valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,965 Commits 20 Branches 25 Tags 21 MiB
312311494d
Commit Graph

322 Commits

Author SHA1 Message Date
Florian Roth
dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke
6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth
a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00
Florian Roth
6c8d08942e Rule: Fixed field in RDP rule 2019-01-29 15:17:29 +01:00
Florian Roth
f61b44efa8 Rule: Netsh port forwarding 2019-01-29 14:04:48 +01:00
Florian Roth
086e62a495 Rule: Netsh RDP port forwarding rule 2019-01-29 14:04:28 +01:00
Florian Roth
a2eac623a6 Rule: Adjusted RDP login from localhost rule level 2019-01-29 14:04:10 +01:00
Thomas Patzke
516bfc88ff Added rule: RDP login from localhost 2019-01-28 22:43:22 +01:00
Florian Roth
b1ea976f66 fix: fixed bug inntdsutil rule that included a white space 2019-01-22 16:18:43 +01:00
Thomas Patzke
96eb460944 Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00
Thomas Patzke
ed1ee80f2d
Merge pull request #221 from adrienverge/fix/yamllint 
Fix yamllint config
 2019-01-13 23:55:14 +01:00
Florian Roth
9a6b3b5389 Rule: PowerShell script run in AppData folders 2019-01-12 12:03:36 +01:00
Adrien Vergé
44f18db80d Fix YAML errors reported by yamllint 
Especially the config for ArcSight, that was invalid:

    tools/config/arcsight.yml
      89:5      error    duplication of key "product" in mapping  (key-duplicates)
      90:5      error    duplication of key "conditions" in mapping  (key-duplicates)

