valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,394 Commits 20 Branches 25 Tags 21 MiB
abe353de66
Commit Graph

4623 Commits

Author SHA1 Message Date
Florian Roth
3cd2730a26 rule: process hacker priv esc 2021-05-27 12:49:54 +02:00
Florian Roth
c0b93a010c NCCGroup rules from rclone blog post 
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 2021-05-27 12:49:40 +02:00
Florian Roth
7812a4217c rule: regedit as trustedinstaller 2021-05-27 11:36:05 +02:00
Florian Roth
b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth
adbdb5b22f
Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
frack113
2a68700991 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:43:08 +02:00
frack113
30cc64a349 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:41:19 +02:00
frack113
e4c32c353a use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:39:16 +02:00
frack113
a878f3b0a5 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:36:47 +02:00
frack113
cbce61bc8c use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:34:46 +02:00
frack113
8d8df10687 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:31:57 +02:00
frack113
ce53a5a67b use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:30:00 +02:00
frack113
417da3ac95 use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:28:06 +02:00
frack113
f0d1c9aa7d use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:26:08 +02:00
frack113
788ebbafdc use same trick as Invoke-Obfuscation Obfuscated IEX Invocation 2021-05-27 09:20:29 +02:00
Florian Roth
a5fe7af25f Cobalt Strike Service Installation 2021-05-26 18:05:38 +02:00
Florian Roth
c1cebe627a refactor: reworked CS pipe rule 2021-05-26 17:22:34 +02:00
Florian Roth
ba12057919
Merge pull request #1505 from WojciechLesicki/master 
Update rule regarding other named pipe
 2021-05-26 14:35:22 +02:00
Florian Roth
8aabb58eca
Merge pull request #1498 from w0rk3r/otrf 
Update broken OTRF Threat Hunter Playbook References
 2021-05-26 13:06:16 +02:00
WojciechLesicki
8b707bc948 Added also \status_ pipe. 2021-05-25 21:58:22 +02:00
WojciechLesicki
f1a0308e73 Add one more pipe, references etc. 2021-05-25 21:07:23 +02:00
Bhabesh Rai
cc9ac2ddcf Added rule for PowerView's malicious cmdlets 2021-05-25 21:04:32 +05:45
WojciechLesicki
38552e98cf Adding some pipes 2021-05-25 15:47:34 +02:00
frack113
3717c68bb7 fix typo of level 2021-05-24 10:45:58 +02:00
frack113
104a004b3d fix typo of tags 2021-05-24 10:41:17 +02:00
frack113
afb3d63900 fix typo of fields 2021-05-24 10:37:14 +02:00
frack113
1fcd0bf951 fix typo of fields 2021-05-24 10:34:56 +02:00
frack113
a1bddf51e7 fix typo of falsepositives 2021-05-24 10:31:28 +02:00
Florian Roth
211bf35640 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-05-22 15:45:40 +02:00
Florian Roth
02323043d7 Create web_cve_2021_26814_wzuh_rce.yml 2021-05-22 15:45:38 +02:00
Florian Roth
576e047e76
Delete win_susp_Register_cimprovider.yml 2021-05-22 15:43:41 +02:00
Florian Roth
4c281d117c fix: bug in rule syntax 2021-05-22 15:31:23 +02:00
Florian Roth
9b7fb0c0f3 Update win_susp_shell_spawn_from_winrm.yml 2021-05-22 15:28:50 +02:00
Florian Roth
7e1ac347ef Merge branch 'master' into rule-devel 2021-05-22 15:27:32 +02:00
Florian Roth
c0d58cb7f9 PAExec and PSexec rules 2021-05-22 10:52:01 +02:00
Jonhnathan
687f2d67fc
Update Threat Hunter Playbook Reference 2021-05-22 01:09:30 -03:00
Jonhnathan
7f335cbb4a
Update Threat Hunter Playbook Reference 2021-05-22 01:08:23 -03:00
Jonhnathan
34e2a81371
Update Threat Hunter Playbook Reference 2021-05-22 01:04:53 -03:00
Jonhnathan
89cfef9d49
Update Threat Hunter Playbook Reference 2021-05-22 01:04:20 -03:00
Jonhnathan
26ecbea0ba
Update Threat Hunter Playbook Reference 2021-05-22 01:03:49 -03:00
Jonhnathan
4ebdcf2f1d
Update Threat Hunter Playbook Reference 2021-05-22 01:03:23 -03:00
