megan201296
440b0ddffe
Update sysmon_susp_powershell_parent_combo.yml
2018-10-09 19:11:17 -05:00
megan201296
b0983047eb
Update sysmon_powersploit_schtasks.yml
2018-10-09 19:10:37 -05:00
megan201296
2f533c54b3
Update sysmon_powershell_network_connection.yml
2018-10-09 19:10:17 -05:00
megan201296
1b92a158b5
Add MITRE ATT&CK Tagging
2018-10-09 19:09:19 -05:00
megan201296
ffbb968fcd
Update sysmon_cmstp_com_object_access.yml
...
Edit tule logic for `and` instead of `or
2018-10-09 19:03:30 -05:00
Florian Roth
182781229c
Merge pull request #184 from megan201296/patch-14
...
Remove duplicate value
2018-10-09 09:37:54 +02:00
megan201296
7997cb3001
Remove duplicate value
2018-10-08 13:00:59 -05:00
Michael H
bbb67fbba4
Adding support for reading sigma rule from stdin in sigmac
2018-10-07 10:11:47 -05:00
Michael H
aabaa0257b
Merge branch 'master' of https://github.com/Neo23x0/sigma
2018-10-06 20:12:15 -05:00
Michael H
4b85a34b34
Added CSV option to powershell backend
2018-10-06 20:08:20 -05:00
Florian Roth
54678fcb36
Rule: CertUtil UA
...
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
Thomas Patzke
4eeb07a736
Merge pull request #181 from droe/optimizer-comments
...
Improve the comments on the optimizer
2018-10-03 23:11:10 +02:00
Daniel Roethlisberger
fc45df144c
Improve the comments on the optimizer
2018-10-03 13:44:03 +02:00
Thomas Patzke
143f8644c6
Merge pull request #180 from droe/refactor-optimizer
...
Move optimizer to sigma.parser.condition to enable it for all backends
2018-10-03 00:34:14 +02:00
Daniel Roethlisberger
87aa1b5521
Move optimizer to sigma.parser.condition to enable it for all backends
2018-10-03 00:24:31 +02:00
Thomas Patzke
2ac19d32a1
Merge pull request #178 from droe/ast_optimizer
...
Optimize the boolean expressions in the AST before generating output
2018-10-02 23:06:55 +02:00
Daniel Roethlisberger
cd3661b60c
Fix optimization of NOT corner cases
2018-10-02 22:48:33 +02:00
Thomas Patzke
14c5dcf413
Merge pull request #179 from droe/tempfile-mktemp
...
Use mktemp if tempfile is not available, fixes `make` for macOS
2018-10-02 22:44:48 +02:00
Daniel Roethlisberger
85ad10d558
Use mktemp if tempfile is not available, fixes make
for macOS
2018-10-02 22:17:03 +02:00
Daniel Roethlisberger
bed88cf813
Make uniq work for lists within definitions
2018-10-02 22:12:54 +02:00
Daniel Roethlisberger
7165128fa5
Remove None from AST - fixes None-related test failures
2018-10-02 21:44:37 +02:00
Daniel Roethlisberger
2242fc5ac8
Optimize the boolean expressions in the AST before generating output
...
Add code optimizing the boolean expressions in the abstract syntax tree
before generating output using the backend.
The main idea behind optimizing the AST is that less repeated terms is
generally better for backend performance. This is especially relevant
to backends that do not perform any query language optimization down
the road, such as those that generate code.
The following optimizations are currently performed:
- Removal of empty OR(), AND()
- OR(X), AND(X) => X
- OR(X, X, ...), AND(X, X, ...) => OR(X, ...), AND(X, ...)
- OR(X, OR(Y)) => OR(X, Y)
- OR(AND(X, ...), AND(X, ...)) => AND(X, OR(AND(...), AND(...)))
- NOT(NOT(X)) => X
A common example for when these suboptimal rules actually occur in
practice is when a rule has multiple alternative detections that are
OR'ed together in the condition, and all of the detections include a
common element, such as the same EventID.
This implementation is not optimized for performance and will perform
poorly on very large expressions.
2018-10-02 21:14:25 +02:00
Florian Roth
85f0ddd188
Delete win_alert_LSASS_access.yml
2018-10-02 16:48:09 +02:00
Florian Roth
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml
2018-10-02 08:56:09 +02:00
Florian Roth
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml
2018-10-02 08:55:48 +02:00
Florian Roth
aafe9c6dae
Delete sysmon_lethalHTA.yml
2018-10-02 08:55:19 +02:00
Florian Roth
f29ffc0697
Merge pull request #174 from esebese/patch-1
...
sysmon_susp_run_key_img_folder.yml - Rule simplification
2018-10-01 14:24:54 +02:00
Florian Roth
bbddcd0f9a
Merge pull request #176 from Karneades/fix-missing-list-handling
...
Add missing event id list handling in PowerShell backend
2018-10-01 14:23:48 +02:00
Karneades
468af42de5
Add missing event id list handling in PowerShell backend
2018-09-29 14:43:28 +02:00
Florian Roth
f2d83a5a00
Merge pull request #175 from Karneades/fix-powershell-backend
...
Improve default field handling in PowerShell backend
2018-09-29 14:08:30 +02:00
Karneades
c289484c5c
Improve default field handling in PowerShell backend
2018-09-29 12:29:44 +02:00
Ensar Şamil
dec7568d4c
Rule simplification
...
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
Florian Roth
1c2431f33b
Merge pull request #169 from Karneades/fix-aggregation-exeption
...
Add rule filename to "not implemented" exception output
2018-09-26 11:50:25 +02:00
Florian Roth
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
...
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
Florian Roth
38d17e5169
Merge pull request #173 from b2az/patch-1
...
Missing Character
2018-09-26 11:49:17 +02:00
Florian Roth
a2c6f344ba
Lower case T
2018-09-26 11:44:12 +02:00
Braz
f35308a4d3
Missing Character
...
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
Florian Roth
815236449b
Added PowerShell as target, updated project list
2018-09-24 13:44:14 +02:00
Florian Roth
d0a527af5e
Merge pull request #172 from Karneades/powershell-backend
...
Add initial version of the PowerShell backend
2018-09-24 13:30:24 +02:00
Florian Roth
14337a2aac
Tests: PowerShell backend tests
2018-09-24 13:23:38 +02:00
Florian Roth
2766d8f881
Merge pull request #171 from Karneades/fix-certutil
...
Fix CommandLine in rule sysmon_susp_certutil_command
2018-09-24 07:51:07 +02:00
Karneades
c66b00356d
Add initial version of PowerShell backend
...
* Add PowerShell backend
* Add PowerShell config file
State: Work in progress :)
See https://github.com/Neo23x0/sigma/issues/94
2018-09-23 21:41:48 +02:00
Florian Roth
edf8dde958
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
Karneades
c73a9e4164
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
...
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.
We could also use both the Image path and the Command Line.
Message : Process Create:
Image: C:\Windows\SysWOW64\certutil.exe
CommandLine: certutil xx -decode xxx
Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
Karneades
cc82207882
Add group by to win multiple suspicious cli rule
...
* For the detection it's important that these cli
tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
Karneades
fe6f4c7475
Add rule filename to exception output for unsupported aggregation
2018-09-23 19:12:50 +02:00
Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Thomas Patzke
1d12fc290c
Added Winlogbeat configuration
2018-09-20 12:08:11 +02:00
Florian Roth
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00