Commit Graph

438 Commits

Author SHA1 Message Date
yugoslavskiy
81f6f24155 Update lnx_remote_system_discovery.yml 2020-10-29 02:06:20 +01:00
Alejandro Ortuno
80b1a19246 Added the space at the beginning of the IP ranges. 2020-10-28 10:16:29 +01:00
Alejandro Ortuno
3a58c00feb Removing the echo detection 2020-10-28 10:07:59 +01:00
Alejandro Ortuno
e31c8f96e9 added the category 2020-10-28 09:56:01 +01:00
Alejandro Ortuno
c83d5a3d65 Added some minor tuning of ip ranges 2020-10-26 09:45:13 +01:00
Alejandro Ortuno
11df6c2566 Sigma rule 2020-10-23 10:16:59 +02:00
Alejandro Ortuno
638fd7eeab Remote system discovery sigma rules for macos and linux 2020-10-22 10:37:29 +02:00
Alejandro Ortuno
5d37c0ee1e Added some modifications to firewall disabling 2020-10-22 10:22:00 +02:00
Ömer Günal
afe97c000c Update lnx_system_info_discovery.yml 2020-10-21 21:48:43 +03:00
Ömer Günal
9f7244f019 Update lnx_system_info_discovery.yml 2020-10-21 21:45:23 +03:00
Ömer Günal
a2a1b20335 Update lnx_process_discovery.yml 2020-10-21 21:40:46 +03:00
Mikhail Larin
c938d917f1 additional processname fix 2020-10-21 18:32:50 +03:00
Mikhail Larin
13d84ac27b rule logic fix 2020-10-21 18:32:02 +03:00
Mikhail Larin
c744a1cb47 fix rule logic 2020-10-21 18:29:06 +03:00
Mikhail Larin
7227ed0721 fix rule logic 2020-10-21 18:25:22 +03:00
Alejandro Ortuno
5e5576a91b Fix product 2020-10-21 10:13:28 +02:00
Alejandro Ortuno
aa416090e1 Initial sigma rule 2020-10-21 10:09:00 +02:00
Alejandro Ortuno
cdabf8e0e8 Sigma rules for network service scanning. 2020-10-21 09:41:40 +02:00
yugoslavskiy
81acc81d10 updated syntax a bit to re-run the test 2020-10-20 19:06:23 +02:00
yugoslavskiy
585770faa3 update syntax a bit to re-run the test 2020-10-20 17:31:00 +02:00
yugoslavskiy
462c92e522 changed the syntax a bit to re-run the test 2020-10-20 17:10:20 +02:00
Yugoslavskiy Daniil
e95749e190 fix syntax 2020-10-20 05:10:11 +02:00
Yugoslavskiy Daniil
99b40e4a6a change list of plist to contains modifier. Could be easily bypassed with endswith 2020-10-20 05:09:08 +02:00
Yugoslavskiy Daniil
cea24c9984 add macos_disable_security_tools.yml, oscd initiative issue #1012, task number 60 2020-10-20 05:06:43 +02:00
Yugoslavskiy Daniil
2890adf093 add macos_xattr_gatekeeper_bypass.yml, oscd initiative issue #1012, task number 55 2020-10-20 04:34:02 +02:00
Yugoslavskiy Daniil
5a8c7cd3f9 add missing falcond 2020-10-20 04:00:16 +02:00
Yugoslavskiy Daniil
6f3ac02cb3 add lnx_security_software_discovery.yml, oscd initiative issue #1011, task number 26 2020-10-20 03:57:41 +02:00
Yugoslavskiy Daniil
f0663c8412 add macos_security_software_discovery.yml, oscd initiative issue #1012, task number 41 2020-10-20 03:46:41 +02:00
Yugoslavskiy Daniil
491f9d023c add lnx_file_and_directory_discovery.yml, oscd initiative issue #1011, task number 18 2020-10-20 03:05:32 +02:00
Yugoslavskiy Daniil
7c50729388 add macos_file_and_directory_discovery.yml, oscd initiative issue #1012, task number 28 2020-10-20 02:58:08 +02:00
Yugoslavskiy Daniil
34591f9f64 add lnx_system_network_connections_discovery.yml, oscd initiative issue #1011, task number 8 2020-10-20 01:17:06 +02:00
Yugoslavskiy Daniil
941fbebcdc add macos_system_network_connections_discovery.yml, oscd initiative issue #1012, task number 14 2020-10-20 01:14:56 +02:00
Yugoslavskiy Daniil
272fbcc378 fix title 2020-10-20 00:47:02 +02:00
Yugoslavskiy Daniil
f0060dec67 fix title 2020-10-20 00:44:23 +02:00
Yugoslavskiy Daniil
