svch0stz
d7acbb369e
Created powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:22:09 +11:00
Nikita P. Nazarov
0ad9fc61de
Detecting Code injection with PowerShell in another process
2020-10-06 20:52:18 +03:00
Nikita P. Nazarov
c90d99c0f9
Accessing WinAPI in PowerShell
2020-10-06 19:57:57 +03:00
Steven
05d2de4c26
- Cleaned up some more rules where 'service: sysmon' was combined with category
- Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent
modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
modified: rules/windows/malware/mal_azorult_reg.yml
modified: rules/windows/powershell/powershell_suspicious_profile_create.yml
modified: rules/windows/process_creation/sysmon_cmstp_execution.yml
modified: rules/windows/process_creation/win_apt_chafer_mar18.yml
modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml
modified: rules/windows/process_creation/win_hktl_createminidump.yml
modified: rules/windows/process_creation/win_mal_adwind.yml
modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml
2020-10-02 10:45:29 +02:00
aw350m3
eb6b9be5a2
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
aw350m3
c28fce6273
fix duplication of key "modified" in mapping
2020-08-25 00:53:09 +00:00
aw350m3
c22273d162
fix duplication of key modified in mapping
2020-08-25 00:50:38 +00:00
aw350m3
399f378269
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
aw350m3
ba2e891433
windows/powershell folder reviewed. Old IDs marked with comment "an old one". These IDs have to be removed in future.
2020-08-24 00:01:50 +00:00
Ryan Plas
de53a08746
Merge branch 'master' of github.com:Neo23x0/sigma
2020-07-15 10:27:33 -04:00
Florian Roth
58b68758b4
fix: wrong MITRE ATT&CK ids used in the beta version
2020-07-14 17:53:32 +02:00
Ryan Plas
04fd598bcf
Update additional rules to have correct logsource attributes
2020-07-13 17:02:17 -04:00
Ryan Plas
25d978d9bd
Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values
2020-07-11 22:17:06 -04:00
Thomas Patzke
7eb499ad85
Added rule id
2020-07-07 22:54:55 +02:00
Thomas Patzke
360b5714a8
Split and improved new rule
2020-07-07 22:47:14 +02:00
Thomas Patzke
0ce5f2cc75
Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483
2020-07-07 22:37:11 +02:00
Harish SEGAR
649e4eaa63
Added new rule for pwsh_xor_cmd
2020-06-29 22:09:58 +02:00
Ivan Kirillov
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
zaphod
1a598282f4
Add 'Add-Content' to powershell_ntfs_ads_access
2020-05-13 11:57:10 +02:00
Remco Verhoef
40539a0c0e
fix incorrect use of action global
2020-05-06 22:53:02 +02:00
Florian Roth
4f469c0e39
Adjusted level
2020-04-14 13:37:10 +02:00
teddy-ROxPin
1501331f77
Create powershell_create_local_user.yml
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
2020-04-11 02:51:05 -06:00
Florian Roth
0ea2db8b9e
Merge pull request #484 from hieuttmmo/master
New sigma rules to detect new MITRE technique in last update (T1502)
2020-04-03 09:59:36 +02:00
Florian Roth
f4928e95bc
Update powershell_suspicious_profile_create.yml
2020-04-03 09:36:17 +02:00
Florian Roth
c0ab9c5745
Merge pull request #671 from HarishHary/powershell_downgrade_attack
Powershell downgrade attack (small improvements)
2020-04-03 09:31:33 +02:00
Florian Roth
6cf0edc076
Merge pull request #685 from teddy-ROxPin/patch-1
Typo fix for powershell_suspicious_invocation_generic.yml
2020-04-03 09:30:32 +02:00
Remco Hofman
b791d599ee
Disabled keywords that could cause FPs
2020-03-30 08:53:52 +02:00
teddy-ROxPin
1a3731f7ae
Typo fix for powershell_suspicious_invocation_generic.yml
' - windowstyle hidden ' changed to ' -windowstyle hidden '
2020-03-29 04:16:15 -06:00
Remco Hofman
f52ed4150d
WMImplant parameter detection
2020-03-27 15:08:35 +01:00
Florian Roth
35e43db7a7
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
Harish SEGAR
67694e4ba7
Restructure new improvement to process_creation folder.
