valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,249 Commits 20 Branches 25 Tags 21 MiB
a2eac623a6
Commit Graph

1249 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
a2eac623a6 Rule: Adjusted RDP login from localhost rule level 2019-01-29 14:04:10 +01:00
Florian Roth
c9ec469180 style: cosmetics - removed empty lines at file end 2019-01-29 12:54:07 +01:00
Thomas Patzke
516bfc88ff Added rule: RDP login from localhost 2019-01-28 22:43:22 +01:00
Thomas Patzke
3c7f46a6cd Added rule test to CI testing 2019-01-23 23:31:36 +01:00
Thomas Patzke
9ce7d18712
Merge pull request #231 from TareqAlKhatib/rule_testing_framework 
Rule testing framework
 2019-01-23 23:16:46 +01:00
Tareq AlKhatib
ecffe28933 Correct MITRE tag 2019-01-22 21:26:07 +03:00
Tareq AlKhatib
e3d61047bb Added two tests. One for MITRE and another for file extension. 2019-01-22 21:25:13 +03:00
Florian Roth
90e8eba530 rule: false positive reduction in PowerShell rules 2019-01-22 16:37:36 +01:00
Florian Roth
cc6e0baef1 rule: extended certutil rule to include verifyctl and allows renamed certutil 
https://twitter.com/egre55/status/1087685529016193025
 2019-01-22 16:20:06 +01:00
Florian Roth
b1ea976f66 fix: fixed bug inntdsutil rule that included a white space 2019-01-22 16:18:43 +01:00
Florian Roth
8c4b21f063 Rule: Apache threading errors 2019-01-22 08:49:10 +01:00
Florian Roth
5645c75576 Rule: updated relevant AV signatures - exploiting 
https://twitter.com/haroldogden/status/1085556071891173376
 2019-01-16 18:43:28 +01:00
Florian Roth
f759e8b07c Rule: Suspicious Program Location Process Starts 2019-01-15 15:40:51 +01:00
Thomas Patzke
8336b47530 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-01-14 22:12:37 +01:00
Thomas Patzke
cc4b806b94 Sigma tools release 0.7.1 2019-01-14 00:26:03 +01:00
Thomas Patzke
5cba0b9946
Merge pull request #223 from m0jtaba/master 
extending the qradar backend to allow for timeframe query
 2019-01-13 23:55:55 +01:00
Thomas Patzke
ed1ee80f2d
Merge pull request #221 from adrienverge/fix/yamllint 
Fix yamllint config
 2019-01-13 23:55:14 +01:00
Florian Roth
9a6b3b5389 Rule: PowerShell script run in AppData folders 2019-01-12 12:03:36 +01:00
Florian Roth
604d88cf1e Rule: WMI Event Subscription 2019-01-12 12:03:36 +01:00
Florian Roth
63f96d58b4 Rule: Renamed PowerShell.exe 2019-01-12 12:03:36 +01:00
Florian Roth
b7eb79f8da Rule: UserInitMprLogonScript persistence method 2019-01-12 12:03:36 +01:00
Florian Roth
d4a1fe786a Rule: Dridex pattern 2019-01-12 12:03:36 +01:00
Mo Amiri
aa37ef2559 extending the qradar backend to allow for timeframe query 2019-01-11 03:33:49 +00:00
Adrien Vergé
44f18db80d Fix YAML errors reported by yamllint 
Especially the config for ArcSight, that was invalid:

    tools/config/arcsight.yml
      89:5      error    duplication of key "product" in mapping  (key-duplicates)
      90:5      error    duplication of key "conditions" in mapping  (key-duplicates)

    rules/windows/builtin/win_susp_commands_recon_activity.yml
      10:9      error    too many spaces after colon  (colons)
 2019-01-10 09:51:39 +01:00
Adrien Vergé
b5531be4bf Really run yamllint (it wasn't checking any rule) 
Fix the yamllint config in `.yamllint` to "extend" the default rule.
Previously, it didn't extend anything and only disabled a rule, which
means no rule at all were checked.

