valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,848 Commits 20 Branches 25 Tags 21 MiB
cc01f76e99
Commit Graph

809 Commits

Author SHA1 Message Date
Florian Roth
cc01f76e99 docs: minor changes 2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00
ecco
d0a24f4409 filter NULL values to remove false positives 2019-08-20 05:10:41 -04:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match 
Add default task name and powershell task command to match what the rule name says: detects default config.
 2019-08-09 11:58:43 +02:00
Florian Roth
4fcb52d098 fix: removed mmc susp rule due to many FPs 2019-08-07 14:26:15 +02:00
Florian Roth
f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5 
Ryuk Ransomware commands from real case
 2019-08-06 10:29:00 +02:00
Karneades
42e6c9149b
Remove unneeded event code 2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule 2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell 
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml. And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml.
 2019-08-05 18:42:31 +02:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what title says 
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
 2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac rule: reworked vssadmin rule 2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf fix: fixing rule win_cmstp_com_object_access 
https://github.com/Neo23x0/sigma/issues/408
 2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99 Rule: reworked win_susp_powershell_enc_cmd 2019-07-30 14:36:30 +02:00
Florian Roth
9143e89f3e Rule: renamed and reworked hacktool Ruler rule 2019-07-26 14:49:09 +02:00
Florian Roth
f3fb2b41b2 Rule: FP filters extended 2019-07-23 14:58:36 +02:00
Florian Roth
2c57b443e4 docs: modification date in rule 2019-07-17 09:21:35 +02:00
Florian Roth
de74eb4eb7
Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix 
Win susp dhcp config failed fix
 2019-07-17 09:20:25 +02:00
yugoslavskiy
e8b9a6500e author string modified 2019-07-17 07:02:59 +03:00
yugoslavskiy
a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
Nate Guagenti
e2050404bc
prevent EventID collision for dhcp 
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
 2019-07-16 15:30:52 -04:00
Christophe Tafani-Dereeper
5bc10a4855
Include Github raw URLs in suspicious downloads detection rule 2019-07-05 09:01:35 +00:00
Florian Roth
0b883a90b6 fix: null value in separate expression 2019-07-02 20:14:45 +02:00
Florian Roth
ce43d600e3 fix: added null value / application to 4688 problem 2019-07-02 10:51:48 +02:00
Tareq AlKhatib
15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Vasiliy Burov
2f123f64a7
Added command that stops services. 2019-06-28 19:46:34 +03:00
Vasiliy Burov
3813d277a6
Ryuk Ransomware commands from real case 2019-06-28 19:26:05 +03:00
Florian Roth
ad386474bf fix: removed unusable extensions in proc exec context 2019-06-26 17:03:01 +02:00
Florian Roth
708f3ef002 fix: fixed duplicate element in new double extension rule 2019-06-26 16:00:58 +02:00
Florian Roth
41dc076959 Rule: suspicious double extension 2019-06-26 15:57:25 +02:00
Florian Roth
39b5eddfc7 Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00
Florian Roth
26036e0d35 fix: fixed image in taskmgr rule 2019-06-21 17:15:53 +02:00
Thomas Patzke
ff7128209e Adjusted level 2019-06-20 00:03:48 +02:00
Thomas Patzke
0f8849a652 Rule fixes 
* tagging
* removed spaces
* converted to generic log source
* typos/case
 2019-06-20 00:01:56 +02:00
Thomas Patzke
f4c86f15b8 Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master 2019-06-19 23:49:20 +02:00
Thomas Patzke
429c29ed5a
Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing 
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
 2019-06-19 23:43:10 +02:00
Thomas Patzke
960cd69d50 Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4 2019-06-19 23:34:25 +02:00
Thomas Patzke
dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke
d14f5c3436
Merge pull request #371 from savvyspoon/issue285 
CAR tagging
 2019-06-19 23:21:43 +02:00
Thomas Patzke
d82df83ef1
Merge pull request #369 from TareqAlKhatib/refactors 
Refactors
 2019-06-19 23:16:19 +02:00
mgreen27
07e2ee474c sigma/Add sysmon_renamed_binary 2019-06-15 20:20:52 +10:00
mgreen27
1d26708887 sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00
David Vassallo
d7443d71a4
Create win_pass_the_hash_2.yml 
alternative detection methods
 2019-06-14 18:08:36 +03:00
Michael Wade
f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb
2d22a3fe02
Add detection for recent Mimikatz versions 
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
 2019-06-12 12:13:31 +03:00
Thomas Patzke
a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib
fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
yugoslavskiy
5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00