	fixed duplication	2020-11-03 02:25:22 +03:00
GlebSukhodolskiy	cf8c721662	fixed optimization and references	2020-11-03 02:16:13 +03:00
GlebSukhodolskiy	e2c4af012b	Changed to Placeholders Usage A query was too big to pass a test, so I changed logic to placeholders usage.	2020-11-03 00:56:42 +03:00
feedb	e93dd7fe61	fix	2020-11-01 15:25:12 +03:00
Vasiliy Burov	903ce08277	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-11-01 14:21:27 +03:00
yugoslavskiy	ea71828d34	change syntax a bit to re-run the test	2020-10-31 23:57:13 +01:00
stvetro	8dc8fdc44b	Added antifalsepositive condition 4688 always has non empty cmd	2020-10-31 12:46:30 +04:00
omkargudhate22	f1bb9726ca	updated mitre tag	2020-10-30 13:35:40 +05:30
omkar72	86a849728d	ryuk changes	2020-10-30 13:15:11 +05:30
Vasiliy Burov	ab60fdcef4	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-29 23:38:22 +03:00
Vasiliy Burov	683824ee46	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-29 11:44:45 +03:00
Vasiliy Burov	d743cbbe4b	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-29 11:14:43 +03:00
Semanur Guneysu	46c52b4347	Update sysmon_abusing_debug_privilege.yml	2020-10-28 20:11:29 +03:00
nsaddler	07f777d1b5	Update powershell_CL_Mutexverifiers_LOLScript_v2.yml	2020-10-28 19:32:18 +03:00
nsaddler	7ee644eac0	Update powershell_CL_Invocation_LOLScript_v2.yml	2020-10-28 19:30:21 +03:00
nsaddler	d0a796439b	Update powershell_CL_Invocation_LOLScript.yml	2020-10-28 19:25:43 +03:00
Наталья Шорникова	a4a3e01f25	Splitting into two rules	2020-10-28 19:13:29 +03:00
Наталья Шорникова	55a7fe6b9d	Splitting into two rules	2020-10-28 19:08:23 +03:00
Vasiliy Burov	d90ec67cce	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-28 11:44:21 +03:00
Vasiliy Burov	744c637125	Delete win_rdp_session_hijacking.yml	2020-10-28 11:38:39 +03:00
Vasiliy Burov	931ccde3e6	Merge branch 'patch-15' of https://github.com/vburov/sigma into patch-15	2020-10-28 11:27:48 +03:00
Vasiliy Burov	eec398ea0e	Merge branch 'master' into patch-15	2020-10-28 11:27:28 +03:00
Vasiliy Burov	2d2464ba22	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-28 11:20:26 +03:00
Vasiliy Burov	fdbd8de219	Revert "Update win_susp_multiple_files_renamed_or_deleted.yml" This reverts commit `eb166222bd`.	2020-10-28 10:51:18 +03:00
Vasiliy Burov	00f1326ae6	Revert "Update win_susp_multiple_files_renamed_or_deleted.yml" This reverts commit `64e48ed94d`.	2020-10-28 10:50:53 +03:00
Jonhnathan	28febe5dd2	Update win_apt_chafer_mar18.yml	2020-10-27 23:28:04 -03:00
Jonhnathan	0860978412	Update win_apt_bear_activity_gtr19.yml	2020-10-27 23:26:34 -03:00
Jonhnathan	e24e6da3b5	Update win_apt_apt29_thinktanks.yml	2020-10-27 23:24:04 -03:00
Jonhnathan	467af2ebb5	Update sysmon_susp_prog_location_network_connection.yml	2020-10-27 22:56:32 -03:00
Jonhnathan	266109f3d8	Update win_mal_ryuk.yml	2020-10-27 22:47:41 -03:00
Jonhnathan	514f9ccd28	Update win_mal_ryuk.yml	2020-10-27 22:42:15 -03:00
Jonhnathan	187d1d3e3b	Update win_user_driver_loaded.yml	2020-10-27 22:37:50 -03:00
Jonhnathan	dbad6c637f	Update av_webshell.yml	2020-10-27 22:35:45 -03:00
Jonhnathan	0afe48a0a0	Update av_relevant_files.yml	2020-10-27 22:34:57 -03:00
Jonhnathan	95da1ec500	Update av_relevant_files.yml	2020-10-27 22:32:16 -03:00
