Simen Lybekk
bbcbed4742
Add parentheses about field list groups in CB
This should address the grouping issue from #660.
The grouping issue was solved by just slamming some parentheses around the fields in the listExpression field.
2020-06-11 15:33:02 +02:00
Florian Roth
97c45f9d46
Merge pull request #812 from tliffick/master
added new rules for malware
2020-06-10 17:37:19 +02:00
Florian Roth
96309d247b
fix: cosmetic fault
2020-06-10 16:41:03 +02:00
Florian Roth
6e4aa01baa
Cosmetics
2020-06-10 16:36:17 +02:00
Florian Roth
13c7d40a22
Cosmetics
2020-06-10 16:35:41 +02:00
Florian Roth
f553fb2e33
Cosmetics
2020-06-10 16:35:14 +02:00
Florian Roth
48e4e31713
Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll
Fax Service DLL search order hijacking detection
2020-06-10 16:33:12 +02:00
Florian Roth
1a9da23611
Merge pull request #825 from NVISO-BE/sysmon_office_persistence
Office persistence by addin detection
2020-06-10 16:32:50 +02:00
Steven Goossens
e5f36dd146
Added rules files split into folders
2020-06-10 16:32:30 +02:00
Remco Hofman
8adaa2d672
Fixed bad indentation
2020-06-10 15:02:41 +02:00
Steven Goossens
423baafa2a
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
Remco Hofman
83a6e25bcb
Fax Service DLL search order hijacking
2020-06-10 15:01:07 +02:00
Remco Hofman
cb8e478ac1
Sigma rule to detect Office persistence via addin.
2020-06-10 14:52:13 +02:00
Thomas Patzke
915ea1cc67
Merge branch 'script_entry_points' into master
2020-06-10 00:51:47 +02:00
Florian Roth
565febd39d
README updated
2020-06-09 23:25:09 +02:00
Florian Roth
51f28271a5
Merge pull request #824 from neu5ron/sigmacs
Sigmacs
2020-06-09 23:15:50 +02:00
Nate Guagenti
2b735494cd
Merge branch 'master' of https://github.com/Neo23x0/sigma into sigmacs
2020-06-09 16:54:02 -04:00
Nate Guagenti
f4fe425fa7
update readme for some analyzed field and keyword field examples
2020-06-09 16:53:50 -04:00
Thomas G
8c61dc9248
Add more Options for XPackWatcherBackend (Elasticsearch)
Add action_throttle_period, mail_from and mail_profile to the XPackWatcherBackend (Elasticsearch)
2020-06-09 20:57:26 +02:00
Florian Roth
5c835cf1f2
Merge pull request #813 from ozirus/patch-1
Create sysmon_apt_muddywater_dnstunnel.yml
2020-06-09 18:44:45 +02:00
Florian Roth
7a334a8d8a
fix: missed line
2020-06-09 17:30:54 +02:00
Florian Roth
04913a4b95
Aligned indentation
2020-06-09 17:20:25 +02:00
Florian Roth
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud
TA410 FlowCloud malware detection
2020-06-09 17:18:39 +02:00
Florian Roth
ad5c0a6cf3
Merge pull request #821 from NVISO-BE/win_mal_octopus_scanner
Octopus Scanner malware rule
2020-06-09 17:18:04 +02:00
Remco Hofman
a9bf22750a
Fixed bad indentation
2020-06-09 16:30:17 +02:00
Remco Hofman
4ce3ea735e
TA410 FlowCloud malware detection
2020-06-09 16:21:46 +02:00
Remco Hofman
d14d391761
Octopus Scanner malware rule
2020-06-09 16:12:05 +02:00
Nate Guagenti
117ceac492
moved file to ecs-zeek-elastic-beats-implementation.yml
2020-06-09 08:56:01 -04:00
Christian Clauss
dff7efc173
Update collection.py
2020-06-08 13:55:52 +02:00
Christian Clauss
55c0a03564
Undefined name: from .exceptions import SigmaCollectionParseError
Discovered in #378. `SigmaCollectionParseError()` is called on line 55 but it is never defined or imported, which means that NameError will be raised instead of SigmaCollectionParseError.
