Commit Graph

37 Commits

Author SHA1 Message Date
frack113
db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
Florian Roth
685bd490f5
Merge pull request #1573 from d4rk-d4nph3/master
Added rule for default cobalt strike certificate
2021-06-25 12:16:31 +02:00
Bhabesh Rai
91cc97d099 Fixed the taxonomy 2021-06-24 21:07:52 +05:45
Bhabesh Rai
1ebbc6c1a3 Added rule for default cobalt strike certificate 2021-06-23 10:17:27 +05:45
frack113
a1bddf51e7 fix typo of falsepositives 2021-05-24 10:31:28 +02:00
Nate Guagenti
0bee1b006f fix - add date 2021-05-08 21:37:25 -04:00
Nate Guagenti
4152199073
add netbios port exclusion
netbios - every defender's nightmare and reality of FPs
2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set
The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although recently it has been used in DNSSEC, the value being set to anything other than 0 should be rare. Otherwise, if it is set to non-0 and DNSSEC is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
2021-05-04 18:13:08 -04:00
Thomas Patzke
3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke
a10db2df89 Fixes&improvements 2021-04-08 01:06:40 +02:00
yugoslavskiy
e97c4b0ac5 Update zeek_smb_converted_win_susp_psexec.yml 2020-11-28 19:05:22 +01:00
yugoslavskiy
68a62a5428 Update zeek_smb_converted_win_impacket_secretdump.yml 2020-11-28 19:02:53 +01:00
Jonhnathan
05e0dd1ae6 Update zeek_susp_kerberos_rc4.yml 2020-10-15 23:15:23 -03:00
Jonhnathan
f04394467b Update zeek_smb_converted_win_susp_raccess_sensitive_fext.yml 2020-10-15 23:14:34 -03:00
Jonhnathan
de29d778a5 Update zeek_smb_converted_win_susp_psexec.yml 2020-10-15 23:14:15 -03:00
Jonhnathan
3e600dab82 Update zeek_smb_converted_win_impacket_secretdump.yml 2020-10-15 23:13:47 -03:00
Jonhnathan
50abab7f11 Update zeek_http_executable_download_from_webdav.yml 2020-10-15 23:13:20 -03:00
Roberto Rodriguez
2cb540f95e 13 Rules from THP - Backlog Rules (old) 2020-10-13 03:33:55 -04:00
cyb3rward0g
55d6bd8089 Update - Adding description to zeek exfiltration compressed files 2020-10-12 23:32:10 -04:00
cyb3rward0g
189e3c2605 update - GitHub Action / Test Sigma 2020-10-12 22:43:36 -04:00
cyb3rward0g
644f222079 update - GitHub Action / Test Sigma 2020-10-12 21:58:02 -04:00
cyb3rward0g
491049b92a Updated - GitHub Action / Test Sigma 2020-10-12 21:34:07 -04:00
cyb3rward0g
21f41eaad9 16 rules from DH APT29 day 1 - contributing soon 2020-10-12 18:13:13 -04:00
Florian Roth
d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
Alexey Lednyov
1eb675f693 att&ck tags review: web, network/zeek 2020-09-03 17:06:37 +03:00
Josh Brower
4c4b8db7cf Zeek RDP rule 2020-08-23 13:16:42 -04:00
Florian Roth
781667ef22 fix: zeek rule references isn't a list 2020-07-14 00:33:47 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
neu5ron
7c3dea22b8 small T, big T 2020-05-19 05:13:48 -04:00
neu5ron
602c8917ef domain user enumeration via zeek rpc (dce_rpc) log. 2020-05-19 05:08:26 -04:00
neu5ron
858ebcd3d3 author typo update 2020-05-19 04:35:47 -04:00
neu5ron
2fc8d513d6 zeek, swap path and name 2020-05-19 04:35:30 -04:00
neu5ron
a01a85cf9b CI/CD check fixes (missing IDs) 2020-05-04 15:22:18 -04:00
neu5ron
a61b1da47a fixed yaml space causing condition to not be found 2020-05-04 15:17:43 -04:00
neu5ron
d300027848 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
add rules for Zeek. This includes Windows Event Channel Security EventID:5145, which has the same fields as Zeek SMB.
Also, converted some of [MITRE ATT&CK BZAR](https://github.com/mitre-attack/bzar), which are Zeek (sensor) scripts.
2020-05-02 07:27:51 -04:00
neu5ron
c66540c029 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
create `zeek` folder to store Zeek rules
2020-05-02 07:25:21 -04:00