Commit Graph

8294 Commits

Author SHA1 Message Date
frack113
dfd316c0ce Add web_iis_tilt_shortname_scan.yml 2021-10-06 17:46:15 +02:00
frack113
6d56e400d2
Merge pull request #2121 from frack113/update_test
Update test adding logsource to duplicate logic test
2021-10-06 14:46:48 +02:00
Florian Roth
539756c884
Merge pull request #2124 from SigmaHQ/rule-devel
rule: Apache Path Traversal - CVE-2021-41773
2021-10-06 10:55:26 +02:00
frack113
d0561d361b
Merge pull request #2123 from rachelrice/update_aws_rules
Update AWS SAML and Lambda rules
2021-10-05 19:49:54 +02:00
Rachel Rice
d9e5da6c86
Use startswith for eventName selection
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2021-10-05 17:52:52 +01:00
Florian Roth
5576f50470
fix: title, add my name 2021-10-05 17:35:09 +02:00
Florian Roth
0fde46b602
Merge branch 'master' into rule-devel 2021-10-05 17:33:48 +02:00
Florian Roth
482df0a0ad
rule: Apache Vuln CVE-2021-41773 2021-10-05 17:33:37 +02:00
frack113
651d453aeb
Merge pull request #2122 from frack113/move_file
Move file to correct directory
2021-10-05 16:58:26 +02:00
frack113
ba3356cdb0
Merge pull request #2120 from MetallicHack/master
azure_ad_user_added_to_admin_role.yml
2021-10-05 16:57:58 +02:00
Rachel Rice
4ae3ece314
Update AWS SAML and Lambda rules
Use correct case for `AssumeRoleWithSAML` event name.
`UpdateFunctionConfiguration`, `UpdateFunctionConfiguration20150331` and `UpdateFunctionConfiguration20150331v2` are all valid event names for updating Lambda function configuration, added selection condition for any of these.
2021-10-05 14:08:40 +01:00
MetallicHack
030fc2a03e
change title and tags in order to match sigmarules 2021-10-05 09:40:25 +02:00
MetallicHack
a4100e76b9
change title and tags in order to match sigmarules 2021-10-05 09:39:03 +02:00
frack113
80d09483d9 move to builtin 2021-10-05 07:33:50 +02:00
frack113
4f86a245f8 Order file in correct directory 2021-10-05 07:30:43 +02:00
frack113
201708c097
Merge pull request #2103 from webboy2015/patch-1
Create win_lolbas_execution_of_nltest.exe.yaml
2021-10-05 07:24:05 +02:00
frack113
654b5b4bff
Update win_lolbas_execution_of_nltest.yml 2021-10-04 22:08:47 +02:00
frack113
fd329f4f9b Remove unneeded EventID 2021-10-04 21:25:57 +02:00
frack113
759a715198 Add logsource to duplicate logic test 2021-10-04 20:34:45 +02:00
MetallicHack
fe439e1998
Rename azure_ad_user_added_to_sensitive_role.yml to azure_ad_user_added_to_admin_role.yml 2021-10-04 15:26:58 +02:00
MetallicHack
96f05f7f19
Update azure_ad_user_added_to_sensitive_role.yml 2021-10-04 15:25:55 +02:00
frack113
dc030e0128
Merge pull request #2114 from austinsonger/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-03 08:24:52 +02:00
Austin Songer
81d1bb0e2b
Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-10-02 13:32:20 -05:00
frack113
e666b7e1db
Merge pull request #2116 from zakibro/master
New Rule - Linux - Auditd - Clipboard Collection of Image Data with X…
2021-10-02 11:06:24 +02:00
zakibro
c2a26923c6
Update lnx_auditd_clipboard_image_collection.yml 2021-10-02 09:59:37 +02:00
frack113
f652745924
Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml 2021-10-02 07:53:19 +02:00
frack113
e6b32b90af
Update win_lolbas_execution_of_nltest.exe 2021-10-02 07:25:11 +02:00
frack113
d819d726eb
Merge pull request #2112 from austinsonger/macos_suspicious_macos_firmware_activity.yml
macos_suspicious_macos_firmware_activity.yml
2021-10-02 07:09:11 +02:00
webboy2015
87df79302d
Update win_lolbas_execution_of_nltest.exe
Changed condition as follows:
   detection:
       selection:
          EventID: 4689
          ProcessName|endswith: nltest.exe
          Status: "0x0"
       condition: selection

Included field - SubjectDomainName
2021-10-01 12:55:37 -07:00
zakibro
d40b42fc2c
Update lnx_auditd_clipboard_image_collection.yml
fixing a typo
2021-10-01 18:54:12 +02:00
Pawel Mazur
e67770d7ea New Rule - Linux - Auditd - Clipboard Collection of Image Data with Xclip Tool 2021-10-01 18:43:03 +02:00
frack113
19a834e317
Merge pull request #2111 from TareqAlKhatib/master
Corrected Technique
2021-10-01 15:17:01 +02:00
Tareq Alkhatib
0d22601112 Added Compromise Infrastructure: Web Services technique 2021-10-01 08:40:59 -04:00
frack113
fce5f9bed3
Merge pull request #2110 from zaicurity/patch-1
Added alternative nltest command parameter
2021-10-01 07:33:40 +02:00
Austin Songer
04acba9c77
Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-09-30 19:58:21 -05:00
Austin Songer
00513ff2c5
Create macos_suspicious_macos_firmware_activity.yml 2021-09-30 18:47:15 -05:00
Tareq Alkhatib
b0b95ce32b Corrected Technique 2021-09-30 16:34:14 -04:00
frack113
e900945761
Update win_trust_discovery.yml 2021-09-30 19:26:14 +02:00
zaicurity
76224b0fb2
Added alternative nltest command parameter
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2c)
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. 
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
frack113
1c842037cf
Merge pull request #2109 from Karneades/patch-1
Add fp note to powershell winapi rule
2021-09-30 17:45:03 +02:00
frack113
6eea77ae38
Merge pull request #2105 from frack113/powershell
powershell_susp_zip_compress add 4104
2021-09-30 17:40:13 +02:00
frack113
94bff8e5ea
Merge pull request #2108 from hazedav/master
fix(backend): add remediation for lacework policy
2021-09-30 17:38:38 +02:00
Andreas Hunkeler
82ba266a53
Add fp note to powershell winapi rule 2021-09-30 16:38:39 +02:00
hazedav
67818f125a
fix(backend): add remediation for lacework policy 2021-09-30 09:27:18 -05:00
frack113
29d66a965c add 4104 2021-09-30 10:03:11 +02:00
webboy2015
056067086c
Create win_lolbas_execution_of_nltest.exe.yaml
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
frack113
84ec2f582a
Merge pull request #2100 from kidrek/sysmon_delete_prefetch
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 17:53:33 +02:00
frack113
159bf4bbc1
Merge pull request #2099 from frack113/sysmon_26
add EventID 26
2021-09-29 17:06:31 +02:00
frack113
ed1a1caa2e
Merge pull request #2098 from frack113/fix_tags
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
Florian Roth
05c58b4892
Merge pull request #2102 from neonprimetime/patch-1
misspelled 'mshta.exe' in selection_base
2021-09-29 16:38:04 +02:00