1ecb2c1932 add lnx_base64_decode.yml, oscd initiative issue #1011, task number 4 2020-10-20 00:39:06 +02:00
Yugoslavskiy Daniil
8b01062d17 add lnx_base64_decode.yml, oscd initiative issue #1011, task number 4 2020-10-20 00:37:53 +02:00
Yugoslavskiy Daniil
cc3ef973c0 add macos_base64_decode.yml, oscd initiative issue #1012, task number 3 2020-10-20 00:36:21 +02:00
Tim I
0323e50011 Detect credential access for macOS via Keychain 2020-10-19 23:37:46 +03:00
Mikhail Larin
f75654a3f5 fix indentation 2020-10-19 18:19:38 +03:00
Mikhail Larin
fe6459d07e commit to restart checker 2020-10-19 17:20:43 +03:00
Mikhail Larin
ddc2d2635d fix wrong tactic 2020-10-19 17:16:22 +03:00
Mikhail Larin
42cc1dc552 fix non-present binary 2020-10-19 17:01:23 +03:00
Mikhail Larin
e0e81b5c25 fix newlines 2020-10-19 16:45:42 +03:00
Mikhail Larin
a64a70f7ed fix newlines 2020-10-19 16:44:18 +03:00
Mikhail Larin
85adbc3137 fix newlines 2020-10-19 16:42:43 +03:00
Mikhail Larin
008260b0e4 fix newlines 2020-10-19 16:41:24 +03:00
Mikhail Larin
058c77f6a6 fix newlines 2020-10-19 16:39:41 +03:00
Mikhail Larin
dc320e5be2 t1552.001 for lin/macOS 2020-10-19 16:34:13 +03:00
Mikhail Larin
c460dcf5de t1552.001 for lin/macos 2020-10-19 16:32:01 +03:00
Mikhail Larin
d7e8a802bd t1552.001 for Lin/macOS 2020-10-19 16:28:43 +03:00
Mikhail Larin
d9fba92adf t1030 for lin/macos 2020-10-19 16:25:31 +03:00
Mikhail Larin
c9ca0a79b6 t1070.006 for lin/macos 2020-10-19 16:17:04 +03:00
Alejandro Ortuno
41f5d7e876 Adding Ömer as leading author 2020-10-18 20:30:32 +02:00
Alejandro Ortuno
8a43dec5a3 Adding Ömer as the leading author 2020-10-18 20:28:55 +02:00
yugoslavskiy
cb8cbf5a17 Update lnx_schedule_task_job_cron.yml
to trigger a test once again)
2020-10-17 22:25:52 +02:00
yugoslavskiy
d6b64f2caf Update lnx_schedule_task_job_cron.yml
to trigger a test
2020-10-17 22:22:20 +02:00
remotephone
48cabeafe5 Updated author section 2020-10-16 22:02:58 -05:00
remotephone
8f6ce25bab Merge changes from pull 1084 with this one
https://github.com/Neo23x0/sigma/pull/1084 includes some commands I missed. This merges both and creates an OR selection condition to match both possible conditions.
2020-10-16 22:01:44 -05:00
remotephone
ffde8b0208 Update to handle different file locations 2020-10-16 21:54:41 -05:00
Mikhail Larin
29f2f1acfe added fish to macos rule 2020-10-17 02:37:21 +03:00
Mikhail Larin
65854752a9 additional shells for both rules fix 2020-10-17 02:33:32 +03:00
Mikhail Larin
fb3bee0cad title fix 2020-10-17 02:17:40 +03:00
Mikhail Larin
9b568df527 Lin/Mac T1552.003 2020-10-17 02:06:01 +03:00
Ömer Günal
26bb43eaf6 Update lnx_system_info_discovery.yml 2020-10-16 23:00:44 +03:00
Ömer Günal
a01c04018c Update lnx_password_policy_discovery.yml 2020-10-16 22:52:15 +03:00
Ömer Günal
bf12c73118 Update at_command.yml 2020-10-16 22:49:40 +03:00
Ömer Günal
723df2f15b Update lnx_system_info_discovery.yml 2020-10-16 21:08:01 +03:00
Ömer Günal
f7fbfda794 Update lnx_system_info_discovery.yml 2020-10-16 20:53:00 +03:00
Ömer Günal
2fa7008363 change reference 2020-10-16 20:42:12 +03:00
Ömer Günal
bca3c80f43 Update lnx_clear_logs.yml 2020-10-16 20:39:26 +03:00
Ömer Günal
5c34e69fc9 Update lnx_process_discovery.yml 2020-10-16 10:58:51 +03:00
Ömer Günal
0b30835b7b Update at_command.yml 2020-10-16 10:56:06 +03:00
Ömer Günal
373c637e66 Update lnx_install_root_certificate.yml 2020-10-16 10:55:31 +03:00
Ömer Günal
27dcad8ffe Update lnx_process_discovery.yml 2020-10-16 10:52:54 +03:00
Ömer Günal
68e843f0d3 Update lnx_system_info_discovery.yml 2020-10-16 10:48:36 +03:00