2020-03-20 23:29:32 +01:00
Harish SEGAR
b9a916ceb4
Removed useless condition.
2020-03-20 22:50:26 +01:00
Harish SEGAR
30fac9545a
Fixed author field.
2020-03-20 22:49:07 +01:00
Harish SEGAR
1f251cec07
Added missing action field
2020-03-20 22:46:19 +01:00
Harish SEGAR
293018a9e7
Added conditions...
2020-03-20 22:33:14 +01:00
Harish SEGAR
74b81120e4
Usage of value modifiers...
2020-03-20 22:03:48 +01:00
Harish SEGAR
b129f09fee
Improvement detection on downgrade of powershell
2020-03-20 21:48:19 +01:00
Florian Roth
dd1a0e764c
docs: more false positive conditions
2020-02-25 11:13:58 +01:00
Florian Roth
5d96f81a84
fix: lowered level due to false positives
2020-02-25 11:12:11 +01:00
Thomas Patzke
48d95f027c
Merge branch 'oscd'
2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145
Rule fixes
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Florian Roth
a4c210ed16
rule: remove keywords in powershell rule prone to FPs
2020-02-11 16:26:17 +01:00
Thomas Patzke
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
Thomas Patzke
815c562a17
Merge branch 'master' into oscd
2020-02-02 13:40:08 +01:00
Thomas Patzke
f59b36d891
Fixed rule
2020-02-02 12:54:56 +01:00
Thomas Patzke
593abb1cce
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
Florian Roth
7a222920df
added 'date'
2020-01-31 15:27:30 +01:00
Florian Roth
913c839780
added 'id'
2020-01-31 15:26:43 +01:00
Florian Roth
848e0c90e4
Merge branch 'master' into master
2020-01-31 14:45:29 +01:00
Florian Roth
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
Thomas Patzke
9bb50f3d60
OSCD QA wave 2
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00
Thomas Patzke
ae6fcefbcd
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
Thomas Patzke
8d6a507ec4
OSCD QA wave 1
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Alessio Dalla Piazza
f45587074b
Add the ability to detect PowerUp - Invoke-AllChecks
PowerUp allows attackers to check whether local privilege escalation attacks against Windows systems are possible. The main function is called "Invoke-AllChecks" and checks possible paths of escalation.
2019-12-23 11:50:57 +01:00
Thomas Patzke
924e1feb54
UUIDs + moved unsupported logic
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
testing.
2019-12-19 23:56:36 +01:00
Thomas Patzke
694d666539
Merge branch 'master' into oscd
2019-12-19 23:15:15 +01:00
Rob Rankin
e251568760
Data Compressed duplicate titles
2019-12-09 16:24:10 +00:00
yugoslavskiy
d5722979ea
add rules by Daniel Bohannon
2019-11-27 00:02:45 +01:00
yugoslavskiy
efc404fbae
resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml
2019-11-19 02:11:19 +01:00
yugoslavskiy
cd69111522
Merge branch 'oscd' into master
2019-11-14 00:36:34 +03:00
yugoslavskiy
c8ee6e9631
Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov
[OSCD] Ilyas Ochkov contribution
2019-11-14 00:22:48 +03:00
Thomas Patzke
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
Florian Roth
b7c3f8da91
refactor: cleanup, single element lists, renamed files, level adjustments
2019-11-12 12:55:05 +01:00
yugoslavskiy
0db5436778
add tieto dns exfil rules
2019-11-10 20:27:21 +03:00
yugoslavskiy
bdac415fea
Merge pull request #486 from yugoslavskiy/tieto_oscd
[OSCD] Tieto DNS exfiltration rules
2019-11-10 19:36:02 +03:00
yugoslavskiy
4fa928866f
oscd task #6 done.
