Thomas Patzke
3c760fabc1
Merge pull request #745 from Rettila/master
...
Added new rules
2020-07-07 23:14:19 +02:00
Thomas Patzke
7eb499ad85
Added rule id
2020-07-07 22:54:55 +02:00
Thomas Patzke
360b5714a8
Split and improved new rule
2020-07-07 22:47:14 +02:00
Thomas Patzke
0ce5f2cc75
Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483
2020-07-07 22:37:11 +02:00
Thomas Patzke
4762a59b89
Merge pull request #891 from rtkbkish/image-load-fixes
...
Fix typo for rule in image_load category
2020-07-07 22:31:32 +02:00
Thomas Patzke
2032a1e7fd
Merge pull request #898 from rtkbkish/fix-uac-registry
...
Proposed fix for sysmon_uac_bypass_eventvwr
2020-07-07 22:29:39 +02:00
Thomas Patzke
9e85731253
Merge pull request #899 from rtkbkish/refix-rules
...
Re-fix sysmon rules that lost changes with category refactoring.
2020-07-07 22:28:37 +02:00
Thomas Patzke
a11bc000fd
Merge pull request #900 from barvhaim/stix
...
STIX backend added including mapping configurations for windows logs and QRadar
2020-07-07 22:26:51 +02:00
Florian Roth
b0e59bdb40
Merge pull request #903 from Neo23x0/rule-devel
...
rule: extended F5 BIG-IP exploitation detection rule
2020-07-07 22:06:00 +02:00
Florian Roth
acfe20aa34
rule: extended F5 BIG-IP exploitation detection rule
2020-07-07 21:45:08 +02:00
bar
35bb8df0b5
updated makefile with stix coverage cmd
2020-07-07 16:39:59 +03:00
bar
acbab2db4b
stix backend + mapping configurations for windows logs and qradar
2020-07-07 15:04:16 +03:00
Florian Roth
99ac4f1f3d
fix: FPs with RedMimicry rule
2020-07-07 10:11:58 +02:00
Florian Roth
c8ca55b3e4
fix: duplicate wrong old key
2020-07-06 17:14:59 +02:00
Florian Roth
cc31ed8b84
fix: missing NTLM log source in THOR
2020-07-06 17:07:06 +02:00
Brad Kish
c758ca0eb9
Re-fix sysmon rules that lost changes with category refactoring.
...
Several fixes for sysmon rules got lost when the rules were refactored to use
categories.
Re-add the fixes.
38afd8b5de
422b2bffd7
dfae2a6df6
2020-07-06 10:55:42 -04:00
Brad Kish
7e06fd80fd
Proposed fix for sysmon_uac_bypass_eventvwr
...
Issue: https://github.com/Neo23x0/sigma/issues/888
The rules were not merged correctly with the transition to sysmon categories.
Split the rule into separate documents: one for the registry_event and one for
the process_creation.
2020-07-06 09:20:34 -04:00
Thomas Patzke
939156fa6d
Introduced dns_query log source category
2020-07-05 23:29:51 +02:00
Thomas Patzke
0df21289a0
Merge branch 'dns-fixes' of https://github.com/rtkbkish/sigma into pr-893
2020-07-05 23:24:56 +02:00
Thomas Patzke
57cb255208
Merge pull request #864 from cclauss/patch-3
...
Fix undefined names in sigma2misp.py
2020-07-05 23:16:22 +02:00
Florian Roth
4aae3a6aa5
Merge pull request #897 from Neo23x0/rule-devel
...
improved F5 BIG-IP rule based on private feedback
2020-07-05 16:38:20 +02:00
Florian Roth
13ab00f744
improved F5 BIG-IP rule based on private feedback
2020-07-05 16:21:48 +02:00
Florian Roth
ab9a988682
Merge pull request #896 from Neo23x0/rule-devel
...
rule: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
2020-07-05 13:44:36 +02:00
Florian Roth
fbe6c0e7d9
improved F5 BIG-IP rule
2020-07-05 13:29:30 +02:00
Florian Roth
f079d0f915
rule: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
...
https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
2020-07-05 13:18:53 +02:00
Florian Roth
c51b4d0524
Merge pull request #890 from rtkbkish/file-event-fixes
...
