valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,781 Commits 20 Branches 25 Tags 21 MiB
7ddb63ec1b
Commit Graph

1892 Commits

Author SHA1 Message Date
Florian Roth
741d42ce88 fix: issue reported as https://github.com/Neo23x0/sigma/issues/923 2020-07-14 17:59:59 +02:00
Florian Roth
58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Ryan Plas
04fd598bcf Update additional rules to have correct logsource attributes 2020-07-13 17:02:17 -04:00
Pushkarev Dmitry
efe720d44e Added new rule. AppLocker 2020-07-13 20:51:48 +00:00
Bart
308420bf7f
Update sysmon_dllhost_net_connections.yml 
Fix @
 2020-07-13 21:20:55 +02:00
Bart
007f62ba01
Add Dllhost WAN access 2020-07-13 21:12:37 +02:00
Florian Roth
f12cb7309b fix: references is not a list 2020-07-13 17:37:03 +02:00
Florian Roth
437a567e4f
Merge pull request #917 from Neo23x0/rule-devel 
New Empire Rules and Updates
 2020-07-13 16:37:59 +02:00
Florian Roth
557e8b0faf rule: improved Empire detection 2020-07-13 15:47:53 +02:00
Florian Roth
7e8aa7b12b
Merge pull request #915 from Neo23x0/rule-devel 
rule: regsvr32 flags anomaly
 2020-07-13 12:16:05 +02:00
Florian Roth
7a63fd56da rule: regsvr32 flags anomaly 2020-07-13 11:59:44 +02:00
Ryan Plas
25d978d9bd Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values 2020-07-11 22:17:06 -04:00
Florian Roth
3ab5eb97d8
Merge pull request #901 from brachera/master 
rule: Leviathan registry key
 2020-07-10 16:42:02 +02:00
Florian Roth
49aa0b4621
Merge pull request #909 from EccoTheFlintstone/fp2 
add WMI module load false positive
 2020-07-10 15:45:53 +02:00
Florian Roth
5de82628fa
Update sysmon_apt_leviathan.yml 2020-07-10 15:41:55 +02:00
Florian Roth
168952840b
Merge pull request #910 from Neo23x0/rule-devel 
Rule devel
 2020-07-10 14:17:22 +02:00
Florian Roth
268a28daed rule: Evilnum Golden Chicken rule OCX 2020-07-10 13:02:52 +02:00
ecco
e30eaa0202 be more specific about file location 2020-07-09 13:33:59 -04:00
ecco
94e3bd9e6b add WMI module load false positive 2020-07-09 13:32:21 -04:00
ecco
905f1b3823 add WMI and powershell false positives 2020-07-09 10:26:54 -04:00
Florian Roth
7949729fa4 rule: PowerShell encoded character syntax 2020-07-09 08:52:32 +02:00
Florian Roth
e3734aaa27
fix: missing upper tick 2020-07-08 15:53:04 +02:00
GelosSnake
efae210556
adding google chrome to FP list 
legitimate errors generated by Google Chrome are reported often.

Official google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
 2020-07-08 16:44:41 +03:00
Thomas Patzke
205b584e80 Merge branch 'pr-829' 2020-07-07 23:42:57 +02:00
Thomas Patzke
3e17cc1900
Merge pull request #894 from caliskanfurkan/master 
ditsnap, a credential access tool used in ransomware attacks
 2020-07-07 23:21:36 +02:00
Thomas Patzke
28013a15e1 Improved rule 2020-07-07 23:18:07 +02:00
Thomas Patzke
90f09f7b12 Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829 2020-07-07 23:15:39 +02:00
Thomas Patzke
3c760fabc1
Merge pull request #745 from Rettila/master 
Added new rules
 2020-07-07 23:14:19 +02:00
Thomas Patzke
7eb499ad85 Added rule id 2020-07-07 22:54:55 +02:00
Thomas Patzke
360b5714a8 Splitted and improved new rule 2020-07-07 22:47:14 +02:00
Thomas Patzke
0ce5f2cc75 Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483 2020-07-07 22:37:11 +02:00
Thomas Patzke
4762a59b89
Merge pull request #891 from rtkbkish/image-load-fixes 
Fix typo for rule in image_load category
 2020-07-07 22:31:32 +02:00
Thomas Patzke
2032a1e7fd
Merge pull request #898 from rtkbkish/fix-uac-registry 
Proposed fix for sysmon_uac_bypass_eventvwr
 2020-07-07 22:29:39 +02:00
Thomas Patzke
9e85731253
Merge pull request #899 from rtkbkish/refix-rules 
Re-fix sysmon rules that lost changes with category refactoring.
 2020-07-07 22:28:37 +02:00
Aidan Bracher
90983dcc4b add level field to rule 2020-07-07 14:28:18 +01:00
Aidan Bracher
f549a14d9a rule: Leviathan registry key 2020-07-07 13:27:57 +01:00
Florian Roth
99ac4f1f3d fix: FPs with RedMimicry rule 2020-07-07 10:11:58 +02:00
Brad Kish
c758ca0eb9 Re-fix sysmon rules that are lost changes with category refactoring. 
Several fixes for sysmon rules got lost when the rules were refactored to use
categories.

Re-add the fixes.

38afd8b5de

422b2bffd7

dfae2a6df6
 2020-07-06 10:55:42 -04:00
Brad Kish
7e06fd80fd Proposed fix for sysmon_uac_bypass_eventvwr 
Issue: https://github.com/Neo23x0/sigma/issues/888

The rules were not merged correctly with the transition to sysmon categories.

