Commit Graph

6281 Commits

Author SHA1 Message Date
Florian Roth
cfdf3b7c08
Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies
Add t1490 powershell delete volume shadow copies
2021-06-08 11:02:34 +02:00
Florian Roth
07176ddb25
Merge pull request #1541 from frack113/win_tamper_with_windows_defender
Windows tamper with windows defender
2021-06-08 11:02:14 +02:00
Florian Roth
242b56031f
Merge pull request #1542 from Karneades/patch-1
Update ngrok usage rule
2021-06-08 11:01:45 +02:00
Florian Roth
3a85b9073b
Merge pull request #1543 from frack113/Disable_Microsoft_Office_Security_Features
T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features
2021-06-08 11:00:59 +02:00
frack113
c1f43cc4ca T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features 2021-06-08 09:32:01 +02:00
frack113
0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
Andreas Hunkeler
cea2d5cd81
Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler
e1ef13bb24
Update ngrok usage rule
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
2021-06-07 17:20:18 +02:00
frack113
5914e46d4a fix typo errors 2021-06-07 15:15:36 +02:00
frack113
e66a3f9513 T1562.001 Attempting to disable scheduled scanning and other parts of Windows Defender ATP. 2021-06-07 15:03:19 +02:00
Florian Roth
321c31cb7b
Merge pull request #1540 from frack113/sysmon_amsi_bypass_remove_key
T1562.001 Remove the AMSI Provider registry key
2021-06-07 11:09:16 +02:00
frack113
43ccc07ad0 T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection 2021-06-07 10:09:21 +02:00
Florian Roth
a17bd970db
Merge pull request #1539 from frack113/basic_sysmon_modif
Detect modification of sysmon configuration by sysmon
2021-06-07 09:12:38 +02:00
frack113
169f948ac2 Get a new error after another Atomic Test 2021-06-04 13:20:10 +02:00
frack113
3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
Florian Roth
b26eece20d
Merge pull request #1533 from SpeedyFireCyclone/cobaltstrike_service_install_fix
Consistency: Service File Name to ServiceFileName
2021-06-03 23:34:00 +02:00
frack113
537272c944 Add t1490 powershell delete volume shadow copies 2021-06-03 22:39:06 +02:00
Remco Hofman
12c822511e Consistency: Service File Name to ServiceFileName 2021-06-03 21:33:11 +02:00
Florian Roth
bcd6d3c9ba
Merge pull request #1528 from SigmaHQ/dependabot/pip/urllib3-1.26.5
Bump urllib3 from 1.26.4 to 1.26.5
2021-06-03 20:50:58 +02:00
Florian Roth
2115bfcd75
Merge pull request #1519 from frack113/esrule_new_option
Add some fun backend options for es-rule
2021-06-03 20:50:44 +02:00
Florian Roth
42036049ec
Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration
Filtering Platform Connection events are in the Security channel, not System
2021-06-03 20:50:23 +02:00
Florian Roth
b45561c4c9
Merge pull request #1524 from frack113/fix_powershell_alternate_powershell_hosts
make powershell_alternate_powershell_hosts more accurate
2021-06-03 20:50:06 +02:00
Florian Roth
d41825766a
Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
2021-06-03 20:49:31 +02:00
Florian Roth
4d7b3b7afe
Merge pull request #1530 from Karneades/patch-1
Add further detections to shadow copies deletion
2021-06-03 13:51:00 +02:00
Florian Roth
32bcdb5b0e
Merge pull request #1532 from frack113/rule-devel_SDelete
Add windows T1485 SDelete
2021-06-03 13:50:14 +02:00
Florian Roth
fa41ff3bc4
Merge pull request #1531 from ajpc500/c3_rundll_rule
Added rule for rundll32 launch of default F-Secure C3 Relay
2021-06-03 13:49:55 +02:00
Florian Roth
11eca86be3
Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth
151d120a24
Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113
ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion
9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler
e8ee6aec2f
Add further detections to shadow copies deletion
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
2021-06-02 15:47:41 +02:00
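The two detections touched in the commits above, the shadow-copy deletion rule (vssadmin, wmic, diskshadow.exe, wbadmin.exe and the PowerShell Win32_Shadowcopy route, T1490) and the AMSI provider registry key removal rule (T1562.001), are exercised here by a minimal Sigma-style matcher over constructed events. This is an added example, not SigmaHQ's own rule content or the sigma toolchain: the match conditions are illustrative approximations, the field names follow Sysmon Event ID 1 (`Image`, `CommandLine`) and Event ID 12 (`EventType`, `TargetObject`), the `HKLM\SOFTWARE\Microsoft\AMSI\Providers\` prefix and the provider GUID in the sample are assumptions, and the sample events are constructed.

```python
"""Added example (not SigmaHQ's rules): a tiny Sigma-style matcher run over
constructed Windows events for two of the detections named in the commit log.

Assumptions, none of which are taken from the commits themselves:
  - process-creation events expose 'Image' and 'CommandLine' (Sysmon EID 1);
  - registry events expose 'EventType' and 'TargetObject' (Sysmon EID 12);
  - the selections below are illustrative approximations of the real rules.
"""

# Rule 1: shadow-copy deletion through the built-in tools the commits mention.
SHADOW_COPY_DELETE = {
    "title": "Shadow copies deletion (illustrative)",
    "logsource": "process_creation",
    "selections": [
        {"Image|endswith": ["\\vssadmin.exe"], "CommandLine|contains|all": ["delete", "shadows"]},
        {"Image|endswith": ["\\wmic.exe"], "CommandLine|contains|all": ["shadowcopy", "delete"]},
        {"Image|endswith": ["\\diskshadow.exe"], "CommandLine|contains": ["delete shadows"]},
        {"Image|endswith": ["\\wbadmin.exe"], "CommandLine|contains|all": ["delete", "catalog"]},
        {"Image|endswith": ["\\powershell.exe"], "CommandLine|contains|all": ["Win32_Shadowcopy", "Delete"]},
    ],
}

# Rule 2: deletion of a provider subkey under the AMSI registry key (assumed path).
AMSI_PROVIDER_REMOVAL = {
    "title": "AMSI provider registry key removal (illustrative)",
    "logsource": "registry_event",
    "selections": [
        {"EventType": ["DeleteKey"],
         "TargetObject|startswith": ["HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"]},
    ],
}


def _field_matches(value, modifiers, patterns):
    """Apply Sigma-like modifiers (endswith/startswith/contains[|all]) case-insensitively."""
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if "endswith" in modifiers:
        return any(v.endswith(p) for p in pats)
    if "startswith" in modifiers:
        return any(v.startswith(p) for p in pats)
    if "contains" in modifiers:
        hits = [p in v for p in pats]
        return all(hits) if "all" in modifiers else any(hits)
    return v in pats  # plain field: case-insensitive equality, any listed value


def _selection_matches(selection, event):
    """All fields of one selection must match (Sigma AND within a selection)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event or not _field_matches(str(event[field]), modifiers, patterns):
            return False
    return True


def evaluate(rule, event):
    """Rule fires if the logsource fits and any selection matches (OR across selections)."""
    if event.get("logsource") != rule["logsource"]:
        return False
    return any(_selection_matches(s, event) for s in rule["selections"])


def matching_ids(rules, events):
    """Return (event id, rule title) pairs in event order."""
    return [(e["id"], r["title"]) for e in events for r in rules if evaluate(r, e)]


# Constructed sample events; the GUID is a placeholder, not a real provider CLSID.
SAMPLE_EVENTS = [
    {"id": 1, "logsource": "process_creation", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    # diskshadow reading its commands from a script file: the command line
    # never shows "delete shadows", so a command-line-only rule misses it.
    {"id": 2, "logsource": "process_creation", "Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\temp\script.txt"},
    {"id": 3, "logsource": "process_creation", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"id": 4, "logsource": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"id": 5, "logsource": "registry_event", "EventType": "DeleteKey",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{00000000-0000-0000-0000-000000000000}"},
    {"id": 6, "logsource": "registry_event", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{00000000-0000-0000-0000-000000000000}\(Default)"},
    {"id": 7, "logsource": "process_creation", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},  # benign enumeration, must not fire
]

if __name__ == "__main__":
    for event_id, title in matching_ids([SHADOW_COPY_DELETE, AMSI_PROVIDER_REMOVAL], SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
```

Events 1, 3, 4 and 5 fire; 6 is a value write rather than a key deletion and 7 is read-only enumeration, so neither should. Event 2 is the caveat worth keeping in mind for the diskshadow.exe addition: with `/s` the deletion lives in the script file, so command-line matching alone does not see it.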
Florian Roth
7812ff51d3 fix: FPs with Volume Shadow Copy Service Keys 2021-06-02 13:04:05 +02:00
dependabot[bot]
8fd0baebef
Bump urllib3 from 1.26.4 to 1.26.5
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.4 to 1.26.5.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.4...1.26.5)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 00:27:45 +00:00
Florian Roth
7288ae93b9
Merge pull request #1526 from WojciechLesicki/master
Added a new rule about loading dll CS via rundll32 and also some chan…
2021-06-01 21:54:26 +02:00
Florian Roth
eb4300756e
Update win_cobaltstrike_service_installs.yml 2021-06-01 21:53:25 +02:00
Florian Roth
736eeabf9f
Merge pull request #1527 from SigmaHQ/rule-devel
fix: rule FPs with Stealthy VSTO Persistence
2021-06-01 18:18:22 +02:00
Florian Roth
950b252d5c
Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki
d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki
90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki
cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
Florian Roth
34cf1333de fix: rule FPs with Stealthy VSTO Persistence 2021-06-01 13:58:35 +02:00
frack113
bf98f43850 Make powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for the EventID 2021-06-01 10:47:17 +02:00
frack113
5f98f00a36 Filtering Platform Connection events are in the Security channel, not System 2021-06-01 08:19:26 +02:00
Florian Roth
b191efaab1
Merge pull request #1522 from SigmaHQ/rule-devel
rule: nginx core dump
2021-05-31 16:56:16 +02:00
Florian Roth
ab73dd4dd6 rule: nginx core dump 2021-05-31 10:49:42 +02:00
Florian Roth
5b4742b5f9
Merge pull request #1521 from frack113/fix_some_logsource
Fix some logsource to get more accurate
2021-05-31 10:07:29 +02:00
frack113
0b2037ccad fix: **firewall** is a category, as in all other rules 2021-05-30 09:43:29 +02:00
frack113
aa34ff8e3c Addition of System channel for more accurate detection 2021-05-30 09:27:08 +02:00
frack113
7d55c7ca80 category other is useless
Add a new reference
2021-05-30 09:17:41 +02:00
frack113
f91abf8929 Fix: auditd is a service 2021-05-30 08:58:25 +02:00