2020-06-08 13:55:16 +02:00
Christian Clauss
3fdb355f2b
Undefined name: parser_print_help() --> parser.print_help()
Discovered in #378
https://docs.python.org/3.8/library/argparse.html#argparse.ArgumentParser.print_help
2020-06-08 13:49:44 +02:00
Florian Roth
6e349030d9
rule: suspicious camera and mic access
2020-06-08 10:18:44 +02:00
Nate Guagenti
ad9ada7a44
Merge branch 'master' of https://github.com/Neo23x0/sigma into sigmacs
Conflicts:
tools/sigma/backends/mdatp.py
2020-06-07 11:51:17 -04:00
Florian Roth
94b90adf10
docs: move Sigmac help from Wiki to repo
2020-06-07 12:18:37 +02:00
Thomas Patzke
36a7077648
Moved tool executables to new location
2020-06-07 01:14:04 +02:00
Thomas Patzke
a7d18c7ed9
Converted sigma2attack and added to entry points
2020-06-07 01:03:09 +02:00
Thomas Patzke
8688e8a2a1
Script entrypoint stubs
2020-06-07 00:22:59 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel
Rule devel
2020-06-06 14:19:37 +02:00
Florian Roth
3697186281
fix: fixed title
2020-06-06 14:04:40 +02:00
Florian Roth
246a95557b
fix: description over multiple lines
2020-06-06 13:56:48 +02:00
Florian Roth
d54209dcc5
rule: ETW disabled
2020-06-06 13:56:19 +02:00
Thomas Patzke
7d70cd95a4
Deduplicated backend list
2020-06-06 01:03:02 +02:00
Thomas Patzke
fb9855bd3b
Added description to es-rule backend
2020-06-06 01:02:44 +02:00
Thomas Patzke
1d211565fc
Moved backend options list to --backend-help
2020-06-06 00:56:00 +02:00
Thomas Patzke
c992dc5215
Improved test coverage
2020-06-05 23:33:51 +02:00
Thomas Patzke
5d88d97c73
Merge branch 'improvements/improved_mdatp_mappings' of https://github.com/wietze/sigma into wietze-improvements/improved_mdatp_mappings
2020-06-05 23:03:52 +02:00
Nate Guagenti
55beecac28
Squashed commit of the following:
commit d97d2ced82
Merge: 022d73f8 84dd8c39
Author: Florian Roth <venom14@gmail.com>
Date: Wed Jun 3 15:53:55 2020 +0200
Merge pull request #725 from WilliamBruneau/fix_null_list
Move null values out from list in rules
commit 84dd8c39c4
Author: William Bruneau <william.bruneau@epfedu.fr>
Date: Tue May 5 09:04:47 2020 +0200
Move null values out from list in rules
commit 022d73f842
Merge: 0cbc099d 4ed51201
Author: Florian Roth <venom14@gmail.com>
Date: Wed Jun 3 10:48:05 2020 +0200
Merge pull request #811 from svnscha/fix/field-TargetFileName-to-TargetFilename
All Rules use 'TargetFilename' instead of 'TargetFileName'.
