Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Florian Roth
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1
Typo fix for powershell_suspicious_invocation_generic.yml
2020-04-03 09:30:32 +02:00
Florian Roth
dec0c108f9
Merge pull request #683 from NVISO-BE/powershell_wmimplant
WMImplant detection rule
2020-04-02 11:54:09 +02:00
Chris O'Brien
fe5dbece3d
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
Chris O'Brien
97c0872c81
Date typo.
2020-04-02 09:53:09 +02:00
Chris O'Brien
95e0b12d88
Fixed date typo - by the looks of the commit date the month/date were swapped.
2020-04-01 18:18:13 +02:00
Clément Notin
18cdddb09e
Small typo
2020-03-31 15:22:00 +02:00
Maxime Thiebaut
8dcbfd9aca
Add AD User Enumeration
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.
This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.
Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as a high/critical
one if flagged on non-used canary user-accounts.
False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
Remco Hofman
b791d599ee
Disabled keywords that could cause FPs
2020-03-30 08:53:52 +02:00
teddy-ROxPin
1a3731f7ae
Typo fix for powershell_suspicious_invocation_generic.yml
' - windowstyle hidden ' changed to ' -windowstyle hidden '
2020-03-29 04:16:15 -06:00
Florian Roth
8ea6b12eed
Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini
Add "Suspicious desktop.ini Action" rule
2020-03-28 13:34:01 +01:00
Florian Roth
fe5b5a7782
Merge pull request #673 from j91321/rules-minor-fixes
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth
e2b90220a2
Update sysmon_susp_desktop_ini.yml
2020-03-28 13:19:10 +01:00
Florian Roth
bbb10a51f4
Update win_powershell_downgrade_attack.yml
2020-03-28 13:17:58 +01:00
Florian Roth
0e94eb9e86
Update win_powershell_downgrade_attack.yml
2020-03-28 13:12:07 +01:00
Florian Roth
2426b39d83
Merge pull request #678 from justintime/title_collision
Eliminate title collision
2020-03-28 12:57:55 +01:00
Remco Hofman
f52ed4150d
WMImplant parameter detection
2020-03-27 15:08:35 +01:00
Iveco
55258e1799
Title capitalized
2020-03-26 17:04:08 +01:00
Iveco
3f577c98e7
Title capitalized
2020-03-26 17:03:33 +01:00
Iveco
68c20dca20
Fixed title length
2020-03-26 16:56:46 +01:00
Iveco
39a3af04ce
Fixed title length
2020-03-26 16:56:06 +01:00
Justin Ellison
dabc759136
Eliminate title collision
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
iveco
ddacde9e6b
add LDAPFragger detections
2020-03-26 15:13:36 +01:00
Florian Roth
28953a2942
fix: MITRE tags in rule
2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d
rule: powershell downloadfile
2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7
Merge branch 'master' into devel
2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8
rule: Exploited CVE-2020-10189 Zoho ManageEngine
2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f
rule: extended web shell spawn rule
2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5
Change falsepositives to array
2020-03-24 19:59:54 +01:00
j91321
c784adb10b
Wrong indentation falsepositives
2020-03-24 19:55:41 +01:00
j91321
98a633e54c
Add missing status and falsepositives
2020-03-24 19:53:41 +01:00
j91321
3c74d8b87d
Add correct Source to detection to avoid FP
2020-03-24 19:49:24 +01:00
j91321
bc442d3021
Add path with lowercase system32
2020-03-24 19:48:24 +01:00
j91321
78bfa950d7
Add WinPrvSE.exe to detection
2020-03-24 19:47:10 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Harish SEGAR
a88b22a1bd
Fix namefield.
2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7
Restructure new improvement to process_creation folder.
2020-03-20 23:29:32 +01:00
Harish SEGAR
b9a916ceb4
Removed useless condition.
2020-03-20 22:50:26 +01:00
Harish SEGAR
30fac9545a
Fixed author field.
2020-03-20 22:49:07 +01:00
Harish SEGAR
1f251cec07
Added missing action field
2020-03-20 22:46:19 +01:00
Harish SEGAR
293018a9e7
Added conditions...
2020-03-20 22:33:14 +01:00
Harish SEGAR
74b81120e4
Usage of value modifiers...
2020-03-20 22:03:48 +01:00
Harish SEGAR
b129f09fee
Improvement detection on downgrade of powershell
2020-03-20 21:48:19 +01:00
Maxime Thiebaut
dce18b23b7
Add "Suspicious desktop.ini Action" rule
2020-03-19 21:43:03 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
Devel
2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e
fix: reduced level due to false positives
2020-03-17 20:40:28 +01:00
neu5ron
4c94906d53
rule should be wildcard AND had a prepended ^
in one of the CommandLine conditions that would have caused it to not trigger
2020-03-14 15:00:42 -04:00
neu5ron
4b572f3ccb
newline in description - typo
2020-03-14 14:58:58 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00