valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,332 Commits 20 Branches 25 Tags 21 MiB
9ef314486e
Commit Graph

1332 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
9ef314486e Grep backend escapes + 2019-02-19 14:49:06 +01:00
Florian Roth
eeae74e245
Merge pull request #249 from TareqAlKhatib/duplicate_filters 
Duplicate Detections
 2019-02-18 21:58:39 +01:00
Tareq AlKhatib
ae62acf3d2 Added a test for duplicate filters and a test for Source: Eventlog 2019-02-18 21:05:58 +03:00
Tareq AlKhatib
2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Florian Roth
f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
Florian Roth
08e00945aa
doc: SANS webcast link in README 2019-02-16 09:51:02 +01:00
Florian Roth
2e61233e31
Merge pull request #247 from TareqAlKhatib/duplicate_filters 
Unnecessary 1/all of them
 2019-02-13 20:30:53 +01:00
Tareq AlKhatib
97b28f4308 Added a test for unnecessary use of '1 of them' in condition 2019-02-13 21:27:27 +03:00
Tareq AlKhatib
cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Florian Roth
8d819cfeea Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
Florian Roth
004497075d fix: spark source config bug 2019-02-12 23:27:38 +01:00
Florian Roth
c2eda887fa Rule: Suspicious Windows NT 9 UA 2019-02-12 10:33:33 +01:00
Florian Roth
be26ada875 Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
Florian Roth
74e3c79f40 Rule: Suspicious PowerShell keywords 2019-02-11 13:02:38 +01:00
Thomas Patzke
a5af134bfe Merge branch 'neu5ron-patch-2' 2019-02-10 00:16:55 +01:00
Thomas Patzke
01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke
6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke
ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke
14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke
d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke
3cd6de2864
Merge pull request #240 from neu5ron/master 
new rule and updated false positive note
 2019-02-09 23:57:39 +01:00
Thomas Patzke
01dfc23a26
Merge pull request #234 from juju4/devel-sumo 
Sumologic support update
 2019-02-09 23:54:23 +01:00
Thomas Patzke
d9aceeb7eb
Merge pull request #228 from keepwatch/ssp-regkey-detection 
SSP added to LSA configuration
 2019-02-09 23:44:55 +01:00
Thomas Patzke
5866d8eb71
Merge pull request #238 from sisecbe/patch-1 
Adapt count function when aggfield not present
 2019-02-09 23:38:20 +01:00
juju4
4429d7564f remove 'escape' of '_' - not needed 2019-02-09 12:57:43 -05:00
juju4
a815b7eb9b add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string 2019-02-09 12:57:07 -05:00
Florian Roth
aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth
05424883dd
Added Info Graphic to README 2019-02-09 09:38:01 +01:00
Florian Roth
efb223b147
Merge pull request #245 from kpolley/master 
2nd method to call downloadString or downloadFile in Powershell
 2019-02-09 09:35:19 +01:00
Florian Roth
7e732a2a89
Merge pull request #232 from TareqAlKhatib/duplicate_filters 
Duplicate filters
 2019-02-09 09:23:57 +01:00
Florian Roth
d2743351e7
Minor fix: indentation 2019-02-09 09:19:40 +01:00
Kyle Polley
c8c06763b4 added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
Nate Guagenti
d151deaa29
Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti
91862f284b
Create win_susp_bcdedit 
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than 3288f6425b/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
 2019-02-07 00:19:38 -05:00
Kyle Polley
423fdca32c
Merge pull request #1 from Neo23x0/master 
Get updates from head repo
 2019-02-06 17:02:41 -08:00
Florian Roth
adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth
f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
Florian Roth
7192f149a3
Merge pull request #243 from keepwatch/broadening-suspicious-certutil 
Added '/' prefix, -encode switch, better renamed certutil coverage
 2019-02-06 16:58:27 +01:00
keepwatch
e6217928f3 Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
Unknown
2f66ba25f0 adjusted MITRE ATTCK tag 2019-02-06 11:27:51 +01:00
Unknown
a9731d211d removed my garbage 2019-02-06 11:16:40 +01:00
Unknown
4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown
54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
Unknown
a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1
04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown
22b67a67ac Initial Commit Cobalt Malleable for OneDrive 2019-02-06 10:59:02 +01:00
Unknown
353f66dd7c CobaltStrike Malleable OCSP) Profile with Typo (OSCP) in URL 2019-02-06 10:58:48 +01:00
t0x1c-1
150499d151 Detects Executables without FileVersion,Description,Product,Company likely created with py2exe 2019-02-06 10:58:37 +01:00
Unknown
c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
t0x1c-1
21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00