Jonhnathan
c7f7eb6698
Update Threat Hunter Playbook Reference 2021-05-22 01:02:43 -03:00
Jonhnathan
5f6c19f203
Update Threat Hunter Playbook Reference 2021-05-22 01:02:19 -03:00
Jonhnathan
627a83914a
Update Threat Hunter Playbook Reference 2021-05-22 01:01:33 -03:00
Jonhnathan
3853d71c56
Update Threat Hunter Playbook Reference 2021-05-22 01:01:07 -03:00
Jonhnathan
e218c32a4c
Update Threat Hunter Playbook Reference 2021-05-22 01:00:39 -03:00
Jonhnathan
1b32a5c0f3
Update Threat Hunter Playbook Reference 2021-05-22 00:59:54 -03:00
Jonhnathan
93087d2130
Update Threat Hunter Playbook Reference 2021-05-22 00:59:35 -03:00
Jonhnathan
d3afed53ac
Update Threat Hunter Playbook Reference 2021-05-22 00:59:04 -03:00
Jonhnathan
7007287832
Update Threat Hunter Playbook Reference 2021-05-22 00:58:23 -03:00
Jonhnathan
2e139b4264
Update win_protected_storage_service_access.yml 2021-05-22 00:57:25 -03:00
Jonhnathan
085218b25a
Update Threat Hunter Playbook Reference 2021-05-22 00:57:01 -03:00
Jonhnathan
3fb5f1c47e
Update Threat Hunter Playbook Reference 2021-05-22 00:56:32 -03:00
Jonhnathan
943e2c8c88
Update Threat Hunter Playbook Reference 2021-05-22 00:56:03 -03:00
Jonhnathan
9765fcbd0c
Update Threat Hunter Playbook Reference 2021-05-22 00:55:29 -03:00
Jonhnathan
e23147111b
Update Threat Hunter Playbook Reference 2021-05-22 00:54:57 -03:00
frack113
dec9e68876 Fix falsepositives list 2021-05-21 12:38:44 +02:00
frack113
1e2f7c7abf Fix falsepositives list 2021-05-21 12:35:37 +02:00
frack113
0a588a1ecc Fix falsepositives list 2021-05-21 12:33:50 +02:00
frack113
168d5c9dff Fix falsepositives list 2021-05-21 12:32:24 +02:00
frack113
1d1170e8ba Fix falsepositives list 2021-05-21 12:31:01 +02:00
frack113
a6cadc6de5 Fix falsepositives list 2021-05-21 12:29:28 +02:00
frack113
ad376a8328 Fix falsepositives list 2021-05-21 12:28:12 +02:00
frack113
2197514fc5 Fix falsepositives list 2021-05-21 12:26:37 +02:00
frack113
48a7e80192 Fix falsepositives list 2021-05-21 12:24:25 +02:00
frack113
6630ec7c41 Fix falsepositives list 2021-05-21 12:23:09 +02:00
frack113
a9e85ca58e Fix falsepositives list 2021-05-21 12:22:36 +02:00
frack113
f4be70aa9e Fix falsepositives list 2021-05-21 12:19:17 +02:00
frack113
f312663820 Fix falsepositives list 2021-05-21 11:29:17 +02:00
frack113
6878bfade9 Fix falsepositives list 2021-05-21 11:17:36 +02:00
frack113
cabaccceb8 Fix falsepositives list 2021-05-21 11:15:10 +02:00
frack113
45190c3874 Fix falsepositives list 2021-05-21 11:13:27 +02:00
frack113
dfe7e4e38c Fix falsepositives list 2021-05-21 11:12:04 +02:00
Florian Roth
a0efd7a4dc
Merge pull request #1494 from Karneades/patch-1 
Add keyword WinRM to remote powershell rules
 2021-05-21 10:35:18 +02:00
Andreas Hunkeler
e58c59dcfd
Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00
Andreas Hunkeler
d8ec5fa6af
Add modified field in WinRM rule 2021-05-21 09:28:45 +02:00
Florian Roth
a30391f3b4
Merge pull request #1495 from SigmaHQ/rule-devel 
rule refactoring: Cobalt Strike service start
 2021-05-20 17:43:29 +02:00
Andreas Hunkeler
93241e7fc6
Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler
b46f65965d
Add keyword WinRM to remote powershell network rule 2021-05-20 17:02:17 +02:00
Andreas Hunkeler
3763e54b99
Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Andreas Hunkeler
226a666827 rule: add rule to detect shell spawn from WinRM host process 2021-05-20 16:05:13 +02:00
Florian Roth
ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
Jonhnathan
1cf7bb5735
Add Hex equivalent of WriteData 2021-05-19 10:27:20 -03:00
Darin Smith
e921181f4b Add AWS snapshot exfiltration rule 2021-05-17 13:00:01 -07:00
SomeOne
e46ae5a28c Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution rule 2021-05-16 16:03:33 +02:00
