valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,925 Commits 20 Branches 25 Tags 21 MiB
bda207660d
Commit Graph

4063 Commits

Author SHA1 Message Date
Florian Roth
bda207660d
refactor: modified CobaltStrike service install rule 2021-07-31 12:51:42 +02:00
Florian Roth
a04aa6ac49
rule: ADCSPwn 2021-07-31 10:18:21 +02:00
Florian Roth
6cd2e26fa0
rule: WinDivert driver load 2021-07-30 16:54:29 +02:00
Florian Roth
ab16490d33
fix: re CS rule 2021-07-30 08:24:41 +02:00
Florian Roth
096395a49a
fix: one condition style error 2021-07-30 07:19:42 +02:00
Florian Roth
0cbb6f82ad
CobaltStrike NamedPipe Patterns 
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 2021-07-30 07:11:11 +02:00
Florian Roth
ec9c15226f
SeriousSAM PowerShell rule 2021-07-29 18:12:10 +02:00
Florian Roth
5ce5465559
Merge pull request #1755 from SigmaHQ/rule-devel 
Different rule updates
 2021-07-28 18:56:28 +02:00
Florian Roth
77c8225db3
Merge pull request #1745 from frack113/redcanary_t1115 
[OSCD]  process_creation_clip.yml t1115
 2021-07-28 16:24:15 +02:00
Florian Roth
f57f5931ed
Merge pull request #1746 from frack113/tune_sysmon_office_vsto_persistence.yml 
Tune sysmon_office_vsto_persistence.yml
 2021-07-28 16:23:49 +02:00
Florian Roth
59a93ef964
Merge pull request #1747 from frack113/tune_sysmon_taskcache_entry.yml 
Tune sysmon_taskcache_entry.yml
 2021-07-28 16:23:38 +02:00
Florian Roth
c3eced4ae7
Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml 
update win_susp_rar_flags.yml
 2021-07-28 16:23:14 +02:00
Florian Roth
dc4380d459
Merge pull request #1750 from frack113/redcanary_t1560.001_winzip 
[OSCD] Redcanary t1560.001 winzip
 2021-07-28 16:22:48 +02:00
Florian Roth
321a15d004
Merge pull request #1751 from frack113/redcanary_t1560.001_7zip 
[OSCD] Redcanary t1560.001 7z
 2021-07-28 16:22:31 +02:00
Florian Roth
6d5e695cd1
Merge pull request #1753 from frack113/redcanary_t1119 
Redcanary t1119
 2021-07-28 16:21:40 +02:00
Florian Roth
7f820c7b29
rule updates 2021-07-28 16:20:21 +02:00
Florian Roth
aefd50f049
fix: avoid FPs with HTool string 2021-07-28 14:23:54 +02:00
frack113
2758c1aa93 add powershell_automated_collection.yml 2021-07-28 14:14:02 +02:00
frack113
8a885dd098 add process_creation_automated_collection.yml 2021-07-28 13:17:40 +02:00
Florian Roth
87a911a15e
Update process_creation_susp_7z.yml 2021-07-27 16:02:09 +02:00
Florian Roth
428995d00e
Update process_creation_susp_7z.yml 2021-07-27 15:24:39 +02:00
Florian Roth
c31bc05aae
Update process_creation_susp_7z.yml 2021-07-27 15:22:44 +02:00
frack113
54e6e36ecc add process_creation_susp_7z.yml 2021-07-27 12:54:39 +02:00
Florian Roth
ee85fdfa3f
Merge pull request #1749 from SigmaHQ/rule-devel 
CobaltStrike Process Patterns and minor fixes
 2021-07-27 12:52:22 +02:00
Florian Roth
5d039dd138 rule: Cobalt Strike patterns 2021-07-27 11:24:40 +02:00
frack113
ea56db2bed forget date field 2021-07-27 11:09:35 +02:00
frack113
227e4bca13 add process_creation_susp_winzip.yml 2021-07-27 10:57:32 +02:00
frack113
8b82fbf36b update detection 2021-07-27 10:34:46 +02:00
Florian Roth
90ca1a8ad2
fix: bug in author field (cannot be a list) 2021-07-27 10:14:53 +02:00
Florian Roth
1a538371c9
fix: bug in author field (not list) 2021-07-27 10:14:03 +02:00
frack113
7287a46f2f Tune false positive 2021-07-27 10:05:57 +02:00
frack113
f3bcffeb0a Tune false positive 2021-07-27 09:58:00 +02:00
frack113
8aa79b9d86 add process_creation_clip.yml 2021-07-27 08:50:03 +02:00
Florian Roth
9f27ab5426
Merge pull request #1738 from JohnLaTwC/patch-4 
cover evasions from unicode substitutions
 2021-07-27 08:05:48 +02:00
Florian Roth
e49f4c86b6
Merge pull request #1726 from austinsonger/aws_route_53_domain_transferred_to_another_account.yml 
Aws route 53 domain transferred to another account.yml
 2021-07-27 08:02:27 +02:00
Florian Roth
21c4d241a1 HiveNightmare and Relay attack tools adjustments 2021-07-26 10:59:35 +02:00
John Lambert
2b57f95e72
Update win_grabbing_sensitive_hives_via_reg.yml 2021-07-24 18:17:27 -05:00
John Lambert
da6e747547
cover evasions from unicode substitutions 
Add variations to cover unicode substitutions to avoid evasion.

> Unicode contains a range for Spacing Modifier Letters (0x02B0 - 0x02FF) [4], which includes characters such as ˪, ˣ and ˢ. Some command-line parsers recognise these as letters and convert them back to l, x and s respectively. 

See (https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation) by @Wietze
 2021-07-24 10:33:15 -05:00
Florian Roth
7cacc57313
Merge pull request #1733 from SigmaHQ/rule-devel 
New hive file pattern for C# version of HiveNightmare
 2021-07-24 16:41:51 +02:00
Florian Roth
9771943116 refactor: new file pattern SeriousSAM 2021-07-24 16:13:36 +02:00
Florian Roth
ae80f747ae fix: adding experimental status 2021-07-24 12:34:33 +02:00
Florian Roth
a090feecf5
Merge pull request #1732 from SigmaHQ/rule-devel 
Relay attack tools and impacket binaries
 2021-07-24 12:33:48 +02:00
Florian Roth
c0bc51e849
Merge pull request #1731 from frack113/more_check 
Update test_rules.py
 2021-07-24 11:10:00 +02:00
Florian Roth
3eb37c014c rule: Impacket tools and Relay attack tools 2021-07-24 11:08:35 +02:00
Florian Roth
07223baaeb fix: typo in date value 2021-07-24 10:22:07 +02:00
frack113
ffcd3a2112 Add test_optional_related test_optional_fields test_optional_falsepositives 2021-07-24 09:41:04 +02:00
Florian Roth
772cf4f5e4
Merge pull request #1730 from SigmaHQ/rule-devel 
fix: avoid false positives with MSF psexec rule
 2021-07-23 19:49:45 +02:00
Florian Roth
880a87ce91 fix: avoid false positives with MSF psexec rule 2021-07-23 18:33:38 +02:00
Florian Roth
7ede42f78d
Merge pull request #1729 from SigmaHQ/rule-devel 
add additional filename pattern to HiveNightmare rule
 2021-07-23 10:40:33 +02:00
Florian Roth
c0138d5ced add additional filename pattern to HiveNightmare rule 2021-07-23 10:39:41 +02:00