Kevin Dienst
98471bc53c
Update proxy_raw_paste_service_access.yml
Add another paste provider website, ghostbin.co, to the list. Note that saved pastes generate pseudo-random 5-character strings before being suffixed with `/raw` at the end of the URL, e.g. `https://ghostbin.co/paste/y4e9a/raw`.
Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported; I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to the end and beginning of each selection. If this regex isn't going to work, then I'd imagine we just have to remove the `.+/raw/` from the URI.
2020-02-03 07:29:42 -06:00
Florian Roth
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
Florian Roth
617ece1aa2
fix: fixed missing date fields in proxy rules
2020-01-30 15:20:52 +01:00
Florian Roth
1b42f2a0e2
Merge pull request #561 from Neo23x0/devel
Devel
2019-12-12 13:34:58 +01:00
Florian Roth
67dfd729fd
rule: extended Proxy UA suspicious rule
2019-12-12 10:42:23 +01:00
Florian Roth
9c59e3cf13
Merge branch 'master' into devel
2019-12-12 09:40:02 +01:00
Florian Roth
065df363dc
rule: added Empire UA
2019-12-12 09:39:28 +01:00
Thomas Patzke
a9d6158dde
Merge branch 'rules'
2019-12-09 16:17:39 +01:00
Thomas Patzke
2ea87f187c
Added Ursnif proxy detections
2019-12-09 16:02:10 +01:00
Thomas Patzke
991108e64d
Further proxy field name fixes (config + rules)
2019-12-07 00:23:30 +01:00
Thomas Patzke
dd8442590f
Fixed proxy rule field names
2019-12-07 00:11:33 +01:00
Kevin Dienst
865251238f
Add hastebin raw URI to contains selection
2019-12-05 14:16:20 -06:00
Florian Roth
8e107f43a2
rule: raw paste service access
2019-12-05 08:54:49 +01:00
Thomas Patzke
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
Thomas Patzke
ffdf312932
Added Ursnif user agents
2019-11-12 08:52:37 +01:00
Florian Roth
66a32549f1
rule: proxy malware ua - Zebrocy
2019-10-26 14:20:29 +02:00
Florian Roth
4e7ad5c948
rule: added date to crypto miner rule
2019-10-21 13:24:33 +02:00
Florian Roth
e8963b2599
rule: crypto miner user agents in proxy logs
2019-10-21 13:21:50 +02:00
Florian Roth
9457f01c29
Update proxy_ios_implant.yml
2019-10-21 11:20:11 +02:00
Florian Roth
f8d8eb7948
Update proxy_chafer_malware.yml
2019-10-21 11:19:59 +02:00
a2tf
a2753ba5a6
rule: changed two proxy rules from uri-query to url
2019-10-18 14:15:39 +00:00
Florian Roth
7b8b1db241
rule: proxy ua unknown zero day implant
2019-09-24 18:24:48 +02:00
Florian Roth
7cc26e30b4
docs: renamed file name
2019-08-30 12:04:20 +02:00
Florian Roth
f8785e722f
docs: changed title and description of rule
2019-08-30 12:03:42 +02:00
Florian Roth
ba46d6b4de
docs: added reference to rule
2019-08-30 11:55:02 +02:00
Florian Roth
398ef9c6aa
rules: teardown implant, apt28 ua
2019-08-30 11:53:55 +02:00
Florian Roth
a3349823e5
rule: implant teardown
2019-08-30 11:48:51 +02:00
Florian Roth
8a078b6c86
rule: APT28 UA
2019-08-30 11:48:38 +02:00
Thomas Patzke
407d8214f7
Added APT40 Dropbox exfiltration proxy rule
2019-06-07 14:03:41 +02:00
Florian Roth
5249279a66
Rule: another MSF payload user agent
2019-04-20 09:38:41 +02:00
Florian Roth
fe9e50167f
Rule: renamed bitsadmin rule
2019-03-08 16:25:16 +01:00
Florian Roth
49532438eb
Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
Florian Roth
ae1541242c
New custom suspicious TLD in rule ".pw"
2019-03-03 10:58:12 +01:00
Florian Roth
c2eda887fa
Rule: Suspicious Windows NT 9 UA
2019-02-12 10:33:33 +01:00
Thomas Patzke
d43e67a882
Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development
2019-02-10 00:00:45 +01:00
Florian Roth
7e732a2a89
Merge pull request #232 from TareqAlKhatib/duplicate_filters
Duplicate filters
2019-02-09 09:23:57 +01:00
Unknown
22b67a67ac
Initial Commit Cobalt Malleable for OneDrive
2019-02-06 10:59:02 +01:00
Unknown
353f66dd7c
CobaltStrike Malleable OCSP Profile with Typo (OSCP) in URL
2019-02-06 10:58:48 +01:00
Florian Roth
abf5a5088e
Rule: more malicious UAs
2019-02-05 14:35:23 +01:00
Florian Roth
27c2684a0f
Rule: Chafer malware proxy pattern
2019-01-31 12:31:48 +01:00
Tareq AlKhatib
7e4bb1d21a
Removed duplicate filters
2019-01-25 12:21:57 +03:00
Florian Roth
a7fa20546a
Rule: proxy user agents updated with MacControl user agent
2018-12-17 14:18:03 +01:00
Thomas Patzke
a1940c6eaa
Simplified rule
2018-11-21 22:34:04 +01:00
Florian Roth
3c3b14a26b
rule: new malware UA
