valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,571 Commits 20 Branches 25 Tags 21 MiB
aa8a0f5e1f
Commit Graph

1212 Commits

Author SHA1 Message Date
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
6ea861da53
Merge pull request #605 from Neo23x0/devel 
Winnti rule and helpful message in test script
 2020-02-01 15:51:16 +01:00
Florian Roth
a752e6c95f rule: winnti group campaign against HK universities 2020-02-01 15:43:30 +01:00
Florian Roth
7a222920df
added 'date' 2020-01-31 15:27:30 +01:00
Florian Roth
913c839780
added 'id' 2020-01-31 15:26:43 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master 2020-01-31 14:45:29 +01:00
Florian Roth
1213712978
Merge branch 'master' into patch-1 2020-01-31 14:32:27 +01:00
Florian Roth
afecca3c13
Merge pull request #511 from 4A616D6573/patch-3 
Created win_susp_local_anon_logon_created.yml
 2020-01-31 14:30:54 +01:00
Florian Roth
8c4aadb423
Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth
190afcac88
Missing ID, wrong tag 2020-01-31 07:32:28 +01:00
Florian Roth
e3d61d5579
Missing ID 2020-01-31 07:31:56 +01:00
Florian Roth
033ab26d5e
Added date 2020-01-31 07:21:02 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth
ae2c186872 rule: wsreset.exe UAC bypass 2020-01-30 18:05:47 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth
30d872f98f
Merge pull request #492 from booberry46/master 
Bypass Windows Defender
 2020-01-30 14:27:30 +01:00
Florian Roth
8cef4b2941
fix: missing id 2020-01-30 10:14:18 +01:00
Florian Roth
bf81ff90a8
fix: using a specific field 2020-01-30 10:13:33 +01:00
Florian Roth
0207eeece4
fix: hyphen 2020-01-30 10:10:03 +01:00
Florian Roth
2f1890b5e8
Update win_rdp_reverse_tunnel.yml 2020-01-30 10:09:41 +01:00
Florian Roth
8ec0060938
fix: fixing bug 2020-01-30 10:09:22 +01:00
Florian Roth
6ca100cabf
reverted changes 2020-01-30 10:08:25 +01:00
Florian Roth
0a4d32c7c7
fix: fixing issues 2020-01-30 10:07:24 +01:00
Florian Roth
9828d7f81d
re-added old reference 2020-01-30 10:03:09 +01:00
Florian Roth
d90ea6d267
improved rule 2020-01-30 09:58:32 +01:00
Florian Roth
d2122b6b83
Merge pull request #594 from sreemanshanker/master 
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
 2020-01-30 09:14:58 +01:00
Florian Roth
a01773681a
fix: filename 2020-01-30 08:18:29 +01:00
Florian Roth
529e95e3a5
Fixed everything 
This rule had a lot of errors and problems. 
- title
- file name 
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
 2020-01-30 08:17:46 +01:00
Florian Roth
4c90e636b1
changed file name 2020-01-30 08:07:56 +01:00
Florian Roth
a935cea665
fix: condition 2020-01-30 08:06:53 +01:00
sreemanshanker
d5c7b4795d
Add files via upload 2020-01-30 11:29:01 +08:00
Florian Roth
376092cfd3
Merge pull request #565 from RiccardoAncarani/master 
Add Covenant default named pipe
 2020-01-29 20:28:00 +01:00
Florian Roth
a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth
7786edac29 rule: dctask64.exe evasion techniques 
https://twitter.com/gN3mes1s/status/1222088214581825540
 2020-01-28 11:29:24 +01:00
Florian Roth
d48fc9d1ff fix: multiple false positive conditions 2020-01-28 10:11:09 +01:00
Florian Roth
240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth
5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth
e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
Florian Roth
4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth
11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
sbousseaden
a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC)
c24bbdcf81 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-24 15:31:06 +01:00
msec1203
4f29556a01 Update win_susp_winword_wmidll_load.yml 
Update x2
 2020-01-24 15:31:06 +01:00
msec1203
48a071ad4e Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2020-01-24 15:31:06 +01:00
GelosSnake
8fbe08d5fa Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2020-01-24 15:31:06 +01:00
GelosSnake
9f3672fdc0 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2020-01-24 15:31:06 +01:00
msec1203
4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2020-01-24 15:31:06 +01:00
Justin Schoenfeld
5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00