valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,208 Commits 20 Branches 25 Tags 21 MiB
172236e130
Commit Graph

1208 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
172236e130 Rule: updated ATT&CK tags in MavInject rule 2018-12-12 09:17:58 +01:00
Florian Roth
188d3a83b8 Rule: docs: reference update in MavInject rule 2018-12-12 08:37:00 +01:00
Florian Roth
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue 
Bugfix: wrong field for 4688 process creation events
 2018-12-12 08:24:07 +01:00
Florian Roth
49eb03cda8 Rule: MavInject process injection 2018-12-12 08:18:43 +01:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Florian Roth
b5d78835b6 Removed overlapping rule with sysmon_office_shell.yml 2018-12-11 13:37:47 +01:00
Thomas Patzke
68866433e8 Merge branch 'juju4-devel-sumo' 2018-12-10 22:37:58 +01:00
Thomas Patzke
4175d0cdd5 Fixed config and added index field 
* Added index field _index to backend implementation
* Fixed index values in config
 2018-12-10 22:37:39 +01:00
Thomas Patzke
b520897176 Added CI testing for SumoLogic backend 2018-12-10 22:36:08 +01:00
Thomas Patzke
4e3f6c366b
Merge pull request #208 from Cyb3rWard0g/master 
Elastalert-HELK integration Updates
 2018-12-10 22:13:37 +01:00
Roberto Rodriguez
93d1d700d4 Merge remote-tracking branch 'upstream/master' 2018-12-10 07:04:30 +03:00
juju4
1f707cb37c Adding Sumologic backend 2018-12-09 17:55:51 -05:00
Thomas Patzke
2091c90538 Fixed ElastAlert *_key options 
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
 2018-12-09 22:33:23 +01:00
Roberto Rodriguez
9567ce588d Merge remote-tracking branch 'upstream/master' 2018-12-09 09:27:43 +03:00
Roberto Rodriguez
8c577a329f Improve Rule & Updated HELK SIGMA Standardization Config 
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.

SIGMA HELK standardization config updated to match latest HELK Common Information Model
 2018-12-08 11:30:21 +03:00
Roberto Rodriguez
a35f945c71 Update win_disable_event_logging.yml 
Description value breaking SIGMA Elastalert Backend
 2018-12-06 05:09:41 +03:00
Florian Roth
2e5a739c6c fix: fixed author string (cannot be list according to sigma specs) 2018-12-05 11:59:10 +01:00
Florian Roth
9b15b64a9a fix: fixed author string (cannot be list according to sigma specs) 2018-12-05 11:44:20 +01:00
Thomas Patzke
abc941b57c
Merge pull request #204 from Cyb3rWard0g/master 
Elastalert Integration Updates to SIGMA Rules
 2018-12-05 09:33:40 +01:00
Thomas Patzke
246ad7c59a Revert "Fixed wildcards in es-qs backend" 
This reverts commit 49d464f979.

The partial fix for issue #194 broke the generation of many other rules,
see #203.
 2018-12-05 09:07:07 +01:00
Roberto Rodriguez
87ce07088f Update sysmon_plugx_susp_exe_locations.yml 
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location

This impats Elastalert integration since you cannot have two rules with the same name
 2018-12-05 07:58:13 +03:00
Roberto Rodriguez
bff7ec52db Update av_relevant_files.yml 
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection

This affetcs Elastalert integration
 2018-12-05 07:53:53 +03:00
Roberto Rodriguez
104ee6c33b Update win_susp_commands_recon_activity.yml 
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
 2018-12-05 05:55:36 +03:00
Roberto Rodriguez
328762ed67 Update powershell_xor_commandline.yml 
Ducplicate names again for https://github.com/Neo23x0/sigma/search?q=Suspicious+Encoded+PowerShell+Command+Line&unscoped_q=Suspicious+Encoded+PowerShell+Command+Line . This brakes elastalert integration since each rule needs to have its own unique name.
 2018-12-05 05:51:41 +03:00
Roberto Rodriguez
6dc36c8749 Update win_eventlog_cleared.yml 
Experimental Rule is a duplicate of bfc7012043/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
 2018-12-05 05:40:00 +03:00
Roberto Rodriguez
c8990962d2 Update win_rare_service_installs.yml 
same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
 2018-12-05 05:33:56 +03:00
Roberto Rodriguez
f0b23af10d Update win_rare_schtasks_creations.yml 
Count(taskName) not being taken by elastalert integration with Sigmac
 2018-12-05 05:10:08 +03:00
Thomas Patzke
f9d9d653dc
Merge pull request #199 from sisecbe/patch-1 
Distinct count in aggragation function
 2018-12-04 23:42:16 +01:00
Thomas Patzke
3288f6425b Merge branch 'SherifEldeeb-master' 2018-12-04 23:38:02 +01:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Florian Roth
3861dd5912 Rule: APT29 campaign against US think tanks 
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 2018-12-04 17:04:03 +01:00
Florian Roth
2bf0170956
Merge pull request #202 from tuckner/master 
Fixed backslash escape
 2018-12-03 22:22:53 +01:00
tuckner
2c5c92ab0a fixed backslash escape 2018-12-03 15:09:29 -06:00
Florian Roth
a805d18bba
Merge pull request #198 from kpolley/consistent_filetype 
changed .yaml files to .yml for consistency
 2018-12-03 09:00:14 +01:00
Florian Roth
7e05b2546a
Merge pull request #201 from 41thexplorer/master 
Adding new rules detecting recently active APTs
 2018-12-03 08:59:46 +01:00
AL
9f1df6164b
adding new rules detecting recently active APTs 2018-12-03 09:42:29 +02:00
Florian Roth
2ebbdebe46 rule: Cobalt Strike beacon detection via Remote Threat Creation 
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 2018-11-30 10:25:05 +01:00
Thomas Patzke
e502550d76 Merge branch 'lsoumille-master' 2018-11-29 00:03:12 +01:00
Thomas Patzke
f6ad36f530 Fixed rule 2018-11-29 00:00:18 +01:00
Thomas Patzke
1118b80288 Added elastalert backend to CI testing 2018-11-29 00:00:00 +01:00
Thomas Patzke
0a5caae5df Merge branch 'master' of https://github.com/lsoumille/sigma into lsoumille-master 2018-11-28 23:53:15 +01:00
Florian Roth
99e0a4defb fix: SPARK config duplicate identifier 2018-11-27 14:05:13 +01:00
lsoumille
50c74b94bc add elastalert backend support 2018-11-23 20:39:15 +01:00
sisecbe
c848c473a3
Error when empty fields attribute 2018-11-23 15:37:42 +01:00
sisecbe
31eae25756
Indentation error 2018-11-23 15:20:17 +01:00
sisecbe
e43909678e
Added the fields attribute parser 
Make a table with the fields present in the fields attribute
 2018-11-23 15:11:12 +01:00
sisecbe
c2eb87133d
Distinct count in aggragation function 
Added dc() instead of count() when group-by field is present. Because count() doesn't do a distinct count in Splunk. Must be the dc() function instead.
 2018-11-23 15:04:08 +01:00
Florian Roth
7ba1fe4309 Turla PNG Dropper Service Name 2018-11-23 08:46:20 +01:00
Florian Roth
e7762c71ce Merge remote-tracking branch 'origin/master' 2018-11-22 19:14:12 +01:00
Florian Roth
ec83ab5e13 APT28 Zebrocy rule 
https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
 2018-11-22 19:14:07 +01:00