commit 4ed512011a
Author: Sven Scharmentke <sven@vastlimits.com>
Date: Wed Jun 3 09:00:59 2020 +0200
All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
commit 0cbc099def
Merge: 74e16fdc 3a6ac5bd
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 30 09:31:45 2020 +0200
Merge pull request #807 from forensicanalysis/master
Add sqlite backend
commit 3a6ac5bd5c
Author: Jonas Plum <git@cugu.eu>
Date: Sat May 30 01:57:06 2020 +0200
Remove unused function
commit 5cc82d0f05
Author: Jonas Plum <git@cugu.eu>
Date: Sat May 30 00:56:06 2020 +0200
Move testcase
commit 4a8ab88ade
Author: Jonas Plum <git@cugu.eu>
Date: Sat May 30 00:15:38 2020 +0200
Fix test path
commit 70935d26ce
Author: Jonas Plum <git@cugu.eu>
Date: Fri May 29 23:56:05 2020 +0200
Add license header
commit 74e16fdccd
Merge: e20b58c4 537bda44
Author: Florian Roth <venom14@gmail.com>
Date: Fri May 29 17:32:43 2020 +0200
Merge pull request #803 from gamma37/clear_cmd_history
Edit Clear Command History
commit e20b58c421
Merge: 7f2fa05e a00f7f19
Author: Florian Roth <venom14@gmail.com>
Date: Fri May 29 17:32:27 2020 +0200
Merge pull request #806 from SanWieb/sysmon_creation_system_file
Fixed wrong field & Improve rule
commit a00f7f19a1
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Fri May 29 16:25:54 2020 +0200
Add tag Endswith
Prevent the trigger of {}.exe.log
commit 38afd8b5de
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Thu May 28 21:52:17 2020 +0200
Fixed wrong field
commit 7f2fa05ed3
Merge: ec313b6c 39b41b55
Author: Florian Roth <venom14@gmail.com>
Date: Thu May 28 11:16:44 2020 +0200
Merge pull request #802 from Neo23x0/rule-devel
ComRAT and KazuarRAT
commit 537bda4417
Author: gamma37 <marie.euler@polytechnique.edu>
Date: Thu May 28 10:56:35 2020 +0200
Update lnx_shell_clear_cmd_history.yml
commit 5a48934822
Author: gamma37 <marie.euler@polytechnique.edu>
Date: Thu May 28 10:52:17 2020 +0200
Edit Clear Command History
I suggest a new point of view to detect that bash_history has been cleared: instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
commit 39b41b5582
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Thu May 28 10:13:38 2020 +0200
rule: moved DebugView rule to process creation category
commit 76dcc1a16f
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Thu May 28 09:22:25 2020 +0200
rule: renamed debugview
commit ec313b6c8a
Merge: 5bb6770f d44fc43c
Author: Florian Roth <venom14@gmail.com>
Date: Wed May 27 08:49:20 2020 +0200
Merge pull request #801 from SanWieb/sysmon_creation_system_file
Rule: sysmon_creation_system_file
commit d44fc43c54
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue May 26 19:10:11 2020 +0200
Add extension
commit f6ec724d51
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue May 26 18:53:54 2020 +0200
Rule: sysmon_creation_system_file
commit 5bb6770f53
Merge: 0b398c5b 3681b8cb
Author: Florian Roth <venom14@gmail.com>
Date: Tue May 26 14:28:47 2020 +0200
Merge pull request #800 from SanWieb/win_system_exe_anomaly
Extended Windows processes: win_system_exe_anomaly
commit 4ca81b896d
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Tue May 26 14:19:22 2020 +0200
rule: Turla ComRAT report
commit 3681b8cb56
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue May 26 13:56:51 2020 +0200
Extended Windows processes
commit 0b398c5bf0
Merge: c1f47875 b648998f
Author: Florian Roth <venom14@gmail.com>
Date: Tue May 26 13:31:57 2020 +0200
Merge pull request #798 from Neo23x0/rule-devel
rule: confluence exploit CVE-2019-3398 & Turla ComRAT
commit c1f4787566
Merge: ce1f4634 48c5f2ed
Author: Florian Roth <venom14@gmail.com>
Date: Tue May 26 13:21:04 2020 +0200
Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048
Changes to sysmon_cve-2020-1048
commit ce1f46346f
Merge: e131f347 1a598282
Author: Florian Roth <venom14@gmail.com>
Date: Tue May 26 13:20:40 2020 +0200
Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access
Add 'Add-Content' to powershell_ntfs_ads_access
commit e131f3476e
Merge: 30861b55 7037e775
Author: Florian Roth <venom14@gmail.com>
Date: Tue May 26 13:20:23 2020 +0200
Merge pull request #796 from EccoTheFlintstone/fp
add more false positives
commit 30861b558c
Merge: a962bd1b f9f814f3
Author: Florian Roth <venom14@gmail.com>
Date: Tue May 26 13:20:07 2020 +0200
Merge pull request #799 from SanWieb/susp_file_characteristics
Susp file characteristics: Reduce FP of legitimate processes
commit b648998fd0
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Tue May 26 13:18:50 2020 +0200
rule: Turla ComRAT
commit f9f814f3b3
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue May 26 13:06:27 2020 +0200
Shortened title
commit a241792e10
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue May 26 12:58:15 2020 +0200
Reduce FP of legitimate processes
A lot of Windows apps do not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe
All of C:\Windows\System32\OpenSSH (scp, sftp, ssh etc.) do not have a description and company.
