valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
654 Commits 20 Branches 25 Tags 21 MiB
dacc6ae3d3
Commit Graph

132 Commits

Author SHA1 Message Date
Florian Roth
f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth
70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth
3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth
e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth
8b31767d31 Rule: PsExec usage 2018-03-15 19:54:22 +01:00
Thomas Patzke
ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke
8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Dominik Schaudel
cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth
d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth
0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth
a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth
d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
379b2dd207 New recon activity rule 2017-12-11 09:31:54 +01:00
Florian Roth
8e2aef035c Removed commands - false positive reduction 2017-12-11 09:31:54 +01:00
Florian Roth
1464ab4ab8 Renamed rule: recon activity > net recon activity - to be more specific 2017-12-11 09:31:54 +01:00
Thomas Patzke
2ec5919b9e Fixed win_disable_event_logging by multiline description 2017-11-19 22:49:40 +01:00
Nate Guagenti
a796ff329e
Create win_disable_event_logging 2017-11-15 21:56:30 -05:00
Florian Roth
a0ac61229c Rule: Detect plugged USB devices 2017-11-09 08:40:46 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke
f3a809eb00 Improved admin logon rules and removed duplicates 2017-11-01 21:33:01 +01:00
Thomas Patzke
0055eedb83
Merge pull request #54 from juju4/CAR-2016-04-005b 
Admin user remote login
 2017-11-01 21:22:09 +01:00
Thomas Patzke
613f922976
Merge pull request #43 from juju4/master 
New rules
 2017-11-01 21:21:30 +01:00
Thomas Patzke
118e8af738 Simplified rule collection 2017-11-01 10:00:35 +01:00
Thomas Patzke
732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Thomas Patzke
d0b2bd9875 Multiple rules per file 
* New wrapper class SigmaCollectionParser parses all YAML documents
  contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
 2017-10-31 23:06:18 +01:00
Thomas Patzke
9d96a998d7
Merge pull request #56 from juju4/CAR-2013-05-002b 
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
 2017-10-30 00:27:56 +01:00
Thomas Patzke
720c992573 Dropped within keyword 
Covered by timeframe attribute.

Fixes issue #26.
 2017-10-30 00:25:56 +01:00
Thomas Patzke
c865b0e9a8 Removed within keyword in rule 2017-10-30 00:15:01 +01:00
juju4
4b64fc1704 double quotes = escape 2017-10-29 14:42:40 -04:00
juju4
07185247cb double quotes = escape 2017-10-29 14:32:52 -04:00
juju4
f5f20c3f75 Admin user remote login 2017-10-29 14:30:11 -04:00
juju4
19dd69140b Detects Suspicious Run Locations - MITRE CAR-2013-05-002 2017-10-29 14:27:01 -04:00
juju4
ad27a0a117 Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002 2017-10-29 14:24:53 -04:00
juju4
e2213347ad Merge remote-tracking branch 'upstream/master' 2017-09-09 11:33:18 -04:00
Florian Roth
e06cf6c43f Service install - net user persistence 2017-08-16 15:16:57 +02:00
juju4
b109a1277e Detects suspicious process related to rasdial.exe 2017-08-13 16:20:25 -04:00
juju4
012ed4cd7d Detects execution of executables that can be used to bypass Applocker whitelisting 2017-08-13 16:20:01 -04:00
juju4
f861969e95 tentative rule to detect admin users remote login 2017-08-13 16:19:24 -04:00
juju4
d2ae98b0de tentative rule to detect admin users interactive login 2017-08-13 16:18:58 -04:00
juju4
21b1c52d1e forfiles, bash detection 2017-08-13 16:18:13 -04:00
Thomas Patzke
0217cd5b1d Merge branch 'master' into travis-test-working 2017-08-02 23:03:03 +02:00
Thomas Patzke
f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke
6f5b9e183c Merge branch 'master' into travis-test-working 2017-08-02 00:32:52 +02:00
Thomas Patzke
b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00