2018-10-10 15:27:58 +02:00
Florian Roth
54678fcb36
Rule: CertUtil UA
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
Thomas Patzke
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
Florian Roth
5d714ab44e
Rule: Added malware UA
2018-09-08 10:22:26 +02:00
Unknown
863736587c
Adding ATTCK
2018-09-08 09:34:27 +02:00
Unknown
d866097c07
CobaltStrike Malleable Amazon browsing traffic profile
2018-09-07 19:52:35 +02:00
Unknown
cf48a77d5a
Adding CMStar user-agent "O/9.27 (W; U; Z)"
2018-09-07 09:07:24 +02:00
Florian Roth
ec1bd77f2e
Rule: Proxy UA rule update - from Kaspersky report
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
2018-09-05 20:39:19 +02:00
Florian Roth
1c87f77223
Rule: Fixed false positive in suspicious UA rule
2018-09-04 11:33:05 +02:00
Florian Roth
7c05b85bcd
rule: Added malware UA
2018-08-15 12:33:03 +02:00
Florian Roth
48582a1c93
Bugfix in Flash Downloader Rule
2018-06-30 23:39:38 +02:00
Florian Roth
b05856eae1
Rule: Update suspicious TLD downloads
2018-06-13 00:08:46 +02:00
Florian Roth
f6f718c54f
Cosmetics
2018-06-10 10:28:59 +02:00
yt0ng
3166bf5b05
Update proxy_ua_apt.yml
User-Agent seen in https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
2018-06-10 10:17:02 +02:00
Florian Roth
bd61f223ee
Sofacy Zebrocy samples
2018-06-06 23:24:18 +02:00
Florian Roth
667b3b4935
Rule: Added 2 more Sofacy User-Agents
2018-06-06 22:38:50 +02:00
Florian Roth
9640806678
Rules: Telegram Bot API access
2018-06-05 16:25:43 +02:00
Florian Roth
51c6d0a767
Rule: Proxy User-Agent VPNFilter
2018-05-24 00:34:07 +02:00
Matthew Green
16365b7793
Update_WebDAV
Made the name a bit generic as WebDAV can be used by several download cradles.
Added in HttpMethod as a select, as GET requests make for a great filter point with far fewer false positives.
2018-05-16 13:05:15 +10:00
Florian Roth
ae6df590a9
Delphi downloader https://goo.gl/rMVUSM
2018-04-24 23:23:21 +02:00
Florian Roth
8ddd40e18e
PowerShell Cradle - WebDAV UA
2018-04-09 08:37:30 +02:00
Florian Roth
6eb8cdfeab
TSCookie UA
2018-04-09 08:37:30 +02:00
Florian Roth
6e0cc193c7
Rule: Pony / Fareit UA
2018-03-01 09:28:04 +01:00
Florian Roth
058d719e2b
Rule update: Proxy UA > Loki Bot
2018-02-12 10:08:32 +01:00
Florian Roth
1382edb5e3
Cosmetics
2018-02-09 10:13:39 +01:00
Florian Roth
34e0352a21
Rule: Proxy UAs - malware - Ghost419
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
2018-02-03 14:47:04 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change all "str" references to be "list" to match schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Florian Roth
aca70e57ec
Massive Title Cleanup
2018-01-27 10:57:30 +01:00
Florian Roth
fd801a61a5
Bronze Butler Daserf malware User Agents in Proxy Logs
2017-11-08 12:52:11 +01:00
Florian Roth
e5383be163
Rule: Proxy suspicious downloads from Dyndns hosts
2017-11-08 11:32:30 +01:00
Florian Roth
4540088aa9
Rule: Extended proxy suspicious TLD white list rule
2017-11-08 00:38:26 +01:00
Florian Roth
acc430c4b6
Rule: Proxy download from blacklisted TLDs
2017-11-07 14:03:16 +01:00
Florian Roth
58f20d3cfb
Rule: Proxy download whitelist bugfix and improvements
2017-11-07 14:02:56 +01:00
Florian Roth
e680da1b50
Suspicious flash player download location / BadRabbit
2017-10-25 08:40:30 +02:00
Florian Roth
f4720d5149
APT17 malware UA
https://twitter.com/cyb3rops/status/915135877709549568
2017-10-03 12:47:53 +02:00
Thomas Patzke
986c9ff9b7
Added field names to first rules
2017-09-12 23:54:04 +02:00
Thomas Patzke
5c465129bd
Fixed rules
* Replaced unspecified logsource attribute 'type' with 'category'
* Usage of service 'auth' for linux logs
2017-09-11 00:35:52 +02:00
Florian Roth
433293ea40
'ruler' User Agent
https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
2017-07-22 09:24:45 -06:00
Florian Roth
4bff14acd1
User-Agent rules split up in separate files
2017-07-08 09:59:05 -06:00
Florian Roth
eeb31964da
User-Agent Rules
2017-07-08 08:37:44 -06:00
Florian Roth
cf42847b74
Suspicious User Agent strings
2017-07-07 20:53:22 -06:00
Florian Roth
cec48ece04
Suspicious User-Agent Strings, starting with empty value
2017-07-07 18:38:32 -06:00
Florian Roth
a87d513efa
Rule: Suspicious executable downloads
2017-03-13 16:11:43 +01:00
Florian Roth
b8db4935e0
Rule: PowerShell UserAgent in Proxy Logs
2017-03-13 13:51:32 +01:00