Python 2.7, 3.3 and 3.7 do not have any file characteristics.
So I don't think it is possible to whitelist all options; maybe it is worthwhile to check the \Downloads\ folder, otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
commit cdf1ade625
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Tue May 26 12:27:16 2020 +0200
fix: typo in selection
commit 91b4ee8d56
Merge: 4cd7c39e a962bd1b
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue May 26 12:24:21 2020 +0200
Merge pull request #2 from Neo23x0/master
Update repository
commit 828484d7c6
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Tue May 26 12:09:41 2020 +0200
rule: confluence exploit CVE-2019-3398
commit 48c5f2ed09
Author: Remco Hofman <rhofman@nviso.be>
Date: Tue May 26 11:20:21 2020 +0200
Update to sysmon_cve-2020-1048
Added .com executables to detection
Second TargetObject should have been Details
commit abf1a2c6d7
Author: Jonas Hagg <joy.hagg@web.de>
Date: Mon May 25 10:54:16 2020 +0200
Adjusted Makefile
commit dedfb65d63
Author: Jonas Hagg <joy.hagg@web.de>
Date: Mon May 25 10:44:14 2020 +0200
Implemented Aggregation for SQL, Added SQLite FullTextSearch
commit 7037e77569
Author: ecco <none@none.com>
Date: Mon May 25 04:50:22 2020 -0400
add more FP
commit a962bd1bc1
Merge: 0afe0623 d510e1aa
Author: Florian Roth <venom14@gmail.com>
Date: Mon May 25 10:48:36 2020 +0200
Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
Fix 'source' value for win_susp_backup_delete
commit 0afe0623af
Merge: 92d0aa86 beb62dc1
Author: Florian Roth <venom14@gmail.com>
Date: Mon May 25 10:47:23 2020 +0200
Merge pull request #757 from tliffick/master
added rule for Blue Mockingbird (cryptominer)
commit 92d0aa8654
Merge: 0dda757c 6fcf3f9e
Author: Florian Roth <venom14@gmail.com>
Date: Mon May 25 10:46:39 2020 +0200
Merge pull request #795 from SanWieb/Rule-improvement-Netsh-program-allowed
Rule improvement: netsh Application or Port allowed
commit 6fcf3f9ebf
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Mon May 25 10:13:26 2020 +0200
Update win_netsh_fw_add.yml
commit 28652e4648
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Mon May 25 10:02:13 2020 +0200
Add Windows Server 2008 and Windows Vista support
It did not support the command `netsh advfirewall firewall add`
commit 2678cd1d3e
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Mon May 25 09:50:47 2020 +0200
Create win_netsh_fw_add_susp_image.yml
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check.
Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
commit 4cd7c39e9d
Merge: 6fbfa9df 0dda757c
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Mon May 25 08:48:16 2020 +0200
Merge pull request #1 from Neo23x0/master
Update repository
commit 0dda757ca5
Merge: 40f0beb5 daf7ab5f
Author: Thomas Patzke <thomas@patzke.org>
Date: Sun May 24 22:58:58 2020 +0200
Merge branch 'socprime-master'
commit daf7ab5ff7
Author: Thomas Patzke <thomas@patzke.org>
Date: Sun May 24 22:41:38 2020 +0200
Cleanup: removal of corelight_* backends
commit d45f8e19fe
Author: Thomas Patzke <thomas@patzke.org>
Date: Sun May 24 21:46:55 2020 +0200
Fixes
commit 32e4998c49
Author: Thomas Patzke <thomas@patzke.org>
Date: Sun May 24 21:45:37 2020 +0200
Removed dead code from ALA backend.
commit 24b08bbf30
Merge: 96fae4be e8b956f5
Author: Thomas Patzke <thomas@patzke.org>
Date: Sun May 24 17:06:32 2020 +0200
Merge branch 'master' of https://github.com/socprime/sigma into socprime-master
commit 40f0beb58d
Merge: 6fbfa9df b8ee736f
Author: Florian Roth <venom14@gmail.com>
Date: Sun May 24 16:30:10 2020 +0200
Merge pull request #794 from SanWieb/update_susp_run_key
Remove AppData folder as suspicious folder
commit b8ee736f44
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Sun May 24 15:16:07 2020 +0200
Remove AppData folder as suspicious folder
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord (\AppData\Local\Discord\)
- Spotify (\AppData\Roaming\Spotify\)
Too many to whitelist them all.