    rules/windows/builtin/win_susp_commands_recon_activity.yml
      10:9      error    too many spaces after colon  (colons)
 2019-01-10 09:51:39 +01:00
Tareq AlKhatib
0a5e79b1e0 Fixed the RC section to use rc.exe instead of oleview.exe 2019-01-01 13:30:26 +03:00
Tareq AlKhatib
f318f328d6 Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
Florian Roth
c8c419f205 Rule: Hacktool Rubeus 2018-12-19 09:31:22 +01:00
Thomas Patzke
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master 
Field-Index Mapping File & SIGMA Rules Field names fix
 2018-12-19 00:38:06 +01:00
Florian Roth
172236e130 Rule: updated ATT&CK tags in MavInject rule 2018-12-12 09:17:58 +01:00
Florian Roth
188d3a83b8 Rule: docs: reference update in MavInject rule 2018-12-12 08:37:00 +01:00
Florian Roth
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue 
Bugfix: wrong field for 4688 process creation events
 2018-12-12 08:24:07 +01:00
Florian Roth
49eb03cda8 Rule: MavInject process injection 2018-12-12 08:18:43 +01:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Roberto Rodriguez
a0486edeea Field-Index Mapping File & SIGMA Rules Field names fix 
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
 2018-12-11 09:27:26 +03:00
Roberto Rodriguez
a35f945c71 Update win_disable_event_logging.yml 
Description value breaking SIGMA Elastalert Backend
 2018-12-06 05:09:41 +03:00
Roberto Rodriguez
104ee6c33b Update win_susp_commands_recon_activity.yml 
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
 2018-12-05 05:55:36 +03:00
Roberto Rodriguez
6dc36c8749 Update win_eventlog_cleared.yml 
Experimental Rule is a duplicate of bfc7012043/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
 2018-12-05 05:40:00 +03:00
Roberto Rodriguez
c8990962d2 Update win_rare_service_installs.yml 
same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
 2018-12-05 05:33:56 +03:00
Roberto Rodriguez
f0b23af10d Update win_rare_schtasks_creations.yml 
Count(taskName) not being taken by elastalert integration with Sigmac
 2018-12-05 05:10:08 +03:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Thomas Patzke
f6ad36f530 Fixed rule 2018-11-29 00:00:18 +01:00
Florian Roth
a31acd6571 fix: fixed procdump rule 2018-11-17 09:10:26 +01:00
Florian Roth
fd06cde641 Rule: Detect base64 encoded PowerShell shellcode 
https://twitter.com/cyb3rops/status/1063072865992523776
 2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Nate Guagenti
9bfdcba400
Update win_alert_ad_user_backdoors.yml 
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 2018-11-05 21:08:19 -05:00
Florian Roth
37294d023f Suspicious svchost.exe executions 2018-10-30 09:37:40 +01:00
Florian Roth
580692aab4 Improved procdump on lsass rule 2018-10-30 09:37:40 +01:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00
Karneades
cc82207882 Add group by to win multiple suspicious cli rule 
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
 2018-09-23 19:38:23 +02:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel 
Suspicious SYSVOL Domain Group Policy Access
 2018-09-08 15:56:54 +02:00
Florian Roth
6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
John Lambert
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml 
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
 2018-09-07 20:23:11 -07:00
Florian Roth
3c240be8a8 fix: more duplicate 'tag' keys in rules 2018-09-04 16:15:02 +02:00
Florian Roth
9c878bef79 fix: duplicate 'tag' key in rule 2018-09-04 16:05:21 +02:00
t0x1c-1
afadda8c04 Suspicious SYSVOL Domain Group Policy Access 2018-09-04 15:52:25 +02:00
Florian Roth
d94c1d2046 fix: duplicate 'tag' key in rule 2018-09-04 14:56:55 +02:00
Florian Roth
9cb78558d3 Rule: excluded false positives in rule 2018-09-03 12:02:42 +02:00
Florian Roth
b57f3ded64 Rule: GRR false positives 2018-09-03 11:50:34 +02:00
Florian Roth
2a0fcf6bea Rule: PowerShell encoded command JAB 2018-09-03 10:08:29 +02:00
Thomas Patzke
ee15b451b4
Fixed log source name 2018-08-27 23:45:30 +02:00
Unknown
2f256aa1ef Adding LSASS Access Detected via Attack Surface Reduction 2018-08-27 10:38:45 +02:00
Florian Roth
5b3175d1d6 Rule: Suspicious procdump use on lsass process 2018-08-26 19:53:57 +02:00
Florian Roth
f47a5c2206 fix: Author list to string 2018-08-23 09:40:28 +02:00
Florian Roth
6ee31f6cd1
Update win_susp_commands_recon_activity.yml 
Merged recon commands from @yt0ng's rule
 2018-08-22 17:00:00 +02:00
Florian Roth
92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth
acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth
1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Thomas Patzke
0d8bc922a3
Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
David Spautz
e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson
c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
megan201296
a169723005
fixed typo 2018-07-13 13:53:21 -05:00
Thomas Patzke
2dc5295abf Removed redundant attribute from rule 2018-07-10 22:50:02 +02:00
Florian Roth
dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
Florian Roth
c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth
c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth
9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
scherma
19ba5df207
False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth
86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth
a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth
9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth
28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke
7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke
df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Florian Roth
946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth
e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth
9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth
8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth
2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke
079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Thomas Patzke
6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth
49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth
8420d3174a
Reordered 2018-04-18 16:34:16 +02:00
yt0ng
c637c2e590
Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth
9b8df865b1
Extended rule 2018-04-18 12:13:45 +02:00
yt0ng
a4fb39a336
also for http 2018-04-18 08:19:47 +02:00
yt0ng
169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke
b1bfa64231 Removed redundant 'EventLog' conditions 2018-03-26 00:36:40 +02:00
Thomas Patzke
f68af2a5da Added reference to Kerberos RC4 rule 2018-03-25 23:19:01 +02:00
Florian Roth
f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth
70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth
3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth
e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth
8b31767d31 Rule: PsExec usage 2018-03-15 19:54:22 +01:00
Thomas Patzke
ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke
8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Dominik Schaudel
cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth
d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth
0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth
a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth
d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
379b2dd207 New recon activity rule 2017-12-11 09:31:54 +01:00
Florian Roth
8e2aef035c Removed commands - false positive reduction 2017-12-11 09:31:54 +01:00
Florian Roth
1464ab4ab8 Renamed rule: recon activity > net recon activity - to be more specific 2017-12-11 09:31:54 +01:00
Thomas Patzke
2ec5919b9e Fixed win_disable_event_logging by multiline description 2017-11-19 22:49:40 +01:00
Nate Guagenti
a796ff329e
Create win_disable_event_logging 2017-11-15 21:56:30 -05:00
Florian Roth
a0ac61229c Rule: Detect plugged USB devices 2017-11-09 08:40:46 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke
f3a809eb00 Improved admin logon rules and removed duplicates 2017-11-01 21:33:01 +01:00
Thomas Patzke
0055eedb83
Merge pull request #54 from juju4/CAR-2016-04-005b 
Admin user remote login
 2017-11-01 21:22:09 +01:00
Thomas Patzke
613f922976
Merge pull request #43 from juju4/master 
New rules
 2017-11-01 21:21:30 +01:00
Thomas Patzke
118e8af738 Simplified rule collection 2017-11-01 10:00:35 +01:00
Thomas Patzke
732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Thomas Patzke
d0b2bd9875 Multiple rules per file 
* New wrapper class SigmaCollectionParser parses all YAML documents
  contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
 2017-10-31 23:06:18 +01:00
Thomas Patzke
9d96a998d7
Merge pull request #56 from juju4/CAR-2013-05-002b 
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
 2017-10-30 00:27:56 +01:00
Thomas Patzke
720c992573 Dropped within keyword 
Covered by timeframe attribute.

