valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-09 02:26:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,272 Commits 20 Branches 25 Tags 21 MiB
cea2d5cd81
Commit Graph

6272 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andreas Hunkeler
cea2d5cd81
Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler
e1ef13bb24
Update ngrok usage rule 
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
 2021-06-07 17:20:18 +02:00
Florian Roth
321c31cb7b
Merge pull request #1540 from frack113/sysmon_amsi_bypass_remove_key 
T1562.001 Remove the AMSI Provider registry key
 2021-06-07 11:09:16 +02:00
frack113
43ccc07ad0 T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection 2021-06-07 10:09:21 +02:00
Florian Roth
a17bd970db
Merge pull request #1539 from frack113/basic_sysmon_modif 
Detect modification of sysmon configuration by sysmon
 2021-06-07 09:12:38 +02:00
frack113
169f948ac2 Get a new error after another Atomic Test 2021-06-04 13:20:10 +02:00
frack113
3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
Florian Roth
b26eece20d
Merge pull request #1533 from SpeedyFireCyclone/cobaltstrike_service_install_fix 
Consistency: Service File Name to ServiceFileName
 2021-06-03 23:34:00 +02:00
Remco Hofman
12c822511e Consistency: Service File Name to ServiceFileName 2021-06-03 21:33:11 +02:00
Florian Roth
bcd6d3c9ba
Merge pull request #1528 from SigmaHQ/dependabot/pip/urllib3-1.26.5 
Bump urllib3 from 1.26.4 to 1.26.5
 2021-06-03 20:50:58 +02:00
Florian Roth
2115bfcd75
Merge pull request #1519 from frack113/esrule_new_option 
Add some fun backend option for es-rule
 2021-06-03 20:50:44 +02:00
Florian Roth
42036049ec
Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration 
Filtering Platform Connection are in security channel not system
 2021-06-03 20:50:23 +02:00
Florian Roth
b45561c4c9
Merge pull request #1524 from frack113/fix_powershell_alternate_powershell_hosts 
make powershell_alternate_powershell_hosts more accurate
 2021-06-03 20:50:06 +02:00
Florian Roth
d41825766a
Merge pull request #1529 from SigmaHQ/rule-devel 
fix: FPs with Volume Shadow Copy Service Keys
 2021-06-03 20:49:31 +02:00
Florian Roth
4d7b3b7afe
Merge pull request #1530 from Karneades/patch-1 
Add further detections to shadow copies deletion
 2021-06-03 13:51:00 +02:00
Florian Roth
32bcdb5b0e
Merge pull request #1532 from frack113/rule-devel_SDelete 
Add windows T1485 SDelete
 2021-06-03 13:50:14 +02:00
Florian Roth
fa41ff3bc4
Merge pull request #1531 from ajpc500/c3_rundll_rule 
Added rule for rundll32 launch of default F-Secure C3 Relay
 2021-06-03 13:49:55 +02:00
Florian Roth
11eca86be3
Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth
151d120a24
Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113
ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion
9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler
e8ee6aec2f
Add further detections to shadow copies deletion 
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
 2021-06-02 15:47:41 +02:00
Florian Roth
7812ff51d3 fix: FPs with Volume Shadow Copy Service Keys 2021-06-02 13:04:05 +02:00
dependabot[bot]
8fd0baebef
Bump urllib3 from 1.26.4 to 1.26.5 
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.4 to 1.26.5.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.4...1.26.5)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-06-02 00:27:45 +00:00
Florian Roth
7288ae93b9
Merge pull request #1526 from WojciechLesicki/master 
Added a new rule about loading dll CS via rundll32 and also some chan…
 2021-06-01 21:54:26 +02:00
Florian Roth
eb4300756e
Update win_cobaltstrike_service_installs.yml 2021-06-01 21:53:25 +02:00
Florian Roth
736eeabf9f
Merge pull request #1527 from SigmaHQ/rule-devel 
fix: rule FPs with Stealthy VSTO Persistence
 2021-06-01 18:18:22 +02:00
Florian Roth
950b252d5c
Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki
d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki
90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki
cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
Florian Roth
34cf1333de fix: rule FPs with Stealthy VSTO Persistence 2021-06-01 13:58:35 +02:00
frack113
bf98f43850 Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
frack113
5f98f00a36 Filtering Platform Connection are in security channel not system 2021-06-01 08:19:26 +02:00
Florian Roth
b191efaab1
Merge pull request #1522 from SigmaHQ/rule-devel 
rule: nginx core dump
 2021-05-31 16:56:16 +02:00
Florian Roth
ab73dd4dd6 rule: nginx core dump 2021-05-31 10:49:42 +02:00
Florian Roth
5b4742b5f9
Merge pull request #1521 from frack113/fix_some_logsource 
Fix some logsource to get more accurate
 2021-05-31 10:07:29 +02:00
frack113
0b2037ccad fix **firewall** is a category like in all other rules 2021-05-30 09:43:29 +02:00
frack113
aa34ff8e3c Addition of System channel for more accurate detection 2021-05-30 09:27:08 +02:00
frack113
7d55c7ca80 category other is useless 
Add a new reference
 2021-05-30 09:17:41 +02:00
frack113
f91abf8929 Fix auditd is a service 2021-05-30 08:58:25 +02:00
frack113
a634452871 product is lowercase 2021-05-30 08:43:01 +02:00
frack113
58436c2a02 product is lowercase 2021-05-30 08:37:48 +02:00
frack113
33a5137bc7 Fix logsource to get accurate detection 2021-05-30 08:22:38 +02:00
frack113
7ec513f1d0 Fix error when use -< namefile.yml in commandline as I never use it 2021-05-28 12:47:37 +02:00
frack113
b3a608599a Add some fun backend option for es-rule 2021-05-28 10:51:08 +02:00
Florian Roth
503df46968
Merge pull request #1518 from frack113/duplicate_uuid 
Two last duplicate UUID
 2021-05-28 09:29:26 +02:00
frack113
9a0604029e duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d 
- win_cobaltstrike_service_installs.yml
- win_mal_service_installs.yml
 2021-05-27 21:06:07 +02:00
frack113
179bfa7d56 duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 
- sysmon_susp_webdav_client_execution.yml
- sysmon_wdigest_enable_uselogoncredential.yml
 2021-05-27 20:59:26 +02:00
Florian Roth
06a84350ae
Merge pull request #1517 from SigmaHQ/rule-devel 
rule: suspicious programs - no DLL in command line
 2021-05-27 19:50:12 +02:00