SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00

Author	SHA1	Message	Date
$frack113$ frack113	cccfb3e59e	file_event is a category	2021-05-12 09:05:52 +02:00
Florian Roth	7d7f8c90ec	Merge pull request #1443 from icthieves/patch-3 Update win_scm_database_privileged_operation.yml	2021-05-11 15:00:20 +02:00
Florian Roth	980ea97217	Merge pull request #1444 from icthieves/patch-2 Update win_scm_database_handle_failure.yml	2021-05-11 15:00:09 +02:00
Florian Roth	384f40aa5b	Merge pull request #1464 from d4rk-d4nph3/master Added rule for Moriya rootkit	2021-05-06 18:15:53 +02:00
Florian Roth	453fa0f299	Update win_moriya_rootkit.yml	2021-05-06 15:24:21 +02:00
Florian Roth	79c11a5cba	Update win_moriya_rootkit.yml	2021-05-06 14:59:28 +02:00
Bhabesh Rai	e5f95cac0c	Added rule for Moriya rootkit	2021-05-06 17:29:20 +05:45
phantinuss	254a3bb122	new rules detecting the creation of a local hidden user	2021-05-05 15:12:07 +02:00
Ian Thieves	65294d97c4	Update win_scm_database_handle_failure.yml Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43 Query should match where SubjectLogonID != "0x3e4"	2021-04-26 11:28:16 -07:00
Ian Thieves	8efa10465e	Update win_scm_database_privileged_operation.yml Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43 Query should match where SubjectLogonID != "0x3e4"	2021-04-26 11:25:16 -07:00
Florian Roth	c7ce9154d1	Merge pull request #1030 from stevengoossensB/master Updated sysmon config and rewrite rules to use categories	2021-04-23 16:52:25 +02:00
Josh Brower	dfc1218e6a	false positive - added Azure AD Connect	2021-04-20 08:24:38 -04:00
Josh Brower	2486a85a1f	Added MS Threat Docs for 4616 to references	2021-04-19 08:15:42 -04:00
Florian Roth	7039209a7a	Merge pull request #1425 from SigmaHQ/rule-devel refactor: tightened filter	2021-04-19 11:32:02 +02:00
Florian Roth	53c6a7c54e	refactor: tightened filter	2021-04-19 09:30:32 +02:00
Florian Roth	941d47bc28	Merge pull request #1416 from sycophantic/master Remove extra spaces	2021-04-15 13:20:49 +02:00
Steven	a8d8165541	Yet another syntax fix	2021-04-15 09:25:04 +02:00
Steven	9f5e8a02a4	Fix parse errors	2021-04-15 02:46:41 +02:00
Steven	8301b9c221	Fix selection vs selection_1 in rule files	2021-04-15 02:41:04 +02:00
Steven	ecbd730dad	Fix syntax errors in some rules	2021-04-15 02:07:43 +02:00
Steven	d263b937b4	Clean-up service: sysmon as it will be replaced by filling the category	2021-04-15 02:02:25 +02:00
Steven	850a002840	Merge branch 'master' of https://github.com/SigmaHQ/sigma	2021-04-15 01:25:48 +02:00
Roberto Rodriguez	db0e969121	HybridConnectionMgr Service Activity	2021-04-12 16:26:15 -04:00
Florian Roth	4abebd98d9	Merge pull request #1418 from SigmaHQ/rule-devel Fixing false positives with newest OSCD rules	2021-04-09 17:26:02 +02:00
Florian Roth	65a11dde52	fix: rules causing too many false positives	2021-04-09 15:55:14 +02:00
Thomas Patzke	3fef2a10b8	Merge branch 'pr-1158'	2021-04-08 23:01:54 +02:00
sycophantic	86b9652086	Remove extra spaces	2021-04-08 13:57:21 -04:00
Thomas Patzke	a10db2df89	Fixes&improvements	2021-04-08 01:06:40 +02:00
Thomas Patzke	d1de168295	Merge branch 'oscd'	2021-04-06 00:05:35 +02:00
Florian Roth	48265ad71a	Merge pull request #1398 from SigmaHQ/rule-devel MSExchange Management log mapping, some fixes	2021-03-20 17:21:31 +01:00
Florian Roth	525f4b6a6b	Merge pull request #1388 from Cyb3rPandaH/master CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property	2021-03-20 08:53:04 +01:00
Florian Roth	334dd9a058	Update win_set_oabvirtualdirectory_externalurl.yml	2021-03-20 08:34:02 +01:00
Florian Roth	dd4a1ac393	fix: prone to FPs - use is unclear https://regex101.com/r/tss5TZ/1	2021-03-18 16:44:49 +01:00
Florian Roth	d30e87d543	fix: lsass access - FPs with AV / EDR software	2021-03-18 09:04:03 +01:00
Cyb3rPandaH	f138a27426	CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property Rule to detect an adversary setting OabVirtualDirectory External URL property to a script	2021-03-15 00:33:47 -04:00
Florian Roth	78004cc29c	fix: condition contains - values without 0x	2021-03-10 18:56:05 +01:00
Florian Roth	29dec7dd8b	fix: FPs with LSASS Access from Non System Account	2021-03-10 18:51:27 +01:00
Anton Kutepov	f461becc58	Added missed changes in win_net_ntlm_downgrade and merged duplicate rules	2021-03-02 23:34:34 +03:00
Anton Kutepov	3f45269296	Merge branch 'oscd' B B B B A	2021-03-02 22:58:41 +03:00
Florian Roth	40710fe89a	Merge pull request #1357 from Neo23x0/rule-devel Rule FP fixes	2021-02-26 11:05:00 +01:00
jaegeral	e1f43f17c2	fixed various spelling errors all over rules and source code	2021-02-24 14:43:13 +00:00
Florian Roth	0489d4bfa4	fix: rule	2021-02-24 13:44:13 +01:00
Florian Roth	028ce2a548	fix: Sysmon NTLM downgrade attack - too many fps	2021-02-24 13:22:25 +01:00
Florian Roth	f834862833	Merge pull request #1107 from vburov/patch-10 Update win_susp_eventlog_cleared.yml	2021-02-18 11:19:53 +01:00
Florian Roth	a6684c66d6	Merge pull request #1110 from vburov/patch-11 Update win_disable_event_logging.yml	2021-02-18 11:18:32 +01:00
Florian Roth	76e6f38215	Merge pull request #1348 from bartlomiej-czyz/patch-1 Create win_metasploit_or_impacket_smb_psexec_service_install.yaml	2021-02-18 11:14:40 +01:00
bartlomiej-czyz	b771fb0c55	Change win_metasploit_or_impacket_smb_psexec_service_install.yml severity level	2021-02-08 12:45:59 +01:00
bartlomiej-czyz	ae15cef5e7	Rename .yaml to .yml	2021-02-03 22:20:48 +01:00
bartlomiej-czyz	3e9c177c65	Create win_metasploit_or_impacket_smb_psexec_service_install.yaml	2021-02-03 22:16:21 +01:00
David Straßegger	6a6929cfb6	implemented rule for scheduled task deletion	2021-01-22 08:09:56 +01:00

1 2 3 4 5 ...

651 Commits