Ömer Günal
38c7cb7406 Update lnx_password_policy_discovery.yml 2020-10-16 10:38:36 +03:00
Ömer Günal
f1a6e980e5 added category 2020-10-16 10:33:50 +03:00
Ömer Günal
46e887ef38 Update lnx_clear_logs.yml 2020-10-16 10:32:25 +03:00
Jonhnathan
3361b62cc2 Update lnx_auditd_susp_exe_folders.yml 2020-10-15 23:09:06 -03:00
Jonhnathan
d655ebf092 Update lnx_auditd_masquerading_crond.yml 2020-10-15 23:08:08 -03:00
Jonhnathan
e26e5a1e7e Update lnx_auditd_create_account.yml 2020-10-15 23:07:39 -03:00
Jonhnathan
8fd768aa66 Update lnx_susp_ssh.yml 2020-10-15 23:05:53 -03:00
Jonhnathan
d4284e60f9 Update lnx_susp_named.yml 2020-10-15 23:04:16 -03:00
Jonhnathan
83bad3de98 Update lnx_sudo_cve_2019_14287.yml 2020-10-15 23:03:40 -03:00
Jonhnathan
0ca17e88f6 Update lnx_setgid_setuid.yml 2020-10-15 22:55:41 -03:00
Jonhnathan
68ad66f390 Update lnx_proxy_connection.yml 2020-10-15 22:54:27 -03:00
Jonhnathan
41396636f9 Update lnx_file_copy.yml 2020-10-15 22:53:20 -03:00
Jonhnathan
6185640442 Update lnx_clamav.yml 2020-10-15 22:49:42 -03:00
Yugoslavskiy Daniil
d8a6048492 update /macos_create_hidden_account.yml 2020-10-16 02:05:22 +02:00
Alejandro Ortuno
2ef52dbfd8 Initial Sigma Rule 2020-10-14 10:24:59 +02:00
Alejandro Ortuno
bf8426d71b Initial commit of sigma rule 2020-10-14 10:14:00 +02:00
Alejandro Ortuno
75a05db446 Add slash to bypass testing 2020-10-14 08:50:15 +02:00
remotephone@gmail.com
8e7fbbd147 fixing UUID and description 2020-10-14 00:54:51 -05:00
remotephone@gmail.com
ed22c8e0fe adding macos screencapture rule 2020-10-14 00:51:55 -05:00
remotephone@gmail.com
8bbde90328 adding line at end of file 2020-10-14 00:05:28 -05:00
remotephone@gmail.com
3cddb86b70 updating tags 2020-10-14 00:01:30 -05:00
remotephone@gmail.com
7343936653 adding gui input capture, first iteration 2020-10-13 23:59:53 -05:00
remotephone@gmail.com
df20d2a5d2 adding new line at end of file 2020-10-13 22:44:02 -05:00
remotephone@gmail.com
7e002fcb5f updating selections to make query more efficient and less prone to evasion 2020-10-13 22:17:26 -05:00
remotephone@gmail.com
56952ecdd4 updating to select commandline arguments correctly for macos rule, and cleaning up description across both rules 2020-10-13 22:09:37 -05:00
Alejandro Ortuno
c03a696762 additional modifications on commands and process names 2020-10-13 11:00:06 +02:00
Alejandro Ortuno
50fde8c13f minor changes on command line 2020-10-13 10:55:29 +02:00
Alejandro Ortuno
30bd626d76 Split command line and do contains all. 2020-10-13 10:51:00 +02:00
Alejandro Ortuno
7459bcd08c Use process_creation for the detection 2020-10-13 10:41:50 +02:00
remotephone@gmail.com
a85c19db17 updating files to cover broader network discovery logic, renaming alert, adding recommended changes 2020-10-13 00:39:53 -05:00
remotephone@gmail.com
7d49db3988 updating falsepositives documentation to remove line that's not applicable 2020-10-12 23:19:02 -05:00
remotephone@gmail.com
89c8a589a5 updating search syntax, splitting process name and cmdline and adding category 2020-10-12 22:49:19 -05:00
remotephone@gmail.com
476a3c04d9 Adding t1070_002 2020-10-12 00:01:10 -05:00
remotephone@gmail.com
781c7ce6dc Cleaning up falsepositives section of both rules 2020-10-11 23:52:47 -05:00
remotephone@gmail.com
48edc674bd updating keywords to CommandLine|contains and splitting rule into two 2020-10-11 22:43:28 -05:00
Yugoslavskiy Daniil
e52baddda2 improve description 2020-10-11 22:11:03 +02:00
Yugoslavskiy Daniil
