SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00

Author	SHA1	Message	Date
yugoslavskiy	c8ee6e9631	Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov [OSCD] Ilyas Ochkov contribution	2019-11-14 00:22:48 +03:00
yugoslavskiy	b47748399d	Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml	2019-11-14 00:19:30 +03:00
yugoslavskiy	1fe7f55d47	Update sysmon_suspicious_outbound_kerberos_connection.yml	2019-11-14 00:10:05 +03:00
yugoslavskiy	07ad11f3ae	Update sysmon_possible_dns_rebinding.yml	2019-11-14 00:08:50 +03:00
yugoslavskiy	ded75d033a	Update sysmon_new_dll_added_to_appinit_dlls_registry_key.yml	2019-11-13 23:47:24 +03:00
yugoslavskiy	0cb1d4fdbd	Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml	2019-11-13 23:44:03 +03:00
yugoslavskiy	bba360212a	Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml	2019-11-13 23:43:45 +03:00
yugoslavskiy	e6e308ef51	Update sysmon_disable_security_events_logging_adding_reg_key_minint.yml	2019-11-13 23:40:29 +03:00
yugoslavskiy	385ebac502	Merge pull request #497 from Heirhabarov/master OSCD Task 1 - Privilege Escalation	2019-11-11 01:33:28 +03:00
yugoslavskiy	8adc51d4aa	Update sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml	2019-11-11 01:30:19 +03:00
yugoslavskiy	69a99bc2c3	Merge pull request #493 from alx1m1k/oscd [OSCD] rules from Jet CSIRT team	2019-11-10 23:11:24 +03:00
yugoslavskiy	1f5a31f0e7	fix logsource for remote_powershell_session_process.yml	2019-11-10 23:10:24 +03:00
yugoslavskiy	fcde35d6ab	Update sysmon_regsvr32_network_activity.yml	2019-11-10 22:51:53 +03:00
yugoslavskiy	0beeaadb6f	Update sysmon_narrator_feedback_persistance.yml	2019-11-10 22:47:48 +03:00
yugoslavskiy	5756df1922	rename file	2019-11-10 21:56:34 +03:00
yugoslavskiy	e5e44e2ade	Merge pull request #488 from stvetro/oscd [OSCD][ART] Task 7: T1060, T1031	2019-11-10 21:39:32 +03:00
yugoslavskiy	f2f1628506	Update and rename sysmon_runkey_from_powershell.yml to sysmon_asep_regirstry_modification.yml	2019-11-10 21:36:21 +03:00
yugoslavskiy	0db5436778	add tieto dns exfil rules	2019-11-10 20:27:21 +03:00
yugoslavskiy	bdac415fea	Merge pull request #486 from yugoslavskiy/tieto_oscd [OSCD] Tieto DNS exfiltration rules	2019-11-10 19:36:02 +03:00
yugoslavskiy	4fa928866f	oscd task #6 done. add 25 new rules: - win_ad_replication_non_machine_account.yml - win_dpapi_domain_backupkey_extraction.yml - win_protected_storage_service_access.yml - win_dpapi_domain_masterkey_backup_attempt.yml - win_sam_registry_hive_handle_request.yml - win_sam_registry_hive_dump_via_reg_utility.yml - win_lsass_access_non_system_account.yml - win_ad_object_writedac_access.yml - powershell_alternate_powershell_hosts.yml - sysmon_remote_powershell_session_network.yml - win_remote_powershell_session.yml - win_scm_database_handle_failure.yml - win_scm_database_privileged_operation.yml - sysmon_wmi_module_load.yml - sysmon_remote_powershell_session_process.yml - sysmon_rdp_registry_modification.yml - sysmon_powershell_execution_pipe.yml - sysmon_alternate_powershell_hosts_pipe.yml - sysmon_powershell_execution_moduleload.yml - sysmon_createremotethread_loadlibrary.yml - sysmon_alternate_powershell_hosts_moduleload.yml - powershell_remote_powershell_session.yml - win_non_interactive_powershell.yml - win_syskey_registry_access.yml - win_wmiprvse_spawning_process.yml improve 1 rule: - rules/windows/builtin/win_account_backdoor_dcsync_rights.yml	2019-11-10 18:43:41 +03:00
yugoslavskiy	c0ac9b8fb9	fix conflict	2019-11-10 17:31:33 +03:00
yugoslavskiy	127335a0ec	Merge pull request #482 from yugoslavskiy/master [OSCD][The ThreatHunter-Playbook] Task 6: DONE	2019-11-10 17:27:54 +03:00
