Commit Graph

3184 Commits

Author SHA1 Message Date
Florian Roth
8819da51c5 Merge branch 'master' into rule-devel 2020-05-18 17:05:25 +02:00
Florian Roth
08c32c9dfc rule: godmode rule v0.3 2020-05-18 17:04:59 +02:00
Florian Roth
8154ca355a
Merge pull request #768 from maximelb/master
Remove "condition" from global rule in CVE-2020-1048.
2020-05-18 12:52:49 +02:00
Florian Roth
ad50b5f3bb
Merge pull request #769 from jaegeral/patch-2
replace --target-list with --lists
2020-05-18 12:50:07 +02:00
Florian Roth
f7ef96c077
Merge pull request #770 from EccoTheFlintstone/various_fix
standardize rules with Image and CommandLine instead of NewProcessNam…
2020-05-18 12:49:22 +02:00
Alexander J
a7176d4811
replace --target-list with --lists
The description in the readme is outdated

````
sigmac --target-list
usage: sigmac [-h] [--recurse] [--filter FILTER]
              [--target {kibana,ala-rule,splunk,ala,splunkxml,fieldlist,graylog,es-rule,qualys,arcsight-esm,mdatp,netwitness,arcsight,elastalert-dsl,sql,carbonblack,xpack-watcher,limacharlie,qradar,logiq,powershell,grep,ee-outliers,elastalert,es-qs,es-dsl,logpoint,sumologic}]
              [--lists] [--config CONFIG] [--output OUTPUT]
              [--backend-option BACKEND_OPTION]
              [--backend-config BACKEND_CONFIG] [--defer-abort]
              [--ignore-backend-errors] [--verbose] [--debug]
              [inputs [inputs ...]]
sigmac: error: unrecognized arguments: --target-list

````
2020-05-18 08:11:16 +02:00
Maxime Lamothe-Brassard
25d3a5a893
Remove "condition" from global rule.
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
2020-05-17 12:44:57 -07:00
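The false-positive mechanism described in the commit above follows from how Sigma evaluates `1 of them`: it fires when at least one of the named selections in the `detection` block matches, so any selection that was written as a filter (meant to be used as `selection and not filter`) becomes a trigger on its own. The following is an added example, not code from the Sigma project and not the CVE-2020-1048 rule itself: a toy evaluator for a Sigma-style detection block (equality plus the `contains`, `startswith` and `endswith` modifiers only) run over a handful of constructed Sysmon-like events. The detection block, the `name` labels on the events and the helper names are all constructed for illustration.

```python
"""
Added example (not the Sigma project's code): evaluates a Sigma-style
detection block under two conditions to show why a global "1 of them"
condition produces false positives when a filter selection is present.
Rule content and events are constructed; nothing here is a real rule.
"""
import re

# Constructed detection block in Sigma's shape: named selections plus
# field modifiers. "filter" is intended to be used as "selection and not filter".
DETECTION = {
    "selection": {
        "EventID": 11,                              # Sysmon FileCreate
        "TargetFilename|contains": "\\Temp\\",
        "TargetFilename|endswith": [".dll", ".exe"],
    },
    "filter": {
        "Image|endswith": ["\\msiexec.exe", "\\TrustedInstaller.exe"],
    },
}

# Constructed events; the "name" key is a label for this example, not a Sysmon field.
EVENTS = [
    {"name": "malware_drop", "EventID": 11,
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\payload.dll"},
    {"name": "installer", "EventID": 11,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\Temp\\mui.dll"},
    {"name": "installer_log", "EventID": 11,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\Temp\\install.log"},
    {"name": "process", "EventID": 1,
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]


def _value_matches(modifier, expected, actual):
    """Case-insensitive string comparison, as Sigma specifies for string values."""
    if actual is None:
        return False
    s, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return s == e
    if modifier == "endswith":
        return s.endswith(e)
    if modifier == "startswith":
        return s.startswith(e)
    if modifier == "contains":
        return e in s
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """All fields of a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(modifier, v, event.get(field)) for v in values):
            return False
    return True


# Tiny recursive-descent parser for explicit conditions: or < and < not, parentheses.
_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_]*)")


def _tokenize(condition):
    pos, tokens = 0, []
    while pos < len(condition):
        m = _TOKEN.match(condition, pos)
        if not m:
            raise ValueError(f"bad condition near {condition[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _parse_or(tokens, matched):
    left = _parse_and(tokens, matched)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        right = _parse_and(tokens, matched)
        left = left or right
    return left


def _parse_and(tokens, matched):
    left = _parse_not(tokens, matched)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        right = _parse_not(tokens, matched)
        left = left and right
    return left


def _parse_not(tokens, matched):
    if tokens and tokens[0] == "not":
        tokens.pop(0)
        return not _parse_not(tokens, matched)
    return _parse_atom(tokens, matched)


def _parse_atom(tokens, matched):
    if not tokens:
        raise ValueError("unexpected end of condition")
    tok = tokens.pop(0)
    if tok == "(":
        value = _parse_or(tokens, matched)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return value
    if tok in matched:
        return matched[tok]
    raise ValueError(f"unknown selection {tok!r}")


def evaluate(detection, condition, event):
    """True if the event satisfies the condition over the detection block."""
    matched = {name: selection_matches(sel, event) for name, sel in detection.items()}
    cond = condition.strip()
    m = re.fullmatch(r"(1|all) of them", cond)
    if m:  # "them" means every named selection in the block, filters included
        agg = any if m.group(1) == "1" else all
        return agg(matched.values())
    tokens = _tokenize(cond)
    result = _parse_or(tokens, matched)
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return result


def alerts(condition, detection=DETECTION, events=EVENTS):
    """Names of the events that fire under the given condition."""
    return [e["name"] for e in events if evaluate(detection, condition, e)]


if __name__ == "__main__":
    print("1 of them:               ", alerts("1 of them"))
    print("selection and not filter:", alerts("selection and not filter"))
```

Run as-is: under `1 of them` the two `msiexec.exe` events fire, one of them (`installer_log`) purely because the filter selection matched, while `selection and not filter` fires only on the constructed malware drop. That is the difference between a filter acting as an exclusion and a filter acting as a detection in its own right.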
Florian Roth
5d1605bba2
Merge pull request #765 from Neo23x0/rule-devel
Rule devel
2020-05-16 09:16:19 +02:00
Florian Roth
a46e357874 Merge branch 'master' into rule-devel 2020-05-16 08:59:34 +02:00
Florian Roth
d5e7d4e302 fix: missing condition in CVE-2020-1048 rule 2020-05-16 08:59:05 +02:00
Florian Roth
4e1991cfee
Merge pull request #761 from EccoTheFlintstone/cve-2020-1048-fix
fix CVE 2020-1048 rule
2020-05-16 08:58:31 +02:00
ecco
fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
Florian Roth
7b713fbe7f rule: OpenSSHd rule adjusted 2020-05-15 17:19:32 +02:00
ecco
0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth
b672d7aeb4
Merge pull request #759 from Neo23x0/rule-devel
Rule devel
2020-05-15 12:25:46 +02:00
Florian Roth
cc26b26377 Merge branch 'master' into rule-devel
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
2020-05-15 12:09:47 +02:00
Florian Roth
8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel
Rule devel
2020-05-15 12:07:04 +02:00
Florian Roth
5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Florian Roth
2282432b6f
Merge pull request #753 from hieuttmmo/master
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
2020-05-15 11:35:12 +02:00
Florian Roth
d8cd396697
Merge pull request #758 from EccoTheFlintstone/fix_fp
remove false positives with cmd as child of services.exe (not specifi…
2020-05-15 11:28:05 +02:00
ecco
54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Florian Roth
d25b8a0492 docs: remove GPL reference, DRL in README 2020-05-14 15:56:39 +02:00
Florian Roth
ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Tran Trung Hieu
e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu
443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu
e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu
97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Thomas Patzke
133319c417
Merge pull request #737 from NVISO-BE/backend-ee-outliers
ee-outliers backend
2020-05-13 22:38:02 +02:00
Florian Roth
7652813c2c
Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives
Widen the search as it gives too many false negatives
2020-05-13 21:02:12 +02:00
Tran Trung Hieu
d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu
3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod
78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth
78a8266a1b
Merge pull request #749 from teddy-ROxPin/patch-6
Create win_advanced_ip_scanner.yml
2020-05-13 14:09:12 +02:00
hieuttmmo
9ad3427d68
Merge pull request #1 from Neo23x0/master
Update
2020-05-13 18:36:52 +07:00
Florian Roth
220a14f31c
fix: typo in contains 2020-05-13 12:38:54 +02:00
Florian Roth
a1856c5743
Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
Florian Roth
904a31103d
Merge pull request #750 from zaphodef/fix/win_bootconf_mod_bad_commandline
Fix a bad CommandLine search
2020-05-13 11:55:16 +02:00
zaphod
a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin
bb17fd74ee
Create win_advanced_ip_scanner.yml
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
2020-05-12 21:43:01 -06:00
Florian Roth
e01734fda1 rule: proxy UA hidden cobra 2020-05-12 17:43:54 +02:00
Florian Roth
37c33cb6d9
Merge pull request #743 from tliffick/master
Registry entry for Azorult malware
2020-05-11 16:37:15 +02:00
Remco Hofman
37b08543ac Updated author reference in license 2020-05-11 11:47:56 +02:00
Florian Roth
1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth
2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth
4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth
f96c3a5fd4 Merge branch 'master' into rule-devel
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
2020-05-11 10:44:19 +02:00
Florian Roth
09d1b00459
Changed level to critical 2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware
Detects registry keys used by Azorult malware
2020-05-08 21:26:24 -04:00