valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,921 Commits 20 Branches 25 Tags 21 MiB
a6212a4490
Commit Graph

105 Commits

Author SHA1 Message Date
aw350m3
bd5026f6b9 fixed typos in tags 2020-09-03 14:29:05 +00:00
aw350m3
b00047a4e8 att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:54 +00:00
Florian Roth
437a567e4f
Merge pull request #917 from Neo23x0/rule-devel 
New Empire Rules and Updates
 2020-07-13 16:37:59 +02:00
Florian Roth
557e8b0faf rule: improved Empire detection 2020-07-13 15:47:53 +02:00
Thomas Patzke
90f09f7b12 Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829 2020-07-07 23:15:39 +02:00
Florian Roth
b648998fd0 rule: Turla ComRAT 2020-05-26 13:18:50 +02:00
Florian Roth
d1a5471d21 rule: Strong Pity loader UA 2020-05-23 17:38:10 +02:00
Florian Roth
e01734fda1 rule: proxy UA hidden cobra 2020-05-12 17:43:54 +02:00
Florian Roth
1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth
f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Florian Roth
e67dddcc35 rule: PwnDrp access 2020-04-17 08:55:54 +02:00
Florian Roth
60279c7501
Merge pull request #610 from axi0m/patch-1 
Update proxy_raw_paste_service_access.yml
 2020-03-07 10:39:56 +01:00
Florian Roth
ca2cc87f0c
fixed regex syntax to wildcard syntax 2020-02-26 09:43:29 +01:00
Florian Roth
eb36150e6b rule: UserAgent used by PowerTon malware 2020-02-15 19:06:49 +01:00
Florian Roth
d9645af840 rule: added Emotet UA 
https://twitter.com/webbthewombat/status/1225827092132179968
 2020-02-08 10:37:56 +01:00
Kevin Dienst
98471bc53c
Update proxy_raw_paste_service_access.yml 
Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw`

Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
 2020-02-03 07:29:42 -06:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
617ece1aa2 fix: fixed missing date fields in proxy rules 2020-01-30 15:20:52 +01:00
Florian Roth
1b42f2a0e2
Merge pull request #561 from Neo23x0/devel 
Devel
 2019-12-12 13:34:58 +01:00
Florian Roth
67dfd729fd rule: extended Proxy UA suspicious rule 2019-12-12 10:42:23 +01:00
Florian Roth
9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth
065df363dc rule: added Empire UA 2019-12-12 09:39:28 +01:00
Thomas Patzke
a9d6158dde Merge branch 'rules' 2019-12-09 16:17:39 +01:00
Thomas Patzke
2ea87f187c Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00
Thomas Patzke
991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke
dd8442590f Fixed proxy rule field names 2019-12-07 00:11:33 +01:00
Kevin Dienst
865251238f
Add hastebin raw URI to contains selection 2019-12-05 14:16:20 -06:00
Florian Roth
8e107f43a2 rule: raw paste service access 2019-12-05 08:54:49 +01:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
Thomas Patzke
ffdf312932 Added Ursnif user agents 2019-11-12 08:52:37 +01:00
Florian Roth
66a32549f1 rule: proxy malware ua - Zebrocy 2019-10-26 14:20:29 +02:00
Florian Roth
4e7ad5c948 rule: added date to crypto miner rule 2019-10-21 13:24:33 +02:00
Florian Roth
e8963b2599 rule: crypto miner user agents in proxy logs 2019-10-21 13:21:50 +02:00
Florian Roth
9457f01c29
Update proxy_ios_implant.yml 2019-10-21 11:20:11 +02:00
Florian Roth
f8d8eb7948
Update proxy_chafer_malware.yml 2019-10-21 11:19:59 +02:00
a2tf
a2753ba5a6 rule: changed two proxy rules from uri-query to url 2019-10-18 14:15:39 +00:00
Florian Roth
7b8b1db241 rule: proxy ua unknown zero day implant 2019-09-24 18:24:48 +02:00
Florian Roth
7cc26e30b4 docs: renamed file name 2019-08-30 12:04:20 +02:00
Florian Roth
f8785e722f docs: changed title and description of rule 2019-08-30 12:03:42 +02:00
Florian Roth
ba46d6b4de docs: added reference to rule 2019-08-30 11:55:02 +02:00
Florian Roth
398ef9c6aa rules: teardown implant, apt28 ua 2019-08-30 11:53:55 +02:00
Florian Roth
a3349823e5 rule: implant teardown 2019-08-30 11:48:51 +02:00
Florian Roth
8a078b6c86 rule: APT28 UA 2019-08-30 11:48:38 +02:00
Thomas Patzke
407d8214f7 Added APT40 Dropbox exfiltration proxy rule 2019-06-07 14:03:41 +02:00
Florian Roth
5249279a66 Rule: another MSF payload user agent 2019-04-20 09:38:41 +02:00
Florian Roth
fe9e50167f Rule: renamed bitsadmin rule 2019-03-08 16:25:16 +01:00
Florian Roth
49532438eb Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00
Florian Roth
ae1541242c New custom suspicious TLD in rule ".pw" 2019-03-03 10:58:12 +01:00
Florian Roth
c2eda887fa Rule: Suspicious Windows NT 9 UA 2019-02-12 10:33:33 +01:00