Florian Roth
22465037ac
Update win_susp_mpcmdrun_download.yml
2020-09-04 16:50:57 +02:00
Florian Roth
3283e33cbc
Update and rename win_lolbas_mpcmdrun.yml to win_susp_mpcmdrun_download.yml
2020-09-04 16:49:44 +02:00
Matthew Matchen
df532be142
Added ID field using UUID generated value
2020-09-04 16:38:52 +02:00
Matthew Matchen
2c69815b7b
Removed empty ID field
2020-09-04 16:32:41 +02:00
Matthew Matchen
e0baa097a8
Initial creation
2020-09-04 16:00:23 +02:00
veritasr3x
3e8dda723b
Merge pull request #1 from Neo23x0/master
...
Repo Update
2020-09-04 15:46:10 +02:00
Florian Roth
4ade5bd957
Merge pull request #991 from Neo23x0/rule-devel
...
Rule devel
2020-09-03 12:15:05 +02:00
Florian Roth
720ac0d998
fix: syntax bug in rule
2020-09-03 09:18:28 +02:00
Florian Roth
198469bed3
Merge branch 'master' into rule-devel
2020-09-02 17:40:12 +02:00
Florian Roth
423f81c912
Update win_mouse_lock.yml
2020-09-02 14:49:37 +02:00
Florian Roth
73bc514f60
fix: 1 of them / one selection
2020-09-02 12:34:35 +02:00
Florian Roth
7ddb63ec1b
fix: FPs with McAfee and CyberReason
2020-09-02 12:30:34 +02:00
Florian Roth
7d3a6293f5
rule: Snatch ransomware
2020-08-26 09:42:34 +02:00
Thomas Patzke
bae09e9447
Sigmatools release 0.18.1
2020-08-26 00:06:25 +02:00
Thomas Patzke
b742e4ef08
Merge pull request #990 from neu5ron/es_backend
...
ES and Readme from SOC Prime
2020-08-25 21:34:55 +02:00
Nate Guagenti
f21b3c50c6
control whether to use an analyzed field or different type if a query/value contains a wildcard.
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 13:13:18 -04:00
Nate Guagenti
a7ffb96b6b
elasticsearch regex escape of '.' for case insensitivity backend options
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 13:10:25 -04:00
Nate Guagenti
474e04dfe3
add new options to readme for elasticbackend
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 13:00:22 -04:00
Nate Guagenti
76910eaee4
fix sub field name usage if there are 3 or more fields.
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 12:56:57 -04:00
Nate Guagenti
0d713e4544
control whether to use an analyzed field or different type if a query/value contains a wildcard.
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 12:56:33 -04:00
Florian Roth
5a9ed1da15
Merge pull request #988 from defensivedepth/master
...
Zeek RDP rule
2020-08-24 12:39:49 +02:00
Josh Brower
4c4b8db7cf
Zeek RDP rule
2020-08-23 13:16:42 -04:00
Florian Roth
437a807a1d
Merge pull request #985 from architect00/master
...
added troubleshooting links to root README.md
2020-08-20 14:56:27 +02:00
David Straßegger
1e8a5b64d9
added troubleshooting links to root README.md
2020-08-20 14:02:26 +02:00
Florian Roth
79adaceffa
Merge pull request #979 from barvhaim/patch-3
...
Update win_susp_rasdial_activity.yml to use `contains` instead of `equal`
2020-08-18 15:08:15 +02:00
Florian Roth
bc74ac1f8a
Update win_susp_rasdial_activity.yml
2020-08-18 14:40:37 +02:00
Florian Roth
fd23a18241
Merge pull request #982 from tungn12/master
...
Carbon black mapping wrong and fix wild card
2020-08-18 14:33:22 +02:00
Florian Roth
0ba9383774
Merge pull request #984 from EccoTheFlintstone/fix_fp3
...
SIGMA ASEP: remove some false positives
2020-08-18 14:29:35 +02:00
ecco
de4810233c
remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64
2020-08-18 05:28:37 -04:00
tung12
1921e9dd89
Fix wild card and some escaped characters
2020-08-18 15:57:13 +07:00
Florian Roth
da54e89f30
Merge pull request #976 from diskurse/rule-devel
...
Rule devel
2020-08-17 15:02:31 +02:00
Florian Roth
8a02541b0a
style: removed lists where unnecessary
2020-08-17 15:02:16 +02:00
Florian Roth
6dc8dbb6d8
style: removed lists where unnecessary
2020-08-17 15:01:52 +02:00
tung12
172f7b371e
Change mapped Image to path
2020-08-17 15:05:44 +07:00
Bar Haim
bd96b1c5ad
Update win_susp_rasdial_activity.yml
...
`rasdial` is an `exe`, and probably appears as `rasdial.exe`
`LIKE` is a better fit in this case
2020-08-16 16:17:49 +03:00
Thomas Patzke
3d9855dd06
Merge pull request #975 from scottdermott/master
...
+ Adding Mitre Sub-Techniques and python update script to fetch latest from Mitre CTI
2020-08-13 13:18:57 +02:00
Cian Heasley
b378b3d62b
win_mouse_lock.yml
...
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
2020-08-13 12:09:07 +01:00
Cian Heasley
6fa5a6c93d
Delete win_mouse_lock.yml
2020-08-13 12:08:04 +01:00
Cian Heasley
b8b4ab5a2a
win_mouse_lock.yml
...
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
2020-08-13 12:07:34 +01:00
Cian Heasley
d1e9f01d23
win_dnscat2_powershell_implementation.yml
...
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
2020-08-13 12:06:48 +01:00
Dermott, Scott J
7e6828dd40
+ Adding Mitre Sub-Techniques and python update script to fetch latest Pre, Enterprise & Mobile Tactics and Techniques from Mitre CTI
2020-08-13 10:24:44 +01:00
Florian Roth
2e29c07e83
Merge pull request #928 from duzvik/master
...
Create sysmon_abusing_azure_browser_sso.yml
2020-08-12 17:15:27 +02:00
Florian Roth
61a05ee054
reordered fields, changed indentation
2020-08-12 16:44:37 +02:00
Thomas Patzke
01125ffd3b
Fixed: Elastalert backend handling of conditional field mappings
2020-08-11 23:29:18 +02:00
Thomas Patzke
d73447c111
Merge pull request #939 from ktecv2000/master
...
add wmi persistence script event consumer false positive
2020-08-05 23:28:26 +02:00
Thomas Patzke
f827a557f2
Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process
...
Change filter typo from 'Username' to 'User' for Wmiprvse Spawning Process rule
2020-08-05 23:26:14 +02:00
Thomas Patzke
9b2f8ce1f9
Merge pull request #953 from barvhaim/master
...
STIX Backend added and updated fields mapping
2020-08-05 23:25:17 +02:00
Florian Roth
98ca8b4ce9
Merge pull request #968 from zinint/master
...
ATT&CK mapping update suggestions for \linux\
2020-08-05 00:37:36 +02:00
Timur Zinniatullin
72fdf0da45
Update lnx_auditd_susp_cmds.yml
2020-08-04 20:00:30 +03:00
Timur Zinniatullin
4e688233d7
ATT&CK mapping update suggestions for \linux\
2020-08-04 19:48:18 +03:00