valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
600 Commits 20 Branches 25 Tags 21 MiB
84645f4e59
Commit Graph

600 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Thomas Patzke
7141729ffc sigma/parser: Introduced new conditions 
* Any definition: 1 of them
* All definitions: all of them
* Any of selected definitions: 1 of def* (wildcard)
* All of selected definitions: all of def* (wildcard)
 2018-03-06 23:13:42 +01:00
Thomas Patzke
59eff939f2 Merge branch 'devel-sigmac' 2018-03-04 22:59:41 +01:00
Thomas Patzke
647fc6187a sigmac: Added proper 'Content-Type' header for xpack-watcher backend 2018-03-04 22:58:15 +01:00
Thomas Patzke
4792700726 Fixed rule 2018-03-04 22:07:01 +01:00
Thomas Patzke
01f38adbdb Fixed condition 2018-03-04 20:07:02 +01:00
Florian Roth
6e0cc193c7 Rule: Pony / Fareit UA 2018-03-01 09:28:04 +01:00
Florian Roth
69274d7782 Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00
Florian Roth
6c6dac4cbb Changed Elise backdoor rule 2018-02-25 17:25:04 +01:00
Florian Roth
f2057f0c77 Hurricane Panda activity 
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 2018-02-25 17:24:00 +01:00
Florian Roth
1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth
25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth
9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth
5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth
0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Florian Roth
b88a81a9e1 Rule: Linux > named > suspicious activity 2018-02-20 14:56:28 +01:00
Florian Roth
ef0cd4c110 Rules: Extended and fixed (*) sshd rules 2018-02-20 13:44:06 +01:00
Dominik Schaudel
cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth
d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth
058d719e2b Rule update: Proxy UA > Loki Bot 2018-02-12 10:08:32 +01:00
Thomas Patzke
6f6d662ae5 Dropped support for Python 3.4 
Dict unpacking in dict initialization not supported in Python 3.4.
 2018-02-11 22:48:40 +01:00
Florian Roth
fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
Florian Roth
0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth
443afcba0a README Update: Rule creation tutorial, smaller fixes 2018-02-10 15:24:43 +01:00
Florian Roth
a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
Florian Roth
1382edb5e3 Cosmetics 2018-02-09 10:13:39 +01:00
Thomas Patzke
89aa300bbc Improved xpack-watcher actions 
* Log and mail
* Details in message
 2018-02-09 00:03:41 +01:00
Thomas Patzke
8336929d76 XPack Watcher Backend: Improved aggregation capabilities 
* Aggregation with "...count(field)...", "...by field..." and
  combination of both
* Still only count() supported
 2018-02-08 22:17:35 +01:00
Thomas Patzke
4762a1cc30 Removed abandoned SigmaAggregationParser.trans_timeframe() method 2018-02-05 23:30:00 +01:00
Thomas Patzke
841bb65ca0 Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-02-05 22:51:37 +01:00
Thomas Patzke
69efb05c5f First draft of Rx schema 2018-02-04 00:27:09 +01:00
Florian Roth
34e0352a21 Rule: Proxy UAs - malware - Ghost419 
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
 2018-02-03 14:47:04 +01:00
Thomas Patzke
01d6b2be3a Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-02-01 22:49:52 +01:00
Thomas Patzke
ec3f0f6d60 Fixed before/after logic 
If nothing was generated "None" was printed.
 2018-02-01 22:49:02 +01:00
Florian Roth
635d052fcc Renamed rule - not APT32 related 2018-01-31 23:52:24 +01:00
Florian Roth
4152442bfa Changed reference to references in Elise rule 2018-01-31 23:13:00 +01:00
Florian Roth
f1b339504e Rule: APT32 Elise 2018-01-31 23:12:00 +01:00
Thomas Patzke
f35c50049f
Merge pull request #64 from SherifEldeeb/master 
Update rules to reflect schema changes "and add consistency"
 2018-01-28 10:56:27 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Sherif Eldeeb
21bc16393b
Merge pull request #1 from Neo23x0/master 
Update
 2018-01-28 02:00:09 +03:00
Thomas Patzke
e76ef7da76 Merge branch 'devel-sigmac' 2018-01-27 23:50:00 +01:00
Thomas Patzke
76bdcba71f Added rulecomment option to all single-query output backends 
Prints comment with rule before output.
 2018-01-27 23:48:10 +01:00
Florian Roth
0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth
d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
f31ed7177e Added status 'experimental' to newly created auditd rules 2018-01-23 11:15:02 +01:00
Florian Roth
fe80ae7885 Rule: Linux auditd 'program execution in suspicious folders' 2018-01-23 11:13:23 +01:00
Florian Roth
228ca1b765 Rule: Linux auditd 'suspicious commands' 2018-01-23 11:13:23 +01:00