valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
656 Commits 20 Branches 25 Tags 21 MiB
b1bfa64231
Commit Graph

278 Commits

Author SHA1 Message Date
Thomas Patzke
b1bfa64231 Removed redundant 'EventLog' conditions 2018-03-26 00:36:40 +02:00
Thomas Patzke
f68af2a5da Added reference to Kerberos RC4 rule 2018-03-25 23:19:01 +02:00
Thomas Patzke
dacc6ae3d3 Fieldname case: Commandline -> CommandLine 2018-03-25 23:08:28 +02:00
Florian Roth
e141a834ff Rule: Ping hex IP address 
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
 2018-03-23 17:00:00 +01:00
Florian Roth
f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth
70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth
3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth
97204d8dc0 Renamed rule 2018-03-20 15:04:11 +01:00
Florian Roth
e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth
a7eb4d3e34 Renamed rule 2018-03-20 11:12:35 +01:00
Florian Roth
b84bbd327b Rule: NetNTLM Downgrade Attack 
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 2018-03-20 11:07:21 +01:00
Florian Roth
a6d293e31d Improved tscon rule 2018-03-20 10:54:04 +01:00
Florian Roth
8fb6bc7a8a Rule: Suspicious taskmgr as LOCAL_SYSTEM 2018-03-19 16:36:39 +01:00
Florian Roth
af8be8f064 Several rule updates 2018-03-19 16:36:15 +01:00
Florian Roth
648ac5a52e Rules: tscon.exe anomalies 
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 2018-03-17 19:14:13 +01:00
Karneades
49c12f1df8
Add missing binaries 2018-03-16 10:52:43 +01:00
Florian Roth
a257b7d9d7 Rule: Stickykey improved 2018-03-16 09:10:07 +01:00
Florian Roth
8b31767d31 Rule: PsExec usage 2018-03-15 19:54:22 +01:00
Florian Roth
0460e7f18a Rule: Suspicious process started from taskmgr 2018-03-15 19:54:03 +01:00
Florian Roth
f5494c6f5f Rule: StickyKey-ike backdoor usage 2018-03-15 19:53:34 +01:00
Florian Roth
5ae5c9de19 Rule: Outlook spawning shells to detect Turla like C&C via Outlook 2018-03-10 09:04:11 +01:00
Thomas Patzke
ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke
8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke
8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth
1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth
25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth
9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth
5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth
0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Dominik Schaudel
cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth
d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth
fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
Florian Roth
0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth
a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth
d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
379b2dd207 New recon activity rule 2017-12-11 09:31:54 +01:00
Florian Roth
8e2aef035c Removed commands - false positive reduction 2017-12-11 09:31:54 +01:00
Florian Roth
1464ab4ab8 Renamed rule: recon activity > net recon activity - to be more specific 2017-12-11 09:31:54 +01:00
Florian Roth
285f5bab4f Removed duplicate string 2017-12-11 09:31:54 +01:00
Florian Roth
78854b79c4 Rule: System File Execution Location Anomaly 2017-11-27 14:09:22 +01:00
Florian Roth
93fbc63691 Rule to detect droppers exploiting CVE-2017-11882 2017-11-23 00:58:31 +01:00
Thomas Patzke
2ec5919b9e Fixed win_disable_event_logging by multiline description 2017-11-19 22:49:40 +01:00
Nate Guagenti
a796ff329e
Create win_disable_event_logging 2017-11-15 21:56:30 -05:00
Florian Roth
3a378f08ea Bugfix in Adwind rule - typo in typo 2017-11-10 12:51:54 +01:00