7dec19afca add macos_create_hidden_account.yml; part of the oscd initiative task number 63 of the issue #1012 2020-10-11 22:01:05 +02:00
Alejandro Ortuno
d17faf8234 Local groups discovery sigma rules 2020-10-11 18:15:53 +02:00
Alejandro Ortuno
3358dd47ea macos local account creation 2020-10-11 17:56:29 +02:00
Alejandro Ortuno
418a9d5a02 Use endswith with processname 2020-10-11 09:37:08 +02:00
Alejandro Ortuno
748dccc289 additional changes to split processname and commandline 2020-10-10 13:11:17 +02:00
Alejandro Ortuno
04f415c80b Added the sigma rules per OS 2020-10-08 13:23:11 +02:00
Alejandro Ortuno
c5605ae8b6 Scheduled Cron Task/Job sigma rule 2020-10-08 13:15:02 +02:00
remotephone@gmail.com
e967cce211 change new lines to LF instead of CRLF 2020-10-07 23:02:03 -05:00
remotephone@gmail.com
9802704a2b Not sure why I'm failing the tests on a line I didn't change. Copying format from another file 2020-10-07 22:54:31 -05:00
remotephone@gmail.com
ff2ba5f876 double checking new line characters 2020-10-07 22:43:38 -05:00
remotephone@gmail.com
83ed39f95c adding UID, renaming 2020-10-07 22:25:54 -05:00
remotephone@gmail.com
4486c3ffc9 adding new line at end of file 2020-10-07 22:11:05 -05:00
remotephone@gmail.com
cde0020d30 T1016 detection rules 2020-10-07 22:09:15 -05:00
Ömer Günal
eac5ac9fc1 removed duplicate filter 2020-10-08 00:18:38 +03:00
Ömer Günal
e6588c08f4 Create lnx_system_info_discovery.yml 2020-10-08 00:15:46 +03:00
Ömer Günal
2cea3800de Create lnx_password_policy_discovery.yml 2020-10-08 00:14:40 +03:00
Ömer Günal
f00e79d123 Create lnx_file_deletion.yml 2020-10-07 22:28:37 +03:00
Ömer Günal
18821d2255 Create lnx_clear_logs.yml 2020-10-07 22:27:06 +03:00
Ömer Günal
d44ef84b55 Update lnx_process_discovery.yml 2020-10-07 22:26:02 +03:00
Ömer Günal
d328f92503 Update at_command.yml 2020-10-07 22:23:48 +03:00
Ömer Günal
bdabb14483 Update at_command.yml 2020-10-07 22:22:31 +03:00
Ömer Günal
7b29e3a35f Update lnx_install_root_certificate.yml 2020-10-07 22:20:17 +03:00
Ömer Günal
8ea054ff0b Update at_command.yml 2020-10-07 00:07:30 +03:00
Ömer Günal
b0b72de94d Create lnx_process_discovery.yml 2020-10-06 23:52:06 +03:00
Ömer Günal
7b39e76192 Create at_command.yml 2020-10-06 23:48:25 +03:00
Ömer Günal
759268108f rename filename 2020-10-06 09:04:36 +03:00
Ömer Günal
0e7eb32f62 update description 2020-10-05 20:22:43 +03:00
Ömer Günal
1e7a47440f Install Root Certificate 2020-10-05 20:21:20 +03:00
Florian Roth
d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
Mike Wade
8ce73bd8df Fixed issues with tags and missing files 2020-09-15 06:10:57 -06:00
Mike Wade
52ab677798 Fixed my git issue 2020-09-13 22:03:04 -06:00
Florian Roth
de5444a81e Merge pull request #989 from oscd-initiative/master
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth
af3b93a522 Merge pull request #914 from omergunal/ogunal-2
New rules for Linux
2020-09-07 09:41:43 +02:00
Timur Zinniatullin
8dba6ceee6 2nd review 2020-08-25 09:31:38 +03:00
Timur Zinniatullin
1244cacfbf Update lnx_auditd_create_account.yml 2020-08-25 09:20:27 +03:00
Timur Zinniatullin
72fdf0da45 Update lnx_auditd_susp_cmds.yml 2020-08-04 20:00:30 +03:00
Timur Zinniatullin
4e688233d7 ATT&CK mapping update suggestions for \linux\ 2020-08-04 19:48:18 +03:00
Florian Roth
1c63a93643 fix: wrong casing in tag 2020-07-13 16:20:51 +02:00
viniciusvec
26f0d49772 Update lnx_shell_clear_cmd_history.yml
Renamed tags to match production MITRE: https://attack.mitre.org/techniques/T1070/003/
2020-07-13 14:06:14 +01:00