SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00

Author	SHA1	Message	Date
Florian Roth	e53826e167	Extended Sysmon Office Shell rule	2018-04-09 08:37:30 +02:00
Thomas Patzke	f113832c04	Merge pull request #69 from jmallette/rules Create cmdkey recon rule	2018-04-08 23:23:30 +02:00
Thomas Patzke	a3e02ea70f	Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename	2018-03-27 14:35:49 +02:00
Thomas Patzke	dacc6ae3d3	Fieldname case: Commandline -> CommandLine	2018-03-25 23:08:28 +02:00
Florian Roth	e141a834ff	Rule: Ping hex IP address https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna	2018-03-23 17:00:00 +01:00
Florian Roth	97204d8dc0	Renamed rule	2018-03-20 15:04:11 +01:00
Florian Roth	e9fcfcba7f	Improved NetNTLM downgrade rule	2018-03-20 15:03:55 +01:00
Florian Roth	a7eb4d3e34	Renamed rule	2018-03-20 11:12:35 +01:00
Florian Roth	b84bbd327b	Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks	2018-03-20 11:07:21 +01:00
Florian Roth	a6d293e31d	Improved tscon rule	2018-03-20 10:54:04 +01:00
Florian Roth	8fb6bc7a8a	Rule: Suspicious taskmgr as LOCAL_SYSTEM	2018-03-19 16:36:39 +01:00
Florian Roth	af8be8f064	Several rule updates	2018-03-19 16:36:15 +01:00
Florian Roth	648ac5a52e	Rules: tscon.exe anomalies http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6	2018-03-17 19:14:13 +01:00
Karneades	49c12f1df8	Add missing binaries	2018-03-16 10:52:43 +01:00
Florian Roth	a257b7d9d7	Rule: Stickykey improved	2018-03-16 09:10:07 +01:00
Florian Roth	0460e7f18a	Rule: Suspicious process started from taskmgr	2018-03-15 19:54:03 +01:00
Florian Roth	f5494c6f5f	Rule: StickyKey-ike backdoor usage	2018-03-15 19:53:34 +01:00
Florian Roth	5ae5c9de19	Rule: Outlook spawning shells to detect Turla like C&C via Outlook	2018-03-10 09:04:11 +01:00
jmallette	aff46be8a3	Create cmdkey recon rule	2018-03-08 13:25:05 -05:00
Thomas Patzke	8ee24bf150	WMI persistence rules derived from blog article https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize	2018-03-07 23:05:10 +01:00
Thomas Patzke	8041f77abd	Merged similar rules	2018-03-06 23:19:11 +01:00
Thomas Patzke	84645f4e59	Simplified rule conditions with new condition constructs	2018-03-06 23:14:43 +01:00
Florian Roth	1001afb038	Rule: CVE-2015-1641	2018-02-22 16:59:40 +01:00
Florian Roth	25dc3e78be	Lowered severity of rule - prone to false positives	2018-02-22 16:59:11 +01:00
Florian Roth	9020a9aa32	Fixed file names "vuln" > "exploit"	2018-02-22 13:29:19 +01:00
Florian Roth	5d763581fa	Adding status "experimental" to that rule	2018-02-22 13:28:01 +01:00
Florian Roth	0be687d245	Rule: Detect CVE-2017-0261 exploitation	2018-02-22 13:27:20 +01:00
Florian Roth	fa4dbc0f2e	Rule: QuarksPwDump temp dump file	2018-02-10 15:25:36 +01:00
SherifEldeeb	348728bdd9	Cleaning up empty list items	2018-01-28 02:36:39 +03:00
SherifEldeeb	48441962cc	Change All "str" references to be "list"to mach schema update	2018-01-28 02:24:16 +03:00
SherifEldeeb	112a0939d7	Change "reference" to "references" to match new schema	2018-01-28 02:12:19 +03:00
Florian Roth	aca70e57ec	Massive Title Cleanup	2018-01-27 10:57:30 +01:00
Florian Roth	285f5bab4f	Removed duplicate string	2017-12-11 09:31:54 +01:00
Florian Roth	78854b79c4	Rule: System File Execution Location Anomaly	2017-11-27 14:09:22 +01:00
Florian Roth	93fbc63691	Rule to detect droppers exploiting CVE-2017-11882	2017-11-23 00:58:31 +01:00
Florian Roth	59e5b3b999	Sysmon: Named Pipe detection for APT malware	2017-11-06 14:24:42 +01:00
Florian Roth	37cea85072	Rundll32.exe suspicious network connections	2017-11-04 14:44:30 +01:00
Thomas Patzke	720c992573	Dropped within keyword Covered by timeframe attribute. Fixes issue #26.	2017-10-30 00:25:56 +01:00
Thomas Patzke	27227855b5	Merge branch 'devel-sigmac'	2017-10-29 23:59:49 +01:00
Thomas Patzke	012cb6227f	Added proper handling of null/not null values Fixes issue #25	2017-10-29 23:57:39 +01:00
Florian Roth	b7e8000ccb	Improved Office Shell rule > added 'schtasks.exe'	2017-10-25 23:53:45 +02:00
Thomas Patzke	d7c659128c	Removed unneeded array	2017-10-18 15:12:29 +02:00
Florian Roth	deea224421	Rule: New RUN Key Pointing to Suspicious Folder	2017-10-17 16:19:56 +02:00
Florian Roth	00baa4ed40	Executables Started in Suspicious Folder	2017-10-14 23:23:04 +02:00
Florian Roth	358d1ffba0	Executables Started in Suspicious Folder	2017-10-14 23:22:20 +02:00
Florian Roth	20f9dbb31c	CVE-2017-8759 - Winword.exe > csc.exe	2017-09-15 15:49:56 +02:00
Thomas Patzke	986c9ff9b7	Added field names to first rules	2017-09-12 23:54:04 +02:00
Thomas Patzke	68cb5e8921	Merge pull request #45 from secman-pl/patch-1 Update sysmon_susp_regsvr32_anomalies to detect wscript child process	2017-09-10 22:52:37 +02:00
Florian Roth	bfe8378455	Rule: Suspicious svchost.exe process	2017-08-31 11:07:45 +02:00
secman-pl	9768f275d0	Update sysmon_susp_regsvr32_anomalies Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100 SCT script code: var objShell = new ActiveXObject("WScript.shell");	2017-08-29 12:21:47 +02:00

1 2 3

141 Commits