valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,194 Commits 20 Branches 25 Tags 21 MiB
5513687e63
Commit Graph

2194 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
40df0d4534
Merge pull request #506 from Karneades/fixRule1 
fix: bound keywords to field in WMI persistence rule
 2019-10-29 22:30:27 +01:00
Thomas Patzke
6eb49fc1ce
Merge pull request #509 from Karneades/fixRule4 
fix: change keyword and bound it to a field in PS rule
 2019-10-29 22:27:54 +01:00
Thomas Patzke
b6403793c1 Fixed escaping in rule 2019-10-29 22:06:23 +01:00
zinint
4a560e9375
T1002 2019-10-29 22:56:45 +03:00
zinint
583980f8ec
Delete win_data_compressed.yml 2019-10-29 22:56:30 +03:00
zinint
4eb7965662
T1002 2019-10-29 22:54:42 +03:00
zinint
950796f71f
Update lnx_auditd_masquerading_crond.yml 2019-10-29 22:48:39 +03:00
zinint
c5599399b5
Update lnx_auditd_masquerading_crond.yml 2019-10-29 22:48:00 +03:00
zinint
47f7d648a3
T1036 2019-10-29 22:33:03 +03:00
Karneades
ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Karneades
aafab2e936 fix: bound keywords to field in multiple PS rules 
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
 2019-10-29 19:53:18 +01:00
Karneades
f31750e567 fix: bound keywords to field in PS cred prompt rule 2019-10-29 19:43:04 +01:00
Karneades
cd20e4a3fc fix: bound keywords to field in WMI persistence rule 
See #501.
 2019-10-29 19:22:41 +01:00
zinint
c243c4e210
T1035 2019-10-29 20:58:52 +03:00
Thomas Patzke
632c45843b
Merge pull request #500 from refractionPOINT/master 
Adding LimaCharlie to the README's supported targets.
 2019-10-28 21:17:30 +01:00
Maxime Lamothe-Brassard
f01913c996 Adding LimaCharlie to the README's supported targets. 2019-10-28 14:48:04 -05:00
Thomas Patzke
6a76f5950b
Merge pull request #499 from refractionPOINT/master 
Adding Backend for LimaCharlie D&R rules
 2019-10-28 20:38:33 +01:00
Maxime Lamothe-Brassard
f6fb9c7f5f Fixing typo in response metadata. 2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard
2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Florian Roth
8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
Florian Roth
1a3444d0ef docs: comment on rule expression 2019-10-28 12:02:46 +01:00
zinint
d1cf80d9b6
Update lnx_auditd_user_discovery.yml 2019-10-28 00:00:06 +03:00
zinint
68b4541274
t1033 2019-10-27 23:59:16 +03:00
Maxime Lamothe-Brassard
a7003c2aa3 Adding support for "unix", looking like a mistake by the creator. 2019-10-27 15:55:12 -05:00
zinint
87c8326133
T1033 2019-10-27 23:49:07 +03:00
Maxime Lamothe-Brassard
d019cef439 Ading a bit more of early support for netflow and some linux exe. 2019-10-27 15:48:28 -05:00
Maxime Lamothe-Brassard
a57a7b58cf Added conceptial support for aliasing keyworkds to a specific field depending on the log source. 2019-10-27 15:28:54 -05:00
zinint
55eaae1cea
Rename win_app_windows_descovery.yml to win_app_windows_discovery.yml 2019-10-27 23:15:10 +03:00
zinint
93b867024c
T1012 2019-10-27 23:13:03 +03:00
Maxime Lamothe-Brassard
60b20a76a6 Fixing handling of unsupported sources. 2019-10-27 12:37:06 -05:00
Maxime Lamothe-Brassard
0fe72d6133 Emit error on full-text searches not being supported. 2019-10-27 12:26:36 -05:00
Maxime Lamothe-Brassard
f43300af8e Fix the top level pre-condition for Windows Event Logs on LC. 2019-10-27 12:17:15 -05:00
Maxime Lamothe-Brassard
91e48d8c1b Adding setup links and fixing test that would crash Not node, but not seen in prod rules. 2019-10-27 11:56:32 -05:00
Maxime Lamothe-Brassard
8d866b0868 Adding comments. 2019-10-26 17:37:13 -05:00
Maxime Lamothe-Brassard
bc5e9bd03a Making rule output a full D&R (with the Response component) and includes a lot of metadata from the rule in the report. 2019-10-26 17:30:40 -05:00
Maxime Lamothe-Brassard
8cc3990aef Extending support for more random rules with odd names. 2019-10-26 16:59:33 -05:00
Maxime Lamothe-Brassard
4d65b62063 Adding support for generating rules for Windows builtin category for use in the External Logs of LC. 2019-10-26 16:30:50 -05:00
Maxime Lamothe-Brassard
30cc7ee809 Refactor mappings into a flat structure to account for missing parameters in some combinations. 2019-10-26 16:09:39 -05:00
Maxime Lamothe-Brassard
77329714c5 Adding service to indirection of mappings since it will be used for Windows Event Logs. 2019-10-26 16:06:42 -05:00
Maxime Lamothe-Brassard
823d86c7d9 Remove unimplemented config entries and fix bug with valueNode. 2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard
bba43c7a86 First draft of support for LimaCharlie D&R rules. 2019-10-26 15:45:48 -05:00
root
717e40e8ed modified win_susp_dxcap.yml 2019-10-26 20:27:32 +02:00
root
9bf0150100 modified win_susp_dnx.yml 2019-10-26 20:20:21 +02:00
root
3b70f2edd6 modified win_susp_dnx.yml 2019-10-26 20:16:40 +02:00
root
3528afeef7 modified win_susp_dnx.yml 2019-10-26 20:13:53 +02:00
root
1dca0456ee modified win_susp_dxcap.yml 2019-10-26 20:09:25 +02:00
root
cbe0d73ce8 add win_susp_dxcap.yml 2019-10-26 20:06:02 +02:00
root
aaf63d2238 add win_susp_dxcap.yml 2019-10-26 20:02:25 +02:00
root
0616c2c39d add win_susp_dnx.yml 2019-10-26 19:58:45 +02:00
root
ee21888e67 add win_susp_cdb.yml 2019-10-26 19:49:45 +02:00