valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,925 Commits 20 Branches 25 Tags 21 MiB
bda207660d
Commit Graph

1809 Commits

Author SHA1 Message Date
Florian Roth
a04aa6ac49
rule: ADCSPwn 2021-07-31 10:18:21 +02:00
Florian Roth
ec9c15226f
SeriousSAM PowerShell rule 2021-07-29 18:12:10 +02:00
Florian Roth
77c8225db3
Merge pull request #1745 from frack113/redcanary_t1115 
[OSCD]  process_creation_clip.yml t1115
 2021-07-28 16:24:15 +02:00
Florian Roth
c3eced4ae7
Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml 
update win_susp_rar_flags.yml
 2021-07-28 16:23:14 +02:00
Florian Roth
dc4380d459
Merge pull request #1750 from frack113/redcanary_t1560.001_winzip 
[OSCD] Redcanary t1560.001 winzip
 2021-07-28 16:22:48 +02:00
Florian Roth
321a15d004
Merge pull request #1751 from frack113/redcanary_t1560.001_7zip 
[OSCD] Redcanary t1560.001 7z
 2021-07-28 16:22:31 +02:00
Florian Roth
6d5e695cd1
Merge pull request #1753 from frack113/redcanary_t1119 
Redcanary t1119
 2021-07-28 16:21:40 +02:00
frack113
8a885dd098 add process_creation_automated_collection.yml 2021-07-28 13:17:40 +02:00
Florian Roth
87a911a15e
Update process_creation_susp_7z.yml 2021-07-27 16:02:09 +02:00
Florian Roth
428995d00e
Update process_creation_susp_7z.yml 2021-07-27 15:24:39 +02:00
Florian Roth
c31bc05aae
Update process_creation_susp_7z.yml 2021-07-27 15:22:44 +02:00
frack113
54e6e36ecc add process_creation_susp_7z.yml 2021-07-27 12:54:39 +02:00
Florian Roth
ee85fdfa3f
Merge pull request #1749 from SigmaHQ/rule-devel 
CobaltStrike Process Patterns and minor fixes
 2021-07-27 12:52:22 +02:00
Florian Roth
5d039dd138 rule: Cobalt Strike patterns 2021-07-27 11:24:40 +02:00
frack113
ea56db2bed forget date field 2021-07-27 11:09:35 +02:00
frack113
227e4bca13 add process_creation_susp_winzip.yml 2021-07-27 10:57:32 +02:00
frack113
8b82fbf36b update detection 2021-07-27 10:34:46 +02:00
Florian Roth
90ca1a8ad2
fix: bug in author field (cannot be a list) 2021-07-27 10:14:53 +02:00
Florian Roth
1a538371c9
fix: bug in author field (not list) 2021-07-27 10:14:03 +02:00
frack113
8aa79b9d86 add process_creation_clip.yml 2021-07-27 08:50:03 +02:00
Florian Roth
21c4d241a1 HiveNightmare and Relay attack tools adjustments 2021-07-26 10:59:35 +02:00
John Lambert
2b57f95e72
Update win_grabbing_sensitive_hives_via_reg.yml 2021-07-24 18:17:27 -05:00
John Lambert
da6e747547
cover evasions from unicode substitutions 
Add variations to cover unicode substitutions to avoid evasion.

> Unicode contains a range for Spacing Modifier Letters (0x02B0 - 0x02FF) [4], which includes characters such as ˪, ˣ and ˢ. Some command-line parsers recognise these as letters and convert them back to l, x and s respectively. 

See (https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation) by @Wietze
 2021-07-24 10:33:15 -05:00
Florian Roth
7cacc57313
Merge pull request #1733 from SigmaHQ/rule-devel 
New hive file pattern for C# version of HiveNightmare
 2021-07-24 16:41:51 +02:00
Florian Roth
ae80f747ae fix: adding experimental status 2021-07-24 12:34:33 +02:00
Florian Roth
a090feecf5
Merge pull request #1732 from SigmaHQ/rule-devel 
Relay attack tools and impacket binaries
 2021-07-24 12:33:48 +02:00
Florian Roth
3eb37c014c rule: Impacket tools and Relay attack tools 2021-07-24 11:08:35 +02:00
frack113
ffcd3a2112 Add test_optional_related test_optional_fields test_optional_falsepositives 2021-07-24 09:41:04 +02:00
Florian Roth
fa344987c0
Merge pull request #1703 from hieuttmmo/master 
Suspicious behaviours related to  SOURGUM
 2021-07-23 10:32:25 +02:00
Florian Roth
7c42a9d6cb
Merge pull request #1728 from SigmaHQ/rule-devel 
HiveNightmare file creation, other rule improvements
 2021-07-23 10:21:35 +02:00
Tran Trung Hieu
77b4a37916 Update the references 2021-07-23 14:58:51 +07:00
Florian Roth
cc8899ea62
Merge pull request #1717 from frack113/netcat 
[OSCD] sysmon_netcat_execution.yml T1095
 2021-07-23 09:51:23 +02:00
Florian Roth
d00ca03cb6
increased level to high 2021-07-23 09:51:00 +02:00
Florian Roth
cbc7a746d4
feat: some often used ncat command line strings 2021-07-22 15:00:50 +02:00
frack113
1b537cac5d add sysmon_netcat_execution.yml 2021-07-21 10:55:54 +02:00
Florian Roth
ddb4744613 regsvr32 anomaly rule update 
https://twitter.com/BlackMatter23/status/1417545425297580045
 2021-07-20 21:14:48 +02:00
frack113
cf8904b560 fix files_with_incorrect_mitre_tags 2021-07-20 12:22:31 +02:00
Florian Roth
66aaa2210c refactor: widened PS1 Empire cmdlines rule 2021-07-20 11:26:22 +02:00
frack113
da6135ccb3 add process_creation_discover_private_keys.yml 2021-07-20 11:20:30 +02:00
Florian Roth
6fbce11094
Merge pull request #1712 from SigmaHQ/rule-devel 
fix: bug in regsvr anomaly rule
 2021-07-18 13:00:19 +02:00
Florian Roth
b7b4c4555f fix: bug in regsvr anomaly rule 2021-07-18 12:59:31 +02:00
Florian Roth
7eb873e48b
Merge pull request #1710 from SigmaHQ/rule-devel 
added more legitimate extensions to regsvr32 rule
 2021-07-17 13:46:21 +02:00
Florian Roth
53c25969ab added more legitimate extensions to regsvr32 rule 2021-07-17 11:20:05 +02:00
Florian Roth
715bca0fd2
Merge pull request #1704 from frack113/redcanary_t1216 
Redcanary t1216
 2021-07-17 09:48:43 +02:00
Florian Roth
b1a00152bc
Merge pull request #1698 from SigmaHQ/rule-devel 
several new rules and fixes
 2021-07-17 09:39:47 +02:00
Florian Roth
b911175f28 Suspicious mshta patterns 2021-07-17 09:04:41 +02:00
Florian Roth
6c79115ce0 Regsvr32 Anomalies extended 2021-07-17 09:04:31 +02:00
Tran Trung Hieu
8effde4e1d More suspicious flag fot bitsadmin execution 2021-07-16 16:40:00 +07:00
Tran Trung Hieu
1cb631017a Suspicious behaviours related to SOURGUM 2021-07-16 14:13:48 +07:00
frack113
9a7f3036e4 update ref in win_manage-bde_lolbas.yml 2021-07-16 08:34:30 +02:00