Fixes for rules in the sysmon file_event category
2020-07-05 13:13:24 +02:00
Florian Roth
4a810dd136
Merge pull request #886 from Neo23x0/rule-devel
...
Windows Curl Rules
2020-07-05 13:12:41 +02:00
Florian Roth
facd578324
Merge pull request #892 from rtkbkish/registry-event-fixes
...
Fixes for rules in new sysmon registry_event category
2020-07-05 13:12:04 +02:00
Brad Kish
8b3b312c4e
Proposed fix for https://github.com/Neo23x0/sigma/issues/889
...
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
2020-07-03 16:28:19 -04:00
Brad Kish
7031d9e2b8
Fix typo for rule in image_load category
...
image_load not image_loaded.
2020-07-03 16:23:17 -04:00
Brad Kish
1e9d0e9653
Fixes for rules in the sysmon file_event category
...
Fix a couple of typos
For sysmon_hack_dumpert:
Make sure the logsource is category file_event and not sysmon. Don't set
the category at the global level. Instead set in the individual document.
2020-07-03 16:22:29 -04:00
Brad Kish
4b31633355
Fixes for rules in new sysmon registry_event category
...
To be consistent with the behaviour of the other rules, the eventID should not
be specified as part of the rule. The category defines the eventID.
2020-07-03 16:20:37 -04:00
Florian Roth
11517edbd7
rule: suspicious curl usage
2020-07-03 18:55:44 +02:00
Florian Roth
c4267a4614
rule: suspicious curl file upload
2020-07-03 18:20:44 +02:00
Florian Roth
80f15a1e50
Merge pull request #885 from Neo23x0/rule-devel
...
fix: trailing whitespace
2020-07-03 18:00:19 +02:00
Florian Roth
4d9e2e8c16
fix: trailing white space
2020-07-03 17:59:50 +02:00
Florian Roth
26d8810efb
Merge pull request #882 from Neo23x0/rule-devel
...
Rule devel
2020-07-03 15:33:55 +02:00
Florian Roth
8a0262d1a2
fix: in linux keyword expression
2020-07-03 15:08:20 +02:00
Florian Roth
4dc818aafd
fix: rar flags rule caused too many FPs
2020-07-03 13:20:24 +02:00
Florian Roth
5dd5b87f43
rule: guacamole exploitation detection
2020-07-03 13:20:03 +02:00
Florian Roth
abf5f799d6
docs: more references
2020-07-03 13:19:44 +02:00
Florian Roth
fa452bf3e5
Merge pull request #849 from omergunal/ogunal-1
...
Rules for detecting suspicious remote file copy
2020-07-03 11:59:45 +02:00
Florian Roth
b9966a173c
Update lnx_file_copy.yml
2020-07-03 11:32:49 +02:00
Florian Roth
6420820eb2
Merge pull request #871 from Christopolos94/master
...
Update to mdatp backend
2020-07-03 11:29:01 +02:00
Florian Roth
5f04fcccf5
fix: broken links
2020-07-03 11:22:06 +02:00
Florian Roth
3111ab8396
refactor: new way to write that rule
2020-07-03 11:20:36 +02:00
Florian Roth
d12b8347dc
fix: bug in cmstp rule
...
https://github.com/Neo23x0/sigma/issues/876
2020-07-03 11:19:11 +02:00
Florian Roth
0bbf40fb14
refactor: include xcopy
2020-07-03 11:03:45 +02:00
Florian Roth
3bea08edfc
refactor: copy from/to system32 rule
2020-07-03 10:56:26 +02:00
Florian Roth
02dee36f4c
Merge pull request #880 from Neo23x0/rule-devel
...
fix: typo in systemroot
2020-07-03 10:25:31 +02:00