valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
447 Commits 20 Branches 25 Tags 21 MiB
0895ea88ed
Commit Graph

447 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
0895ea88ed Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-10-18 19:05:59 +02:00
Thomas Patzke
5449a12a14 Added GrepBackend 
Moved field quoting/filtering into QuoteCharMixin
 2017-10-18 19:03:38 +02:00
Florian Roth
440bf29607 Added Thomas' hack.lu talk 2017-10-18 15:51:58 +02:00
Thomas Patzke
54cf9af0c9 Removed ELK Sysmon config 
It's contained in ELK Windows config
 2017-10-18 15:23:55 +02:00
Thomas Patzke
3418b949f3 Enhanced integration testing by configurations 2017-10-18 15:23:10 +02:00
Thomas Patzke
d7c659128c Removed unneeded array 2017-10-18 15:12:29 +02:00
Florian Roth
deea224421 Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 16:19:56 +02:00
Florian Roth
00baa4ed40 Executables Started in Suspicious Folder 2017-10-14 23:23:04 +02:00
Florian Roth
358d1ffba0 Executables Started in Suspicious Folder 2017-10-14 23:22:20 +02:00
Florian Roth
f4720d5149 APT17 malware UA 
https://twitter.com/cyb3rops/status/915135877709549568
 2017-10-03 12:47:53 +02:00
Thomas Patzke
b8eedfe3f0 Fixes and refactoring of KibanaBackend and XPackWatcherBackend 
* Moved unnecessary code out of condition loop
* Index specific rule-name not appended to rulename variable used later
  from other rule/index.
* Merged condition loop
 2017-09-30 23:22:05 +02:00
Thomas Patzke
1d314e326e sigmac: MultiRuleOutputMixin 
* Moved rule name generation into mixin
* KibanaBackend and XPackWatcherBackend now use this mixin instead of
  doing the same thing in both classes.
 2017-09-30 01:03:08 +02:00
Thomas Patzke
b47e3e45a8 Merge branch 'devel-sigmac' 2017-09-22 00:31:22 +02:00
Thomas Patzke
d410adb397 sigmac: X-Pack Watcher backend improvements 
* Renamed backend class according to convention
* Output types: curl (default) and plain
* Prefix of rule names
* Indices from configuration
* Support for multiple conditions per rule
* Usage of parsed condition
* Support for all condition operators
* Fixed bug preventing from passing multiple options to backend
* Added to CI tests
 2017-09-22 00:28:35 +02:00
Thomas Patzke
62eb3b2923 Merge branch 'devel-sigmac' of https://github.com/megadevx/sigma into devel-sigmac-watcher 2017-09-19 23:08:04 +02:00
Thomas Patzke
545e05370f Added first config for logstash-linux project 
URL: https://github.com/thomaspatzke/logstash-linux
 2017-09-17 00:36:04 +02:00
Thomas Patzke
8ea18af5f9 Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-09-17 00:33:47 +02:00
Thomas Patzke
9b65f250a8 Renamed rule file (typo) 2017-09-17 00:32:57 +02:00
Thomas Patzke
a18b8eca52 sigmac: changed backend description for kibana backend 2017-09-17 00:31:25 +02:00
Thomas Patzke
6b8a5aea4a Added vhost field to web rules 2017-09-17 00:20:17 +02:00
Thomas Patzke
270ab9ba78 Added backend options 
* generic support for backend-specific options
* kibana backend option for title prefix
 2017-09-16 23:46:40 +02:00
Thomas Patzke
c8a66e48b6 sigmac: improved Kibana backend 
* added fields from rules
* default index if none is matching
 2017-09-16 00:39:37 +02:00
Thomas Patzke
d3201229b0 sigmac: Fixed matching of log sources between rules and configuration 2017-09-16 00:32:31 +02:00
devife
9bc8e12a4f Created a X-Pack Watcher output. 
This is has only been tested slightly.
 2017-09-15 09:49:57 -05:00
devife
135e389334 Created a X-Pack Watcher output. 
This is has only been tested slightly.
 2017-09-15 09:46:37 -05:00
Florian Roth
20f9dbb31c CVE-2017-8759 - Winword.exe > csc.exe 2017-09-15 15:49:56 +02:00
Thomas Patzke
fdb017f626 Merge branch 'master' into devel-sigmac 2017-09-12 23:54:48 +02:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke
be891b2912 Merge branch 'master' into devel-sigmac 2017-09-11 10:41:30 +02:00
Thomas Patzke
5c465129bd Fixed rules 
* Replaced unspecified logsource attribute 'type' with 'category'
* Usage of service 'auth' for linux logs
 2017-09-11 00:35:52 +02:00
Thomas Patzke
e5da26578d sigmac/kibana backend: index names from configuration 2017-09-11 00:30:01 +02:00
Thomas Patzke
77a3e7ed91 Code cleanup 2017-09-11 00:27:14 +02:00
Thomas Patzke
68cb5e8921 Merge pull request #45 from secman-pl/patch-1 
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
 2017-09-10 22:52:37 +02:00
Thomas Patzke
be3c0cfb89 sigmac: Kibana backend, first version 
* totally untested!
* only supports searches
* no visualizations/aggregation expressions
* some fields are filled with default values (see code comments)
 2017-09-05 00:14:13 +02:00
Thomas Patzke
c5fc74f440 Further backend changes 
* backends get complete SigmaParser objects instead of condition
* addition of finalize step for backends
* Renaming of output classes
 2017-09-04 00:56:04 +02:00
Florian Roth
bfe8378455 Rule: Suspicious svchost.exe process 2017-08-31 11:07:45 +02:00
secman-pl
9768f275d0 Update sysmon_susp_regsvr32_anomalies 
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. 
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
 2017-08-29 12:21:47 +02:00
Florian Roth
f3f2c14b3a Added reference to regsvr32 rule 2017-08-29 08:45:29 +02:00
Thomas Patzke
39381305d8 sigmac: Generic Text File Output 
Moved output logic into generic class.
 2017-08-29 00:05:59 +02:00
Florian Roth
55f4c37e22 Rule: Microsoft Binary Github Communication 2017-08-24 18:27:40 +02:00
Florian Roth
f46e86fbb1 WMI persistence modified 2017-08-24 18:27:40 +02:00
Thomas Patzke
783722e0b2 Merge pull request #44 from h0ng10/patch-1 
Small Typo fix
 2017-08-22 22:55:59 +02:00
Hans-Martin Münch
09e754a8f9 Small Typo fix 2017-08-22 10:56:25 +02:00
Florian Roth
edf2787402 Removed some spaces and added Win 10 WMI eventlog 2017-08-22 10:04:56 +02:00
Florian Roth
59821d1bcb Office Shell: Reference added to new entry 2017-08-22 10:04:22 +02:00
Florian Roth
332f7d27da Win WMI Persistence 
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
https://twitter.com/mattifestation/status/899646620148539397
 2017-08-22 10:02:54 +02:00
Florian Roth
8f4a780c3b Added regsvr32.exe to suspicious child processes 2017-08-20 23:14:41 +02:00
Florian Roth
e06cf6c43f Service install - net user persistence 2017-08-16 15:16:57 +02:00
Thomas Patzke
238f27fa0d Added OperationalError to relevant Python DB exceptions 2017-08-13 00:10:00 +02:00
Thomas Patzke
33b2ff16cf Rule for generic Python SQL exceptuons 
according to PEP 249
 2017-08-12 00:44:18 +02:00