Commit Graph

170 Commits

Author SHA1 Message Date
Thomas Patzke
08eec2b6e6
Merge pull request #1094 from NikitaStormwind/Regular30
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (4104, 4103)
2020-10-13 21:43:16 +02:00
Thomas Patzke
5f4d60951d
Merge pull request #1112 from NikitaStormwind/regular29(1)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (4104, 4103)
2020-10-13 21:34:38 +02:00
Thomas Patzke
7e8930f15e
Merge pull request #1142 from NikitaStormwind/regular28(1)
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (4104, 4103)
2020-10-13 11:38:26 +02:00
Thomas Patzke
0c77edb859
Merge pull request #1120 from bczyz1/oscd
[OSCD] Create powershell_icmp_exfiltration.yml
2020-10-13 11:37:40 +02:00
Timur Zinniatullin
d1ef56bddb
@aw350m3 style compliance (:
2020-10-13 02:47:09 +03:00
Timur Zinniatullin
870574b635
Add powershell_invoke_obfuscation_via_var++.yml
2020-10-13 02:19:57 +03:00
Thomas Patzke
cb86c509f1
Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
2020-10-13 00:58:24 +02:00
Thomas Patzke
eaa9f293e7
Merge pull request #1125 from vburov/patch-12
[OSCD] Create powershell_cmdline_reversed_strings
2020-10-13 00:57:22 +02:00
Thomas Patzke
5664f72a2a
Merge pull request #1054 from NikitaStormwind/task#70
[OSCD] Detecting Code injection with PowerShell in another process #70
2020-10-13 00:47:13 +02:00
Nikita P. Nazarov
c5efbc8345
Detects Obfuscated Powershell via Stdin in Scripts
2020-10-12 18:47:51 +03:00
Bartlomiej Czyz
e90f91b89e
append authors of the update
2020-10-11 23:42:33 +02:00
Bartlomiej Czyz
b6876e5123
remove redundant reference
2020-10-11 23:35:17 +02:00
Vasiliy Burov
1320e0b733
Update powershell_cmdline_reversed_strings.yml
2020-10-11 23:40:12 +03:00
Bartlomiej Czyz
94efeda45d
modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
2020-10-11 19:11:54 +02:00
Vasiliy Burov
64b07ff51a
Update powershell_cmdline_reversed_strings.yml
2020-10-11 19:42:39 +03:00
Vasiliy Burov
c868ef655c
Update powershell_cmdline_reversed_strings.yml
2020-10-11 17:37:07 +03:00
Vasiliy Burov
7aaf4654cd
Rename powershell_cmdline_reversed_strings to powershell_cmdline_reversed_strings.yml
2020-10-11 17:28:56 +03:00
Vasiliy Burov
00f5d1ec92
Update powershell_cmdline_reversed_strings
2020-10-11 17:24:46 +03:00
Vasiliy Burov
51f00c153c
Update powershell_cmdline_reversed_strings
2020-10-11 17:18:15 +03:00
Vasiliy Burov
dd9c29377b
Update powershell_cmdline_reversed_strings
2020-10-11 17:11:58 +03:00
Vasiliy Burov
8f2ddc632e
Create powershell_cmdline_reversed_strings
2020-10-11 17:02:02 +03:00
Bartlomiej Czyz
a5dea8c596
[OSCD] Fix powershell_icmp_exfiltration.yml references, add newline at the end of the file #1013
2020-10-10 23:08:39 +02:00
Bartlomiej Czyz
6dcd4a6c6d
[OSCD] Create powershell_icmp_exfiltration.yml #1013
2020-10-10 23:05:31 +02:00
Nikita P. Nazarov
414c98e7ba
Detects Obfuscated Powershell via use Clip.exe in Scripts
2020-10-09 19:37:07 +03:00
Nikita Nazarov
31095033ab
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-09 16:25:59 +03:00
Nikita Nazarov
80a3a6c048
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-08 17:52:01 +03:00
Nikita Nazarov
b4377ed632
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-08 17:45:07 +03:00
Nikita Nazarov
3ba4eeac7b
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-08 17:36:20 +03:00
Nikita P. Nazarov
2db2ab30c4
Detects Obfuscated Powershell via use Rundll32 in Scripts
2020-10-08 17:08:43 +03:00
Nikita Nazarov
d3f0ddd2b1
Update powershell_code_injection.yml
2020-10-07 14:50:00 +03:00
Nikita Nazarov
bfa3635cd2
Update powershell_accessing_win_api.yml
2020-10-07 14:47:29 +03:00
Nikita P. Nazarov
0ad9fc61de
Detecting Code injection with PowerShell in another process
2020-10-06 20:52:18 +03:00
Nikita P. Nazarov
c90d99c0f9
Accessing WinAPI in PowerShell
2020-10-06 19:57:57 +03:00
aw350m3
eb6b9be5a2
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
aw350m3
c28fce6273
fix duplication of key "modified" in mapping
2020-08-25 00:53:09 +00:00
aw350m3
c22273d162
fix duplication of key modified in mapping
2020-08-25 00:50:38 +00:00
aw350m3
399f378269
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
aw350m3
ba2e891433
windows/powershell folder reviewed. Old IDs marked with comment "an old one". These IDs have to be removed in future.
2020-08-24 00:01:50 +00:00
Ryan Plas
de53a08746
Merge branch 'master' of github.com:Neo23x0/sigma
2020-07-15 10:27:33 -04:00
Florian Roth
58b68758b4
fix: wrong MITRE ATT&CK ids used in the beta version
2020-07-14 17:53:32 +02:00
Ryan Plas
04fd598bcf
Update additional rules to have correct logsource attributes
2020-07-13 17:02:17 -04:00
Ryan Plas
25d978d9bd
Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values
2020-07-11 22:17:06 -04:00
Thomas Patzke
7eb499ad85
Added rule id
2020-07-07 22:54:55 +02:00
Thomas Patzke
360b5714a8
Split and improved new rule
2020-07-07 22:47:14 +02:00
Thomas Patzke
0ce5f2cc75
Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483
2020-07-07 22:37:11 +02:00
Harish SEGAR
649e4eaa63
Added new rule for pwsh_xor_cmd
2020-06-29 22:09:58 +02:00
Ivan Kirillov
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
zaphod
1a598282f4
Add 'Add-Content' to powershell_ntfs_ads_access
2020-05-13 11:57:10 +02:00
Remco Verhoef
40539a0c0e
fix incorrect use of action global
2020-05-06 22:53:02 +02:00
Florian Roth
4f469c0e39
Adjusted level
2020-04-14 13:37:10 +02:00