commit 6fbfa9dfdd
Merge: d0da2810 3028a270
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 23:47:12 2020 +0200
Merge pull request #793 from Neo23x0/rule-devel
Esentutl rule and StrongPity Loader UA
commit f970d28f10
Author: ecco <none@none.com>
Date: Sat May 23 15:06:15 2020 -0400
add more false positives
commit 3028a27055
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Sat May 23 18:32:02 2020 +0200
fix: buggy rule
commit df715386b6
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Sat May 23 18:27:36 2020 +0200
rule: suspicious esentutl use
commit d0da2810c1
Merge: 8321cc7e 67faf4bd
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 18:13:16 2020 +0200
Merge pull request #792 from EccoTheFlintstone/fff
fix FP + remove powershell rule redundant with sysmon_in_memory_power…
commit 8321cc7ee1
Merge: 9cd9a301 e1a05dfc
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 18:11:32 2020 +0200
Merge pull request #772 from gamma37/suspicious_activities
Create a rule for "suspicious activities"
commit d1a5471d21
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Sat May 23 17:38:10 2020 +0200
rule: Strong Pity loader UA
commit 67faf4bd41
Author: ecco <none@none.com>
Date: Sat May 23 10:56:23 2020 -0400
fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml
commit 9cd9a301c2
Merge: ee1ca77f d310805e
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 16:50:31 2020 +0200
Merge pull request #791 from SanWieb/master
added rule for Netsh RDP port opening
commit e1a05dfc1c
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 16:49:03 2020 +0200
Update lnx_auditd_susp_C2_commands.yml
commit ee1ca77fad
Merge: 895c8470 cbf06b1e
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 16:47:46 2020 +0200
Merge pull request #771 from gamma37/new_rules
Create a new rule to detect "Create Account"
commit 895c84703f
Merge: 12e1aeaf 327a53c1
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 16:47:01 2020 +0200
Merge pull request #790 from EccoTheFlintstone/fp_fix
fix false positive matching on every powershell process not run by SY…
commit 327a53c120
Author: ecco <none@none.com>
Date: Sat May 23 10:25:37 2020 -0400
add new test for sysmon rules without eventid
commit 10ca3006f5
Author: ecco <none@none.com>
Date: Sat May 23 10:07:55 2020 -0400
move rule where needed
commit 2b89e56054
Author: ecco <none@none.com>
Date: Sat May 23 10:03:13 2020 -0400
fix test
commit d9bc09c38c
Author: ecco <none@none.com>
Date: Sat May 23 10:02:58 2020 -0400
fix test
commit 78a7852a43
Author: ecco <none@none.com>
Date: Sat May 23 09:16:40 2020 -0400
renamed dbghelp rule with new ID and comment and removed a false positive
commit d310805ed9
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Sat May 23 14:19:52 2020 +0200
rule: Netsh RDP port opening
commit 75ba5f989c
Author: ecco <none@none.com>
Date: Sat May 23 07:44:45 2020 -0400
add 1 more FP to wmi load
commit 9a7f462d79
Author: ecco <none@none.com>
Date: Sat May 23 07:17:56 2020 -0400
move renamed binaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
commit cfde0625f5
Author: ecco <none@none.com>
Date: Sat May 23 07:05:09 2020 -0400
fix false positive matching on every powershell process not run by SYSTEM account
commit 12e1aeaf9f
Merge: 46f3a70a 34006d07
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 09:54:43 2020 +0200
Merge pull request #788 from Neo23x0/rule-devel
refactor: split up rule for CVE-2020-1048 into 2 rules
commit 46f3a70a7d
Merge: 96fae4be ec17c2ab
Author: Florian Roth <venom14@gmail.com>
Date: Sat May 23 09:54:28 2020 +0200
