valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,077 Commits 20 Branches 25 Tags 21 MiB
aafe9c6dae
Commit Graph

1077 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
aafe9c6dae
Delete sysmon_lethalHTA.yml 2018-10-02 08:55:19 +02:00
Florian Roth
f29ffc0697
Merge pull request #174 from esebese/patch-1 
sysmon_susp_run_key_img_folder.yml - Rule simplification
 2018-10-01 14:24:54 +02:00
Florian Roth
bbddcd0f9a
Merge pull request #176 from Karneades/fix-missing-list-handling 
Add missing event id list handling in PowerShell backend
 2018-10-01 14:23:48 +02:00
Karneades
468af42de5 Add missing event id list handling in PowerShell backend 2018-09-29 14:43:28 +02:00
Florian Roth
f2d83a5a00
Merge pull request #175 from Karneades/fix-powershell-backend 
Improve default field handling in PowerShell backend
 2018-09-29 14:08:30 +02:00
Karneades
c289484c5c Improve default field handling in PowerShell backend 2018-09-29 12:29:44 +02:00
Ensar Şamil
dec7568d4c
Rule simplification 
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
 2018-09-28 10:58:50 +03:00
Florian Roth
1c2431f33b
Merge pull request #169 from Karneades/fix-aggregation-exeption 
Add rule filename to "not implemented" exception output
 2018-09-26 11:50:25 +02:00
Florian Roth
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli 
Add group by to windows multiple suspicious cli rule
 2018-09-26 11:49:57 +02:00
Florian Roth
38d17e5169
Merge pull request #173 from b2az/patch-1 
Missing Character
 2018-09-26 11:49:17 +02:00
Florian Roth
a2c6f344ba
Lower case T 2018-09-26 11:44:12 +02:00
Braz
f35308a4d3
Missing Character 
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
 2018-09-26 11:40:24 +02:00
Florian Roth
815236449b
Added PowerShell as target, updated project list 2018-09-24 13:44:14 +02:00
Florian Roth
d0a527af5e
Merge pull request #172 from Karneades/powershell-backend 
Add initial version of the PowerShell backend
 2018-09-24 13:30:24 +02:00
Florian Roth
14337a2aac Tests: PowerShell backend tests 2018-09-24 13:23:38 +02:00
Florian Roth
2766d8f881
Merge pull request #171 from Karneades/fix-certutil 
Fix CommandLine in rule sysmon_susp_certutil_command
 2018-09-24 07:51:07 +02:00
Karneades
c66b00356d Add initial version of PowerShell backend 
* Add PowerShell backend
* Add PowerShell config file

State: Work in progress :)

See https://github.com/Neo23x0/sigma/issues/94
 2018-09-23 21:41:48 +02:00
Florian Roth
edf8dde958
Include cases in which certutil.exe is used 2018-09-23 20:57:34 +02:00
Karneades
c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command 
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
 2018-09-23 20:28:56 +02:00
Karneades
cc82207882 Add group by to win multiple suspicious cli rule 
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
 2018-09-23 19:38:23 +02:00
Karneades
fe6f4c7475 Add rule filename to exception output for unsupported aggregation 2018-09-23 19:12:50 +02:00
Thomas Patzke
81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Thomas Patzke
1d12fc290c Added Winlogbeat configuration 2018-09-20 12:08:11 +02:00
Florian Roth
13276ecf31 Rule: AV alerts - webshells 2018-09-09 11:04:27 +02:00
Florian Roth
e5c7dd18de Rule: AV alerts - relevant files 2018-09-09 11:04:27 +02:00
Florian Roth
7311d727ba Rule: AV alerts - password dumper 2018-09-09 11:04:27 +02:00
Florian Roth
84b8eb5154 Rule: AV alerts - exploiting frameworks 2018-09-09 11:04:27 +02:00
Florian Roth
82916f0cff
Merge pull request #159 from t0x1c-1/t0x1c-devel 
Suspicious SYSVOL Domain Group Policy Access
 2018-09-08 15:56:54 +02:00
Florian Roth
1294af4a71
Merge pull request #166 from yt0ng/master 
Malleable Amazon Profile
 2018-09-08 15:56:22 +02:00
yt0ng
48254f7a7e
Merge pull request #1 from yt0ng/apt/rules 
Malleable Amazon Profile
 2018-09-08 11:54:29 +02:00
Florian Roth
6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
Florian Roth
68896d9294 style: renamed rule files to all lower case 2018-09-08 10:25:20 +02:00
Florian Roth
788678feb8
Merge pull request #165 from JohnLaTwC/patch-1 
Create win_susp_powershell_hidden_b64_cmd.yml
 2018-09-08 10:23:05 +02:00
Florian Roth
5d714ab44e Rule: Added malware UA 2018-09-08 10:22:26 +02:00
Florian Roth
d0f2fbb6d6
Merge pull request #161 from megan201296/patch-12 
Fix typo
 2018-09-08 10:21:20 +02:00
Florian Roth
3f444b5fc2
Merge pull request #162 from megan201296/patch-13 
Added .yml extension and fix typo
 2018-09-08 10:21:00 +02:00
Florian Roth
69e65c0bdc
Merge pull request #164 from yt0ng/apt/rules 
Adding CMStar user-agent "O/9.27 (W; U; Z)"
 2018-09-08 10:19:41 +02:00
Unknown
7a74e86819 Merge remote-tracking branch 'origin/apt/rules' into apt/rules 2018-09-08 09:35:57 +02:00
Unknown
863736587c Adding ATTCK 2018-09-08 09:34:27 +02:00
Unknown
4bb01a8c24 ATTCK Tags 2018-09-08 09:29:54 +02:00
John Lambert
7ce5b3515b
Create win_susp_powershell_hidden_b64_cmd.yml 
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
 2018-09-07 20:23:11 -07:00
Unknown
d866097c07 CobaltStrike Malleable Amazon browsing traffic profile 2018-09-07 19:52:35 +02:00
Unknown
cf48a77d5a Adding CMStar user-agent "O/9.27 (W; U; Z)" 2018-09-07 09:07:24 +02:00
megan201296
3154be82f3
Added .yml extension and fix typo 2018-09-06 20:28:22 -05:00
megan201296
525326d15f
Fix typo 2018-09-06 20:20:11 -05:00
Thomas Patzke
13e41f29d6 Added CI test for tag filtering 2018-09-06 01:05:31 +02:00
Thomas Patzke
f3c60a6309 Added tag filtering to sigmac 2018-09-06 00:57:54 +02:00
Thomas Patzke
7f875af1ca Fixed WDATP backend 
It never generated any output due to missing return in generate()
method.
 2018-09-06 00:31:40 +02:00
Florian Roth
ec1bd77f2e Rule: Proxy UA rule update - from Kaspersky report 
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
 2018-09-05 20:39:19 +02:00
Florian Roth
49f7da6412 style: changed title casing and minor fixes 2018-09-04 16:15:41 +02:00