valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,231 Commits 20 Branches 25 Tags 21 MiB
eb4300756e
Commit Graph

6231 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
9166167447
Merge pull request #1433 from d4rk-d4nph3/master 
Added rule for Lazarus activity of Apr 2021
 2021-04-26 20:34:51 +02:00
Florian Roth
3008e5b9e7
Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy 
Fix typo on CommandLine field
 2021-04-26 20:33:56 +02:00
Florian Roth
194b0af4d2
Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas 
Fix typo on CommandLine field
 2021-04-26 20:33:45 +02:00
Ian Thieves
65294d97c4
Update win_scm_database_handle_failure.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:28:16 -07:00
Ian Thieves
8efa10465e
Update win_scm_database_privileged_operation.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:25:16 -07:00
Florian Roth
6d2acb1660
Merge pull request #1441 from SigmaHQ/rule-devel 
feat: generic registry events compatible with native audit logging
 2021-04-26 10:24:44 +02:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Florian Roth
66d0f910dd feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00
Florian Roth
9a14557136
Merge pull request #1437 from SigmaHQ/rule-devel 
feat: generic categories, thor config, revert splunk config
 2021-04-25 21:54:17 +02:00
Florian Roth
08234c4620 Revert "fix: splunk for windows config errors" 
This reverts commit 13347df263.
 2021-04-25 21:52:29 +02:00
Cedric Hien
748005fc14 Fix typo on CommandLine field 2021-04-25 15:52:59 +02:00
Cedric Hien
c580db166c Fix typo on CommandLine field 2021-04-25 15:50:44 +02:00
Florian Roth
d766c12888 feat: generic categories - thor config 2021-04-23 17:47:09 +02:00
Florian Roth
1ff5e226ad
Merge pull request #1436 from SigmaHQ/rule-devel 
Rule devel
 2021-04-23 17:33:07 +02:00
Florian Roth
f2fa8dd956 rules: CobaltStrike named pipes 2021-04-23 17:16:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
Florian Roth
a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth
6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth
1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth
5aed7c80db
Merge pull request #1435 from SigmaHQ/rule-devel 
fix: FPs with certutil command and McAfee Chromium Container
 2021-04-23 14:55:31 +02:00
Florian Roth
85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth
ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth
6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Florian Roth
886079ce8f
Merge pull request #1434 from phantinuss/master 
THOR: search generic *.log files for product: linux
 2021-04-23 12:35:24 +02:00
phantinuss
95fa99b4a3
search generic log files for product: linux 2021-04-23 12:00:48 +02:00
Florian Roth
6d1b9f36e8 feat: thor config - process all *.log files 2021-04-23 10:31:07 +02:00
Florian Roth
64f5af4c45
Merge pull request #1432 from SigmaHQ/rule-devel 
fix: splunk windows config, additional rule
 2021-04-23 10:30:44 +02:00
Florian Roth
d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth
13347df263 fix: splunk for windows config errors 2021-04-23 09:50:13 +02:00
Florian Roth
b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Scoubi
23791664eb
Rename win_Outlook_C2_Macro_Creation.yml to win_Outlook_C2_Registry_Key.yml 
Gave the wrong name to the file, this is the correct one.
 2021-04-21 08:45:15 -04:00
Scoubi
0b7ed7e690
Add a space 
There was a missing space in `-attack` changed for `- attack`
 2021-04-20 20:50:20 -04:00
Scoubi
fadb889116
Create win_Outlook_C2_Macro_Creation.yml 
BEC is for Business Email Compromise (this can be changed)
 2021-04-20 20:38:20 -04:00
Scoubi
678ce5d528
Create win_Outlook_C2_Macro_Creation.yml 
Not 100% if this is the best place to put it.
 2021-04-20 20:34:19 -04:00
Bhabesh Rai
dd391cd0b9 Added rule for Lazarus activity of Apr 2021 2021-04-20 20:05:51 +05:45
Florian Roth
1fea9a7c41
Merge pull request #1428 from defensivedepth/patch-3 
false positive - added Azure AD Connect
 2021-04-20 15:10:31 +02:00
Josh Brower
dfc1218e6a
false positive - added Azure AD Connect 2021-04-20 08:24:38 -04:00
Thomas Patzke
35e6e515ba
Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield 
Fix es-dsl aggregation generation when aggfield is not given
 2021-04-20 10:35:16 +02:00
Florian Roth
0bf2625393
Merge pull request #1421 from ZikyHD/patch_fireeye_helix_backend 
Fix SyntaxWarning for 'is' on fireeye-helix backend
 2021-04-20 09:07:10 +02:00
Florian Roth
68c59850af
Merge pull request #1422 from ZikyHD/fix_lnx_system_info_discovery 
Fix invalid logsource on lnx_system_info_discovery rule
 2021-04-20 09:06:54 +02:00
Florian Roth
20c5356c9e
Merge pull request #1424 from ZikyHD/fix_process_creation_dotnet 
Fix typo on CommandLine
 2021-04-20 09:06:38 +02:00
Florian Roth
0b9a7c14f3
Merge pull request #1426 from defensivedepth/patch-2 
Added MS Threat Docs for 4616 to references
 2021-04-20 09:06:23 +02:00
Josh Brower
2486a85a1f
Added MS Threat Docs for 4616 to references 2021-04-19 08:15:42 -04:00
Florian Roth
7039209a7a
Merge pull request #1425 from SigmaHQ/rule-devel 
refactor: tightened filter
 2021-04-19 11:32:02 +02:00
Florian Roth
53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00
Cedric Hien
1d6aec3c25 Fix typo on CommandLine 2021-04-19 08:20:44 +02:00
Cedric Hien
bbdbab700d Fix invalid logsource on lnx_system_info_discovery rule 2021-04-17 12:57:30 +02:00
Cedric Hien
2ff27aa980 Fix SyntaxWarning for 'is' on fireeye-helix backend 2021-04-17 12:55:13 +02:00
Florian Roth
941d47bc28
Merge pull request #1416 from sycophantic/master 
Remove extra spaces
 2021-04-15 13:20:49 +02:00
Steven
a8d8165541 Yet another syntax fix 2021-04-15 09:25:04 +02:00