CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Feature/addruletype to sigma rule#230 (#235)

Browse Source 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
This commit is contained in:
DustInDark
2021-11-28 18:14:51 +09:00
committed by GitHub
parent bc230f7cd5
commit 0cfa806baf
1087 changed files with 1186 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml
View File

@@ -70,3 +70,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1106
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml
View File

@@ -27,3 +27,4 @@ tags:
- attack.discovery
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_automated_collection.yml
View File

@@ -38,3 +38,4 @@ status: experimental
tags:
- attack.collection
- attack.t1119
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml
View File

@@ -29,3 +29,4 @@ tags:
- attack.t1069.001
- attack.t1069.002
- attack.t1069
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
View File

@@ -25,3 +25,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1216
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
View File

@@ -25,3 +25,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1216
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
View File

@@ -26,3 +26,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1216
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
View File

@@ -26,3 +26,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1216
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_create_local_user.yml
View File

@@ -26,3 +26,4 @@ tags:
- attack.persistence
- attack.t1136.001
- attack.t1136
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_data_compressed.yml
View File

@@ -29,3 +29,4 @@ tags:
- attack.exfiltration
- attack.t1560
- attack.t1002
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml
View File

@@ -30,3 +30,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1497.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml
View File

@@ -23,3 +23,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml
View File

@@ -28,3 +28,4 @@ status: experimental
tags:
- attack.exfiltration
- attack.t1048.003
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml
View File

@@ -22,3 +22,4 @@ status: test
tags:
- attack.privilege_escalation
- attack.t1548
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
View File

@@ -37,3 +37,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
View File

@@ -24,3 +24,4 @@ tags:
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_keylogging.yml
View File

@@ -28,3 +28,4 @@ status: experimental
tags:
- attack.collection
- attack.t1056.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml
View File

@@ -121,3 +121,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml
View File

@@ -44,3 +44,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
View File

@@ -24,3 +24,4 @@ references:
status: experimental
tags:
- attack.t1003
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
View File

@@ -94,3 +94,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml
View File

@@ -33,3 +33,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
View File

@@ -147,3 +147,4 @@ status: experimental
tags:
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml
View File

@@ -25,3 +25,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_psattack.yml
View File

@@ -23,3 +23,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml
View File

@@ -27,3 +27,4 @@ status: experimental
tags:
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml
View File

@@ -30,3 +30,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
View File

@@ -26,3 +26,4 @@ status: experimental
tags:
- attack.execution
- attack.t1059.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_software_discovery.yml
View File

@@ -31,3 +31,4 @@ status: experimental
tags:
- attack.discovery
- attack.t1518
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
View File

@@ -28,3 +28,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
View File

@@ -29,3 +29,4 @@ status: experimental
tags:
- attack.collection
- attack.t1074.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml
View File

@@ -27,3 +27,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
View File

@@ -26,3 +26,4 @@ status: experimental
tags:
- attack.credential_access
- attack.t1552.004
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
View File

@@ -24,3 +24,4 @@ status: experimental
tags:
- attack.credential_access
- attack.t1003.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
View File

@@ -35,3 +35,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
View File

@@ -92,3 +92,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml
View File

@@ -37,3 +37,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml
View File

@@ -28,3 +28,4 @@ status: experimental
tags:
- attack.collection
- attack.t1114.001
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
View File

@@ -26,3 +26,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1070.005
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml
View File

@@ -28,3 +28,4 @@ status: experimental
tags:
- attack.collection
- attack.t1119
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
View File

@@ -23,3 +23,4 @@ status: experimental
tags:
- attack.discovery
- attack.t1120
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml
View File

@@ -26,3 +26,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1564.003
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
View File

@@ -27,3 +27,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1218
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_timestomp.yml
View File

@@ -32,3 +32,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1070.006
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml
View File

@@ -31,3 +31,4 @@ status: experimental
tags:
- attack.privilege_escalation
- attack.t1546.013
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_web_request.yml
View File

@@ -34,3 +34,4 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
View File

@@ -31,3 +31,4 @@ status: experimental
tags:
- attack.defense_evasion
- attack.t1562.004
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml
View File

@@ -33,3 +33,4 @@ tags:
- attack.persistence
- attack.t1547.004
- attack.t1004
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml
View File

@@ -33,3 +33,4 @@ status: experimental
tags:
- attack.privilege_escalation
- attack.t1546.003
ruletype: SIGMA

1
rules/sigma/powershell/powershell_script/powershell_wmimplant.yml
View File

@@ -42,3 +42,4 @@ tags:
- attack.t1047
- attack.t1059.001
- attack.t1086
ruletype: SIGMA