add 25 new rules:
- win_ad_replication_non_machine_account.yml
- win_dpapi_domain_backupkey_extraction.yml
- win_protected_storage_service_access.yml
- win_dpapi_domain_masterkey_backup_attempt.yml
- win_sam_registry_hive_handle_request.yml
- win_sam_registry_hive_dump_via_reg_utility.yml
- win_lsass_access_non_system_account.yml
- win_ad_object_writedac_access.yml
- powershell_alternate_powershell_hosts.yml
- sysmon_remote_powershell_session_network.yml
- win_remote_powershell_session.yml
- win_scm_database_handle_failure.yml
- win_scm_database_privileged_operation.yml
- sysmon_wmi_module_load.yml
- sysmon_remote_powershell_session_process.yml
- sysmon_rdp_registry_modification.yml
- sysmon_powershell_execution_pipe.yml
- sysmon_alternate_powershell_hosts_pipe.yml
- sysmon_powershell_execution_moduleload.yml
- sysmon_createremotethread_loadlibrary.yml
- sysmon_alternate_powershell_hosts_moduleload.yml
- powershell_remote_powershell_session.yml
- win_non_interactive_powershell.yml
- win_syskey_registry_access.yml
- win_wmiprvse_spawning_process.yml
improve 1 rule:
- rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
2019-11-10 18:43:41 +03:00
yugoslavskiy
127335a0ec
Merge pull request #482 from yugoslavskiy/master
[OSCD][The ThreatHunter-Playbook] Task 6: DONE
2019-11-10 17:27:54 +03:00
yugoslavskiy
82f23c5f63
Merge pull request #477 from zinint/oscd
add 13 new rules:
- rules/linux/auditd/lnx_auditd_masquerading_crond.yml
- rules/linux/auditd/lnx_auditd_user_discovery.yml
- rules/linux/auditd/lnx_data_compressed.yml
- rules/linux/auditd/lnx_network_sniffing.yml
- rules/windows/powershell/powershell_data_compressed.yml
- rules/windows/powershell/powershell_winlogon_helper_dll.yml
- rules/windows/process_creation/win_change_default_file_association.yml
- rules/windows/process_creation/win_data_compressed_with_rar.yml
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml
- rules/windows/process_creation/win_network_sniffing.yml
- rules/windows/process_creation/win_query_registry.yml
- rules/windows/process_creation/win_service_execution.yml
- rules/windows/process_creation/win_xsl_script_processing.yml
modify 1 rule:
- rules/windows/process_creation/win_possible_applocker_bypass.yml
2019-11-05 04:55:29 +03:00
yugoslavskiy
ac95d840b4
Update powershell_winlogon_helper_dll.yml
2019-11-05 04:33:07 +03:00
yugoslavskiy
c147863eb3
Update powershell_data_compressed.yml
2019-11-05 02:38:36 +03:00
zinint
2679baddcd
Delete powershell_network_sniffing.yml
2019-11-04 23:46:43 +03:00
zinint
12ef86fcbe
t1040
2019-10-30 23:18:37 +03:00
Thomas Patzke
f4e9690d6b
Merge pull request #508 from Karneades/fixRule3
fix: bound keywords to field in multiple PS rules
2019-10-29 22:34:08 +01:00
Thomas Patzke
78d8ca2b41
Merge pull request #507 from Karneades/fixRule2
fix: bound keywords to field in PS cred prompt rule
2019-10-29 22:31:01 +01:00
Karneades
ab5556ae8c
fix: change keyword and bound it to a field
2019-10-29 19:59:43 +01:00
Karneades
aafab2e936
fix: bound keywords to field in multiple PS rules
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
2019-10-29 19:53:18 +01:00
Karneades
f31750e567
fix: bound keywords to field in PS cred prompt rule
