Florian Roth
1bea284280
Added Windows Driver Framework log source to configs
2017-11-09 08:42:58 +01:00
Florian Roth
e83e3a0c07
Bugfixes in Splunk config
2017-11-09 08:41:07 +01:00
Florian Roth
a0ac61229c
Rule: Detect plugged USB devices
2017-11-09 08:40:46 +01:00
Florian Roth
fd801a61a5
Bronze Butler Daserf malware User Agents in Proxy Logs
2017-11-08 12:52:11 +01:00
Florian Roth
e5383be163
Rule: Proxy suspicious downloads from Dyndns hosts
2017-11-08 11:32:30 +01:00
Florian Roth
4540088aa9
Rule: Extended proxy suspicious TLD white list rule
2017-11-08 00:38:26 +01:00
Florian Roth
ad53cc7cc2
Rule: Sysmon Turla Commands
2017-11-08 00:33:17 +01:00
Florian Roth
acc430c4b6
Rule: Proxy download from blacklisted TLDs
2017-11-07 14:03:16 +01:00
Florian Roth
58f20d3cfb
Rule: Proxy download whitelist bugfix and improvements
2017-11-07 14:02:56 +01:00
Florian Roth
59e5b3b999
Sysmon: Named Pipe detection for APT malware
2017-11-06 14:24:42 +01:00
Florian Roth
ea840632f3
Sysmon: Named Pipe detection for Turla malware by @markus_neis
2017-11-06 14:22:09 +01:00
Florian Roth
37cea85072
Rundll32.exe suspicious network connections
2017-11-04 14:44:30 +01:00
Thomas Patzke
b03f9359ec
sigmac: Added rule filter
2017-11-02 00:02:15 +01:00
Thomas Patzke
5035c9c490
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections
2017-11-01 22:12:14 +01:00
Thomas Patzke
f3a809eb00
Improved admin logon rules and removed duplicates
2017-11-01 21:33:01 +01:00
Thomas Patzke
0055eedb83
Merge pull request #54 from juju4/CAR-2016-04-005b
...
Admin user remote login
2017-11-01 21:22:09 +01:00
Thomas Patzke
613f922976
Merge pull request #43 from juju4/master
...
New rules
2017-11-01 21:21:30 +01:00
Thomas Patzke
e90ff2d991
Improved testing
...
* Added collection test case
* Test of file output
2017-11-01 21:14:11 +01:00
Thomas Patzke
118e8af738
Simplified rule collection
2017-11-01 10:00:35 +01:00
Thomas Patzke
732f01878f
Sigma rule collection YAML action documents
2017-11-01 00:17:55 +01:00
Thomas Patzke
d0b2bd9875
Multiple rules per file
...
* New wrapper class SigmaCollectionParser parses all YAML documents
contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
2017-10-31 23:06:18 +01:00
Thomas Patzke
5743e25931
Added logging framework
2017-10-31 22:13:20 +01:00
Thomas Patzke
9d96a998d7
Merge pull request #56 from juju4/CAR-2013-05-002b
...
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
2017-10-30 00:27:56 +01:00
Thomas Patzke
720c992573
Dropped within keyword
...
Covered by timeframe attribute.
Fixes issue #26 .
2017-10-30 00:25:56 +01:00
Thomas Patzke
25ba2c81ad
Merge branch 'juju4-CAR-2013-04-002b'
2017-10-30 00:15:43 +01:00
Thomas Patzke
c865b0e9a8
Removed within keyword in rule
2017-10-30 00:15:01 +01:00
Thomas Patzke
0df60fe004
Merge branch 'CAR-2013-04-002b' of https://github.com/juju4/sigma into juju4-CAR-2013-04-002b
2017-10-30 00:13:21 +01:00
Thomas Patzke
27227855b5
Merge branch 'devel-sigmac'
2017-10-29 23:59:49 +01:00
Thomas Patzke
012cb6227f
Added proper handling of null/not null values
...
Fixes issue #25
2017-10-29 23:57:39 +01:00
juju4
4b64fc1704
double quotes = escape
2017-10-29 14:42:40 -04:00
juju4
07185247cb
double quotes = escape
2017-10-29 14:32:52 -04:00
juju4
f5f20c3f75
Admin user remote login
2017-10-29 14:30:11 -04:00
juju4
19dd69140b
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
2017-10-29 14:27:01 -04:00
juju4
ad27a0a117
Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002
2017-10-29 14:24:53 -04:00
juju4
9d968de337
Merge remote-tracking branch 'upstream/master'
2017-10-29 14:14:47 -04:00
Florian Roth
b7e8000ccb
Improved Office Shell rule > added 'schtasks.exe'
2017-10-25 23:53:45 +02:00
Florian Roth
e680da1b50
Suspicious flash player download location / BadRabbit
2017-10-25 08:40:30 +02:00
Thomas Patzke
5fa9e685b1
Splitted parts of generate to generateQuery in backend code
2017-10-25 00:03:03 +02:00
Thomas Patzke
ace1bf94ea
Merge branch 'devel-sigmac'
2017-10-24 23:49:04 +02:00
Thomas Patzke
6d0e85fcfa
Fixed Splunk backend ( #50 )
2017-10-24 23:48:47 +02:00
Thomas Patzke
65e1f8ec2b
Increased test coverage
...
* more tests
* removed unneeded code
* increased coverage fail threshold
2017-10-23 23:30:44 +02:00
Thomas Patzke
c6f26978c1
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-10-23 00:46:41 +02:00
Thomas Patzke
3389656a5b
Added ELK default index config
2017-10-23 00:45:33 +02:00
Thomas Patzke
7f93d3ca47
Kibana backend throws exception when multiple indices appear
...
* Introduced backend errors with handling in sigmac
2017-10-23 00:45:01 +02:00
Thomas Patzke
cb9aeac7d9
Added default index handling
...
* Removed default index handling from backend code
* Added default indices to config templates
2017-10-23 00:08:39 +02:00
Florian Roth
801d739a3b
US CERT TA17-293A report - renamed PsExec execution
2017-10-22 12:55:26 +02:00
Thomas Patzke
ec996e7353
Improved test coverage
2017-10-19 17:42:56 +02:00
Thomas Patzke
1a8cfae6ac
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-10-19 11:42:09 +02:00
Thomas Patzke
a4a127e869
Measurement of test coverage
2017-10-19 11:40:53 +02:00
Florian Roth
d9f933fec9
Fixed the fixed PSAttack rule
2017-10-19 09:52:40 +02:00