valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,000 Commits 20 Branches 25 Tags 21 MiB
099843470e
Commit Graph

4000 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
aw350m3
5af0f1392d att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:35 +00:00
aw350m3
399f378269 att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:26 +00:00
Yugoslavskiy Daniil
5026438524 fix modified field 2020-08-25 01:29:57 +02:00
aw350m3
1999fb609e Merge branch 'master' of github.com:oscd-initiative/sigma 2020-08-24 23:14:13 +00:00
Yugoslavskiy Daniil
f274f39b54 Merge branch 'master' of https://github.com/oscd-initiative/sigma 2020-08-25 01:09:24 +02:00
Yugoslavskiy Daniil
42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
Florian Roth
5a9ed1da15
Merge pull request #988 from defensivedepth/master 
Zeek RDP rule
 2020-08-24 12:39:49 +02:00
aw350m3
ba2e891433 windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00
aw350m3
08170bbcca fix tags for suspicious outbound kerberos activity rule 2020-08-23 21:10:29 +00:00
Josh Brower
4c4b8db7cf
Zeek RDP rule 2020-08-23 13:16:42 -04:00
aw350m3
4cdd8be354 Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:20:58 +00:00
aw350m3
3aa1ad68fb windows/process_access folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:03:06 +00:00
aw350m3
80deaf84ca windows/network_connection folder reviewed 2020-08-22 23:36:30 +00:00
Florian Roth
437a807a1d
Merge pull request #985 from architect00/master 
added troubleshooting links to root README.md
 2020-08-20 14:56:27 +02:00
David Straßegger
1e8a5b64d9 added troubleshooting links to root README.md 2020-08-20 14:02:26 +02:00
Florian Roth
79adaceffa
Merge pull request #979 from barvhaim/patch-3 
Update win_susp_rasdial_activity.yml to use `contains` instead of `equal`
 2020-08-18 15:08:15 +02:00
Florian Roth
bc74ac1f8a
Update win_susp_rasdial_activity.yml 2020-08-18 14:40:37 +02:00
Florian Roth
fd23a18241
Merge pull request #982 from tungn12/master 
Carbon black mapping wrong and fix wild card
 2020-08-18 14:33:22 +02:00
Florian Roth
0ba9383774
Merge pull request #984 from EccoTheFlintstone/fix_fp3 
SIGMA ASEP: remove some false positives
 2020-08-18 14:29:35 +02:00
ecco
de4810233c remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64 2020-08-18 05:28:37 -04:00
tung12
1921e9dd89 Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00
SOC Prime
d3ba1e4fb8
Add sysmon backend 2020-08-18 11:20:22 +03:00
SOC Prime
8fead9f864
Merge pull request #4 from Neo23x0/master 
Repositories synchronization
 2020-08-18 11:12:15 +03:00
Florian Roth
da54e89f30
Merge pull request #976 from diskurse/rule-devel 
Rule devel
 2020-08-17 15:02:31 +02:00
Florian Roth
8a02541b0a
style: removed lists where unnecessary 2020-08-17 15:02:16 +02:00
Florian Roth
6dc8dbb6d8
style: removed lists where unnecessary 2020-08-17 15:01:52 +02:00
tung12
172f7b371e Change mapped Image to path 2020-08-17 15:05:44 +07:00
Bar Haim
bd96b1c5ad
Update win_susp_rasdial_activity.yml 
`rasdial` is an `exe`, and probably appear as `rasdial.exe`
`LIKE` is more fit in this case
 2020-08-16 16:17:49 +03:00
Bar Haim
c7dc9df87e
Update sysmon_apt_muddywater_dnstunnel.yml 2020-08-16 12:39:04 +03:00
Bar Haim
4168f1e430
Update win_new_service_creation.yml 2020-08-16 11:44:40 +03:00
Thomas Patzke
3d9855dd06
Merge pull request #975 from scottdermott/master 
+ Adding Mitre Sub-Techniques and python update script to fetch latest from Mitre CTI
 2020-08-13 13:18:57 +02:00
Cian Heasley
b378b3d62b
win_mouse_lock.yml 
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 2020-08-13 12:09:07 +01:00
Cian Heasley
6fa5a6c93d
Delete win_mouse_lock.yml 2020-08-13 12:08:04 +01:00
Cian Heasley
b8b4ab5a2a
win_mouse_lock.yml 
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 2020-08-13 12:07:34 +01:00
Cian Heasley
d1e9f01d23
win_dnscat2_powershell_implementation.yml 
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
 2020-08-13 12:06:48 +01:00
Dermott, Scott J
7e6828dd40 + Adding Mitre Sub-Techniques and python update script to fetch latest Pre, Enterprise & Mobile Tactics and Techniques from Mitre CTI 2020-08-13 10:24:44 +01:00
Florian Roth
2e29c07e83
Merge pull request #928 from duzvik/master 
Create sysmon_abusing_azure_browser_sso.yml
 2020-08-12 17:15:27 +02:00
Florian Roth
61a05ee054
reordered fields, changed indentation 2020-08-12 16:44:37 +02:00
Thomas Patzke
01125ffd3b Fixed: Elastalert backend handling of conditional field mappings 2020-08-11 23:29:18 +02:00
Thomas Patzke
d73447c111
Merge pull request #939 from ktecv2000/master 
add wmi persistence script event consumer false positive
 2020-08-05 23:28:26 +02:00
Thomas Patzke
f827a557f2
Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process 
Change fitler typo from 'Username' to 'User' for Wmiprvse Spawning Process rule
 2020-08-05 23:26:14 +02:00
Thomas Patzke
9b2f8ce1f9
Merge pull request #953 from barvhaim/master 
STIX Backend added and updated fields mapping
 2020-08-05 23:25:17 +02:00
Florian Roth
98ca8b4ce9
Merge pull request #968 from zinint/master 
ATT&CK mapping update suggestions for \linux\
 2020-08-05 00:37:36 +02:00
Timur Zinniatullin
72fdf0da45
Update lnx_auditd_susp_cmds.yml 2020-08-04 20:00:30 +03:00
Timur Zinniatullin
4e688233d7 ATT&CK mapping update suggestions for \linux\ 2020-08-04 19:48:18 +03:00
Florian Roth
4529e4cd52
Merge pull request #966 from Neo23x0/rule-devel 
rule: TAIDOOR malware load
 2020-08-04 14:54:24 +02:00
Florian Roth
052379a512 fix: tightened TAIDOOR rule 2020-08-04 14:37:18 +02:00
Florian Roth
c4953409aa rule: TAIDOOR malware load 
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 2020-08-04 14:31:29 +02:00
Florian Roth
fa36adfe6d
Merge pull request #965 from IPv777/patch-2 
.002 	= 	SMB/Windows Admin Shares
 2020-08-03 18:05:12 +02:00
IPv777
a52583dc68
.002 = SMB/Windows Admin Shares 2020-08-03 17:43:14 +02:00