valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,010 Commits 20 Branches 25 Tags 21 MiB
a5ec6722a1
Commit Graph

900 Commits

Author SHA1 Message Date
Florian Roth
596140543d
Merge pull request #455 from EccoTheFlintstone/ruler_fix 
Ruler fix
 2019-09-25 17:26:55 +02:00
ecco
4c54e8322a sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives 2019-09-25 11:11:22 -04:00
ecco
a644b938a0 fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0) 2019-09-23 05:44:26 -04:00
ecco
6a7f7e0f76 add microsoft reference for events fields names 2019-09-23 05:21:30 -04:00
ecco
d48b63a235 ruler rule field name fix for eventID 4776 2019-09-23 05:17:35 -04:00
ecco
c2868f6e03 remove TAB from cli escape as it's currently unsupported in sigmac 2019-09-23 04:46:10 -04:00
ecco
0c96777f6a sysmon rules cleanup and move to process_creation 2019-09-11 10:24:43 -04:00
Florian Roth
038900e2fe fix: renamed powershell rule 2019-09-06 17:33:56 +02:00
ecco
b410710338 move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 10:57:03 -04:00
ecco
5ae46ac56d rule: user added to local administrator: handle non english systems by using group sid instead of name 2019-09-06 06:21:42 -04:00
ecco
fe93d84015 fix FP : field null value can be '-' 2019-09-06 05:14:58 -04:00
Florian Roth
7f1b6eb311 fix: duplicate rule 2019-09-06 10:30:47 +02:00
Florian Roth
fcbae16cc8 rule: image debugger 2019-09-06 10:28:20 +02:00
ecco
01956f1312 powershell false positives 2019-09-06 03:54:19 -04:00
Thomas Patzke
afe6668fbd
Merge pull request #438 from duzvik/master 
Escaped '\*' to '\*' where required
 2019-09-05 10:57:25 +02:00
Thomas Patzke
f9f5558ae1
Merge pull request #392 from TareqAlKhatib/shim 
Fixed commandline to detect any shim install from any location
 2019-09-05 10:28:50 +02:00
ecco
bdf8f99fdb fix typo 2019-09-04 11:31:00 -04:00
Florian Roth
7bef822da7 rule: minor improvement to susp ps enc cmd 2019-09-04 16:31:49 +02:00
Denys Iuzvyk
774be4d008 Escaped '\*' to '\*' where required 2019-09-04 14:05:58 +03:00
ecco
fc89804f34 rule: impacket framework lateralization detection 2019-09-03 10:28:59 -04:00
ecco
8cad0c638e add comcvcs.dll memdump method 2019-09-02 07:49:19 -04:00
Florian Roth
dca5a7a248
Merge pull request #432 from EccoTheFlintstone/master 
add/modify powershell Empire rules
 2019-09-02 11:40:36 +02:00
ecco
5f30e52739 add/modify powershell Empire rules 2019-09-02 05:04:44 -04:00
Florian Roth
ace0cc36c6 rule: improved csc rule 2019-08-31 08:44:09 +02:00
Florian Roth
ca2019b57f
fix: typo in MITRE tag 2019-08-27 12:32:56 +02:00
Florian Roth
6b7cd94197
Changes 2019-08-27 12:23:42 +02:00
weev3
d42a51372d
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30
Florian Roth
70a26a6132 fix: fixed MITRE tags 2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680 rule: csc.exe suspicious source folder 2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817 rules: encoded FromBase64String keyword 2019-08-24 13:53:05 +02:00
Florian Roth
87ce52f6fe fix: fixed wrong MITRE tag 2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21 rule: encoded IEX 2019-08-23 23:13:36 +02:00
Thomas Patzke
68fb56f503
Merge pull request #345 from ki11oFF/patch-1 
Detection of usage mimikatz trough WinRM
 2019-08-23 23:04:07 +02:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement 
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
 2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement 
Win susp add sid history improvement
 2019-08-23 22:58:46 +02:00
Florian Roth
cc01f76e99 docs: minor changes 2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00
ecco
d0a24f4409 filter NULL values to remove false positives 2019-08-20 05:10:41 -04:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match 
Add default task name and powershell task command to match what the rule name says: detects default config.
 2019-08-09 11:58:43 +02:00
Florian Roth
4fcb52d098 fix: removed mmc susp rule due to many FPs 2019-08-07 14:26:15 +02:00
Florian Roth
f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5 
Ryuk Ransomware commands from real case
 2019-08-06 10:29:00 +02:00
Karneades
42e6c9149b
Remove unneeded event code 2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule 2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell 
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml. And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml.
 2019-08-05 18:42:31 +02:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what title says 
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
