SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00

Author	SHA1	Message	Date
msec1203	a45f877712	Update win_susp_winword_wmidll_load.yml Fix to error on incorrect mitre tags used.	2019-12-30 18:41:16 +09:00
msec1203	845d67f1f3	Initial Upload Submit Sigma Rule For Detecting Word Loading WMI DLL's.	2019-12-29 23:14:29 +09:00
Florian Roth	98aa4d4ecb	fix: fixed typo in rule for renamed procdump	2019-11-19 15:59:07 +01:00
Florian Roth	2c855be9d3	fix: casing fix in renamed procdump rule	2019-11-18 15:57:14 +01:00
Florian Roth	93f890b31d	rule: renamed procdump	2019-11-18 15:27:04 +01:00
Thomas Patzke	0592cbb67a	Added UUIDs to rules	2019-11-12 23:12:27 +01:00
Thomas Patzke	5f6a4225ec	Unified line terminators of rules to Unix	2019-11-12 23:05:36 +01:00
Thomas Patzke	d42cc78509	Converted rules Sysmon/1 parts to generic process_creation	2019-11-12 21:06:24 +01:00
Thomas Patzke	0065e2420f	Merge branch 'oscd-qa'	2019-11-12 20:54:11 +01:00
Florian Roth	b7c3f8da91	refactor: cleanup, single element lists, renamed files, level adjustments	2019-11-12 12:55:05 +01:00
Florian Roth	038f205f0f	fix: FPs with UserInitMprLogonScript rule	2019-11-09 23:32:53 +01:00
Florian Roth	fbe138ed90	rule: reduced level of rule to medium due to FPs	2019-11-09 23:24:31 +01:00
yugoslavskiy	b176339da8	Merge pull request #479 from alexpetrov12/master add rule	2019-11-08 02:16:22 +03:00
yugoslavskiy	98f32e9098	Delete sysmon_mimikatz_сreds_dump.yml merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml	2019-11-08 02:06:31 +03:00
yugoslavskiy	6d61401b12	Delete sysmon_сreds_dump.yml merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml	2019-11-08 02:06:20 +03:00
yugoslavskiy	562e07de38	Delete cobalt_execute_assembly.yml merged with existing [sysmon_cobaltstrike_process_injection.yml](https://github.com/Neo23x0/sigma/blob/oscd/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml)	2019-11-08 01:42:42 +03:00
yugoslavskiy	52d099a6e3	improve sysmon_cobaltstrike_process_injection.yml	2019-11-08 01:41:26 +03:00
yugoslavskiy	6083d70975	Update sysmon_registry_persistence_key_linking.yml	2019-11-07 04:23:20 +03:00
yugoslavskiy	ce849a1184	Merge branch 'master' into oscd	2019-11-04 20:48:19 +03:00
yugoslavskiy	1f1fd68331	Merge pull request #472 from feedb/oscd add 11 new rules: - rules/linux/auditd/lnx_auditd_web_rce.yml - rules/windows/process_creation/process_creation_susp_bginfo.yml - rules/windows/process_creation/process_creation_susp_cdb.yml - rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml - rules/windows/process_creation/process_creation_susp_dnx.yml - rules/windows/process_creation/process_creation_susp_dxcap.yml - rules/windows/process_creation/process_creation_susp_msoffice.yml - rules/windows/process_creation/process_creation_susp_odbcconf.yml - rules/windows/process_creation/process_creation_susp_openwith.yml - rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml - rules/windows/sysmon/sysmon_webshell_creation_detect.yml	2019-11-04 20:40:58 +03:00
yugoslavskiy	19396fd274	Update sysmon_webshell_creation_detect.yml	2019-11-04 19:23:52 +03:00
Karneades	0117dac1db	fix: bound sysmon logon script rule to field Fixed rule: - rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml	2019-11-02 11:47:20 +01:00
Florian Roth	8ff85499c8	rule: svchost dll search order hijack	2019-10-28 12:03:03 +01:00
alexpetrov12	7aa804fe90	added new rules Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking	2019-10-25 18:01:36 +03:00
alexpetrov12	cc998aa667	fix	2019-10-24 00:48:43 +03:00
alexpetrov12	f1ccf296f4	fix	2019-10-24 00:40:58 +03:00
alexpetrov12	d3715a508b	fix	2019-10-23 18:15:46 +03:00
alexpetrov12	4c84412944	added new rule silenttrinity_stage_ use, sysmon_mimikatz_сreds_dump, sysmon_registry_persistence_key_linking, sysmon_сreds_dump	2019-10-23 18:08:30 +03:00
alexpetrov12	e38540a37f	fix	2019-10-23 13:28:04 +03:00
alexpetrov12	c1cfbacd24	fix	2019-10-23 13:18:57 +03:00
alexpetrov12	ad9b98541c	fix	2019-10-23 13:05:38 +03:00
alexpetrov12	fa4a8c974d	fix	2019-10-23 12:45:06 +03:00
alexpetrov12	f4ea01217e	fix	2019-10-23 02:47:04 +03:00
alexpetrov12	ebe4fe0377	fix	2019-10-23 02:42:37 +03:00
alexpetrov12	6c4f4ce309	fix	2019-10-23 02:25:04 +03:00
alexpetrov12	8d0c89b598	added new rules add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload	2019-10-23 01:55:03 +03:00
root	2bd9d8a9d8	add rule sysmon_webshell_creation_detect.yml	2019-10-22 05:56:37 +02:00
root	fb53855ae5	add rule sysmon_webshell_creation_detect.yml	2019-10-22 05:50:49 +02:00
Florian Roth	deb3ecf404	fix: relevant fields in lsass dll load rule	2019-10-16 19:09:20 +02:00
Florian Roth	c396526f40	rule: LSASS DLL load via undocumented Registry key https://twitter.com/SBousseaden/status/1183745981189427200	2019-10-16 13:18:44 +02:00
Florian Roth	e870c86fb0	rule: keyboad layout preloads extended with '	2019-10-15 15:11:00 +02:00
Florian Roth	7ee3974428	rule: suspicious keyboard layout load	2019-10-14 16:25:27 +02:00
Florian Roth	e0009bfb4a	fix: merged duplicate rules	2019-10-01 16:14:38 +02:00
Florian Roth	d8af435827	rule: RUN key pointing to suspicious folders	2019-10-01 16:08:31 +02:00
Florian Roth	c44f940fb6	rule: suspicious RUN key created by exe in temp/download folders	2019-10-01 16:08:13 +02:00
Florian Roth	de3a843bea	Merge pull request #457 from EccoTheFlintstone/sysmon_eventid3 sysmon eventid 3: filter on outgoing connections (initiated: true) to…	2019-09-28 10:16:02 +02:00
ecco	7a1d48cccd	fix: PsExec false positives	2019-09-26 04:50:43 -04:00
ecco	4c54e8322a	sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives	2019-09-25 11:11:22 -04:00
ecco	0c96777f6a	sysmon rules cleanup and move to process_creation	2019-09-11 10:24:43 -04:00
Florian Roth	038900e2fe	fix: renamed powershell rule	2019-09-06 17:33:56 +02:00

1 2 3 4 5 ...

429 Commits