valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,460 Commits 20 Branches 25 Tags 21 MiB
a816f4775f
Commit Graph

2460 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29 rule: dctask64.exe evasion techniques 
https://twitter.com/gN3mes1s/status/1222088214581825540
 2020-01-28 11:29:24 +01:00
Florian Roth
d48fc9d1ff fix: multiple false positive conditions 2020-01-28 10:11:09 +01:00
Florian Roth
240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth
df324a59c5 Merge branch 'master' into devel 2020-01-24 16:21:53 +01:00
Florian Roth
5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
2d4d
bace799f07 complete_cve_2019-19781 2020-01-24 15:31:06 +01:00
Florian Roth
4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth
11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
Florian Roth
f40a7aab3d rule: changes at Shitrix rule 2020-01-24 15:31:06 +01:00
Thomas Patzke
d408c0fd34 Added ala-rule backend to CI testing 2020-01-24 15:31:06 +01:00
Thomas Patzke
8525e9e961 Moved ala-rule backend code into ala backend module 2020-01-24 15:31:06 +01:00
sbousseaden
a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
neu5ron
ee1ae805d3 fix name of network_initiated 2020-01-24 15:31:06 +01:00
2d4d
341ed340a3 add newbm.pl 2020-01-24 15:31:06 +01:00
Florian Roth
4e07a786a7 rule: updated netscaler rule 2020-01-24 15:31:06 +01:00
Florian Roth
c22f7b0b65 fix: shortened path in Citrix Netscaler rule 2020-01-24 15:31:06 +01:00
2d4d
d0230f0024 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
2d4d
0bde8b5f00 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
a371cf1057 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
c24bbdcf81 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-24 15:31:06 +01:00
Maxime Lamothe-Brassard
d1774f7735 Fixed actual event tag 2020-01-24 15:31:06 +01:00
Maxime Lamothe-Brassard
1bfb809b6f Mapping OriginalFileName to event/INTERNAL_NAME now that it's available. 2020-01-24 15:31:06 +01:00
SOC Prime
2aae27f0a4 Update ala-rule.py 2020-01-24 15:31:06 +01:00
SOC Prime
85f09419fb Update ala-rule.py 2020-01-24 15:31:06 +01:00
vh
8d30459532 Azure Sentinel backend (ala) - Fixed path in query 
Added new backend Azure Sentinel Rule (ala-rule)
 2020-01-24 15:31:06 +01:00
msec1203
4f29556a01 Update win_susp_winword_wmidll_load.yml 
Update x2
 2020-01-24 15:31:06 +01:00
msec1203
48a071ad4e Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2020-01-24 15:31:06 +01:00
GelosSnake
8fbe08d5fa Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2020-01-24 15:31:06 +01:00
msec1203
4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00
david-burkett
5d04c76f68 svchost spawned without cli 2020-01-24 15:31:06 +01:00
Florian Roth
72341f08c5 Added MITRE ATT&CK Technique T1482 
https://attack.mitre.org/techniques/T1482/
 2020-01-24 15:31:06 +01:00
david-burkett
032c382184 corrected logic 2020-01-24 15:31:06 +01:00
David Burkett
991e3b8a51 Trickbot behavioral recon activity 2020-01-24 15:31:06 +01:00
Alessio Dalla Piazza
9f7eee8bb1 Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2020-01-24 15:31:06 +01:00
Thomas Patzke
0f4aef1000 Added sigma2attack to CI testing 2020-01-24 15:31:06 +01:00
Thomas Patzke
5f1e933b93
Merge pull request #588 from timbMSFT/timb 
Sigma queries - defense evasion by tampering with svchost; recently released GALLIUM activity group IOCs
 2020-01-20 10:06:06 +01:00
Florian Roth
e9012d57f7
Merge pull request #596 from 2d4d/master 
complete_cve_2019-19781
 2020-01-16 12:46:25 +01:00
2d4d
e35ebcc185 complete_cve_2019-19781 2020-01-15 21:59:33 +01:00
Florian Roth
41c4a499b4 rule: added a reference 2020-01-15 21:27:40 +01:00
Florian Roth
6db20d4bad rule: windows audit cve 2020-01-15 21:23:32 +01:00
Florian Roth
5ef64e4e99 rule: changes at Shitrix rule 2020-01-13 20:15:08 +01:00
Florian Roth
a0bad54dbd
Merge pull request #592 from 2d4d/fix_web_citrix_cve_2019_19781_exploit.yml 
add newbm.pl
 2020-01-13 14:48:38 +01:00
Thomas Patzke
7216fe400f Merge branch 'ala-rule' 2020-01-13 13:49:53 +01:00
Thomas Patzke
d95a2606f0 Merge branch 'socprime-master' into ala-rule 2020-01-13 13:48:19 +01:00
Thomas Patzke
638d461b16 Added ala-rule backend to CI testing 2020-01-13 13:47:11 +01:00
Thomas Patzke
7b62b931ce Moved ala-rule backend code into ala backend module 2020-01-13 11:24:46 +01:00