2019-10-29 19:43:04 +01:00
darkquasar
cb6eb35913
adding some more suspicious PS keywords
found in multiple internally analyzed malicious scripts (in the wild and as result of engagements)
2019-10-28 22:14:14 -07:00
Yugoslavskiy Daniil
4251d9f490
ilyas ochkov contribution
2019-10-29 03:44:22 +03:00
hieuttmmo
0c07c5ea16
convention
2019-10-25 11:00:05 +07:00
hieuttmmo
e86ab608f2
Update powershell_suspicious_profile_create.yml
2019-10-25 10:53:21 +07:00
yugoslavskiy
5eb484a062
add tieto dns exfiltration rules
2019-10-25 04:30:55 +02:00
hieuttmmo
edb698c7f7
Update powershell_suspicious_profile_create.yml
2019-10-25 00:28:11 +07:00
hieuttmmo
73b10807d8
Rename powershell_susp_profile_create.yml to powershell_suspicious_profile_create.yml
2019-10-25 00:14:39 +07:00
hieuttmmo
0e4cd397ef
Create new rules for T1502
2019-10-25 00:14:21 +07:00
yugoslavskiy
4fb9821b49
added:
win_non_interactive_powershell.yml
win_remote_powershell_session.yml
win_wmiprvse_spawning_process.yml
powershell_alternate_powershell_hosts.yml
powershell_remote_powershell_session.yml
sysmon_alternate_powershell_hosts_moduleload.yml
sysmon_alternate_powershell_hosts_pipe.yml
sysmon_non_interactive_powershell_execution.yml
sysmon_powershell_execution_moduleload.yml
sysmon_powershell_execution_pipe.yml
sysmon_remote_powershell_session_network.yml
sysmon_remote_powershell_session_process.yml
sysmon_wmi_module_load.yml
sysmon_wmiprvse_spawning_process.yml
2019-10-24 15:48:38 +02:00
zinint
aef5fa3c2b
Rename powershell_winlogon_helper_dll.yaml to powershell_winlogon_helper_dll.yml
2019-10-24 16:37:38 +03:00
zinint
5a98fdbbbd
ART t1004
2019-10-24 16:33:29 +03:00
zinint
317e9d3df9
PS Data Compressed attack.t1002
2019-10-24 15:43:46 +03:00
4A616D6573
fdbdca003b
Create win_powershell_web_request.yml
Broader rule for detecting web requests via various methods using Windows PowerShell, slightly crosses over the below rules but caters for different methods:
99b15edf8a/rules/windows/process_creation/win_powershell_download.yml
0fa914139c/rules/windows/powershell/powershell_suspicious_download.yml
2019-10-24 11:57:37 +11:00
ecco
01956f1312
powershell false positives
2019-09-06 03:54:19 -04:00
Tareq AlKhatib
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
Alec Costello
886de39814
Small edits
Got trigger happy, first time doing this, please don't crucify me.
2019-05-17 17:40:32 +03:00
Alec Costello
d90c0ea990
Create powershell_nishang_malicious_commandlets.yml
2019-05-16 17:51:45 +03:00
mrblacyk
99595a7f89
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Florian Roth
74e3c79f40
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:38 +01:00
Tareq AlKhatib
7e4bb1d21a
Removed duplicate filters
2019-01-25 12:21:57 +03:00
Florian Roth
90e8eba530
rule: false positive reduction in PowerShell rules
2019-01-22 16:37:36 +01:00
Thomas Patzke
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
Roberto Rodriguez
328762ed67
Update powershell_xor_commandline.yml
Duplicate names again for https://github.com/Neo23x0/sigma/search?q=Suspicious+Encoded+PowerShell+Command+Line&unscoped_q=Suspicious+Encoded+PowerShell+Command+Line . This breaks elastalert integration since each rule needs to have its own unique name.
