valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,332 Commits 20 Branches 25 Tags 21 MiB
9ef314486e
Commit Graph

1332 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Roberto Rodriguez
f0b23af10d Update win_rare_schtasks_creations.yml 
Count(taskName) not being taken by elastalert integration with Sigmac
 2018-12-05 05:10:08 +03:00
Thomas Patzke
f9d9d653dc
Merge pull request #199 from sisecbe/patch-1 
Distinct count in aggragation function
 2018-12-04 23:42:16 +01:00
Thomas Patzke
3288f6425b Merge branch 'SherifEldeeb-master' 2018-12-04 23:38:02 +01:00
Thomas Patzke
900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Florian Roth
3861dd5912 Rule: APT29 campaign against US think tanks 
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 2018-12-04 17:04:03 +01:00
Florian Roth
2bf0170956
Merge pull request #202 from tuckner/master 
Fixed backslash escape
 2018-12-03 22:22:53 +01:00
tuckner
2c5c92ab0a fixed backslash escape 2018-12-03 15:09:29 -06:00
Florian Roth
a805d18bba
Merge pull request #198 from kpolley/consistent_filetype 
changed .yaml files to .yml for consistency
 2018-12-03 09:00:14 +01:00
Florian Roth
7e05b2546a
Merge pull request #201 from 41thexplorer/master 
Adding new rules detecting recently active APTs
 2018-12-03 08:59:46 +01:00
AL
9f1df6164b
adding new rules detecting recently active APTs 2018-12-03 09:42:29 +02:00
Florian Roth
2ebbdebe46 rule: Cobalt Strike beacon detection via Remote Threat Creation 
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 2018-11-30 10:25:05 +01:00
Thomas Patzke
e502550d76 Merge branch 'lsoumille-master' 2018-11-29 00:03:12 +01:00
Thomas Patzke
f6ad36f530 Fixed rule 2018-11-29 00:00:18 +01:00
Thomas Patzke
1118b80288 Added elastalert backend to CI testing 2018-11-29 00:00:00 +01:00
Thomas Patzke
0a5caae5df Merge branch 'master' of https://github.com/lsoumille/sigma into lsoumille-master 2018-11-28 23:53:15 +01:00
Florian Roth
99e0a4defb fix: SPARK config duplicate identifier 2018-11-27 14:05:13 +01:00
lsoumille
50c74b94bc add elastalert backend support 2018-11-23 20:39:15 +01:00
sisecbe
c848c473a3
Error when empty fields attribute 2018-11-23 15:37:42 +01:00
sisecbe
31eae25756
Indentation error 2018-11-23 15:20:17 +01:00
sisecbe
e43909678e
Added the fields attribute parser 
Make a table with the fields present in the fields attribute
 2018-11-23 15:11:12 +01:00
sisecbe
c2eb87133d
Distinct count in aggragation function 
Added dc() instead of count() when group-by field is present. Because count() doesn't do a distinct count in Splunk. Must be the dc() function instead.
 2018-11-23 15:04:08 +01:00
Florian Roth
7ba1fe4309 Turla PNG Dropper Service Name 2018-11-23 08:46:20 +01:00
Florian Roth
e7762c71ce Merge remote-tracking branch 'origin/master' 2018-11-22 19:14:12 +01:00
Florian Roth
ec83ab5e13 APT28 Zebrocy rule 
https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
 2018-11-22 19:14:07 +01:00
Thomas Patzke
aa1a953a65 Moved node dumping code to generic location 2018-11-21 23:22:38 +01:00
Thomas Patzke
26d888aec3 Removed "not null" handling code 
Feature was removed some time ago.
 2018-11-21 22:56:48 +01:00
Thomas Patzke
a1940c6eaa Simplified rule 2018-11-21 22:34:04 +01:00
Thomas Patzke
9e28669c33 Backend es-qs return quotes on empty or whitespace-only string 2018-11-21 22:29:12 +01:00
Kyle Polley
60538e2e12 changed .yaml files to .yml for consistency 2018-11-20 21:07:36 -08:00
Thomas Patzke
49d464f979 Fixed wildcards in es-qs backend 2018-11-20 23:23:54 +01:00
Florian Roth
a31acd6571 fix: fixed procdump rule 2018-11-17 09:10:26 +01:00
Florian Roth
fd06cde641 Rule: Detect base64 encoded PowerShell shellcode 
https://twitter.com/cyb3rops/status/1063072865992523776
 2018-11-17 09:10:09 +01:00
Sherif Eldeeb
23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Sherif Eldeeb
cd5950749e revert to upstream 2018-11-15 08:45:25 +03:00
Sherif Eldeeb
742192b452
Merge pull request #4 from Neo23x0/master 
fetch updates from upstream
 2018-11-15 08:32:33 +03:00
Florian Roth
b92c032c2d Linux JexBoss back connect shell 2018-11-08 23:21:36 +01:00
Florian Roth
fc7a750f0f
Added RSA NetWitness to the supported targets 2018-11-07 22:56:51 +01:00
Thomas Patzke
102b56dfe3 Merge branch 'tuckner-master' 2018-11-07 22:53:15 +01:00
Thomas Patzke
396a030ed1 Removed duplicate code 2018-11-07 22:52:12 +01:00
Thomas Patzke
6b8ddd6ac0 Added CI test for NetWitness backend 2018-11-07 22:36:34 +01:00
Thomas Patzke
116a0e9f03 Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master 2018-11-07 22:27:41 +01:00
Thomas Patzke
fe79be894b Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-11-07 14:01:21 +01:00
Thomas Patzke
5053cc4e95 Fixed optimizing of not conditions with subexpressions 
Optimization pass traversal is cut at ConditionNOT nodes.
 2018-11-07 13:54:45 +01:00
Thomas Patzke
a88b1e81ec Optimizer debugging code cleanup 
* Removed commented debugging code
* Output to stdin
* Coverage exception for _dumpNode
 2018-11-07 13:49:08 +01:00
Florian Roth
0ee515db47
Merge pull request #192 from neu5ron/patch-2 
Update win_alert_ad_user_backdoors.yml
 2018-11-07 08:34:16 +01:00
Nate Guagenti
9bfdcba400
Update win_alert_ad_user_backdoors.yml 
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 2018-11-05 21:08:19 -05:00
tuckner
bd5b823725 Removed specific NetWintess config from test 2018-10-31 14:32:13 -05:00
tuckner
ca6ba4a85b Added NetWitness backend and tests 2018-10-31 14:24:14 -05:00
tuckner
26f73d60fa Added NetWitness backend and tests 2018-10-31 14:07:59 -05:00
Florian Roth
37294d023f Suspicious svchost.exe executions 2018-10-30 09:37:40 +01:00