 2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac rule: reworked vssadmin rule 2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf fix: fixing rule win_cmstp_com_object_access 
https://github.com/Neo23x0/sigma/issues/408
 2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99 Rule: reworked win_susp_powershell_enc_cmd 2019-07-30 14:36:30 +02:00
Florian Roth
9143e89f3e Rule: renamed and reworked hacktool Ruler rule 2019-07-26 14:49:09 +02:00
Florian Roth
f3fb2b41b2 Rule: FP filters extended 2019-07-23 14:58:36 +02:00
Florian Roth
2c57b443e4 docs: modification date in rule 2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix 
Win susp dhcp config failed fix
 2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e author string modified 2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
yugoslavskiy
bb1c040b1b rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved 2019-07-17 06:19:18 +03:00
yugoslavskiy
803f2d4074 changed logic to detect events related to sid history adding 2019-07-17 04:28:21 +03:00
yugoslavskiy
310e3b7a44 rules/windows/builtin/win_susp_add_sid_history.yml improved 2019-07-17 03:55:02 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp 
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
 2019-07-16 15:30:52 -04:00
Tareq AlKhatib
d08a993159 Fixed commandline to detect any shim install from any location 2019-07-08 12:31:18 +03:00
Christophe Tafani-Dereeper
5bc10a4855
Include Github raw URLs in suspicious downloads detection rule 2019-07-05 09:01:35 +00:00
Florian Roth
0b883a90b6 fix: null value in separate expression 2019-07-02 20:14:45 +02:00
Florian Roth
ce43d600e3 fix: added null value / application to 4688 problem 2019-07-02 10:51:48 +02:00
Tareq AlKhatib
15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Vasiliy Burov
2f123f64a7
Added command that stops services. 2019-06-28 19:46:34 +03:00
Vasiliy Burov
3813d277a6
Ryuk Ransomware commands from real case 2019-06-28 19:26:05 +03:00
Florian Roth
ad386474bf fix: removed unusable extensions in proc exec context 2019-06-26 17:03:01 +02:00
Florian Roth
708f3ef002 fix: fixed duplicate element in new double extension rule 2019-06-26 16:00:58 +02:00
Florian Roth
41dc076959 Rule: suspicious double extension 2019-06-26 15:57:25 +02:00
Florian Roth
39b5eddfc7 Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00
Florian Roth
26036e0d35 fix: fixed image in taskmgr rule 2019-06-21 17:15:53 +02:00
Thomas Patzke
ff7128209e Adjusted level 2019-06-20 00:03:48 +02:00
Thomas Patzke
0f8849a652 Rule fixes 
* tagging
* removed spaces
* converted to generic log source
* typos/case
 2019-06-20 00:01:56 +02:00
Thomas Patzke
f4c86f15b8 Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master 2019-06-19 23:49:20 +02:00
Thomas Patzke
429c29ed5a
Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing 
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
 2019-06-19 23:43:10 +02:00
Thomas Patzke
960cd69d50 Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4 2019-06-19 23:34:25 +02:00
Thomas Patzke
dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke
d14f5c3436
Merge pull request #371 from savvyspoon/issue285 
CAR tagging
 2019-06-19 23:21:43 +02:00
Thomas Patzke
d82df83ef1
Merge pull request #369 from TareqAlKhatib/refactors 
Refactors
 2019-06-19 23:16:19 +02:00
mgreen27
07e2ee474c sigma/Add sysmon_renamed_binary 2019-06-15 20:20:52 +10:00
mgreen27
1d26708887 sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml 
alternative detection methods
 2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb
2d22a3fe02
Add detection for recent Mimikatz versions 
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
 2019-06-12 12:13:31 +03:00
Thomas Patzke
a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib
fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
yugoslavskiy
5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00
yugoslavskiy
6a39b4fb41 date added 2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596 rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing 2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00
Nate Guagenti
2163208e9c
update correct process name 
incorrect process name. accidentally had fsutil, should be bcdedit.

thanks to https://twitter.com/INIT_3 for pointing this out
 2019-06-01 09:50:50 -04:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master 
Add rule for CVE-2019-0708
 2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments 
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
 2019-05-27 08:54:18 +02:00
Thomas Patzke
241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00