valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,825 Commits 20 Branches 25 Tags 21 MiB
a152853ac3
Commit Graph

2825 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
a152853ac3
Merge pull request #624 from Antonlovesdnb/master 
New rules for Macro Detections
 2020-02-25 15:44:31 +01:00
Antonlovesdnb
e8b861bff4
Update sysmon_susp_winword_vbadll_load.yml 2020-02-25 09:24:29 -05:00
Antonlovesdnb
4c5d489428
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-25 09:23:52 -05:00
Antonlovesdnb
f92e2f2b18
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:23:22 -05:00
Antonlovesdnb
8141b1ae90
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-25 09:22:56 -05:00
Antonlovesdnb
45e4a585bf
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-25 09:22:37 -05:00
Antonlovesdnb
c5b42aeaed
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-25 09:19:03 -05:00
Antonlovesdnb
bb1eecfe14
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:17:33 -05:00
Florian Roth
dd1a0e764c docs: more false positive conditions 2020-02-25 11:13:58 +01:00
Florian Roth
950fa18418 fix: changed titles to avoid duplicates 2020-02-25 11:12:47 +01:00
Florian Roth
5d96f81a84 fix: lowered level due to false positives 2020-02-25 11:12:11 +01:00
Thomas Patzke
4ac6ddc8ef Merge branch 'changelog' 2020-02-24 22:35:41 +01:00
Thomas Patzke
fa717233a9 Updated changelog 2020-02-24 22:30:36 +01:00
Florian Roth
91d1586b97
Merge pull request #633 from EccoTheFlintstone/fix_fp 
rule local account discovery: fix FP on rmdir matching dir
 2020-02-24 13:41:39 +01:00
ecco
aa1eff5419 fix FP on rmdir matching dir 2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix 
fix false positive on taskkill.exe not related to service stop at all
 2020-02-24 09:58:33 +01:00
Florian Roth
53ca71e7ae
Merge pull request #631 from EccoTheFlintstone/ascii_fix 
fix non ascii character in rule (probably a typo)
 2020-02-24 09:58:13 +01:00
ecco
f807dae69a fix false positive on taskkill.exe not related to service stop at all 2020-02-24 03:03:46 -05:00
ecco
1703b725d3 fix non ascii character in rule 2020-02-24 02:58:34 -05:00
Thomas Patzke
12be884aa5 Merge branch 'sql-backend' 2020-02-21 22:41:53 +01:00
Thomas Patzke
776b58b594 Improved Splunk Zeek configuration 2020-02-21 22:31:14 +01:00
Thomas Patzke
fa4c76871f Added CI test for sql backend 2020-02-21 22:27:55 +01:00
Thomas Patzke
746f957a63 Merge branch 'patch-1' of https://github.com/fuseyjz/sigma into fuseyjz-patch-1 2020-02-21 22:24:44 +01:00
Thomas Patzke
3047571132
Merge pull request #625 from ninoseki/fix-sigma2misp 
Update sigma2misp
 2020-02-21 22:22:54 +01:00
Thomas Patzke
61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Manabu Niseki
c6eb3bfbf2 Update sigma2misp 
Make enable to use with modern PyMISP
 2020-02-20 18:55:10 +09:00
Antonlovesdnb
9625a94d0b
Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-19 14:52:31 -05:00
Antonlovesdnb
6234f72a6c
Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-19 14:52:09 -05:00
Antonlovesdnb
328858279f
Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-19 14:51:50 -05:00
Antonlovesdnb
1f01fe446f
Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-19 14:51:22 -05:00
Antonlovesdnb
6d0805ac13
Update sysmon_susp_winword_vbadll_load.yml 2020-02-19 14:51:00 -05:00
Antonlovesdnb
1e461cb2d1
Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-19 14:50:31 -05:00
Antonlovesdnb
56ffa9ec0e
Update sysmon_registry_trust_record_modification.yml 2020-02-19 14:50:09 -05:00
Antonlovesdnb
397cdecb94
5 Rules covering various macro techniques 
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product
 2020-02-19 14:43:13 -05:00
Antonlovesdnb
f8be92dae0
Add files via upload 2020-02-19 10:13:44 -05:00
Florian Roth
a9403b70d5
Merge pull request #623 from Neo23x0/devel 
fix: fixing too restrictive rule
 2020-02-18 11:14:51 +01:00
Florian Roth
6413730810 fix: fixing too restrictive rule 
https://twitter.com/Hexacorn/status/1229702521679118336
 2020-02-18 10:43:22 +01:00
Florian Roth
f7a6ffa121
Merge pull request #622 from Neo23x0/devel 
Minor changes, process dump via rundll32 comsvcs.dll
 2020-02-18 10:26:28 +01:00
Florian Roth
04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth
5a4095f13f fix: restored GPL 2020-02-18 10:06:00 +01:00
Florian Roth
cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
yugoslavskiy
7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Florian Roth
2363213fc9
add TimeSketch to list of products that use Sigma 2020-02-17 08:41:23 +01:00
Thomas Patzke
01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
yugoslavskiy
d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
yugoslavskiy
168ab7c620 Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd 2020-02-16 17:57:48 +03:00
Thomas Patzke
f118839664 Further fixes and deduplications 
From suggestions of @yugoslavskiy in issue #554.
 2020-02-16 14:03:07 +01:00