SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00

Author	SHA1	Message	Date
Florian Roth	5980cb8d0c	rule: copy from admin share - lateral movement	2019-12-30 14:25:43 +01:00
Florian Roth	86e6b92903	rule: SecurityXploded tool	2019-12-30 14:25:29 +01:00
Florian Roth	5ad793e04a	Merge pull request #582 from tvjust/patch-1 Added new sticky key attack binary	2019-12-30 14:14:20 +01:00
Florian Roth	948af2993b	Merge pull request #583 from msec1203/msec1203-submit-rule1 MS Office Doc Load WMI DLL Rule	2019-12-30 14:13:58 +01:00
msec1203	dbdf6680e0	Update win_susp_winword_wmidll_load.yml Update x2	2019-12-30 18:49:39 +09:00
msec1203	a45f877712	Update win_susp_winword_wmidll_load.yml Fix to error on incorrect mitre tags used.	2019-12-30 18:41:16 +09:00
Florian Roth	e043bc2193	Merge pull request #584 from GelosSnake/master FP in win_system_exe_anomaly.yml	2019-12-29 18:52:43 +01:00
GelosSnake	f574c20432	Update win_system_exe_anomaly.yml fixing to much original fork.	2019-12-29 18:02:49 +02:00
GelosSnake	7e7f6d1182	Update win_system_exe_anomaly.yml Following sigma event I've noticed my twitter account was referenced: https://twitter.com/GelosSnake/status/934900723426439170 Rule: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.	2019-12-29 18:01:19 +02:00
msec1203	845d67f1f3	Initial Upload Submit Sigma Rule For Detecting Word Loading WMI DLL's.	2019-12-29 23:14:29 +09:00
Justin Schoenfeld	a1f07cdb4b	Added new sticky key attack binary	2019-12-29 08:32:23 -05:00
Florian Roth	042c58dfc1	Merge pull request #581 from david-burkett/master Trickbot behavioral recon activity / svchost spawned without CLI	2019-12-28 18:11:34 +01:00
david-burkett	4a65a25070	svchost spawned without cli	2019-12-28 10:28:08 -05:00
Florian Roth	5e59bbb3c3	Added MITRE ATT&CK Technique T1482 https://attack.mitre.org/techniques/T1482/	2019-12-28 16:02:26 +01:00
david-burkett	35b4806104	corrected logic	2019-12-28 09:55:39 -05:00
David Burkett	474a8617e5	Trickbot behavioral recon activity	2019-12-27 21:25:53 -05:00
Florian Roth	62bd2cc3ab	Merge pull request #572 from alessiodallapiazza/master Add the ability to detect PowerUp - Invoke-AllChecks	2019-12-23 12:57:55 +01:00
Alessio Dalla Piazza	0ff81cc693	Merge pull request #1 from alessiodallapiazza/alessiodallapiazza-patch-1 Add the ability to detect PowerUp - Invoke-AllChecks	2019-12-23 11:51:34 +01:00
Alessio Dalla Piazza	f45587074b	Add the ability to detect PowerUp - Invoke-AllChecks PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.	2019-12-23 11:50:57 +01:00
Florian Roth	04afcccd2c	Merge pull request #571 from Neo23x0/devel rule: whoami as local system	2019-12-22 19:23:50 +01:00
Florian Roth	fc8607bbea	rule: whoami as local system	2019-12-22 18:50:26 +01:00
Florian Roth	a7ca386a1b	Merge pull request #570 from Neo23x0/devel CreateMiniDump	2019-12-22 08:40:45 +01:00
Florian Roth	fb76f2b9ac	rule: CreateMiniDump	2019-12-22 08:29:12 +01:00
Florian Roth	511229c0b6	rule: modified Bloodhound rule	2019-12-21 21:22:13 +01:00
Thomas Patzke	530ac854df	Added sigma2attack to CI testing	2019-12-20 22:53:22 +01:00
Thomas Patzke	781f53332b	Merge pull request #566 from christophetd/sigma2attack Add sigma2attack	2019-12-20 21:57:02 +01:00
Florian Roth	1fd4c26005	Merge pull request #569 from Neo23x0/devel rule: improved bloodhound rule	2019-12-20 17:32:21 +01:00
Florian Roth	0fa5ba925e	rule :improved bloodhound rule	2019-12-20 17:23:40 +01:00
Florian Roth	cbebaf637f	Merge pull request #568 from Neo23x0/devel Devel	2019-12-20 16:22:29 +01:00
Florian Roth	0e82dce2a0	fix: fixed wrong condition	2019-12-20 16:11:39 +01:00
Florian Roth	0000257371	rule: improved bloodhound rule	2019-12-20 16:08:26 +01:00
Florian Roth	3a933c38f2	rule: changed level of BloodHound rule	2019-12-20 15:37:58 +01:00
Florian Roth	68efeb909d	rule: false positive condition for BloodHound rule	2019-12-20 15:35:13 +01:00
Florian Roth	825b1edb0f	Merge pull request #567 from Neo23x0/devel Devel	2019-12-20 15:32:56 +01:00
Florian Roth	5f061c15d0	fix: fixed missing condition	2019-12-20 15:18:05 +01:00
Florian Roth	bb466407ee	rule: operation Wocao activity	2019-12-20 15:00:07 +01:00
Florian Roth	708c17e2bc	rule: Bloodhound	2019-12-20 14:59:36 +01:00
Florian Roth	ab038d1ac7	style: minor changes	2019-12-20 14:59:26 +01:00
christophetd	e99b0fe2d7	Add sigma2attack	2019-12-19 00:00:13 +01:00
Riccardo Ancarani	8b70cb6761	Add Covenant default named pipe Covenant (https://github.com/cobbr/Covenant) can use named pipes for peer to peer communication. The default named pipe name is "\gruntsvc". References: https://posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456	2019-12-18 15:19:47 +00:00
Florian Roth	0a26184286	Merge pull request #563 from Neo23x0/devel Devel	2019-12-17 14:48:07 +01:00
Florian Roth	c8b6b5c556	rule: updating csc.exe rule	2019-12-17 13:45:40 +01:00
Florian Roth	7a3041c593	rule: improved csc.exe rule	2019-12-17 11:05:43 +01:00
Florian Roth	e8d92fab0c	rule: ryuk ransomware	2019-12-16 20:33:12 +01:00
Florian Roth	da06e5bc1c	Merge pull request #562 from Neo23x0/devel Improved PowerShell Encoded Command Rule	2019-12-16 19:31:15 +01:00
Florian Roth	bbaa9df217	rule: better JAB rule	2019-12-16 19:08:51 +01:00
Florian Roth	f83eb2268e	rule: improved JAB expression	2019-12-16 19:04:05 +01:00
Florian Roth	bd7c996588	rule: suspicious PS rule modified to cover newest malware campaigns	2019-12-16 19:02:57 +01:00
Florian Roth	7acfecbe66	Merge pull request #530 from bartblaze/master Add scriptlets	2019-12-14 11:24:51 +01:00
Thomas Patzke	d2a940a0a6	Merge branch 'devel' of https://github.com/Neo23x0/sigma	2019-12-13 22:01:40 +01:00

... 2 3 4 5 6 ...

2571 Commits