valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,286 Commits 20 Branches 25 Tags 21 MiB
f9f814f3b3
Commit Graph

3286 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Sander Wiebing
f9f814f3b3
Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing
a241792e10
Reduce FP of legitime processes 
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

Python 2.7, 3.3 and 3.7 does not have any file characteristics.

So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
 2020-05-26 12:58:15 +02:00
Sander Wiebing
91b4ee8d56
Merge pull request #2 from Neo23x0/master 
Update repository
 2020-05-26 12:24:21 +02:00
Florian Roth
a962bd1bc1
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source 
Fix 'source' value for win_susp_backup_delete
 2020-05-25 10:48:36 +02:00
Florian Roth
0afe0623af
Merge pull request #757 from tliffick/master 
added rule for Blue Mockingbird (cryptominer)
 2020-05-25 10:47:23 +02:00
Florian Roth
92d0aa8654
Merge pull request #795 from SanWieb/Rule-improvement-Netsh-program-allowed 
Rule improvement: netsh Application or Port allowed
 2020-05-25 10:46:39 +02:00
Sander Wiebing
6fcf3f9ebf
Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing
28652e4648
Add Windows Server 2008 and Windows Vista support 
It did not support the command `netsh advfirewall firewall add`
 2020-05-25 10:02:13 +02:00
Sander Wiebing
2678cd1d3e
Create win_netsh_fw_add_susp_image.yml 
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. 

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
 2020-05-25 09:50:47 +02:00
Sander Wiebing
4cd7c39e9d
Merge pull request #1 from Neo23x0/master 
Update repository
 2020-05-25 08:48:16 +02:00
Thomas Patzke
0dda757ca5 Merge branch 'socprime-master' 2020-05-24 22:58:58 +02:00
Thomas Patzke
daf7ab5ff7 Cleanup: removal of corelight_* backends 2020-05-24 22:41:38 +02:00
Thomas Patzke
d45f8e19fe Fixes 2020-05-24 21:46:55 +02:00
Thomas Patzke
32e4998c49 Removed dead code from ALA backend. 2020-05-24 21:45:37 +02:00
Thomas Patzke
24b08bbf30 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 17:06:32 +02:00
Florian Roth
40f0beb58d
Merge pull request #794 from SanWieb/update_susp_run_key 
Remove AppData folder as suspicious folder
 2020-05-24 16:30:10 +02:00
Sander Wiebing
b8ee736f44
Remove AppData folder as suspicious folder 
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
 2020-05-24 15:16:07 +02:00
Florian Roth
6fbfa9dfdd
Merge pull request #793 from Neo23x0/rule-devel 
Esentutl rule and StrongPity Loader UA
 2020-05-23 23:47:12 +02:00
Florian Roth
3028a27055 fix: buggy rule 2020-05-23 18:32:02 +02:00
Florian Roth
df715386b6 rule: suspicious esentutl use 2020-05-23 18:27:36 +02:00
Florian Roth
d0da2810c1
Merge pull request #792 from EccoTheFlintstone/fff 
fix FP + remove powershell rule redundant with sysmon_in_memory_power…
 2020-05-23 18:13:16 +02:00
Florian Roth
8321cc7ee1
Merge pull request #772 from gamma37/suspicious_activities 
Create a rule for "suspicious activities"
 2020-05-23 18:11:32 +02:00
Florian Roth
d1a5471d21 rule: Strong Pity loader UA 2020-05-23 17:38:10 +02:00
ecco
67faf4bd41 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml 2020-05-23 10:56:23 -04:00
Florian Roth
9cd9a301c2
Merge pull request #791 from SanWieb/master 
added rule for Netsh RDP port opening
 2020-05-23 16:50:31 +02:00
Florian Roth
e1a05dfc1c
Update lnx_auditd_susp_C2_commands.yml 2020-05-23 16:49:03 +02:00
Florian Roth
ee1ca77fad
Merge pull request #771 from gamma37/new_rules 
Create a new rule to detect "Create Account"
 2020-05-23 16:47:46 +02:00
Florian Roth
895c84703f
Merge pull request #790 from EccoTheFlintstone/fp_fix 
fix false positive matching on every powershell process not run by SY…
 2020-05-23 16:47:01 +02:00
ecco
327a53c120 add new test for sysmon rules without eventid 2020-05-23 10:25:37 -04:00
ecco
10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
ecco
2b89e56054 fix test 2020-05-23 10:03:13 -04:00
ecco
d9bc09c38c fix test 2020-05-23 10:02:58 -04:00
ecco
78a7852a43 renamed dbghelp rule with new ID and comment and removed a false positive 2020-05-23 09:16:40 -04:00
Sander Wiebing
d310805ed9
rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco
75ba5f989c add 1 more FP to wmi load 2020-05-23 07:44:45 -04:00
ecco
9a7f462d79 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
ecco
cfde0625f5 fix false positive matching on every powershell process not run by SYSTEM account 2020-05-23 07:05:09 -04:00
Florian Roth
12e1aeaf9f
Merge pull request #788 from Neo23x0/rule-devel 
refactor: split up rule for CVE-2020-1048 into 2 rules
 2020-05-23 09:54:43 +02:00
Florian Roth
46f3a70a7d
Merge pull request #786 from EccoTheFlintstone/perf_fix 
various rules cleaning (slight perf improvements)
 2020-05-23 09:54:28 +02:00
Florian Roth
34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth
57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
ecco
ec17c2ab56 filter on createkey only when needed 2020-05-22 10:37:00 -04:00
Thomas Patzke
96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth
64e0e7ca72
Merge pull request #784 from Neo23x0/rule-devel 
refactor: slightly improved Greenbug rule
 2020-05-21 14:19:09 +02:00
Florian Roth
91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth
bbf78374b6
Merge pull request #783 from Neo23x0/rule-devel 
Greenbug Rule
 2020-05-21 09:55:46 +02:00
Florian Roth
9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth
344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
Thomas Patzke
8d9b706d6a
Merge pull request #727 from 3CORESec/master 
Override Features
 2020-05-20 19:11:56 +02:00
Florian Roth
e7980bb434
Merge pull request #782 from ZikyHD/patch-1 
Remove duplicate 'CommandLine' in fields
 2020-05-20 12:55:41 +02:00