Florian Roth
5a3af872d8
Merge pull request #1479 from SigmaHQ/rule-devel
Rule devel, Trademark test
2021-05-15 13:42:34 +02:00
Florian Roth
9b32e72d0b
fix: syntax issue
2021-05-15 13:19:12 +02:00
Florian Roth
48757423ef
rule darkside patterns
2021-05-14 18:06:53 +02:00
Arnim Rupp
b9fc257124
Update av_relevant_files.yml
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
2021-05-09 00:03:47 +02:00
Arnim Rupp
ad3b829f2d
Update av_webshell.yml
Added new strings and moved some from startswith to contains.
2021-05-08 08:49:17 +02:00
Steven
cce8d945a0
Clean rule rules/windows/malware/win_mal_octopus_scanner.yml to use category
2021-04-15 02:30:41 +02:00
Steven
a9f2a80b8c
- Remove duplicate rule
- Fix linux rule (categories -> category)
2021-04-15 02:23:08 +02:00
Steven
d263b937b4
Clean-up service: sysmon as it will be replaced by filling the category
2021-04-15 02:02:25 +02:00
Steven
850a002840
Merge branch 'master' of https://github.com/SigmaHQ/sigma
2021-04-15 01:25:48 +02:00
Thomas Patzke
d1de168295
Merge branch 'oscd'
2021-04-06 00:05:35 +02:00
BlueTeamOps
6ef5f0a0a2
Added detection for Dumpert
-Dumpert based LSASS dump using DLL
-Dumpert.exe detection
2021-03-27 07:34:05 +11:00
BlueTeamOps
8916459bab
Added additional CS signatures
2021-03-25 22:44:24 +11:00
Anton Kutepov
3f45269296
Merge branch 'oscd'
2021-03-02 22:58:41 +03:00
markus-nclose
67d3d5e220
Fixed CobaltStrike typo
2021-02-25 07:25:20 +02:00
Anton Kutepov
98cc025208
Renamed ProcessName field to Image for the process_creation category.
2021-02-25 01:57:26 +03:00
jaegeral
e1f43f17c2
fixed various spelling errors all over rules and source code
2021-02-24 14:43:13 +00:00
Arnim Rupp
d5de3fe5f9
more AV event and suspicious commands
some of the AV events are duplicates of win_av_relevant_match.yml, should we clean that up or include the strings in both?
2021-01-07 17:54:19 +01:00
yugoslavskiy
e4c302bf6f
Merge pull request #1231 from vburov/patch-16
[OSCD] Detects LockerGoga Ransomware command line.
2021-01-06 00:30:08 +03:00
Jonhnathan
0ffd1ef47f
Remove additional backslash
2020-11-19 23:15:38 -03:00
Jonhnathan
351a9920ed
Update win_mal_flowcloud.yml
2020-11-19 23:14:44 -03:00
Jonhnathan
266109f3d8
Update win_mal_ryuk.yml
2020-10-27 22:47:41 -03:00
Jonhnathan
514f9ccd28
Update win_mal_ryuk.yml
2020-10-27 22:42:15 -03:00
Jonhnathan
dbad6c637f
Update av_webshell.yml
2020-10-27 22:35:45 -03:00
Jonhnathan
0afe48a0a0
Update av_relevant_files.yml
2020-10-27 22:34:57 -03:00
Jonhnathan
95da1ec500
Update av_relevant_files.yml
2020-10-27 22:32:16 -03:00
Jonhnathan
d3c6d9df31
Update win_mal_ryuk.yml
2020-10-27 22:21:16 -03:00
Jonhnathan
98c7639db7
Update mal_azorult_reg.yml
2020-10-27 22:19:04 -03:00
Jonhnathan
8f4d6f802b
Update mal_azorult_reg.yml
2020-10-27 22:18:41 -03:00
Jonhnathan
9fd203e2a3
Update mal_azorult_reg.yml
2020-10-27 22:07:45 -03:00
Vasiliy Burov
439f88f75a
Create win_mal_lockergoga.yml
2020-10-18 20:25:37 +03:00
Jonhnathan
0dfacd1f63
Fix
2020-10-15 20:27:10 -03:00
Jonhnathan
9795c95a9b
Update av_webshell.yml
2020-10-15 20:25:34 -03:00
Jonhnathan
345c3c6451
Fix
2020-10-15 20:24:31 -03:00
Jonhnathan
86ade194a4
Fix
2020-10-15 20:22:56 -03:00
Jonhnathan
acfe0633e2
Update win_mal_ursnif.yml
2020-10-15 16:18:38 -03:00
Jonhnathan
983e9cb9ae
Update win_mal_ryuk.yml
2020-10-15 16:18:14 -03:00
Jonhnathan
8d44548a2c
Update win_mal_flowcloud.yml
2020-10-15 16:16:08 -03:00
Jonhnathan
ef646e74d8
Update mal_azorult_reg.yml
2020-10-15 16:15:25 -03:00
Jonhnathan
69c90570ec
Update av_webshell.yml
2020-10-15 16:14:08 -03:00
Jonhnathan
cdaa5ef3a6
Update av_relevant_files.yml
2020-10-15 16:13:22 -03:00
Jonhnathan
7dc720cf13
Update av_password_dumper.yml
2020-10-15 16:11:52 -03:00
Jonhnathan
dea145cd5e
Update av_exploiting.yml
2020-10-15 16:11:24 -03:00
Steven
05d2de4c26
- Cleaned up some more rules where 'service: sysmon' was combined with category
- Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent
modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
modified: rules/windows/malware/mal_azorult_reg.yml
modified: rules/windows/powershell/powershell_suspicious_profile_create.yml
modified: rules/windows/process_creation/sysmon_cmstp_execution.yml
modified: rules/windows/process_creation/win_apt_chafer_mar18.yml
modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml
modified: rules/windows/process_creation/win_hktl_createminidump.yml
modified: rules/windows/process_creation/win_mal_adwind.yml
modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml
2020-10-02 10:45:29 +02:00
Ivan Kirillov
b343df2225
Further subtechnique updates
2020-06-17 11:31:40 -06:00
Ivan Kirillov
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
Brad Kish
422b2bffd7
Fix rules with incorrect escaping of wildcards
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
Florian Roth
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud
TA410 FlowCloud malware detection
2020-06-09 17:18:39 +02:00
Remco Hofman
a9bf22750a
Fixed bad indentation
2020-06-09 16:30:17 +02:00
Remco Hofman
4ce3ea735e
TA410 FlowCloud malware detection
2020-06-09 16:21:46 +02:00
Remco Hofman
d14d391761
Octopus Scanner malware rule
2020-06-09 16:12:05 +02:00