SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00

Author	SHA1	Message	Date
Thomas Patzke	d17cc5c07d	Merge pull request #157 from yt0ng/development Added Detection of Sysinternals Tools via eulaaccepted registry key	2018-08-28 22:37:00 +02:00
Unknown	75d72344ca	Added Detection of Sysinternals Tools via eulaaccepted registry key	2018-08-28 17:36:22 +02:00
Thomas Patzke	a722fcd2b0	Merge pull request #156 from yt0ng/yt0ng-devel Adding LSASS Access Detected via Attack Surface Reduction	2018-08-27 23:50:42 +02:00
Thomas Patzke	ee15b451b4	Fixed log source name	2018-08-27 23:45:30 +02:00
Thomas Patzke	f2fd3b9443	Merge branch 'master' of https://github.com/Neo23x0/sigma	2018-08-27 23:41:41 +02:00
Thomas Patzke	6e7208553a	Revert "removing for new pull request" This reverts commit `ca7e8d6468`.	2018-08-27 23:39:29 +02:00
Unknown	2f256aa1ef	Adding LSASS Access Detected via Attack Surface Reduction	2018-08-27 10:38:45 +02:00
Thomas Patzke	8308cd6c1a	Rule fix	2018-08-26 22:35:35 +02:00
Thomas Patzke	87e39b8768	Fixed rules	2018-08-26 22:30:47 +02:00
Thomas Patzke	60a5922582	Merge branch 'master' of https://github.com/yt0ng/sigma into yt0ng-master	2018-08-26 22:12:19 +02:00
Florian Roth	5b3175d1d6	Rule: Suspicious procdump use on lsass process	2018-08-26 19:53:57 +02:00
yt0ng	df9f6688eb	Added Deskop Location, RunOnce and ATTCK Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7	2018-08-25 17:32:34 +02:00
yt0ng	eda6f3b9ca	rules/windows/sysmon/sysmon_powershell_DLL_execution.yml	2018-08-25 16:33:54 +02:00
Florian Roth	6bde2cd08f	Update lnx_buffer_overflows.yml	2018-08-25 00:20:34 +02:00
Florian Roth	234a48af19	rule: Linux SSHD exploit CVE-2018-15473 https://github.com/Rhynorater/CVE-2018-15473-Exploit	2018-08-24 16:40:41 +02:00
yt0ng	c7d4b4853d	removing sysmon_powershell_AMSI_bypass.yml	2018-08-23 10:17:19 +02:00
Florian Roth	f47a5c2206	fix: Author list to string	2018-08-23 09:40:28 +02:00
Thomas Patzke	49af499353	Merge pull request #151 from nikseetharaman/workflow_compiler Add Microsoft Workflow Compiler Sysmon Detection	2018-08-23 08:24:35 +02:00
Thomas Patzke	9235175e26	Fixed rule * Added condition * Replaced Description wirh Image attribute and improved search pattern	2018-08-23 08:20:28 +02:00
Thomas Patzke	73535e58a5	Merge pull request #153 from megan201296/patch-10 Add ATT&CK Matrix tags	2018-08-23 08:06:58 +02:00
Thomas Patzke	d647a7de07	Merge pull request #154 from megan201296/patch-11 Add MITRE ATT&CK tagging	2018-08-23 08:06:39 +02:00
Florian Roth	5de3cd71a4	Merge pull request #149 from yt0ng/development Detects Request to amsiInitFailed that can be used to disable AMSI Scanning	2018-08-22 17:19:10 +02:00
Florian Roth	040ba0338d	fix: Added Event ID in second selection	2018-08-22 17:03:13 +02:00
Florian Roth	0c729d1eea	Already used in different rule	2018-08-22 17:02:03 +02:00
Florian Roth	6ee31f6cd1	Update win_susp_commands_recon_activity.yml Merged recon commands from @yt0ng's rule	2018-08-22 17:00:00 +02:00
megan201296	3f5c32c6da	Add MITRE ATT&CK tagging	2018-08-22 09:35:06 -05:00
megan201296	76aabe7e05	Add ATT&CK Matrix tags	2018-08-22 09:30:55 -05:00
Nik Seetharaman	e371d945ed	Add Microsoft Workflow Compiler Sysmon Detection	2018-08-18 00:53:28 -05:00
yt0ng	ca7e8d6468	removing for new pull request	2018-08-17 18:42:10 +02:00
yt0ng	5bb6f566ba	::Merge remote-tracking branch 'upstream/master'	2018-08-17 18:39:36 +02:00
yt0ng	8ecf167e85	Powershell AMSI Bypass via .NET Reflection [Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120	2018-08-17 18:26:04 +02:00
yt0ng	07e411fe6b	Oilrig Information gathering whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1	2018-08-15 14:29:59 +02:00
Florian Roth	4e91462838	fix: Bugfix in Adwind rule	2018-08-15 12:33:03 +02:00
Florian Roth	92dc08a304	rule: Added recon command	2018-08-15 12:33:03 +02:00
Florian Roth	7c05b85bcd	rule: Added malware UA	2018-08-15 12:33:03 +02:00
Thomas Patzke	2c0e76be3d	Escaped * where required	2018-08-10 13:53:08 +02:00
Lurkkeli	7cdc13ef11	Update	2018-08-08 17:05:51 +02:00
Lurkkeli	392351af25	Adding ATT&CK tag	2018-08-08 16:43:54 +02:00
Lurkkeli	4d721f1803	Updating fps	2018-08-08 16:42:26 +02:00
Lurkkeli	b9f433414d	hiding files with attrib.exe	2018-08-08 16:19:39 +02:00
Thomas Patzke	01215a645e	Merge pull request #145 from yt0ng/master DNS TXT Answer with possible execution strings	2018-08-08 15:58:34 +02:00
Thomas Patzke	58afccb2f3	Fixed ATT&CK tagging	2018-08-08 15:58:19 +02:00
yt0ng	e44b4f450e	DNS TXT Answer with possible execution strings https://twitter.com/stvemillertime/status/1024707932447854592	2018-08-08 15:51:56 +02:00
Thomas Patzke	92c0e0321a	Merge pull request #144 from samsson/patch-7 Added att&ck tags	2018-08-07 11:19:36 +02:00
Lurkkeli	a245820519	added att&ck tag	2018-08-07 08:54:53 +02:00
Lurkkeli	294677a2cc	added att&ck tag	2018-08-07 08:50:01 +02:00
Lurkkeli	a57e87b345	added att&ck tag	2018-08-07 08:49:05 +02:00
Lurkkeli	99253763af	added att&ck tag	2018-08-07 08:45:58 +02:00
Lurkkeli	0bff27ec21	added att&ck tactic added att&ck tactic, no specific techniques applicable	2018-08-07 08:37:51 +02:00
Lurkkeli	198cb63182	added att&ck tactic added att&ck tactic, no specific techniques applicable	2018-08-07 08:36:53 +02:00

1 2 3 4 5 ...

575 Commits