Split the rule into separate documents: one for the registry_event and one for
the process_creation
 2020-07-06 09:20:34 -04:00
Thomas Patzke
939156fa6d Introduced dns_query log source category 2020-07-05 23:29:51 +02:00
Thomas Patzke
0df21289a0 Merge branch 'dns-fixes' of https://github.com/rtkbkish/sigma into pr-893 2020-07-05 23:24:56 +02:00
Florian Roth
c51b4d0524
Merge pull request #890 from rtkbkish/file-event-fixes 
Fixes for rules in the sysmon file_event category
 2020-07-05 13:13:24 +02:00
Florian Roth
4a810dd136
Merge pull request #886 from Neo23x0/rule-devel 
Windows Curl Rules
 2020-07-05 13:12:41 +02:00
Furkan CALISKAN
8ef82e48eb ditsnap 2020-07-04 23:21:52 +03:00
Brad Kish
8b3b312c4e Proposed fix for https://github.com/Neo23x0/sigma/issues/889 
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
 2020-07-03 16:28:19 -04:00
Brad Kish
7031d9e2b8 Fix typo for rule in image_load category 
image_load not image_loaded.
 2020-07-03 16:23:17 -04:00
Brad Kish
1e9d0e9653 Fixes for rules in the sysmon file_event category 
Fix a couple of typos

For sysmon_hack_dumpert:
Make sure the logsource is category file_event and not sysmon. Don't set
the category at the global level. Instead set in the individual document.
 2020-07-03 16:22:29 -04:00
Brad Kish
4b31633355 Fixes for rules in new sysmon registry_event category 
To be consistent with the behaviour of the other rules, the eventID should not
be specified as part of the rule. The category defines the eventID.
 2020-07-03 16:20:37 -04:00
Florian Roth
11517edbd7 rule: suspicious curl usage 2020-07-03 18:55:44 +02:00
Florian Roth
c4267a4614 rule: suspicious curl file upload 2020-07-03 18:20:44 +02:00
Florian Roth
80f15a1e50
Merge pull request #885 from Neo23x0/rule-devel 
fix: trailing whitespace
 2020-07-03 18:00:19 +02:00
Florian Roth
4d9e2e8c16 fix: trailing white space 2020-07-03 17:59:50 +02:00
Florian Roth
26d8810efb
Merge pull request #882 from Neo23x0/rule-devel 
Rule devel
 2020-07-03 15:33:55 +02:00
Florian Roth
4dc818aafd fix: rar flags rule caused too many FPs 2020-07-03 13:20:24 +02:00
Florian Roth
abf5f799d6 docs: more references 2020-07-03 13:19:44 +02:00
Florian Roth
5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth
3111ab8396 refactor: new way to write that rule 2020-07-03 11:20:36 +02:00
Florian Roth
d12b8347dc fix: bug in cmstp rule 
https://github.com/Neo23x0/sigma/issues/876
 2020-07-03 11:19:11 +02:00
Florian Roth
0bbf40fb14 refactor: include xcopy 2020-07-03 11:03:45 +02:00
Florian Roth
3bea08edfc refactor: copy from/to system32 rule 2020-07-03 10:56:26 +02:00
Florian Roth
02dee36f4c
Merge pull request #880 from Neo23x0/rule-devel 
fix: typo in systemroot
 2020-07-03 10:25:31 +02:00
Florian Roth
34ea706e4f fix: typo in systemroot 2020-07-03 10:24:58 +02:00
Florian Roth
53620a0d2f
Merge pull request #879 from Neo23x0/rule-devel 
fix: missing copy command
 2020-07-03 10:18:21 +02:00
Florian Roth
0fa1c1525b fix: missing copy command 2020-07-03 10:17:34 +02:00
Florian Roth
248506be93
Merge pull request #878 from Neo23x0/rule-devel 
DesktopImgDownLdr Rules and extra rule
 2020-07-03 10:14:58 +02:00
Florian Roth
1f0b1e58a9 fix: bugs in rule and title 2020-07-03 09:54:10 +02:00
Florian Roth
01ed87186f Copy From System Root rule 2020-07-03 09:45:58 +02:00
Florian Roth
33fef8bcf5 DesktopImgDownLdr rules 2020-07-03 09:45:48 +02:00
Thomas Patzke
de0bb36c51 Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785 2020-07-02 23:04:59 +02:00
Florian Roth
4c4ed1a4a2 fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth
154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth
b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth
ba682c5de6
Merge pull request #863 from qwerty1q2w/feature 
add win_not_allowed_rdp_access.yml rule
 2020-06-30 10:03:11 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth
2e3669a5a4
Merge pull request #865 from j91321/defender-rules 
Windows Defender logsource and rules
 2020-06-30 10:01:17 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Harish SEGAR
9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR
649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321
24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Pushkarev Dmitry
502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel 
fix: duplicate IDs
 2020-06-24 17:23:13 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69 Fix quoting for AD Object WriteDAC Access 
The AccessMask field needs to be quoted so that it is compared correctly.
 2020-06-22 15:31:03 -04:00
Furkan ÇALIŞKAN
b091e3b1c4
Update for new method 
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 2020-06-22 01:06:34 +03:00
Florian Roth
e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth
62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth
5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00