SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00

Author	SHA1	Message	Date
David Vassallo	d7443d71a4	Create win_pass_the_hash_2.yml alternative detection methods	2019-06-14 18:08:36 +03:00
Thomas Patzke	a23f15d42b	Converted rule to generic log source	2019-06-11 13:20:15 +02:00
Thomas Patzke	5715413da9	Usage of Channel field name in ELK Windows config	2019-06-11 13:15:43 +02:00
Florian Roth	a0c9f1594e	Rule: renamed file - name was too generic	2019-06-02 10:57:44 +02:00
Florian Roth	491c519d1f	Rule: added wmic SHADOWCOPY DELETE	2019-06-02 10:56:13 +02:00
Florian Roth	80560dc12f	Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln	2019-06-02 09:52:18 +02:00
Florian Roth	5e7ae0590c	Rule: Split up WanaCry rule into two separate rules	2019-06-02 09:52:18 +02:00
Nate Guagenti	2163208e9c	update correct process name incorrect process name. accidentally had fsutil, should be bcdedit. thanks to https://twitter.com/INIT_3 for pointing this out	2019-06-01 09:50:50 -04:00
Sarkis Nanyan	60bc5253cf	win_disable_event_logging.yml: typo in audit policy name;	2019-05-29 15:43:44 +03:00
Florian Roth	7c1e856095	Merge pull request #353 from lprat/master Add rule for CVE-2019-0708	2019-05-27 09:11:17 +02:00
Florian Roth	323a7313fd	FP adjustments We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.	2019-05-27 08:54:18 +02:00
Thomas Patzke	241d814221	Merged WannaCry rules	2019-05-24 22:17:36 +02:00
Lionel PRAT	f65f693a88	Add rule for CVE-2019-0708	2019-05-24 10:01:19 +02:00
Florian Roth	7b63c92fc0	Rule: applying recommendation https://twitter.com/SwiftOnSecurity/status/1131464234901094400	2019-05-23 09:44:25 +02:00
Olaf Hartong	b60cfbe244	Added password flag	2019-05-22 13:20:26 +02:00
Florian Roth	346022cfe8	Transformed to process creation rule	2019-05-22 12:50:49 +02:00
Olaf Hartong	4a775650a2	Rule Windows 10 scheduled task SandboxEscaper 0-day	2019-05-22 12:36:03 +02:00
Olaf Hartong	e675cdf9c4	Rule Windows 10 scheduled task SandboxEscaper 0-day	2019-05-22 12:32:07 +02:00
Olaf Hartong	544dfe3704	Rule Windows 10 scheduled task SandboxEscaper 0-day	2019-05-22 12:28:42 +02:00
Florian Roth	c937fe3c1b	Rule: Terminal Service Process Spawn	2019-05-22 10:38:27 +02:00
Florian Roth	74ca0eeb88	Rule: Renamed PsExec	2019-05-21 09:49:40 +02:00
Thomas Patzke	2d0c08cc8b	Added wildcards to rule values These values appear somewhere in a log message, therefore wildcards are required.	2019-05-21 01:03:20 +02:00
Florian Roth	694fa567b6	Reformatted	2019-05-15 20:22:53 +02:00
Florian Roth	1c36bfde79	Bugfix - Swisscom in Newline	2019-05-15 15:03:55 +02:00
Florian Roth	d5f49c5777	Fixed syntax	2019-05-15 14:50:57 +02:00
Florian Roth	508d1cdae0	Removed double back slashes	2019-05-15 14:46:45 +02:00
Unknown	13522b97a7	Adjusting Newline	2019-05-15 12:15:41 +02:00
Unknown	275896dbe6	Suspicious Outbound RDP Rule likely identifying CVE-2019-0708	2019-05-15 11:47:12 +02:00
Codehardt	1ca57719b0	fix: fixed reference list, otherwise it's not valid string list	2019-05-10 10:37:12 +02:00
Codehardt	6585c83077	fix: fixed reference list, otherwise it's not valid string list	2019-05-10 10:13:35 +02:00
Thomas Patzke	25c0330dca	Added filter	2019-05-10 00:20:56 +02:00
Thomas Patzke	995c03eef9	Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1	2019-05-10 00:15:51 +02:00
Thomas Patzke	15a4c7e477	Fixed rule	2019-05-10 00:02:20 +02:00
Thomas Patzke	666e859d14	Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3	2019-05-10 00:00:14 +02:00
Thomas Patzke	f01fbd6b79	Merge branch	2019-05-09 23:51:15 +02:00
Thomas Patzke	e60fe1f46d	Changed rule * Adapted false positive notice to observation * Decreased level	2019-05-09 23:49:39 +02:00
Florian Roth	3dd76a9c5e	Converted to generic process creation rule Previous rule was prone to FPs; more generic form	2019-05-09 23:48:42 +02:00
Vasiliy Burov	792095734d	Update win_proc_wrong_parent.yml changes accordingly this documents: https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/ https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf	2019-05-09 23:48:36 +02:00
Florian Roth	378ba5b38f	Transformed rule I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs Fixed Typo Changes to title and description	2019-05-09 23:48:36 +02:00
Vasiliy Burov	8e6295e402	Windows processes with wrong parent Detect scenarios when malicious program is disguised as legitimate process	2019-05-09 23:48:36 +02:00
Thomas Patzke	121e21960e	Rule changes * Replaced variables with usual path names * Removed Temp directories due to many false positives * Matching on Image field, CommandLines often contain these paths	2019-05-09 23:09:22 +02:00
Thomas Patzke	9b67705799	Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2	2019-05-09 22:55:07 +02:00
Thomas Patzke	f0b0f54500	Merge improved pull request #322	2019-04-21 23:56:36 +02:00
Thomas Patzke	765fe9dcd9	Further improved Windows user creation rule * Decreased level * Fixed field names * Added false positive possibility	2019-04-21 23:54:18 +02:00
Karneades	b47900fbee	Add default path to filter for explorer in exe anomaly rule	2019-04-21 17:42:47 +02:00
Florian Roth	dd9648b31e	Revert "New Sigma rule detecting local user creation"	2019-04-21 09:09:25 +02:00
Thomas Patzke	49beb5d1a8	Integrated PR from @P4T12ICK in existing rule PR #321	2019-04-21 00:28:40 +02:00
Thomas Patzke	bdd184a24c	Merge pull request #322 from P4T12ICK/feature/win_user_creation New Sigma rule detecting local user creation	2019-04-21 00:20:15 +02:00
Thomas Patzke	80f45349ed	Modified rule * Adjusted ATT&CK tagging * Set status	2019-04-21 00:14:57 +02:00
Florian Roth	aab3dbee4f	Rule: Detect Empire PowerShell Default Cmdline Params	2019-04-20 09:38:41 +02:00

1 2 3 4 5 ...

760 Commits