Merge pull request #786 from EccoTheFlintstone/perf_fix
various rules cleaning (slight perf improvements)
commit 34006d0794
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Sat May 23 09:16:19 2020 +0200
refactor: simplified and extended expression in CVE-2020-1048 rule
commit 57c8e63acd
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Sat May 23 09:09:58 2020 +0200
refactor: split up rule for CVE-2020-1048 into 2 rules
commit ec17c2ab56
Author: ecco <none@none.com>
Date: Fri May 22 10:37:00 2020 -0400
filter on createkey only when needed
commit 96fae4be68
Author: Thomas Patzke <thomas@patzke.org>
Date: Fri May 22 00:50:37 2020 +0200
Added CrackMapExec rules
commit 64e0e7ca72
Merge: bbf78374 91c4c4ec
Author: Florian Roth <venom14@gmail.com>
Date: Thu May 21 14:19:09 2020 +0200
Merge pull request #784 from Neo23x0/rule-devel
refactor: slightly improved Greenbug rule
commit 91c4c4ecc5
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Thu May 21 13:38:11 2020 +0200
refactor: slightly improved Greenbug rule
commit bbf78374b6
Merge: 8d9b706d 9a3b6c1c
Author: Florian Roth <venom14@gmail.com>
Date: Thu May 21 09:55:46 2020 +0200
Merge pull request #783 from Neo23x0/rule-devel
Greenbug Rule
commit 9a3b6c1c77
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Thu May 21 09:44:11 2020 +0200
docs: added MITRE ATT&CK group tag
commit 344eb713c5
Author: Florian Roth <florian.roth@nextron-systems.com>
Date: Thu May 21 09:39:57 2020 +0200
rule: Greenbug campaign
commit 8d9b706d6a
Merge: e7980bb4 06abd6e7
Author: Thomas Patzke <thomas@patzke.org>
Date: Wed May 20 19:11:56 2020 +0200
Merge pull request #727 from 3CORESec/master
Override Features
commit e7980bb434
Merge: af92a5bd 8963c0a6
Author: Florian Roth <venom14@gmail.com>
Date: Wed May 20 12:55:41 2020 +0200
Merge pull request #782 from ZikyHD/patch-1
Remove duplicate 'CommandLine' in fields
commit af92a5bd2c
Merge: 04dfe6c5 9ab65cd1
Author: Florian Roth <venom14@gmail.com>
Date: Wed May 20 12:55:29 2020 +0200
Merge pull request #780 from tatsu-i/master
Null field check to eliminate false positives
commit 8963c0a65e
Author: ZikyHD <ZikyHD@users.noreply.github.com>
Date: Wed May 20 11:54:47 2020 +0200
Remove duplicate 'CommandLine' in fields
commit e8b956f575
Author: vh <vh@socprime.com>
Date: Wed May 20 12:35:00 2020 +0300
Updated config
commit 9ab65cd1c7
Author: Florian Roth <venom14@gmail.com>
Date: Tue May 19 14:50:22 2020 +0200
Update win_alert_ad_user_backdoors.yml
commit 04dfe6c5fc
Merge: df75bdd3 9e272d37
Author: Thomas Patzke <thomas@patzke.org>
Date: Tue May 19 13:18:40 2020 +0200
Merge pull request #778 from neu5ron/sigmacs
SIGMACs: Winlogbeat & Zeek
commit df75bdd3b6
Merge: 4446c4cd 7c3dea22
Author: Florian Roth <venom14@gmail.com>
Date: Tue May 19 13:10:56 2020 +0200
Merge pull request #779 from neu5ron/rules
Rules: Zeek
commit 7c3dea22b8
Author: neu5ron <>
Date: Tue May 19 05:13:48 2020 -0400
small T, big T
commit dd382848b4
Merge: 602c8917 e975d3fd
Author: neu5ron <>
Date: Tue May 19 05:09:05 2020 -0400
Merge remote-tracking branch 'neu5ron-sigma/rules' into rules
commit 602c8917ef
Author: neu5ron <>
Date: Tue May 19 04:41:08 2020 -0400
domain user enumeration via zeek rpc (dce_rpc) log.
commit c815773b1a
Author: Tatsuya Ito <t_ito@cyberdefense.jp>
Date: Tue May 19 18:05:51 2020 +0900
enhancement rule
commit 49f68a327a
Author: Tatsuya Ito <t_ito@cyberdefense.jp>
Date: Tue May 19 18:00:50 2020 +0900
enhancement rule
commit e975d3fd14
Author: neu5ron <>
Date: Tue May 19 04:41:08 2020 -0400
domain user enumeration via zeek rpc (dce_rpc) log.
