Commit Graph

715 Commits

Author SHA1 Message Date
Florian Roth
2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke
bd23946f06 Merge of Graylog backend pull request 2018-05-18 15:55:02 +02:00
Thomas Patzke
21040f04cc Added CI test for Graylog backend 2018-05-18 15:53:25 +02:00
Thomas Patzke
b28480495e Merge branch 'master' of https://github.com/DefenceLogic/sigma into DefenceLogic-master 2018-05-18 15:49:19 +02:00
Thomas Patzke
079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Paul Dutot
715a88542d Graylog backend added 2018-05-17 15:51:25 +01:00
Paul Dutot
05e108a4d1
Merge pull request #1 from Neo23x0/master
Updating Fork
2018-05-17 10:49:54 +01:00
Florian Roth
1fd4172832
Merge pull request #84 from mgreen27/patch-1
Update_WebDAV
2018-05-17 09:40:32 +02:00
Florian Roth
57dc02aa9f
Merge pull request #85 from HacknowledgeCH/es-dsl-patch
patched es-dsl
2018-05-17 09:39:55 +02:00
milkmix
37ee355a77 patched es-dsl 2018-05-17 08:44:50 +02:00
Matthew Green
16365b7793
Update_WebDAV
Made the name a bit generic as WebDAV can be used by several download cradles.
Added in HttpMethod as a select as GET requests makes for a great filter point with much less false positives.
2018-05-16 13:05:15 +10:00
Thomas Patzke
33ffd2683e Disabled failing pypy3 build 2018-05-13 22:52:25 +02:00
Thomas Patzke
738d03c751 Fixed position of line separation if rulecomment and verbose is active 2018-05-13 22:36:51 +02:00
Thomas Patzke
6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth
429ae0729a README Update 2018-05-12 08:33:31 +02:00
Florian Roth
1aaed07dd7 Rule: Suspicious base64 encoded part of DNS query 2018-05-10 14:08:52 +02:00
Florian Roth
62b490396d Rule: Cobalt Strike DNS Beaconing 2018-05-10 14:08:52 +02:00
Thomas Patzke
f60e7e125f Sigma tools release 0.4
* Various bug fixes in quoting of specific characters
* New backend es-dsl
2018-05-01 00:50:07 +02:00
Thomas Patzke
7647587a8b Fixed quoting of backslashes in generated queries 2018-05-01 00:45:59 +02:00
Thomas Patzke
de2ed08695 Merge branch 'ci-es' 2018-05-01 00:34:11 +02:00
Thomas Patzke
a1c32123f1 Setup ES 6.2.4 in Travis CI 2018-05-01 00:23:48 +02:00
Thomas Patzke
e411039b56 Fixed escaping of \u in Elasticsearch Query String queries 2018-05-01 00:05:16 +02:00
Florian Roth
ae6df590a9 Delphi downloader https://goo.gl/rMVUSM 2018-04-24 23:23:21 +02:00
Florian Roth
49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth
3c1c9d2b31
Merge pull request #81 from yt0ng/sigma-yt0ng
added SquiblyTwo Detection
2018-04-18 16:39:37 +02:00
Florian Roth
8420d3174a
Reordered 2018-04-18 16:34:16 +02:00
yt0ng
c637c2e590
Adding Detections for renamed wmic and format
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
2018-04-18 15:02:52 +02:00
Florian Roth
9b8df865b1
Extended rule 2018-04-18 12:13:45 +02:00
yt0ng
a4fb39a336
also for http 2018-04-18 08:19:47 +02:00
yt0ng
169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Florian Roth
6d293d498d
Merge pull request #80 from marvi/marvi-patch-1
"author" should be a string and not a list.
2018-04-17 08:27:29 +02:00
Markus Härnvi
cf237cf658
"author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth
d8bbf26f2c Added msiexec to rule in order to cover new threats
https://twitter.com/DissectMalware/status/984252467474026497
2018-04-12 09:12:50 +02:00
Thomas Patzke
15a6c5efb5 Detailed error messages for failed queries 2018-04-12 00:20:54 +02:00
Thomas Patzke
aeda30a389 Python rewrite of es-qs query test 2018-04-11 23:59:44 +02:00
Florian Roth
58517907ad Improved rule to provide support for for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00
Florian Roth
0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth
52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth
ef7fb4cff1
Merge pull request #78 from Karneades/patch-1
Add rule for Windows registry persistence mechanisms
2018-04-11 19:35:55 +02:00
Florian Roth
b065c2c35c
Simplified rule 2018-04-11 19:03:35 +02:00
Karneades
fa6677a41d
Remove @ in author
Be nice to Travis: "error    syntax error: found character '@' that cannot start any token"
2018-04-11 15:21:42 +02:00
Karneades
be3c27981f
Add rule for Windows registry persistence mechanisms 2018-04-11 15:13:00 +02:00
Thomas Patzke
788111f174 Fixes for Elasticsearch query correctness CI tests
* Quoting in rule
* Reading queries without special processing of backslashes

Unfortunately, backslashes still cause breaks caused by Bash handling of
them.
2018-04-09 22:33:29 +02:00
Florian Roth
56172ae174 Corrected CrackMapExec rule 2018-04-09 08:40:03 +02:00
Florian Roth
a9c7fe202e Rule: Windows shell spawning suspicious program 2018-04-09 08:37:30 +02:00
Florian Roth
8ddd40e18e PowerShell Cradle - WebDAV UA 2018-04-09 08:37:30 +02:00
Florian Roth
e53826e167 Extended Sysmon Office Shell rule 2018-04-09 08:37:30 +02:00
Florian Roth
6eb8cdfeab TSCookie UA 2018-04-09 08:37:30 +02:00
Thomas Patzke
05928d4f8f
Merge pull request #76 from HacknowledgeCH/es-dsl
es-dsl backend
2018-04-08 23:39:23 +02:00
Thomas Patzke
f113832c04
Merge pull request #69 from jmallette/rules
Create cmdkey recon rule
2018-04-08 23:23:30 +02:00