SomeOne
a93acbbe03 Exclude dism.exe 2021-05-16 15:23:31 +02:00
SomeOne
53b21d1afe Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule 2021-05-16 15:03:58 +02:00
SomeOne
a788cd43ee Add Windows Defender on WL 2021-05-16 14:10:33 +02:00
Florian Roth
5a3af872d8
Merge pull request #1479 from SigmaHQ/rule-devel 
Rule devel, Trademark test
 2021-05-15 13:42:34 +02:00
Florian Roth
9b32e72d0b fix: syntax issue 2021-05-15 13:19:12 +02:00
Florian Roth
02bf32ce6c fixed more legal issues 2021-05-15 13:09:08 +02:00
Florian Roth
48757423ef rule darkside patterns 2021-05-14 18:06:53 +02:00
Florian Roth
a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth
e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
Florian Roth
3cf1be9e8d rule: exchange vulnerability CVE-2021-28480 2021-05-14 10:08:41 +02:00
Florian Roth
30bee7204c
Merge pull request #1475 from wagga40/master 
Modified some field values for case sensitive backends (SQL)
 2021-05-14 08:59:39 +02:00
Florian Roth
83068416fa
Merge pull request #1458 from P4rtyH4RD/P4rtyH4RD-patch-1-mitre-code 
Update powershell_suspicious_getprocess_lsass.yml
 2021-05-14 08:59:14 +02:00
wagga40
8944ccea04 Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113
cccfb3e59e file_event is a category 2021-05-12 09:05:52 +02:00
frack113
0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113
fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
frack113
ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113
cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
frack113
70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113
026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
Bhabesh Rai
48487385ef Preserved creation date 2021-05-11 19:17:32 +05:45
Florian Roth
7d7f8c90ec
Merge pull request #1443 from icthieves/patch-3 
Update win_scm_database_privileged_operation.yml
 2021-05-11 15:00:20 +02:00
Florian Roth
980ea97217
Merge pull request #1444 from icthieves/patch-2 
Update win_scm_database_handle_failure.yml
 2021-05-11 15:00:09 +02:00
Florian Roth
3564cf81f9
Merge pull request #1460 from neu5ron/patch-1 
[Add Rule] Zeek Suspicious DNS Z Flag Set
 2021-05-11 14:59:48 +02:00
Florian Roth
7bc733a3cf
Merge pull request #1473 from frack113/master 
Correct the sysmon case-sensitive Key
 2021-05-11 14:59:20 +02:00
Florian Roth
0fcbce9932
Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml 
Got Rid of References that are no longer valid.
 2021-05-11 14:32:47 +02:00
Florian Roth
85736ad859
Merge pull request #1467 from 2d4d/master 
Update av_webshell.yml
 2021-05-11 14:32:11 +02:00
frack113
f07c368ae0 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113
c4c720cc30 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113
720dd24814 Correct cast-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
frack113
a1b0dfc0cd Correct cast-sensitive Key "DestinationIp" 2021-05-11 10:49:10 +02:00
Bhabesh Rai
d90965af38 Updated rule for Advanced IP Scanner 2021-05-10 20:28:37 +05:45
Florian Roth
67e807983c
Merge pull request #1470 from SigmaHQ/rule-devel 
New CS rule for malformed UAs, FP fixes
 2021-05-10 13:40:27 +02:00
Florian Roth
416030a85f rule: cobaltstrike malformed UAs 2021-05-10 12:43:14 +02:00
Florian Roth
fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth
270aedfd62
Merge pull request #1469 from d4rk-d4nph3/master 
Added rule for RClone usage for exfiltration
 2021-05-10 10:50:35 +02:00
Bhabesh Rai
9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Nate Guagenti
0bee1b006f
fix - add date 2021-05-08 21:37:25 -04:00
Arnim Rupp
b9fc257124 Update av_relevant_files.yml 
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
 2021-05-09 00:03:47 +02:00
Arnim Rupp
ad3b829f2d Update av_webshell.yml 
Added new strings and moved some from startwith to contains.