Also disable some rules in this file, because they report many errors in
the Sigma code base.

In the future, I suggest fixing these errors and re-enabling standard
rules like `trailing-spaces` or `indentation`.

Fixes #220.
 2019-01-10 09:51:33 +01:00
Florian Roth
0c3b0e25a8
Merge pull request #217 from TareqAlKhatib/private_ips 
Corrected class B private IP range to prevent false negatives
 2019-01-04 12:11:25 +01:00
Tareq AlKhatib
8b94860ee6 Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
Florian Roth
ee417dd2ea
Merge pull request #216 from TareqAlKhatib/duplicate_outlook 
Removed Outlook detection which is a subset of the Office one
 2019-01-02 22:56:59 +01:00
Tareq AlKhatib
925ffae9b8 Removed Outlook detection which is a subset of the Office one 2019-01-02 07:47:44 +03:00
Florian Roth
55f8993a96
Merge pull request #215 from TareqAlKhatib/ole_vs_rc 
Fixed the RC section to use rc.exe instead of oleview.exe
 2019-01-01 14:01:42 +01:00
Tareq AlKhatib
0a5e79b1e0 Fixed the RC section to use rc.exe instead of oleview.exe 2019-01-01 13:30:26 +03:00
Florian Roth
4e21289bdc
Merge pull request #214 from TareqAlKhatib/reference_vs_references 
Corrected reference to references as per Sigma's standard
 2018-12-28 10:55:30 +01:00
Tareq AlKhatib
f318f328d6 Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
Thomas Patzke
f7e53929fa Added Python 3.7 to CI testing 2018-12-21 14:17:02 +01:00
Thomas Patzke
73b0c3a25b Fixed wildcard issue for es-dsl backend 
Moved field mapping code into mixin shared by es-qs and es-dsl.
 2018-12-21 14:10:45 +01:00
Florian Roth
c8c419f205 Rule: Hacktool Rubeus 2018-12-19 09:31:22 +01:00
Thomas Patzke
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master 
Field-Index Mapping File & SIGMA Rules Field names fix
 2018-12-19 00:38:06 +01:00
Thomas Patzke
ffd43823cf Fixed wildcard issue in es-qs backend and depending 
See GitHub issue #194. Fix for es-dsl is pending.
 2018-12-19 00:33:12 +01:00
Florian Roth
a7fa20546a Rule: proxy user agents updated with MacControl user agent 2018-12-17 14:18:03 +01:00
Florian Roth
99f773dcf6 Rule: false positive reduction in rule 2018-12-17 10:02:55 +01:00
Florian Roth
172236e130 Rule: updated ATT&CK tags in MavInject rule 2018-12-12 09:17:58 +01:00
Florian Roth
188d3a83b8 Rule: docs: reference update in MavInject rule 2018-12-12 08:37:00 +01:00
Florian Roth
6206692bce
Merge pull request #212 from Neo23x0/commandline-issue 
Bugfix: wrong field for 4688 process creation events
 2018-12-12 08:24:07 +01:00
Florian Roth
49eb03cda8 Rule: MavInject process injection 2018-12-12 08:18:43 +01:00
Florian Roth
b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Florian Roth
b5d78835b6 Removed overlapping rule with sysmon_office_shell.yml 2018-12-11 13:37:47 +01:00
Roberto Rodriguez
a0486edeea Field-Index Mapping File & SIGMA Rules Field names fix 
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
 2018-12-11 09:27:26 +03:00
Thomas Patzke
68866433e8 Merge branch 'juju4-devel-sumo' 2018-12-10 22:37:58 +01:00
Thomas Patzke
4175d0cdd5 Fixed config and added index field 
* Added index field _index to backend implementation
* Fixed index values in config
 2018-12-10 22:37:39 +01:00
Thomas Patzke
b520897176 Added CI testing for SumoLogic backend 2018-12-10 22:36:08 +01:00