Commit Graph

6361 Commits

Author SHA1 Message Date
Florian Roth
7e748fa91a
Merge pull request #1567 from BlackB0lt/patch-2
Create win_script_event_consumer_spawn new rule
2021-06-22 12:43:34 +02:00
Thomas Patzke
befdcda507
Merge pull request #1566 from eocete-devo/master
New backend for Devo queries
2021-06-22 12:23:36 +02:00
Sittikorn S
d9a749eec0
Update and rename win_script_event_consumer_spawn to win_script_event_consumer_spawn.yml
2021-06-22 16:35:46 +07:00
Florian Roth
cbe97206de
fix: several indentation issues, casing in tags
2021-06-22 11:03:17 +02:00
Florian Roth
a87f8d1384
Merge pull request #1569 from Karneades/PortProxy
rule: add port proxy registry rule and further references
2021-06-22 11:01:17 +02:00
Florian Roth
b81839e3ce
Merge pull request #1568 from frack113/lsass_endswith
Update rule lsass.exe to endswith
2021-06-22 11:00:46 +02:00
Andreas Hunkeler
ed41125f70
fix: remove duplicate status in portproxy reg rule
2021-06-22 08:28:17 +02:00
Andreas Hunkeler
cd0b46ab62
rule: add port proxy registry rule and add references
2021-06-22 08:16:56 +02:00
frack113
e3e0b1ec35
fix ProcessName|endswith
2021-06-21 21:28:46 +02:00
frack113
edfb67ddc7
fix TargetImage|endswith
2021-06-21 21:21:34 +02:00
frack113
6558a5b110
fix TargetImage|endswith
2021-06-21 21:19:04 +02:00
frack113
0bc04605cb
fix TargetImage|endswith
2021-06-21 21:14:36 +02:00
frack113
4ff1395a1f
fix category and TargetImage|endswith
2021-06-21 21:06:54 +02:00
frack113
b23423beba
convert to TargetImage|endswith
2021-06-21 20:51:26 +02:00
Sittikorn S
1bcac7b04a
Create win_script_event_consumer_spawn
2021-06-21 21:20:39 +07:00
eocete
bfbd1c6487
Merge remote-tracking branch 'upstream/master' into master
2021-06-21 14:11:39 +02:00
eocete
4b92dbb90d
master: Added new Devo backend for the sigmac tool. Added three new backend configurations to support the Devo backend. Added a new test suite to cover the Devo backend cases.
2021-06-21 14:06:04 +02:00
Florian Roth
e5cd850640
Merge pull request #1556 from frack113/PR_617_V2
Fix all the rules to pass the test
2021-06-16 08:22:51 +02:00
Florian Roth
5e701a2bcb
Merge pull request #1557 from SyeedHasan/master
Rule Edits and 'TaskCache Entry' Rule
2021-06-16 08:22:17 +02:00
Hasan
33fcfd71bb
Merge fixes for Rules
2021-06-16 10:45:20 +05:00
Hasan
fabcb6c3c6
Removed asterisks from filter
2021-06-16 10:42:29 +05:00
Hasan
8196fbaada
Parenthesis for condition statement
2021-06-16 10:41:52 +05:00
Hasan
415ced0023
Corrected MITRE reference tag
2021-06-15 19:07:50 +05:00
Hasan
f079556067
Removed GUID phrase from description
2021-06-15 17:14:32 +05:00
Hasan
1764714e26
Rule to detect new TaskCache Entry
2021-06-15 17:08:14 +05:00
Hasan
1114a25a2c
Removal of NODE from ALL filter for better coverage
2021-06-15 17:07:51 +05:00
Hasan
82bcfb29c3
Addition of Safemode flags
2021-06-15 17:07:02 +05:00
Florian Roth
1650d4638d
Merge pull request #1548 from luffynextgen/master
Create sysmon_svchost_cred_dump.yml
2021-06-14 14:27:25 +02:00
Florian Roth
0377a30893
fix: several issues
2021-06-14 09:42:25 +02:00
Florian Roth
59df5119c2
Merge pull request #1552 from frack113/fix_category
Fix some sysmon categories
2021-06-14 09:34:15 +02:00
luffynextgen
6fd7979659
Update sysmon_svchost_cred_dump.yml
2021-06-14 08:52:16 +02:00
frack113
558bcd5ceb
Fix all the rules to pass the test
2021-06-14 07:33:26 +02:00
Florian Roth
ae06ebcae0
Merge pull request #1551 from xg5-simon/xg5-simon
Support for VMware Carbon Black Cloud EEDR
2021-06-10 18:35:16 +02:00
Florian Roth
ff314b1220
Merge pull request #1550 from humpalum/master
Rules: persistence by exploiting Outlook or Exchange
2021-06-10 18:34:43 +02:00
Florian Roth
3f46d0ea28
Update sysmon_outlook_newform.yml
2021-06-10 17:41:57 +02:00
frack113
fb2d0092f1
Forgot to add modified
2021-06-10 17:27:15 +02:00
frack113
4e516414c9
Split to convert eventID to correct category
2021-06-10 16:58:45 +02:00
frack113
a0aed54f7d
Convert eventID 22 to category dns_query
2021-06-10 16:43:33 +02:00
Tobias Michalski
54e98c8441
Merge branch 'master' of github.com:humpalum/sigma
2021-06-10 16:41:22 +02:00
Tobias Michalski
1f52763878
Removed EventIDs
2021-06-10 16:41:00 +02:00
frack113
7cb10b5475
convert eventID to category
2021-06-10 16:36:14 +02:00
Tobias Michalski
e8c38a9d6c
Renamed file to all lowercase
2021-06-10 16:35:02 +02:00
Florian Roth
83dddf99b4
Update win_exchange_TransportAgent.yml
2021-06-10 16:07:22 +02:00
Florian Roth
cd0531b345
fix: removed process_creation log source
2021-06-10 15:37:00 +02:00
Florian Roth
cd2792f82c
Merge pull request #1547 from frack113/new_filter_condition
Add New filter condition
2021-06-10 14:42:44 +02:00
Tobias Michalski
3970934252
Switched EventID:1 to category: process_creation
2021-06-10 14:13:29 +02:00
Tobias Michalski
b1913deaca
Removed extra whitespace
2021-06-10 14:09:16 +02:00
luffynextgen
e170a4a12a
Update sysmon_svchost_cred_dump.yml
Following the advice given to me, I changed the category and the filter to be closer to the Sysmon fields.
2021-06-10 14:04:58 +02:00
Simon
1d081e300d
Support for VMware Carbon Black Cloud EEDR
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
2021-06-10 21:45:29 +10:00
Tobias Michalski
56d200bad0
Fixed meta information
2021-06-10 12:44:19 +02:00