valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,308 Commits 20 Branches 25 Tags 21 MiB
c25b902add
Commit Graph

1084 Commits

Author SHA1 Message Date
Florian Roth
c25b902add
Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Vasiliy Burov
977551c69d
Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov
0dd4324aba
Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Thomas Patzke
ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke
e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke
c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke
76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
Florian Roth
c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth
fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
Florian Roth
f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth
55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth
4022e3251b rule: changed title 2019-11-20 09:16:00 +01:00
Florian Roth
158f6b3065 rule: exploitation of CVE-2019-1388 2019-11-20 09:12:02 +01:00
Florian Roth
98aa4d4ecb fix: fixed typo in rule for renamed procdump 2019-11-19 15:59:07 +01:00
Florian Roth
2c855be9d3 fix: casing fix in renamed procdump rule 2019-11-18 15:57:14 +01:00
Florian Roth
93f890b31d rule: renamed procdump 2019-11-18 15:27:04 +01:00
Florian Roth
da05c9bb82 fix: line break in description 2019-11-18 15:26:55 +01:00
Florian Roth
04288771a1 fix: bugfix in RottenPotato rule - wrong identifier 2019-11-15 11:50:03 +01:00
Florian Roth
7e6031705e rule: RottenPotato attack pattern 2019-11-15 11:44:18 +01:00
Florian Roth
ff3ed04405 rule: Exploiting SetupComplete.cmd CVE-2019-1378 2019-11-15 00:26:18 +01:00
Florian Roth
2b7699cc15 fix: fixed broken condition 2019-11-14 10:15:18 +01:00
Florian Roth
95a8563606 Rule: suspicious msiexec directory 2019-11-14 09:51:55 +01:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
Thomas Patzke
d42cc78509 Converted rules Sysmon/1 parts to generic process_creation 2019-11-12 21:06:24 +01:00
Thomas Patzke
0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Florian Roth
b7c3f8da91 refactor: cleanup, single element lists, renamed files, level adjustments 2019-11-12 12:55:05 +01:00
Florian Roth
8cc16d252a fix: more FP reductions 2019-11-09 23:36:29 +01:00
Florian Roth
038f205f0f fix: FPs with UserInitMprLogonScript rule 2019-11-09 23:32:53 +01:00
Florian Roth
fbe138ed90 rule: reduced level of rule to medium due to FPs 2019-11-09 23:24:31 +01:00
Florian Roth
9835950f04 rule: SID to AD object rule level adjusted 2019-11-09 12:49:54 +01:00
Florian Roth
be62fad5cc fix: fixed false positive in suspicious shell spawn rule 2019-11-09 10:45:46 +01:00
Thomas Patzke
8ae824f09f Improved rules 
Reduced false positives
 2019-11-08 23:56:14 +01:00
Thomas Patzke
6e2fe09d24 Removed invalid tags 2019-11-08 22:02:12 +01:00
yugoslavskiy
b176339da8
Merge pull request #479 from alexpetrov12/master 
add rule
 2019-11-08 02:16:22 +03:00
yugoslavskiy
00fc6c62b4
Delete renamed_binary_description.yml 
agreed on improvements. will be added later
 2019-11-08 02:16:01 +03:00
yugoslavskiy
98f32e9098
Delete sysmon_mimikatz_сreds_dump.yml 
merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
 2019-11-08 02:06:31 +03:00
yugoslavskiy
6d61401b12
Delete sysmon_сreds_dump.yml 
merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
 2019-11-08 02:06:20 +03:00
yugoslavskiy
562e07de38
Delete cobalt_execute_assembly.yml 
merged with existing [sysmon_cobaltstrike_process_injection.yml](https://github.com/Neo23x0/sigma/blob/oscd/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml)
 2019-11-08 01:42:42 +03:00
yugoslavskiy
52d099a6e3 improve sysmon_cobaltstrike_process_injection.yml 2019-11-08 01:41:26 +03:00
yugoslavskiy
4443870577
Delete win_odbcconf_execution.yml 
merged with rules/windows/process_creation/win_odbcconf_execution.yml
 2019-11-08 01:36:03 +03:00
yugoslavskiy
3b34ed6150 add modifiers 2019-11-08 01:34:30 +03:00
yugoslavskiy
6083d70975
Update sysmon_registry_persistence_key_linking.yml 2019-11-07 04:23:20 +03:00
yugoslavskiy
82b185db6a
Update win_sysmon_driver_unload.yml 2019-11-07 04:11:26 +03:00
yugoslavskiy
404a6d9915
Update win_netsh_packet_capture.yml 2019-11-07 03:37:41 +03:00
yugoslavskiy
ddf24819ed
Update silenttrinity_stage_use.yml 2019-11-07 03:33:12 +03:00
yugoslavskiy
0d8c64da86
duplicate rule deleted 
this rule already present in Sigma repo — [./rules/windows/process_creation/win_susp_comsvcs_procdump.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_comsvcs_procdump.yml)
 2019-11-07 03:21:09 +03:00
yugoslavskiy
5513687e63 Merge branch 'master' of https://github.com/Neo23x0/sigma into oscd 2019-11-07 03:03:35 +03:00
Florian Roth
c60563e546 rule: add modified rule date 2019-11-05 11:24:52 +01:00
yugoslavskiy
82f23c5f63
Merge pull request #477 from zinint/oscd 
add 13 new rules:

- rules/linux/auditd/lnx_auditd_masquerading_crond.yml 
- rules/linux/auditd/lnx_auditd_user_discovery.yml 
- rules/linux/auditd/lnx_data_compressed.yml 
- rules/linux/auditd/lnx_network_sniffing.yml 
- rules/windows/powershell/powershell_data_compressed.yml 
- rules/windows/powershell/powershell_winlogon_helper_dll.yml 
- rules/windows/process_creation/win_change_default_file_association.yml 
- rules/windows/process_creation/win_data_compressed_with_rar.yml 
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml 
- rules/windows/process_creation/win_network_sniffing.yml 
- rules/windows/process_creation/win_query_registry.yml 
- rules/windows/process_creation/win_service_execution.yml 
- rules/windows/process_creation/win_xsl_script_processing.yml 

modify 1 rule:

- rules/windows/process_creation/win_possible_applocker_bypass.yml
 2019-11-05 04:55:29 +03:00