valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,067 Commits 20 Branches 25 Tags 21 MiB
c2e621cf08
Commit Graph

920 Commits

Author SHA1 Message Date
Thomas Patzke
a5579fa8cd
Merge pull request #513 from Karneades/fix-sysmon-rule 
fix: bound sysmon logon script rule to field
 2019-11-02 23:04:35 +01:00
Karneades
0117dac1db fix: bound sysmon logon script rule to field 
Fixed rule:
- rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
 2019-11-02 11:47:20 +01:00
Karneades
68fd20cb66 fix: bound windows event log rules to message field 
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
 2019-11-02 11:25:29 +01:00
Florian Roth
3107c0c268 rule: Formbook rule improved 2019-10-31 09:32:18 +01:00
Florian Roth
4741b6a4d6 rule: Mustang Panda dropper 2019-10-30 18:22:40 +01:00
Florian Roth
d661771608 rule: another DTRACK reference 2019-10-30 18:22:25 +01:00
Florian Roth
3ac28f3eed rule: DTRACK process creation 2019-10-30 15:16:33 +01:00
Thomas Patzke
219f00e3fb Added command line parameter 
Implements #418
 2019-10-29 23:04:28 +01:00
Thomas Patzke
f4e9690d6b
Merge pull request #508 from Karneades/fixRule3 
fix: bound keywords to field in multiple PS rules
 2019-10-29 22:34:08 +01:00
Thomas Patzke
78d8ca2b41
Merge pull request #507 from Karneades/fixRule2 
fix: bound keywords to field in PS cred prompt rule
 2019-10-29 22:31:01 +01:00
Thomas Patzke
40df0d4534
Merge pull request #506 from Karneades/fixRule1 
fix: bound keywords to field in WMI persistence rule
 2019-10-29 22:30:27 +01:00
Thomas Patzke
6eb49fc1ce
Merge pull request #509 from Karneades/fixRule4 
fix: change keyword and bound it to a field in PS rule
 2019-10-29 22:27:54 +01:00
Thomas Patzke
b6403793c1 Fixed escaping in rule 2019-10-29 22:06:23 +01:00
Karneades
ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Karneades
aafab2e936 fix: bound keywords to field in multiple PS rules 
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
 2019-10-29 19:53:18 +01:00
Karneades
f31750e567 fix: bound keywords to field in PS cred prompt rule 2019-10-29 19:43:04 +01:00
Karneades
cd20e4a3fc fix: bound keywords to field in WMI persistence rule 
See #501.
 2019-10-29 19:22:41 +01:00
Florian Roth
8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
Florian Roth
1a3444d0ef docs: comment on rule expression 2019-10-28 12:02:46 +01:00
Florian Roth
42808b7eb8 rule: webshell detection improved 2019-10-26 09:14:54 +02:00
Florian Roth
a5ec6722a1 rule: the actual changes to hwp rule 2019-10-24 15:35:13 +02:00
Florian Roth
86c1b4ae4b rule: hwp exploits 2019-10-24 11:46:56 +02:00
Florian Roth
3d4ce9d175 rule: another reference link for 'execution by ordinal' 2019-10-22 15:18:19 +02:00
Florian Roth
b3654947bc rule: suspicious call by ordinal (rundll32) 2019-10-22 12:40:26 +02:00
Florian Roth
0f02f2bdfc rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 12:32:37 +02:00
Florian Roth
deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth
ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth
c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth
5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Florian Roth
d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth
4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth
e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth
52fef7ae10
Merge pull request #468 from 2d4d/lsass_without_exe 
remove .exe from lsass
 2019-10-14 18:03:13 +02:00
Florian Roth
8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth
0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth
312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d
cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth
7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth
5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth
98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth
60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Florian Roth
ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth
14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke
60ef593a6f Fixed wrong backslash escaping of * 
Fixes issue #466
 2019-10-07 22:14:44 +02:00
Florian Roth
d096ab0e21 rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet 2019-10-04 16:17:34 +02:00
Florian Roth
3eaf4d6e94 fix: fixed typo in bluemashroom rule 2019-10-02 15:45:55 +02:00
Florian Roth
6d78a5fede rule: extended the command line in bluemashroom rule 2019-10-02 14:03:34 +02:00
Florian Roth
7423fe2072 fix: fixed typo in APT group name 2019-10-02 14:02:07 +02:00
Florian Roth
e993ef46f0 rule: APT blue mushroom 2019-10-02 13:57:14 +02:00
Florian Roth
4bc7f6ea52 rule: QBot process creation 2019-10-01 17:25:04 +02:00