Jonhnathan	d3c6d9df31	Update win_mal_ryuk.yml	2020-10-27 22:21:16 -03:00
Jonhnathan	98c7639db7	Update mal_azorult_reg.yml	2020-10-27 22:19:04 -03:00
Jonhnathan	8f4d6f802b	Update mal_azorult_reg.yml	2020-10-27 22:18:41 -03:00
Jonhnathan	bfb50a3d42	Update sysmon_susp_office_dsparse_dll_load.yml	2020-10-27 22:13:02 -03:00
Jonhnathan	3477866451	Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml	2020-10-27 22:10:17 -03:00
Jonhnathan	9fd203e2a3	Update mal_azorult_reg.yml	2020-10-27 22:07:45 -03:00
Jonhnathan	ebb84486f5	Update sysmon_susp_adsi_cache_usage.yml	2020-10-27 22:04:31 -03:00
Jonhnathan	182b12614b	Update sysmon_quarkspw_filedump.yml	2020-10-27 22:02:47 -03:00
Jonhnathan	dde5b46726	Update win_susp_sam_dump.yml	2020-10-27 22:01:31 -03:00
Jonhnathan	61ccdc598d	Update win_susp_local_anon_logon_created.yml	2020-10-27 22:00:42 -03:00
Jonhnathan	3eea825898	Update win_net_ntlm_downgrade.yml	2020-10-27 21:59:49 -03:00
Jonhnathan	53ff19f167	Update win_mmc20_lateral_movement.yml	2020-10-27 21:55:17 -03:00
Vasiliy Burov	64e48ed94d	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-27 23:33:56 +03:00
Vasiliy Burov	eb166222bd	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-27 23:15:28 +03:00
Vasiliy Burov	172c619719	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-27 22:50:09 +03:00
Vasiliy Burov	edede617cf	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-27 22:36:12 +03:00
Vasiliy Burov	515c4dd9cd	Added some false positives issues	2020-10-27 20:35:22 +03:00
Vasiliy Burov	66965cec33	Added some false positives issues	2020-10-27 17:31:46 +03:00
Semanur Guneysu	1e32391e59	Merge branch 'master' of https://github.com/semanurguneysu/sigma into oscd	2020-10-26 19:49:56 +03:00
Semanur Guneysu	27dbf73c0d	Update sysmon_abusing_debug_privilege.yml comment added	2020-10-26 19:25:36 +03:00
invrep-de	8a9db12d30	Enhanced to improve specificity Enhanced to improve specificity per feedback received;	2020-10-26 12:05:16 -04:00
invrep-de	dc41f64023	[OSCD] Bad Opsec Defaults Sacrificial Processes Incorporate feedback from @yugoslavskiy;	2020-10-26 11:52:16 -04:00
Semanur Guneysu	1b3cb8a64b	Delete .DS_Store	2020-10-26 18:15:57 +03:00
Semanur Guneysu	db49c436a3	Update sysmon_abusing_debug_privilege.yml	2020-10-26 18:08:05 +03:00
Semanur Guneysu	bc5e9b57e9	Update sysmon_abusing_debug_privilege.yml	2020-10-26 17:45:13 +03:00
Semanur Guneysu	2dab2d420c	Update sysmon_abusing_debug_privilege.yml	2020-10-26 15:24:00 +03:00
Semanur Guneysu	4e1143502e	Create .DS_Store	2020-10-26 15:18:20 +03:00
Semanur Guneysu	cb5a541a5e	Update sysmon_abusing_debug_privilege.yml NT AUTHORITY\SYSTEM	2020-10-26 14:56:25 +03:00
Semanur Guneysu	3ff10b160f	Update sysmon_abusing_debug_privilege.yml	2020-10-26 14:44:27 +03:00
Semanur Guneysu	e65b8249d7	Update sysmon_abusing_debug_privilege.yml	2020-10-26 14:39:43 +03:00
S.kiran kumar	b5e07f0a37	Update silenttrinity_stager_msbuild_activity.yml	2020-10-26 17:00:50 +05:30
Semanur Guneysu	70beef515d	Update sysmon_abusing_debug_privilege.yml mitre tag added.Checked.	2020-10-26 14:01:46 +03:00
Vasiliy Burov	b84fc7850c	Update win_susp_multiple_files_renamed_or_deleted.yml	2020-10-26 13:48:19 +03:00

... 4 5 6 7 8 ...

3367 Commits