2018-12-05 05:51:41 +03:00
Thomas Patzke
900db72557
Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master
2018-12-04 23:35:23 +01:00
Kyle Polley
60538e2e12
changed .yaml files to .yml for consistency
2018-11-20 21:07:36 -08:00
Florian Roth
fd06cde641
Rule: Detect base64 encoded PowerShell shellcode
https://twitter.com/cyb3rops/status/1063072865992523776
2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
Thomas Patzke
ff98991c80
Fixed rule
2018-10-18 16:20:51 +02:00
Thomas Patzke
a2da73053d
Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9
2018-10-18 16:16:57 +02:00
Florian Roth
a2c6f344ba
Lower case T
2018-09-26 11:44:12 +02:00
Braz
f35308a4d3
Missing Character
Parsed the MITRE ATT&CK information from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Florian Roth
68896d9294
style: renamed rule files to all lower case
2018-09-08 10:25:20 +02:00
megan201296
3154be82f3
Added .yml extension and fix typo
2018-09-06 20:28:22 -05:00
Lurkkeli
30fc4bd030
powershell xor commandline
New rule to detect -bxor usage in a powershell commandline.
2018-09-05 09:21:15 +02:00
Florian Roth
016b15a2a9
Added quotation marks
I've added quotation marks to make it clearer (leading dash looks weird)
2018-07-26 18:10:21 +02:00
Lurkkeli
7796492c2b
Update powershell_NTFS_Alternate_Data_Streams
2018-07-26 08:54:08 -07:00
Florian Roth
cf7f5c7473
Changes
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right?
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
2018-07-25 07:35:59 +02:00
Lurkkeli
db82322d17
Update powershell_NTFS_Alternate_Data_Streams
2018-07-24 20:03:07 +02:00
Lurkkeli
fd8c5c5bf6
Update powershell_NTFS_Alternate_Data_Streams
2018-07-24 20:00:21 +02:00
Lurkkeli
ad580635ea
Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 19:49:08 +02:00
ntim
c99dc9f643
Tagged windows powershell, other and malware rules.
2018-07-24 10:56:41 +02:00
Florian Roth
fc72bd16af
Fixed bugs
2018-06-27 09:20:41 +02:00
Thomas Patzke
8041f77abd
Merged similar rules
2018-03-06 23:19:11 +01:00
Thomas Patzke
84645f4e59
Simplified rule conditions with new condition constructs
2018-03-06 23:14:43 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change all "str" references to be "list" to match schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Florian Roth
d9f933fec9
Fixed the fixed PSAttack rule
2017-10-19 09:52:40 +02:00
Florian Roth
0b0435bf7a
Fixed PSAttack rule
2017-10-18 21:49:38 +02:00
Thomas Patzke
f768bf3d61
Fixed parse errors
2017-08-02 22:49:15 +02:00
Florian Roth
abb01cc264
Rule: PowerShell credential prompt
2017-04-09 10:22:04 +02:00
Florian Roth
fa37f5afcf
Rules: PowerShell Downgrade Attacks
2017-03-22 11:17:46 +01:00
Florian Roth
055992eb05
Bugfix: PowerShell rules log source inconsistency
2017-03-21 10:22:13 +01:00
Florian Roth
a0047f7c67
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
Florian Roth
de689c32b5
Suspicious PowerShell Invocation
2017-03-12 17:06:53 +01:00
Florian Roth
294df21c56
Added expression
2017-03-05 22:45:54 +01:00
Florian Roth
7fae49b183
More PowerShell rules
2017-03-05 15:01:51 +01:00
Florian Roth
1e1cf9cb9e
PowerShell Rules Revision
2017-03-05 14:14:31 +01:00
Omer Yampel
97b4078d01
Update powershell_malicious_commandlets.yml
Added https://github.com/putterpanda/mimikittenz reference
2017-03-04 20:26:39 -05:00
Florian Roth
d397ee9f68
First PowerShell Ruleset
2017-03-05 01:47:25 +01:00