yugoslavskiy	a59d4fdd33	Merge branch 'master' of https://github.com/Neo23x0/sigma into oscd	2019-11-10 14:47:27 +03:00
Florian Roth	038f205f0f	fix: FPs with UserInitMprLogonScript rule	2019-11-09 23:32:53 +01:00
Florian Roth	fbe138ed90	rule: reduced level of rule to medium due to FPs	2019-11-09 23:24:31 +01:00
yugoslavskiy	b176339da8	Merge pull request #479 from alexpetrov12/master add rule	2019-11-08 02:16:22 +03:00
yugoslavskiy	98f32e9098	Delete sysmon_mimikatz_сreds_dump.yml merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml	2019-11-08 02:06:31 +03:00
yugoslavskiy	6d61401b12	Delete sysmon_сreds_dump.yml merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml	2019-11-08 02:06:20 +03:00
yugoslavskiy	562e07de38	Delete cobalt_execute_assembly.yml merged with existing [sysmon_cobaltstrike_process_injection.yml](https://github.com/Neo23x0/sigma/blob/oscd/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml)	2019-11-08 01:42:42 +03:00
yugoslavskiy	52d099a6e3	improve sysmon_cobaltstrike_process_injection.yml	2019-11-08 01:41:26 +03:00
yugoslavskiy	6083d70975	Update sysmon_registry_persistence_key_linking.yml	2019-11-07 04:23:20 +03:00
yugoslavskiy	ce849a1184	Merge branch 'master' into oscd	2019-11-04 20:48:19 +03:00
yugoslavskiy	1f1fd68331	Merge pull request #472 from feedb/oscd add 11 new rules: - rules/linux/auditd/lnx_auditd_web_rce.yml - rules/windows/process_creation/process_creation_susp_bginfo.yml - rules/windows/process_creation/process_creation_susp_cdb.yml - rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml - rules/windows/process_creation/process_creation_susp_dnx.yml - rules/windows/process_creation/process_creation_susp_dxcap.yml - rules/windows/process_creation/process_creation_susp_msoffice.yml - rules/windows/process_creation/process_creation_susp_odbcconf.yml - rules/windows/process_creation/process_creation_susp_openwith.yml - rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml - rules/windows/sysmon/sysmon_webshell_creation_detect.yml	2019-11-04 20:40:58 +03:00
yugoslavskiy	19396fd274	Update sysmon_webshell_creation_detect.yml	2019-11-04 19:23:52 +03:00
Karneades	0117dac1db	fix: bound sysmon logon script rule to field Fixed rule: - rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml	2019-11-02 11:47:20 +01:00
Yugoslavskiy Daniil	fd606cb376	spaces fix	2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil	4251d9f490	ilyas ochkov contribution	2019-10-29 03:44:22 +03:00
Yugoslavskiy Daniil	3376cf4dd8	fix some typos and remove redundand references	2019-10-29 01:40:06 +03:00
Florian Roth	8ff85499c8	rule: svchost dll search order hijack	2019-10-28 12:03:03 +01:00
Teimur Kheirkhabarov	2fb40acfe6	Fix mistake in possible_privilege_escalation_via_service_registry_permissions_weakness	2019-10-28 09:30:26 +03:00
Teimur Kheirkhabarov	fde949174d	OSCD Task 1 - Privilege Escalation	2019-10-27 20:54:07 +03:00
alexpetrov12	7aa804fe90	added new rules Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking	2019-10-25 18:01:36 +03:00
Mikhail Larin	334301c185	OSCD event rules from Jet CSIRT team	2019-10-25 17:57:56 +03:00
stvetro	dcaacd07bf	4 rules to cover ART	2019-10-25 15:38:47 +04:00
yugoslavskiy	5eb484a062	add tieto dns exfiltration rules	2019-10-25 04:30:55 +02:00
yugoslavskiy	4fb9821b49	added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml	2019-10-24 15:48:38 +02:00
yugoslavskiy	3934f6c756	add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml	2019-10-24 14:34:16 +02:00
alexpetrov12	cc998aa667	fix	2019-10-24 00:48:43 +03:00
alexpetrov12	f1ccf296f4	fix	2019-10-24 00:40:58 +03:00
alexpetrov12	d3715a508b	fix	2019-10-23 18:15:46 +03:00

1 2 3 4 5 ...

452 Commits