SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00

Author	SHA1	Message	Date
BlueTeamOps	8916459bab	Added additional CS signatures	2021-03-25 22:44:24 +11:00
Florian Roth	48265ad71a	Merge pull request #1398 from SigmaHQ/rule-devel MSExchange Management log mapping, some fixes	2021-03-20 17:21:31 +01:00
Florian Roth	7d7dd4cb67	fix: missing index field in FE helix config	2021-03-20 09:09:45 +01:00
Florian Roth	8b145e20e4	Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel	2021-03-20 09:04:40 +01:00
Florian Roth	58a1ab9817	fix: wrong indentation in fireeye helix mapping	2021-03-20 09:04:38 +01:00
Florian Roth	525f4b6a6b	Merge pull request #1388 from Cyb3rPandaH/master CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property	2021-03-20 08:53:04 +01:00
Florian Roth	e47ee24889	Merge branch 'master' into rule-devel	2021-03-20 08:52:55 +01:00
Florian Roth	9e287a1b89	feat: MSExchange Management log mapping	2021-03-20 08:49:59 +01:00
Florian Roth	1fc408bfaa	fix: duplicate field values in YAML configs	2021-03-20 08:49:43 +01:00
Florian Roth	334dd9a058	Update win_set_oabvirtualdirectory_externalurl.yml	2021-03-20 08:34:02 +01:00
Florian Roth	33af006479	Merge pull request #1389 from ZikyHD/patch_win_susp_wuauclt Fix ProcessCommandLine field	2021-03-20 08:29:23 +01:00
Florian Roth	01fcfd4f76	Merge pull request #1390 from ZikyHD/patch_win_proc_wrong_parent Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)	2021-03-20 08:29:09 +01:00
Florian Roth	2472926c48	Merge pull request #1391 from ZikyHD/patch_win_etw_trace_evasion Fix win_etw_trace_evasion rule	2021-03-20 08:28:51 +01:00
Florian Roth	6ac6b9295b	Merge pull request #1392 from hustlibraco/patch-1 Update winlogbeat.yml	2021-03-20 08:28:35 +01:00
Florian Roth	a6cd34dbc4	Merge pull request #1396 from albchen/patch-1 Updated for use with Image Load events	2021-03-20 08:28:19 +01:00
albchen	42e82c95df	Updated for use with Image Load events Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.	2021-03-18 15:49:25 -07:00
Florian Roth	dd4a1ac393	fix: prone to FPs - use is unclear https://regex101.com/r/tss5TZ/1	2021-03-18 16:44:49 +01:00
Florian Roth	6b2bcd3d87	Merge pull request #1395 from SigmaHQ/rule-devel Rule devel	2021-03-18 10:52:02 +01:00
Florian Roth	d30e87d543	fix: lsass access - FPs with AV / EDR software	2021-03-18 09:04:03 +01:00
Florian Roth	92510e2507	extended Exchange post-exploitation rule	2021-03-17 18:01:45 +01:00
Florian Roth	6645e2b2dd	Merge pull request #1394 from Codehardt/master fix: syntax error in THOR's config file	2021-03-17 16:54:08 +01:00
Codehardt	6d626456f2	fix: syntax error in THOR's config file	2021-03-17 11:49:50 +01:00
Florian Roth	943f8513e2	Merge pull request #1393 from SigmaHQ/rule-devel Rule devel	2021-03-16 16:35:55 +01:00
Florian Roth	bfc99996b5	fix: Bug in rule condition	2021-03-16 16:35:21 +01:00
Florian Roth	32adf0c3ce	fix: prone to FPs	2021-03-16 15:52:35 +01:00
libraco	3c5624ca88	Update winlogbeat.yml add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml	2021-03-15 23:54:28 +08:00
libraco	2971a08734	Update winlogbeat.yml add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.	2021-03-15 23:01:07 +08:00
zikyhd	e91822e070	Fix win_etw_trace_evasion rule	2021-03-15 15:02:18 +01:00
Cedric HIEN	864973888e	Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)	2021-03-15 12:07:05 +01:00
Cedric HIEN	e4f24f4e1f	Fix ProcessCommandLine field	2021-03-15 11:56:19 +01:00
Florian Roth	310888bae7	Merge pull request #1386 from SigmaHQ/rule-devel Rule devel	2021-03-15 10:52:57 +01:00
Florian Roth	70f9480ec5	fix: wrong field name	2021-03-15 08:14:43 +01:00
Cyb3rPandaH	f138a27426	CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property Rule to detect an adversary setting OabVirtualDirectory External URL property to a script	2021-03-15 00:33:47 -04:00
Thomas Patzke	f4734cd5e5	Merge pull request #1309 from WuerthIT:logsourcemerging functionality for parameter logsourcemerging	2021-03-13 22:25:29 +01:00
Thomas Patzke	c13f3f1383	Merge pull request #1325 from dennispo/align-simac-stixshifter sigmac to STIX enhancements	2021-03-13 18:49:12 +01:00
Thomas Patzke	bbe41fff95	Merge pull request #1364 from SigmaHQ/dependabot/pip/aiohttp-3.7.4 build(deps): bump aiohttp from 3.6.2 to 3.7.4	2021-03-13 18:47:33 +01:00
Thomas Patzke	99c7889363	Merge pull request #1368 from roysjosh/stable-risk-scores es-rule: make risk scores stable	2021-03-13 18:46:37 +01:00
Thomas Patzke	d4aa34c0ae	Merge pull request #1385 from socprime/chronicle_security_backend Chronicle Security Backend contributed by SOC Prime.	2021-03-13 18:45:12 +01:00
Florian Roth	a0b034aa2b	fix: better exclusion	2021-03-13 09:09:43 +01:00
Florian Roth	145c3bc2ca	refactor: more hafnium indicators	2021-03-13 09:07:58 +01:00
Florian Roth	69ee1cece2	fix: FPs	2021-03-13 09:07:44 +01:00
vh	7eeed68fb4	Chronicle Security Backend contributed by SOC Prime.	2021-03-12 12:21:44 +02:00
Florian Roth	48da4e1314	Update win_apt_hafnium.yml	2021-03-11 13:55:31 +01:00
Florian Roth	9084fc4fa7	Update on HAFNIUM rule https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3	2021-03-11 13:38:07 +01:00
Florian Roth	27fef60ace	Merge pull request #1383 from SigmaHQ/rule-devel fix: FPs with LSASS Access from Non System Account	2021-03-10 18:59:29 +01:00
Florian Roth	78004cc29c	fix: condition contains - values without 0x	2021-03-10 18:56:05 +01:00
Florian Roth	29dec7dd8b	fix: FPs with LSASS Access from Non System Account	2021-03-10 18:51:27 +01:00
Florian Roth	f0051ffcf6	Merge pull request #1378 from SigmaHQ/rule-devel HAFNIUM activity	2021-03-09 15:42:32 +01:00
Florian Roth	dca5c870d7	Merge pull request #1374 from hieuttmmo/master Detect HAFNIUM operations	2021-03-09 09:16:52 +01:00
Florian Roth	ec490b40ec	fix: 1 of them condition	2021-03-09 09:15:12 +01:00

1 2 3 4 5 ...

4347 Commits