valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,983 Commits 20 Branches 25 Tags 21 MiB
ab292a4029
Commit Graph

1983 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
f66085b198 Added eventlog source DNS Server to configs 2017-05-08 13:09:17 +02:00
Florian Roth
c7cc2a00d3 WScript/CScript Dropper 2017-05-05 17:30:46 +02:00
Florian Roth
004fed24e0 Linux Generic Rules 2017-05-02 20:32:38 +02:00
Florian Roth
dc4ae35be1 Schtasks frequency - minute 2017-04-28 17:03:35 +02:00
Thomas Patzke
05e9d1e1e9 Check if aggregation is present in BaseBackend 
Caused NotImplementedError in ElasticsearchQueryStringBackend.
 2017-04-17 00:11:20 +02:00
Florian Roth
a5c3f424c1 regsvr32 Anomalies 2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b Minor fix > list to single value 2017-04-16 12:01:03 +02:00
Florian Roth
30163939f3 Fix: Rule identifier in EQGRP C2 rule 2017-04-15 23:32:56 +02:00
Florian Roth
8363b25888 Suspicious Control Panel DLL Load 2017-04-15 23:32:26 +02:00
Florian Roth
a0ee92a5c3 Equation group C2 server in firewall log rule 2017-04-15 11:32:56 +02:00
Florian Roth
37449e2c5d Fix: Search to log source in network rule 2017-04-15 11:32:38 +02:00
Florian Roth
89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth
d66c97921f Bugfix in rule 2017-04-13 01:22:03 +02:00
Florian Roth
059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth
64caa8aedc Merge pull request #31 from neu5ron/patch-4 
Create win_alert_ad_user_backdoors.yml
 2017-04-13 01:07:41 +02:00
Florian Roth
1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving 
improved win_pass_the_hash.yml rule
 2017-04-13 01:05:09 +02:00
Florian Roth
75a0a2c4bb Merge pull request #27 from benno001/patch-1 
Added field mappings for events with logins
 2017-04-13 01:04:20 +02:00
Nate Guagenti
53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth
a5297b1f29 Equation Group Script/Tool Commands 2017-04-09 20:11:56 +02:00
Florian Roth
abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth
44bedf9e17 Rule: Cloud Hopper WmiExec VBS 2017-04-07 17:41:53 +02:00
Florian Roth
92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
Florian Roth
875c187425 Merge pull request #29 from neu5ron/patch-2 
Create win_alert_active_directory_user_control.yml
 2017-04-04 18:56:19 +02:00
yugoslavskiy
f83d0e36b8 improved win_pass_the_hash.yml rule 
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
 2017-04-04 02:57:58 +03:00
Nate Guagenti
2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Florian Roth
c5b19d5661 Merge pull request #28 from neu5ron/patch-1 
Create win_alert_enable_weak_encryption.yml
 2017-04-03 21:27:20 +02:00
Nate Guagenti
85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti
bd63d74776 Create win_alert_enable_weak_encryption.yml 
kerberoast and enabling weak encryption for password/hash cracking
 2017-04-03 09:12:58 -04:00
Florian Roth
0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth
d9e6913c03 APT 29 - tor / google update service 2017-04-01 10:30:36 +02:00
Florian Roth
43d907791c Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00
Florian Roth
2657ff7db8 Rule: Carbon Paper Framework Service (Turla) 
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 2017-03-31 19:25:41 +02:00
Florian Roth
919a04666c Improved StoneDrill Rule 2017-03-31 19:25:10 +02:00
Ben de Haan
dddb83393d Added field mappings for events with logins 2017-03-30 10:49:36 +02:00
Thomas Patzke
f174d861bf Merge pull request #26 from benno001/patch-1 
Added LogPoint conditional username mapping
 2017-03-30 10:46:18 +02:00
Ben de Haan
cb9a9bc2ff Added LogPoint conditional username mapping 
Conditional mapping of SubjectAccountName based on EventID. Not a comprehensive list, but should include most relevant Event IDs.
 2017-03-30 09:51:32 +02:00
Thomas Patzke
298f3413f0 Merge branch 'devel-sigmac' 2017-03-29 23:34:52 +02:00
Thomas Patzke
c43166d5b9 Fixed log source configuration matching 2017-03-29 23:33:26 +02:00
Thomas Patzke
a22fe58ac9 Aggregation support for Splunk backend 2017-03-29 23:18:47 +02:00
Thomas Patzke
b62de742d7 Aggregation expression parsing 2017-03-29 23:17:43 +02:00
Thomas Patzke
ae5ae8f763 Verbose mode prints tokens if parsing failed 2017-03-29 22:21:40 +02:00
Florian Roth
fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth
e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth
f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth
078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth
67d9c44bb3 Improved linux suspicious activity rule 2017-03-27 15:21:39 +02:00
Florian Roth
707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth
adbeff505d Brought README up-to-date with the newest devs 2017-03-27 10:46:43 +02:00
Florian Roth
c5323ac1c2 Changes to Linux suspicious activity rule 2017-03-27 10:29:57 +02:00