valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,782 Commits 20 Branches 25 Tags 21 MiB
73bc514f60
Commit Graph

3782 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
73bc514f60 fix: 1 of them / one selection 2020-09-02 12:34:35 +02:00
Florian Roth
7ddb63ec1b fix: FPs with McAfee and CyberReason 2020-09-02 12:30:34 +02:00
Florian Roth
7d3a6293f5 rule: Snatch ransomware 2020-08-26 09:42:34 +02:00
Florian Roth
da54e89f30
Merge pull request #976 from diskurse/rule-devel 
Rule devel
 2020-08-17 15:02:31 +02:00
Florian Roth
8a02541b0a
style: removed lists where unnecessary 2020-08-17 15:02:16 +02:00
Florian Roth
6dc8dbb6d8
style: removed lists where unnecessary 2020-08-17 15:01:52 +02:00
Cian Heasley
b378b3d62b
win_mouse_lock.yml 
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 2020-08-13 12:09:07 +01:00
Cian Heasley
6fa5a6c93d
Delete win_mouse_lock.yml 2020-08-13 12:08:04 +01:00
Cian Heasley
b8b4ab5a2a
win_mouse_lock.yml 
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 2020-08-13 12:07:34 +01:00
Cian Heasley
d1e9f01d23
win_dnscat2_powershell_implementation.yml 
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
 2020-08-13 12:06:48 +01:00
Florian Roth
052379a512 fix: tightened TAIDOOR rule 2020-08-04 14:37:18 +02:00
Florian Roth
c4953409aa rule: TAIDOOR malware load 
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 2020-08-04 14:31:29 +02:00
Florian Roth
5625f471d7
Merge pull request #963 from diskurse/rule-devel 
win_webshell_regeorg.yml
 2020-08-03 13:51:16 +02:00
Florian Roth
3abc3d0a76
docs: add FP condition 2020-08-03 13:50:47 +02:00
Florian Roth
6f7aecbe06
fix: preventive change to avoid FPs 2020-08-03 13:49:52 +02:00
Cian Heasley
de33b953ba
Add files via upload 
Webshell ReGeorg Detection Via Web Logs
 2020-08-03 12:20:04 +01:00
Florian Roth
df3bfb1b37 rule: Winnti Pipemon 2020-07-30 18:55:47 +02:00
Florian Roth
5abf101c0b
Merge pull request #954 from Neo23x0/rule-devel 
Rule devel
 2020-07-28 10:22:52 +02:00
Florian Roth
8970d03f6f
Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00
Florian Roth
80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
Florian Roth
051e2ce905 feat: detect duplicate tags 2020-07-27 11:37:58 +02:00
Thomas Patzke
481b695eff
Merge pull request #950 from barvhaim/master 
STIX Backend bug-fix and mapping updates
 2020-07-26 18:33:35 +02:00
bar
32cf352236 Merge remote-tracking branch 'upstream/master' 2020-07-26 14:56:06 +03:00
bar
9643e01b54 extension should use '..' 2020-07-26 12:16:48 +03:00
Thomas Patzke
dcb07bab2f
Merge pull request #949 from 0xballistics/powershell_backend_fix 
partial(?) fix of #762
 2020-07-25 10:18:05 +02:00
Florian Roth
a0ac6c46c7
Merge pull request #948 from IPv777/patch-1 
remove duplicate tag
 2020-07-24 20:32:40 +02:00
Simran Kaur Soin
b8b1f83ae6
Merge pull request #3 from simrankaursoin/master 
Fix bug with NOT handling
 2020-07-24 11:55:17 -04:00
IPv777
77a8ac59ef
remove duplicate 2020-07-24 16:38:08 +02:00
Florian Roth
a55630f02c
Merge pull request #947 from ryanplasma/master 
Minor fixes to two rules
 2020-07-24 09:25:55 +02:00
Ryan Plas
aa548ba1a9 Add quotes due to a colon in the falsepositives string 2020-07-23 23:33:36 -04:00
Ryan Plas
e52489aaf6 Change production status to stable 2020-07-23 23:33:36 -04:00
Simran Soin
c329f6412d Fix bug with NOT handling 2020-07-23 11:47:55 -04:00
Simran Kaur Soin
7e32557ffc
Merge pull request #2 from simrankaursoin/master 
Update base.py and qradar.py
 2020-07-23 11:12:17 -04:00
Florian Roth
8a4b53eb3a fix: rule leads to FPs on systems that don't log the cmdline parameters 2020-07-23 17:04:16 +02:00
Simran Soin
6c7b4cf408 Revert additional change in base.py 2020-07-23 10:47:22 -04:00
Simran Soin
ef9af3730a Remove unnecessary edits from qradar.py 2020-07-23 10:34:29 -04:00
Simran Soin
0e49a6acdf Default NOT to false for all functions 2020-07-23 10:18:16 -04:00
Simran Soin
0fac21f4a3 Remove modifications from base file and override in stix.py 2020-07-23 10:13:30 -04:00
Simran Kaur Soin
a03d1b091e
Merge pull request #1 from simrankaursoin/master 
Fix NOT bug
 2020-07-23 09:50:18 -04:00
Simran Soin
30ff22776a Fix NOT bug 2020-07-23 09:41:33 -04:00
Florian Roth
951c6fee8b
Update sysmon_password_dumper_lsass.yml 2020-07-23 14:31:21 +02:00
bar
5019f2f160 added mapping for stix web, cloud, linux 2020-07-22 21:41:46 +03:00
Florian Roth
02a6b20f5f
Merge pull request #944 from rtkdmasse/update-rule-selections 
Add 'contains' for the ps encoded chars rule
 2020-07-22 17:48:18 +02:00
Daniel Masse
13cf0488ae Add 'contains' for the ps encoded chars rule 2020-07-22 10:49:22 -04:00
Florian Roth
db98fe79b0 Revert "rule: update - MATA framework UserAgent" 
This reverts commit 81ef0137c5.
 2020-07-22 14:02:51 +02:00
Florian Roth
81ef0137c5 rule: update - MATA framework UserAgent 2020-07-22 14:02:13 +02:00
Florian Roth
9682d37ead
Merge pull request #941 from architect00/master 
fixed wrong function call for elastalert aggregation. fixes #940
 2020-07-22 13:13:18 +02:00
Florian Roth
769a9212a5
Merge pull request #943 from diskurse/rule-devel 
Webshell Recon Detection Via CommandLine & ProcessesAdd files via upload
 2020-07-22 13:02:44 +02:00
Cian Heasley
023bf76363
Add files via upload 
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
 2020-07-22 09:05:50 +01:00
bar
0543ec1ae3 mapping update, removed unused fields 2020-07-21 19:49:26 +03:00