Commit Graph

7512 Commits

Author SHA1 Message Date
phantinuss
246ba0c17f
generalise amsi bypass rule to CobaltStrike BOF injection pattern
generalise to CobaltStrike BOF injection pattern
2021-08-13 15:34:01 +02:00
frack113
1b480f2ee6
Merge pull request #1819 from frack113/split_1802_builtin
Correct lists with only 1 value
2021-08-13 12:43:26 +02:00
frack113
5e42187062 remove change for Message rule 2021-08-13 11:01:33 +02:00
Max Altgelt
e1ef8f4055
fix: Rewrite another message rule
Rewrites another message rule. This one is a bit more complex
since a bitmap is used and the string representation is not
available.
2021-08-13 10:28:34 +02:00
frack113
abcaf00aee
Merge pull request #1818 from frack113/split_1802_net
Correct lists with only 1 value
2021-08-13 10:17:24 +02:00
frack113
f9ac934a57
Merge pull request #1816 from frack113/split_1802_a
Correct lists with only 1 value
2021-08-13 10:05:32 +02:00
Thomas Patzke
e2fbe06585
Merge pull request #1833 from wagga40/master
Add an option to enhance the default output by choosing more fields + JSON/YAML
2021-08-13 07:50:57 +02:00
Wagga
4d53e4b040
Merge branch 'master' into master 2021-08-12 22:49:11 +02:00
Thomas Patzke
1b215e3aaf
Merge pull request #1828 from wietze/optimisation/nesting_reduction
Optimising lists/subexpressions with only one item
2021-08-12 22:41:17 +02:00
Thomas Patzke
8694afe023
Merge pull request #1779 from frack113/elastalert
Fix elastalert multi output file
2021-08-12 22:40:36 +02:00
frack113
62e541ec7f
Merge pull request #1784 from frack113/winlogbeat-modules-enabled
Update Mapping Winlogbeat modules enabled
2021-08-12 19:14:17 +02:00
Wietze
17595e2443
Enabling Linux/macOS support on MDATP, fixing incorrect parent cmd mappings 2021-08-12 18:07:13 +01:00
Max Altgelt
6f05e33feb
fix: Correct incorrect message / keyword usage
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
wagga40
13a3e78184 Fix options: removed "raw" 2021-08-12 15:54:02 +02:00
wagga40
cbb03db2dd Fix the way YAML is dumped 2021-08-12 15:28:45 +02:00
wagga40
c165783fff Add an option to enhance default output by choosing fields
Add an option to output in JSON or YAML
2021-08-12 15:26:46 +02:00
Florian Roth
62c9468180
Merge pull request #1832 from SigmaHQ/rule-devel
Whoami Refactoring
2021-08-12 14:28:28 +02:00
Florian Roth
d9d543e545
refactor: removed OriginalFileName from rule to improve compatibility 2021-08-12 13:28:24 +02:00
Florian Roth
34d70de084
rule: whoami anomalies 2021-08-12 13:28:00 +02:00
Florian Roth
bd0a2a1b9f
rule: renamed whoami 2021-08-12 13:27:51 +02:00
Florian Roth
80e686994c
Merge pull request #1824 from frack113/add_list_test_warning
Sigma Schema add new Attribute and test
2021-08-12 12:18:29 +02:00
Florian Roth
418a0bbf7e
Merge pull request #1827 from phantinuss/master
2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
2021-08-12 11:41:50 +02:00
Florian Roth
6ed62b431e
Merge pull request #1830 from SigmaHQ/rule-devel
SystemNightmare and Typo
2021-08-12 11:41:16 +02:00
Florian Roth
852d7a8b22
fix: typo in description 2021-08-12 10:11:17 +02:00
Florian Roth
08883c8e32
refactor: removed old rule that uses Message field
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
2021-08-12 09:27:50 +02:00
frack113
278edffbbd
Merge pull request #1829 from SigmaHQ/frack113-patch-1
fix duplicate id
2021-08-12 06:19:18 +02:00
frack113
b144523ad2
fix duplicate id 2021-08-11 22:37:01 +02:00
frack113
4c2159455d
Merge pull request #1821 from austinsonger/gcp_kubernetes_role_access.yml
gcp_kubernetes_rolebinding.yml
2021-08-11 20:58:52 +02:00
frack113
b2a0d97b5e
Merge pull request #1822 from austinsonger/gcp_kubernetes_secrets_modified_or_deleted.yml
gcp_kubernetes_secrets_modified_or_deleted.yml
2021-08-11 20:58:07 +02:00
Wietze
7ba375dea0
Optimising lists/subexpressions with length 1
Should reduce brackets on some output targets
2021-08-11 18:00:09 +01:00
Austin Songer
22d672187c
Update gcp_kubernetes_secrets_modified_or_deleted.yml 2021-08-11 11:26:32 -05:00
Austin Songer
ae85bf2b28
Update gcp_kubernetes_rolebinding.yml 2021-08-11 11:26:14 -05:00
Austin Songer
9b9d3c28c7
Update gcp_kubernetes_secrets_modified_or_deleted.yml 2021-08-11 11:24:40 -05:00
Austin Songer
4aec212e08
Update gcp_kubernetes_rolebinding.yml 2021-08-11 11:24:15 -05:00
phantinuss
a880663d51
fix: add missing 'all of' for 'and' conjunction of the assignment keywords 2021-08-11 17:46:10 +02:00
phantinuss
1c919c07c7
exchange mailbox export with generic keyword search (Message is not a real field) 2021-08-11 16:57:15 +02:00
frack113
f4268d8054
Merge pull request #1707 from heyibrahimkhan/patch-6
Create ala-suricata.yml
2021-08-11 15:55:44 +02:00
frack113
32fc191163
fix cs-uri-query and cs-uri-stem 2021-08-11 15:09:53 +02:00
frack113
5e5ac8479c Add tlp and target Attribute 2021-08-11 14:26:20 +02:00
frack113
ff5c9116a4
Update to w3c-logging 2021-08-11 11:28:04 +02:00
Florian Roth
c8d481fd83
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-11 10:10:32 +02:00
Florian Roth
c1f9c33730
rule: SystemNightmare 2021-08-11 10:10:30 +02:00
Florian Roth
d9d1e2c578
Merge pull request #1823 from SigmaHQ/rule-devel
rule: ProxyLogon rule for MS Exchange
2021-08-11 09:43:41 +02:00
phantinuss
62eca463ac
new rule LittleCorporal generated maldoc process injection 2021-08-11 09:25:23 +02:00
Thomas Patzke
3dea956812
Merge pull request #1789 from frack113/fix_issue_1771
add hash_normalise option for ElasticsearchWildcardHandlingMixin
2021-08-11 08:21:43 +02:00
frack113
63ead346e8
fix modified value 2021-08-10 19:09:34 +02:00
frack113
e43b917dab fix space error 2021-08-10 17:35:32 +02:00
Florian Roth
73a4bd74dc
fix: FPs script exec from temp 2021-08-10 17:10:46 +02:00
frack113
3a3da5b376
Merge pull request #1826 from JonGalarneau/patch-1
Correcting regex in win_modif_of_services_for_via_commandline.yml
2021-08-10 16:23:29 +02:00
frack113
6d869feb43
update modified 2021-08-10 15:12:45 +02:00