valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8,535 Commits 20 Branches 25 Tags 21 MiB
8f22d418f3
Commit Graph

128 Commits

Author SHA1 Message Date
Tareq AlKhatib
879017818f More conversions to the new process_creation logsource 2019-03-05 09:46:53 +03:00
Tareq AlKhatib
b2952b9f78 Fixing failed CI build - take 2 2019-03-04 16:51:39 +03:00
Tareq AlKhatib
c8be6e649b Fixing failed CI build 2019-03-04 16:44:30 +03:00
Tareq AlKhatib
45458121c6 Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00
Tareq AlKhatib
58c61430a2 updated to use process_creation 2019-03-02 21:05:15 +03:00
Liam Sennitt
bef5f03015 fix tagging in turla png dropper service rule 2019-03-02 09:01:00 +00:00
Thomas Patzke
56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Thomas Patzke
7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
 2019-03-02 00:14:20 +01:00
Florian Roth
af6a1ff26a
Extended rule, modified timestamp 2019-03-01 13:36:54 +01:00
Liam Sennitt
2345cbf7bd fix bug in chafer activity rule #269 2019-03-01 10:23:02 +00:00
Thomas Patzke
6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
Florian Roth
e7f5cbc22a Rule: BabyShark activity 2019-02-24 14:04:44 +01:00
Florian Roth
a60b53a7df fix: bugfix in BEAR activity rule 2019-02-24 14:04:44 +01:00
Florian Roth
8ae37f5d64 BEAR activity - CrowdStrike GTR 2019 
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 2019-02-21 09:54:01 +01:00
Florian Roth
3a994d0d63 fix: bugfix in Judgement Panda rule 2019-02-21 09:50:49 +01:00
Florian Roth
5935eaa572 fix: added MITRE ATT&CK tags to APT rule 2019-02-21 09:27:59 +01:00
Florian Roth
aca470961a fix: bugfix in Judgement Panda rule 2019-02-21 09:20:52 +01:00
Florian Roth
c474bfcae5 Judgement Panda - Crowdstrike GTR 2019 
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 2019-02-21 09:20:52 +01:00
Florian Roth
7e732a2a89
Merge pull request #232 from TareqAlKhatib/duplicate_filters 
Duplicate filters
 2019-02-09 09:23:57 +01:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Tareq AlKhatib
7e4bb1d21a Removed duplicate filters 2019-01-25 12:21:57 +03:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Florian Roth
2e5a739c6c fix: fixed author string (cannot be list according to sigma specs) 2018-12-05 11:59:10 +01:00
Florian Roth
9b15b64a9a fix: fixed author string (cannot be list according to sigma specs) 2018-12-05 11:44:20 +01:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Florian Roth
3861dd5912 Rule: APT29 campaign against US think tanks 
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 2018-12-04 17:04:03 +01:00
AL
9f1df6164b
adding new rules detecting recently active APTs 2018-12-03 09:42:29 +02:00
Florian Roth
7ba1fe4309 Turla PNG Dropper Service Name 2018-11-23 08:46:20 +01:00
Florian Roth
ec83ab5e13 APT28 Zebrocy rule 
https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
 2018-11-22 19:14:07 +01:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Thomas Patzke
8308cd6c1a
Rule fix 2018-08-26 22:35:35 +02:00
Thomas Patzke
0e986cae4d Fixed log source and field names 2018-08-04 22:58:19 +02:00
David Spautz
f039f95f4d Add tags to APT rules 2018-07-25 09:50:01 +02:00
Florian Roth
56172ae174 Corrected CrackMapExec rule 2018-04-09 08:40:03 +02:00
root
69671733a8 added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00
Florian Roth
c10da5b734 Improved Chafer activity rule 2018-03-23 10:50:40 +01:00