 2021-05-08 08:49:17 +02:00
Austin Songer
39a21a9e89
Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth
384f40aa5b
Merge pull request #1464 from d4rk-d4nph3/master 
Added rule for Moriya rootkit
 2021-05-06 18:15:53 +02:00
Florian Roth
453fa0f299
Update win_moriya_rootkit.yml 2021-05-06 15:24:21 +02:00
Florian Roth
79c11a5cba
Update win_moriya_rootkit.yml 2021-05-06 14:59:28 +02:00
Bhabesh Rai
e5f95cac0c Added rule for Moriya rootkit 2021-05-06 17:29:20 +05:45
phantinuss
da533c7425
fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss
254a3bb122
new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
phantinuss
4b520de373
new rule detecting ld.so preload persistence by keyword 2021-05-05 15:12:07 +02:00
Florian Roth
9e662b9159
Update sysmon_vuln_dell_driver_load.yml 2021-05-05 14:31:01 +02:00
Florian Roth
80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth
c4ad770830
Merge pull request #1462 from SigmaHQ/rule-devel 
Rule devel
 2021-05-05 13:21:30 +02:00
Florian Roth
8497c8a9e6 fix: linux keywords rule 2021-05-05 12:56:24 +02:00
Florian Roth
615a284de3
Merge pull request #1461 from d4rk-d4nph3/master 
Added rule for Pingback backdoor
 2021-05-05 12:42:27 +02:00
Florian Roth
44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00
Florian Roth
0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
Florian Roth
29f26e0ae0 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-05-05 11:55:52 +02:00
Florian Roth
15ab1d5e8b Create lnx_symlink_etc_passwd.yml 2021-05-05 11:55:49 +02:00
Bhabesh Rai
4529fbd1f3 Fixed too many spaces after hyphen error 2021-05-05 12:48:29 +05:45
Bhabesh Rai
1352f0b0a6 Added rule for Pingback backdoor 2021-05-05 12:37:50 +05:45
Nate Guagenti
4152199073
add netbios port exclusion 
netbios - every defenders nightmare and reality of FPs
 2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set 
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 2021-05-04 18:13:08 -04:00
partyh4rd
5a98e36905
Update powershell_suspicious_getprocess_lsass.yml 
fix mitre_code 1552.004 -> 1003.001
 2021-05-04 14:04:52 +03:00
Florian Roth
451f25910d
Merge pull request #1430 from Scoubi/patch-1 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:56 +02:00
Florian Roth
de8386d553
Merge pull request #1429 from Scoubi/patch-2 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:50 +02:00
Florian Roth
4ad3316d74
Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 09:41:38 +02:00
Florian Roth
8973b573bd
Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml 2021-05-04 09:36:26 +02:00
Florian Roth
c877a9a68d
Merge pull request #1454 from ZikyHD/fix_sysmon_registry_persistence_search_order 
Fix sysmon registry persistence search order
 2021-05-04 09:31:16 +02:00
Florian Roth
ecb133f97d docs: extended authors of malicious pipe rule 2021-05-04 09:28:17 +02:00
Florian Roth
c6aeee958e rule: more named pipes by @blueteam0ps 2021-05-04 09:27:11 +02:00
SomeOne
4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne
80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Florian Roth
ff50b5b659
Merge pull request #1451 from SigmaHQ/rule-devel 
Different FP filters
 2021-04-30 08:31:02 +02:00
Florian Roth
020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth
04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth
1bde7b3799
Merge pull request #1445 from blueteam0ps/patch-8 
Create win_lateral_movement
 2021-04-29 14:39:52 +02:00
Florian Roth
8af86fa97e
docs: change title and add references 2021-04-29 12:33:10 +02:00
Florian Roth
4b86d3f407
Merge pull request #1449 from SigmaHQ/rule-devel 
Rule devel
 2021-04-29 12:28:12 +02:00
Florian Roth
3e5f7aeb5e rule: PowerShell Cmdlet Defender Exclusions 2021-04-29 09:56:26 +02:00
Florian Roth
161180c357 refactor: extended shellshock rule 2021-04-28 11:47:24 +02:00
Florian Roth
47504fbd56 fix: shellshock expression 2021-04-28 11:46:49 +02:00
BlueTeamOps
59d23535ce
Update win_lateral_movement.yml 2021-04-27 23:03:03 +10:00
BlueTeamOps
793504dd6b
Rename win_lateral_movement to win_lateral_movement.yml 2021-04-27 22:59:52 +10:00
BlueTeamOps
f75ad98903
Create win_lateral_movement 
EID 4674 with the proposed attributes is very rare in prod environment. 