Fixes issue #26.
 2017-10-30 00:25:56 +01:00
Thomas Patzke
c865b0e9a8 Removed within keyword in rule 2017-10-30 00:15:01 +01:00
juju4
4b64fc1704 double quotes = escape 2017-10-29 14:42:40 -04:00
juju4
07185247cb double quotes = escape 2017-10-29 14:32:52 -04:00
juju4
f5f20c3f75 Admin user remote login 2017-10-29 14:30:11 -04:00
juju4
19dd69140b Detects Suspicious Run Locations - MITRE CAR-2013-05-002 2017-10-29 14:27:01 -04:00
juju4
ad27a0a117 Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002 2017-10-29 14:24:53 -04:00
juju4
e2213347ad Merge remote-tracking branch 'upstream/master' 2017-09-09 11:33:18 -04:00
Florian Roth
e06cf6c43f Service install - net user persistence 2017-08-16 15:16:57 +02:00
juju4
b109a1277e Detects suspicious process related to rasdial.exe 2017-08-13 16:20:25 -04:00
juju4
012ed4cd7d Detects execution of executables that can be used to bypass Applocker whitelisting 2017-08-13 16:20:01 -04:00
juju4
f861969e95 tentative rule to detect admin users remote login 2017-08-13 16:19:24 -04:00
juju4
d2ae98b0de tentative rule to detect admin users interactive login 2017-08-13 16:18:58 -04:00
juju4
21b1c52d1e forfiles, bash detection 2017-08-13 16:18:13 -04:00
Thomas Patzke
0217cd5b1d Merge branch 'master' into travis-test-working 2017-08-02 23:03:03 +02:00
Thomas Patzke
f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke
6f5b9e183c Merge branch 'master' into travis-test-working 2017-08-02 00:32:52 +02:00
Thomas Patzke
b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00
Thomas Patzke
84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Thomas Patzke
c350a90b21 Merge branch 'master' into rules-juju4 2017-08-01 23:55:53 +02:00
juju4
5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4
5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4
31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4
3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4
fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4
83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4
f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth
d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00