SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00

Author	SHA1	Message	Date
t0x1c-1	afadda8c04	Suspicious SYSVOL Domain Group Policy Access	2018-09-04 15:52:25 +02:00
Florian Roth	d94c1d2046	fix: duplicate 'tag' key in rule	2018-09-04 14:56:55 +02:00
Florian Roth	1c87f77223	Rule: Fixed false positive in suspicious UA rule	2018-09-04 11:33:05 +02:00
Florian Roth	9cb78558d3	Rule: excluded false positives in rule	2018-09-03 12:02:42 +02:00
Florian Roth	b57f3ded64	Rule: GRR false positives	2018-09-03 11:50:34 +02:00
Florian Roth	2a0fcf6bea	Rule: PowerShell encoded command JAB	2018-09-03 10:08:29 +02:00
Florian Roth	7a3890ad76	Rule: SysInternals EULA accept improved and renamed	2018-08-30 13:16:28 +02:00
Florian Roth	d83f124f5f	Rule: Suspicious communication endpoints	2018-08-30 10:12:12 +02:00
Florian Roth	e70395744b	Rule: Improved Github communication rule	2018-08-30 10:12:12 +02:00
Thomas Patzke	d17cc5c07d	Merge pull request #157 from yt0ng/development Added Detection of Sysinternals Tools via eulaaccepted registry key	2018-08-28 22:37:00 +02:00
Unknown	75d72344ca	Added Detection of Sysinternals Tools via eulaaccepted registry key	2018-08-28 17:36:22 +02:00
Thomas Patzke	a722fcd2b0	Merge pull request #156 from yt0ng/yt0ng-devel Adding LSASS Access Detected via Attack Surface Reduction	2018-08-27 23:50:42 +02:00
Thomas Patzke	ee15b451b4	Fixed log source name	2018-08-27 23:45:30 +02:00
Thomas Patzke	f2fd3b9443	Merge branch 'master' of https://github.com/Neo23x0/sigma	2018-08-27 23:41:41 +02:00
Thomas Patzke	6e7208553a	Revert "removing for new pull request" This reverts commit `ca7e8d6468`.	2018-08-27 23:39:29 +02:00
Unknown	2f256aa1ef	Adding LSASS Access Detected via Attack Surface Reduction	2018-08-27 10:38:45 +02:00
Thomas Patzke	8308cd6c1a	Rule fix	2018-08-26 22:35:35 +02:00
Thomas Patzke	87e39b8768	Fixed rules	2018-08-26 22:30:47 +02:00
Thomas Patzke	60a5922582	Merge branch 'master' of https://github.com/yt0ng/sigma into yt0ng-master	2018-08-26 22:12:19 +02:00
Florian Roth	5b3175d1d6	Rule: Suspicious procdump use on lsass process	2018-08-26 19:53:57 +02:00
yt0ng	df9f6688eb	Added Deskop Location, RunOnce and ATTCK Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7	2018-08-25 17:32:34 +02:00
yt0ng	eda6f3b9ca	rules/windows/sysmon/sysmon_powershell_DLL_execution.yml	2018-08-25 16:33:54 +02:00
Florian Roth	6bde2cd08f	Update lnx_buffer_overflows.yml	2018-08-25 00:20:34 +02:00
Florian Roth	234a48af19	rule: Linux SSHD exploit CVE-2018-15473 https://github.com/Rhynorater/CVE-2018-15473-Exploit	2018-08-24 16:40:41 +02:00
yt0ng	c7d4b4853d	removing sysmon_powershell_AMSI_bypass.yml	2018-08-23 10:17:19 +02:00
Florian Roth	f47a5c2206	fix: Author list to string	2018-08-23 09:40:28 +02:00
Thomas Patzke	49af499353	Merge pull request #151 from nikseetharaman/workflow_compiler Add Microsoft Workflow Compiler Sysmon Detection	2018-08-23 08:24:35 +02:00
Thomas Patzke	9235175e26	Fixed rule * Added condition * Replaced Description wirh Image attribute and improved search pattern	2018-08-23 08:20:28 +02:00
Thomas Patzke	96cedc31f9	Merge pull request #152 from james0d0a/master Qradar backend: added aggregation and AQL database flow support	2018-08-23 08:14:56 +02:00
Thomas Patzke	73535e58a5	Merge pull request #153 from megan201296/patch-10 Add ATT&CK Matrix tags	2018-08-23 08:06:58 +02:00
Thomas Patzke	d647a7de07	Merge pull request #154 from megan201296/patch-11 Add MITRE ATT&CK tagging	2018-08-23 08:06:39 +02:00
Florian Roth	5de3cd71a4	Merge pull request #149 from yt0ng/development Detects Request to amsiInitFailed that can be used to disable AMSI Scanning	2018-08-22 17:19:10 +02:00
Florian Roth	040ba0338d	fix: Added Event ID in second selection	2018-08-22 17:03:13 +02:00
Florian Roth	0c729d1eea	Already used in different rule	2018-08-22 17:02:03 +02:00
Florian Roth	6ee31f6cd1	Update win_susp_commands_recon_activity.yml Merged recon commands from @yt0ng's rule	2018-08-22 17:00:00 +02:00
megan201296	3f5c32c6da	Add MITRE ATT&CK tagging	2018-08-22 09:35:06 -05:00
megan201296	76aabe7e05	Add ATT&CK Matrix tags	2018-08-22 09:30:55 -05:00
James Dickenson	29bed766dd	removed re-introduced output class from qradar backend. fixed list handling error.	2018-08-21 22:45:12 -07:00
James Dickenson	468f040c0a	Merge branch 'qradar-dev'	2018-08-20 21:54:30 -07:00
Nik Seetharaman	e371d945ed	Add Microsoft Workflow Compiler Sysmon Detection	2018-08-18 00:53:28 -05:00
yt0ng	ca7e8d6468	removing for new pull request	2018-08-17 18:42:10 +02:00
yt0ng	5bb6f566ba	::Merge remote-tracking branch 'upstream/master'	2018-08-17 18:39:36 +02:00
yt0ng	8ecf167e85	Powershell AMSI Bypass via .NET Reflection [Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120	2018-08-17 18:26:04 +02:00
James Dickenson	9a61f40cef	added support flor flow data in qradar backend	2018-08-16 21:44:17 -07:00
yt0ng	07e411fe6b	Oilrig Information gathering whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1	2018-08-15 14:29:59 +02:00
Florian Roth	4e91462838	fix: Bugfix in Adwind rule	2018-08-15 12:33:03 +02:00
Florian Roth	92dc08a304	rule: Added recon command	2018-08-15 12:33:03 +02:00
Florian Roth	7c05b85bcd	rule: Added malware UA	2018-08-15 12:33:03 +02:00
James Dickenson	a8d1831382	Added aggregation support for qradar backend	2018-08-13 23:04:10 -07:00
Thomas Patzke	dce4b4825d	Fixed aggregations without field name Generated query contained field name "None".	2018-08-10 15:07:07 +02:00

1 2 3 4 5 ...

1025 Commits