valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,921 Commits 20 Branches 25 Tags 21 MiB
a6212a4490
Commit Graph

62 Commits

Author SHA1 Message Date
Alexey Lednyov
1eb675f693 att&ck tags review: web, network/zeek 2020-09-03 17:06:37 +03:00
Yugoslavskiy Daniil
71fec94417 review network/cisco/aaa 2020-09-03 00:34:41 +02:00
Alexey Lednyov
880b10cce1 att&ck tags review: windows/process_creation part 1, network 2020-08-27 20:43:47 +03:00
Josh Brower
4c4b8db7cf
Zeek RDP rule 2020-08-23 13:16:42 -04:00
Florian Roth
80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
Florian Roth
58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Florian Roth
781667ef22 fix: zeek rule references isn't a list 2020-07-14 00:33:47 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
neu5ron
7c3dea22b8 small T, big T 2020-05-19 05:13:48 -04:00
neu5ron
602c8917ef domain user enumeration via zeek rpc (dce_rpc) log. 2020-05-19 05:08:26 -04:00
neu5ron
858ebcd3d3 author typo update 2020-05-19 04:35:47 -04:00
neu5ron
2fc8d513d6 zeek, swap path and name 2020-05-19 04:35:30 -04:00
neu5ron
a01a85cf9b CI/CD check fixes (missing ID's) 2020-05-04 15:22:18 -04:00
neu5ron
a61b1da47a fixed yaml space causing condition to not be found 2020-05-04 15:17:43 -04:00
neu5ron
d300027848 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) 
add rules for Zeek. This includes Windows Event Channel Security EventID:5145 that have same fields as Zeek SMB
Also, converted some of (MITRE ATT&CK BZAR)[https://github.com/mitre-attack/bzar] which are Zeek (sensor) scripts.
 2020-05-02 07:27:51 -04:00
neu5ron
c66540c029 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) 
create `zeek` folder to store Zeek rules
 2020-05-02 07:25:21 -04:00
Florian Roth
35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Florian Roth
94bb7dd77f
fix: issues 2020-02-13 09:17:21 +01:00
james dickenson
21e4aa33dc rule modification: fixed filter condition on zeek suspicious rc4 traffic 2020-02-12 21:27:36 -08:00
james dickenson
93367d725d rule: zeek suspicious kerberos RC4 traffic 2020-02-12 21:21:46 -08:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Florian Roth
aa8a0f5e1f
Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
82cae6d63c
Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
efd3af0812 fix: fixed missing date fields in other files 2020-01-30 15:32:39 +01:00
Florian Roth
4ad71c44bc chore: moved network device rules to the 'network' folder 2020-01-30 14:30:26 +01:00
Thomas Patzke
924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
 2019-12-19 23:56:36 +01:00
yugoslavskiy
efc404fbae resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml 2019-11-19 02:11:19 +01:00
yugoslavskiy
f2caf366cb moved net_possible_dns_rebinding.yml to unsupported logic directory; renamed win_powershell_bitsjob.yaml -> win_powershell_bitsjob.yml 2019-11-14 00:24:53 +03:00
yugoslavskiy
c8ee6e9631
Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov 
[OSCD] Ilyas Ochkov contribution
 2019-11-14 00:22:48 +03:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Yugoslavskiy Daniil
4251d9f490 ilyas ochkov contribution 2019-10-29 03:44:22 +03:00
yugoslavskiy
5eb484a062 add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00
Thomas Patzke
56f64ca47d
Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection 
New C2 DNS Tunneling Sigma Detection Rule
 2019-05-10 00:12:39 +02:00
Thomas Patzke
f51e918a2e Small rule change 2019-05-09 23:57:55 +02:00
Florian Roth
a85acdfd02
Changed title and description 2019-04-21 08:54:56 +02:00
Florian Roth
0713360443
Fixed MITRE ATT&CK tags 2019-04-21 08:52:07 +02:00
patrick
51d19b36cc Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00
patrick
4b43db2aac Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00
MadsRC
41b4d800c5
Update net_susp_dns_txt_exec_strings.yml 
Fixed my botched YAML syntax...
 2019-04-04 08:35:37 +02:00
MadsRC
d0d51b6601
Update net_susp_dns_txt_exec_strings.yml 
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.

"record_type" was chosen as that fits with Splunks "Network Resolution (DNS)" datamodel.
 2019-04-03 20:31:31 +02:00
Thomas Patzke
58afccb2f3
Fixed ATT&CK tagging 2018-08-08 15:58:19 +02:00
yt0ng
e44b4f450e
DNS TXT Answer with possible execution strings 
https://twitter.com/stvemillertime/status/1024707932447854592
 2018-08-08 15:51:56 +02:00
Florian Roth
9640806678 Rules: Telegram Bot API access 2018-06-05 16:25:43 +02:00
Florian Roth
1aaed07dd7 Rule: Suspicious base64 encoded part of DNS query 2018-05-10 14:08:52 +02:00
Florian Roth
62b490396d Rule: Cobalt Strike DNS Beaconing 2018-05-10 14:08:52 +02:00