valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
207 Commits 20 Branches 25 Tags 21 MiB
f9be5b99ad
Commit Graph

28 Commits

Author SHA1 Message Date
Thomas Patzke
889315c960 Changed values with placeholders to quoted strings 
Values beginning with % cause YAML parse error
 2017-03-18 23:05:16 +01:00
Florian Roth
dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth
dd558e941c Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth
2e32e1bb43 Rule: User account added to local Administrators 2017-03-14 12:51:50 +01:00
Florian Roth
ff8e3fe584 Merge pull request #9 from iliaselmatani/patch-1 
Create win_pass_the_hash.yml
 2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
IeM
9f5e5a2366 Update win_pass_the_hash.yml 
Added placeholders for WorkstationName to detect network logons between Workstations.
 2017-03-13 16:09:32 +01:00
IeM
4d5ded46e6 Update win_pass_the_hash.yml 2017-03-08 20:35:26 +01:00
Florian Roth
3507a5e644 Rule: Rare Windows Service Installs 2017-03-08 19:09:34 +01:00
IeM
381b85fd94 Update win_pass_the_hash.yml 
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
 2017-03-08 18:48:06 +01:00
IeM
e4d764ceba Create win_pass_the_hash.yml 
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
 2017-03-08 18:04:31 +01:00
Florian Roth
5484886932 Rule: Windows - Recon Activity (improved) 2017-03-07 13:06:38 +01:00
Florian Roth
fa6f76f276 Rule: Windows - Recon Activity 2017-03-07 12:01:39 +01:00
Florian Roth
aad892c834 Windows Built-In rules > LogSource definition 2017-03-05 23:55:52 +01:00
Florian Roth
16c5192ee9 Windows Malicious Password Dumper Service Installs 2017-03-05 23:52:02 +01:00
Florian Roth
b1446f9b87 Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00
Thomas Patzke
15c6f9411b Rule review 
* Typos
* Added false positive descriptions
 2017-02-24 23:44:42 +01:00
Thomas Patzke
a4611d6dc6 Added new rules 
From adsecurity.org:

* https://adsecurity.org/?p=1772
* https://adsecurity.org/?p=1714
 2017-02-19 22:43:27 +01:00
Florian Roth
52d04e52ac Removed lists from log source section 2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0 Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00
Thomas Patzke
9a38d6543f Fixed type of condition 2017-02-16 23:49:34 +01:00
Florian Roth
18fd63f6b7 Levels to low, medium, high, critical 2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d Rule review and cleanup 
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
  OR linkage would cause wrong result.
 2017-02-15 23:53:08 +01:00
Florian Roth
04ea201817 New rules and cleanup 2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5 Renamed rule files, new rules 2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5 Moved rules to a separate directory 2017-02-07 00:44:40 +01:00