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
 2021-04-27 22:55:58 +10:00
Florian Roth
9166167447
Merge pull request #1433 from d4rk-d4nph3/master 
Added rule for Lazarus activity of Apr 2021
 2021-04-26 20:34:51 +02:00
Florian Roth
3008e5b9e7
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy 
Fix typo on CommandLine field
 2021-04-26 20:33:56 +02:00
Florian Roth
194b0af4d2
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas 
Fix typo on CommandLine field
 2021-04-26 20:33:45 +02:00
Ian Thieves
65294d97c4
Update win_scm_database_handle_failure.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:28:16 -07:00
Ian Thieves
8efa10465e
Update win_scm_database_privileged_operation.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:25:16 -07:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Cedric Hien
748005fc14 Fix typo on CommandLine field 2021-04-25 15:52:59 +02:00
Cedric Hien
c580db166c Fix typo on CommandLine field 2021-04-25 15:50:44 +02:00
Florian Roth
1ff5e226ad
Merge pull request #1436 from SigmaHQ/rule-devel 
Rule devel
 2021-04-23 17:33:07 +02:00
Florian Roth
f2fa8dd956 rules: CobaltStrike named pipes 2021-04-23 17:16:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
Florian Roth
a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth
6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth
1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth
5aed7c80db
Merge pull request #1435 from SigmaHQ/rule-devel 
fix: FPs with certutil command and McAfee Chromium Container
 2021-04-23 14:55:31 +02:00
Florian Roth
85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth
ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth
6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Florian Roth
64f5af4c45
Merge pull request #1432 from SigmaHQ/rule-devel 
fix: splunk windows config, additional rule
 2021-04-23 10:30:44 +02:00
Florian Roth
d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth
b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Scoubi
23791664eb
Rename win_Outlook_C2_Macro_Creation.yml to win_Outlook_C2_Registry_Key.yml 
Gave the wrong name to the file, this is the correct one.
 2021-04-21 08:45:15 -04:00
Scoubi
0b7ed7e690
Add a space 
There was a missing space in `-attack` changed for `- attack`
 2021-04-20 20:50:20 -04:00
Scoubi
fadb889116
Create win_Outlook_C2_Macro_Creation.yml 
BEC is for Business Email Compromise (this can be changed)
 2021-04-20 20:38:20 -04:00
Scoubi
678ce5d528
Create win_Outlook_C2_Macro_Creation.yml 
Not 100% if this is the best place to put it.
 2021-04-20 20:34:19 -04:00
Bhabesh Rai
dd391cd0b9 Added rule for Lazarus activity of Apr 2021 2021-04-20 20:05:51 +05:45
Josh Brower
dfc1218e6a
false positive - added Azure AD Connect 2021-04-20 08:24:38 -04:00
Florian Roth
68c59850af
Merge pull request #1422 from ZikyHD/fix_lnx_system_info_discovery 
Fix invalid logsource on lnx_system_info_discovery rule
 2021-04-20 09:06:54 +02:00
Florian Roth
20c5356c9e
Merge pull request #1424 from ZikyHD/fix_process_creation_dotnet 
Fix typo on CommandLine
 2021-04-20 09:06:38 +02:00
Josh Brower
2486a85a1f
Added MS Threat Docs for 4616 to references 2021-04-19 08:15:42 -04:00
Florian Roth
7039209a7a
Merge pull request #1425 from SigmaHQ/rule-devel 
refactor: tightened filter
 2021-04-19 11:32:02 +02:00
Florian Roth
53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00