Commit Graph

1983 Commits

Author SHA1 Message Date
Florian Roth
125bf4f3f2 Rule adjustment
Added wildcards because the field can contain a full path
2017-03-26 23:41:38 +02:00
Florian Roth
53cc80c8f4 Windows Suspicious Process Creation
- Bugfix in selection name
- New keyword expressions
2017-03-26 23:25:47 +02:00
Florian Roth
b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth
800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Florian Roth
c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Florian Roth
5c4a13af71 Rules: Linux commands and log entries of interest 2017-03-25 19:59:45 +01:00
Florian Roth
c8cc857b7c Improved the linux suspicious keywords rule 2017-03-25 19:23:10 +01:00
Florian Roth
1a5ae7a0e2 Merge pull request #23 from MHaggis/master
wmic and net
2017-03-25 17:46:17 +01:00
Michael Haag
5ea6fad999 net.exe and wmic.exe
Suspicious execution of net and wmic
2017-03-25 06:48:23 -07:00
Michael Haag
5f6f8f3313 Merge remote-tracking branch 'Neo23x0/master' 2017-03-25 06:21:09 -07:00
Thomas Patzke
9698e8fdf7 Changed Logpoint SubjectAccountName mapping to conditional mapping 2017-03-25 00:27:29 +01:00
Thomas Patzke
c978e19d88 Conditional field mappings 2017-03-25 00:21:44 +01:00
Thomas Patzke
a4465ce844 Added 1:n field mapping
MultiFieldMapping
2017-03-24 00:58:11 +01:00
Thomas Patzke
5009794591 Changes to field mappings
* Introduced field mapping objects
* moved mapping from backends into parse tree generation
  (SigmaParser.parse_definition)
2017-03-24 00:48:32 +01:00
Florian Roth
699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth
d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth
10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth
7e180365ab PowerShell Classic Log in Splunk Config Example 2017-03-22 11:17:46 +01:00
Florian Roth
fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Thomas Patzke
4ff792fbcf Merge pull request #18 from benno001/patch-1
LogPoint windows mapping
2017-03-21 22:56:39 +01:00
Florian Roth
3bfa9ed121 Bugfix: Minor fix because Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth
7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Florian Roth
f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth
6932fcec65 Rule: Linux shell more suspicious keywords 2017-03-21 10:23:12 +01:00
Florian Roth
055992eb05 Bugfix: PowerShell rules log source inconsistency 2017-03-21 10:22:13 +01:00
Florian Roth
6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Ben de Haan
c3c405a95e LogPoint windows mapping 2017-03-20 16:57:19 +01:00
Thomas Patzke
1bf11dc471 Merge pull request #17 from benno001/master
Fixed LogPoint list behaviour
2017-03-20 08:58:16 +01:00
Ben de Haan
c94b539b14 Fixed LogPoint list behaviour 2017-03-20 08:41:29 +01:00
Florian Roth
2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth
b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth
c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke
d0bed75eb9 Added --output/-o parameter to sigmac 2017-03-18 23:15:03 +01:00
Thomas Patzke
889315c960 Changed values with placeholders to quoted strings
Values beginning with % cause YAML parse error
2017-03-18 23:05:16 +01:00
Florian Roth
f34156138f Bugfix - Index 2017-03-18 13:57:42 +01:00
Florian Roth
8403e8072c Merge pull request #14 from benno001/master
Added LogPoint backend
2017-03-18 13:30:35 +01:00
Florian Roth
264dab9330 Merge pull request #13 from yampelo/patch-2
Create sysmon_sdclt_uac_bypass.yml
2017-03-18 13:18:29 +01:00
Florian Roth
f292a259a5 Adjusted Windows Splunk Config 2017-03-18 13:12:31 +01:00
Ben de Haan
d18751a0ea Added LogPoint backend 2017-03-18 11:12:06 +01:00
Thomas Patzke
17c484163d Improved examples 2017-03-18 00:03:21 +01:00
Thomas Patzke
824f26c51c Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-03-17 23:34:19 +01:00
Thomas Patzke
b4f52d9cfb Windows index in Splunk example configuration 2017-03-17 23:30:11 +01:00
Thomas Patzke
b865a858aa Generation of conditions for configured indices 2017-03-17 23:28:06 +01:00
Thomas Patzke
56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb Create sysmon_sdclt_uac_bypass.yml
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
2017-03-17 14:31:26 -04:00
Florian Roth
59499f926e Bugfix: Taskscheduler log source definition 2017-03-17 16:09:31 +01:00
Florian Roth
dc00baacda Splunk Windows Configuration Example 2017-03-17 10:00:56 +01:00
Florian Roth
dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth
bcc250e1c7 Added missing description 2017-03-17 08:43:21 +01:00