Florian Roth
a797a281ac Rule: Chafer / OilRig activity Mar 18 
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 2018-03-23 08:59:16 +01:00
Florian Roth
d9d27fec74 Improved EquationGroup dll load rule 2018-03-11 01:22:04 +01:00
Florian Roth
74c2f91a7d Extended the Slingshot APT rule 2018-03-10 16:44:18 +01:00
Florian Roth
66d52cfeef Rule: Defrag deactivation 2018-03-10 15:49:50 +01:00
Florian Roth
ef75f2a248 Minor adjustment in: EquationGroup dll_u load 2018-03-10 12:24:49 +01:00
Florian Roth
e9d16bfae1 Bugfix in: EquationGroup dll_u load 2018-03-10 12:22:53 +01:00
Florian Roth
6a65a7a1bf EquationGroup dll_u load 2018-03-10 09:04:11 +01:00
Thomas Patzke
3b8b04fe09 Merge branch 'devel-sigmac' 2018-03-06 23:19:45 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth
1ecfd83a6a Missing separator 2018-03-05 11:30:01 +01:00
Thomas Patzke
01f38adbdb Fixed condition 2018-03-04 20:07:02 +01:00
Florian Roth
69274d7782 Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00
Florian Roth
6c6dac4cbb Changed Elise backdoor rule 2018-02-25 17:25:04 +01:00
Florian Roth
f2057f0c77 Hurricane Panda activity 
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 2018-02-25 17:24:00 +01:00
Florian Roth
635d052fcc Renamed rule - not APT32 related 2018-01-31 23:52:24 +01:00
Florian Roth
4152442bfa Changed reference to references in Elise rule 2018-01-31 23:13:00 +01:00
Florian Roth
f1b339504e Rule: APT32 Elise 2018-01-31 23:12:00 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
ad53cc7cc2 Rule: Sysmon Turla Commands 2017-11-08 00:33:17 +01:00
Florian Roth
ea840632f3 Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 14:22:09 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Florian Roth
801d739a3b US CERT TA17-293A report - renamed PsExec execution 2017-10-22 12:55:26 +02:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Florian Roth
061d3bea27 ZxShell 2017-07-20 12:36:24 -06:00
Florian Roth
576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Florian Roth
f85d847fa6 PlugX Detection 
https://docs.google.com/spreadsheets/d/1f5OTQpEEvbiW-NzSfVTrzhmnZJ-hrmAZhRM7JXkDBSY/edit#gid=0
https://countuponsecurity.files.wordpress.com/2017/06/acp-search.png
 2017-06-12 10:46:56 +02:00
Florian Roth
21108e60a6 Fixed description and title 2017-06-03 14:53:08 +02:00
Florian Roth
ff5e6e3999 Fireball Sigma Rule 2017-06-03 14:49:06 +02:00
Florian Roth
536e328540 Pandemic Implant 2017-06-01 22:48:59 +02:00
Florian Roth
30163939f3 Fix: Rule identifier in EQGRP C2 rule 2017-04-15 23:32:56 +02:00
Florian Roth
a0ee92a5c3 Equation group C2 server in firewall log rule 2017-04-15 11:32:56 +02:00
Florian Roth
a5297b1f29 Equation Group Script/Tool Commands 2017-04-09 20:11:56 +02:00
Florian Roth
44bedf9e17 Rule: Cloud Hopper WmiExec VBS 2017-04-07 17:41:53 +02:00
Florian Roth
d9e6913c03 APT 29 - tor / google update service 2017-04-01 10:30:36 +02:00
Florian Roth
43d907791c Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00
Florian Roth
2657ff7db8 Rule: Carbon Paper Framework Service (Turla) 
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 2017-03-31 19:25:41 +02:00
Florian Roth
919a04666c Improved StoneDrill Rule 2017-03-31 19:25:10 +02:00
Florian Roth
b34d1b7565 Stonedrill rule enhancement 2017-03-07 10:22:14 +01:00
Florian Roth
7113b3aed9 Rule: APT StoneDrill Service Install 2017-03-07 09:24:12 +01:00