valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,874 Commits 20 Branches 25 Tags 21 MiB
b040c129be
Commit Graph

1432 Commits

Author SHA1 Message Date
Florian Roth
b040c129be
fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA)
ae56db97ff
mmc lateral movement detection 1 
see https://github.com/Neo23x0/sigma/issues/576
 2020-03-04 14:57:41 -05:00
ecco
b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel 
fix: avoiding FPs with Citrix software
 2020-03-03 11:35:02 +01:00
Florian Roth
f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth
be4242aca8 fix avoiding FPs with MpCmdRun 
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
 2020-03-03 11:16:59 +01:00
Florian Roth
7139bfb0cb fix: avoiding FPs with Citrix software 
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
 2020-03-03 11:01:42 +01:00
Thomas Patzke
b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke
0a62b8747e
Merge pull request #634 from EccoTheFlintstone/fp_fix3 
Rule: restore initial behaviour matching single word with spaces on each side
 2020-03-01 22:40:24 +01:00
Florian Roth
19d383989c fix: keyword expression in rule 2020-02-29 16:03:31 +01:00
Florian Roth
fa6458b70f rule: two rules to detect CVE-2020-0688 exploitation 2020-02-29 15:45:45 +01:00
Florian Roth
fdcba84fc8 fix: escaped backslash 2020-02-29 10:12:59 +01:00
Florian Roth
f88225dd2a
Merge pull request #640 from Neo23x0/devel 
fix: broader exclusion for rule - OneDrive false positives
 2020-02-26 18:41:52 +01:00
Florian Roth
6bbd80a8ee fix: broader exclusion for rule - OneDrive false positives 2020-02-26 18:31:58 +01:00
Florian Roth
ada0edb822
Merge pull request #621 from wagga40/new_koadic_rule 
New Koadic detection rule
 2020-02-26 13:25:03 +01:00
Florian Roth
0ba6874645
Merge pull request #638 from Neo23x0/devel 
Several false positives with new rules
 2020-02-26 09:46:02 +01:00
Florian Roth
1c90d6badd
level increased 2020-02-26 09:42:31 +01:00
Florian Roth
c8afd4a16b
Merge pull request #637 from tjgeorgen/patch-1 
fix missing status & description in status field
 2020-02-26 09:40:55 +01:00
Florian Roth
031e6d3ee6
Merge pull request #635 from EccoTheFlintstone/fix_fp4 
wmiprvse subprocess: add fallback check on username instead of only l…
 2020-02-26 09:40:34 +01:00
Florian Roth
4f3e3166d3 fixing false positives 2020-02-26 09:33:55 +01:00
Florian Roth
82d2b1e6f0 Merge branch 'master' into devel 
# Conflicts:
#	rules/windows/process_creation/win_susp_squirrel_lolbin.yml
 2020-02-26 09:27:48 +01:00
Florian Roth
e7aff17e72 FP: OneDrive setup 2020-02-26 09:26:19 +01:00
Tom Georgen
74f3fe70cc
fix missing status & description in status field 2020-02-25 16:30:41 -05:00
Florian Roth
a152853ac3
Merge pull request #624 from Antonlovesdnb/master 
New rules for Macro Detections
 2020-02-25 15:44:31 +01:00
Antonlovesdnb
e8b861bff4
Update sysmon_susp_winword_vbadll_load.yml 2020-02-25 09:24:29 -05:00
Antonlovesdnb
4c5d489428
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-25 09:23:52 -05:00
Antonlovesdnb
f92e2f2b18
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:23:22 -05:00
Antonlovesdnb
8141b1ae90
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-25 09:22:56 -05:00
Antonlovesdnb
45e4a585bf
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-25 09:22:37 -05:00
Antonlovesdnb
c5b42aeaed
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-25 09:19:03 -05:00
Antonlovesdnb
bb1eecfe14
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:17:33 -05:00
Florian Roth
dd1a0e764c docs: more false positive conditions 2020-02-25 11:13:58 +01:00
Florian Roth
950fa18418 fix: changed titles to avoid duplicates 2020-02-25 11:12:47 +01:00
Florian Roth
5d96f81a84 fix: lowered level due to false positives 2020-02-25 11:12:11 +01:00
ecco
3247d5692a wmiprvse subprocess: add fallback check on username instead of only logonid 2020-02-24 09:25:20 -05:00
ecco
df7356e829 Rule: restore initial behaviour matching single word with spaces on each side 2020-02-24 08:00:06 -05:00
ecco
aa1eff5419 fix FP on rmdir matching dir 2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix 
fix false positive on taskkill.exe not related to service stop at all
 2020-02-24 09:58:33 +01:00
ecco
f807dae69a fix false positive on taskkill.exe not related to service stop at all 2020-02-24 03:03:46 -05:00
ecco
1703b725d3 fix non ascii character in rule 2020-02-24 02:58:34 -05:00
Florian Roth
ab1dda7685 fix: non-ascii rule 2020-02-21 16:21:39 +01:00
Thomas Patzke
61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Antonlovesdnb
9625a94d0b
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-19 14:52:31 -05:00
Antonlovesdnb
6234f72a6c
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-19 14:52:09 -05:00
Antonlovesdnb
328858279f
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-19 14:51:50 -05:00
Antonlovesdnb
1f01fe446f
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-19 14:51:22 -05:00
Antonlovesdnb
6d0805ac13
Update sysmon_susp_winword_vbadll_load.yml 2020-02-19 14:51:00 -05:00
Antonlovesdnb
1e461cb2d1
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-19 14:50:31 -05:00