commit effb2a8337
Author: neu5ron <>
Date: Tue May 19 04:41:00 2020 -0400
add exe webdav download
commit 858ebcd3d3
Author: neu5ron <>
Date: Tue May 19 04:35:47 2020 -0400
author typo update
commit 2fc8d513d6
Author: neu5ron <>
Date: Tue May 19 04:35:30 2020 -0400
zeek, swap `path` and `name`
commit 0dd089db47
Author: ecco <none@none.com>
Date: Mon May 18 20:29:53 2020 -0400
various rules cleaning
commit 71c507d8a9
Author: gamma37 <marie.euler@polytechnique.edu>
Date: Mon May 18 11:34:53 2020 +0200
remove space before colon
commit 55eec46932
Author: gamma37 <marie.euler@polytechnique.edu>
Date: Mon May 18 11:25:18 2020 +0200
Create a rule for "suspicious activities"
commit cbf06b1e43
Author: gamma37 <marie.euler@polytechnique.edu>
Date: Mon May 18 10:11:32 2020 +0200
lowercased tag
commit 904716771a
Author: gamma37 <marie.euler@polytechnique.edu>
Date: Mon May 18 10:03:34 2020 +0200
Create a new rule to detect "Create Account"
commit beb62dc163
Author: Florian Roth <venom14@gmail.com>
Date: Fri May 15 12:06:34 2020 +0200
fix: condition location
commit 28dc2a2267
Author: Florian Roth <venom14@gmail.com>
Date: Fri May 15 11:33:36 2020 +0200
Minor changes
hints:
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
commit 40ab1b7247
Author: Trent Liffick <trent.liffick@outlook.com>
Date: Thu May 14 23:33:08 2020 -0400
added 'action: global'
commit 56a2747a70
Author: Trent Liffick <trent.liffick@outlook.com>
Date: Thu May 14 23:18:33 2020 -0400
Corrected missing condition
learning! fail fast & forward
commit fb1d8d7a76
Author: Trent Liffick <trent.liffick@outlook.com>
Date: Thu May 14 23:04:14 2020 -0400
Corrected typo
commit 8aff6b412e
Author: Trent Liffick <trent.liffick@outlook.com>
Date: Thu May 14 22:58:23 2020 -0400
added rule for Blue Mockingbird (cryptominer)
commit 06abd6e76a
Author: Tiago Faria <tiago.faria.backups@gmail.com>
Date: Thu May 14 14:03:23 2020 +0100
added ci tests for ecs-cloudtrail
commit 2893becf8c
Merge: 31ad8187 133319c4
Author: Tiago Faria <tiago.faria.backups@gmail.com>
Date: Thu May 14 14:02:20 2020 +0100
Merge remote-tracking branch 'upstream/master'
commit 1a598282f4
Author: zaphod <18658828+zaphodef@users.noreply.github.com>
Date: Wed May 13 11:57:10 2020 +0200
Add 'Add-Content' to powershell_ntfs_ads_access
commit d510e1aad4
Author: zaphod <18658828+zaphodef@users.noreply.github.com>
Date: Mon May 11 18:31:59 2020 +0200
Fix 'source' value for win_susp_backup_delete
commit fb9c5841f4
Author: vh <vh@socprime.com>
Date: Fri May 8 13:41:52 2020 +0300
Added Humio, Crowdstrike, Corelight
commit 31ad81874f
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Tue May 5 11:32:18 2020 +0100
capitalized titles
corrected capitalization of titles and removed literals from config
commit aa175a7d5b
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Mon May 4 18:02:27 2020 +0100
wip
wip
commit dd9e128a15
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Mon May 4 17:35:12 2020 +0100
kibana target update
kibana target now compatible with overrides
commit b32093e734
Merge: b3194e66 d298bb57
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Mon May 4 17:26:51 2020 +0100
Merge remote-tracking branch 'upstream/master'
Keeping up with the sigmas.
commit b3194e66c4
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Mon May 4 16:37:36 2020 +0100
Update base.py
commit dd85467a27
Author: Tiago Faria <tiago.faria.backups@gmail.com>
Date: Sat May 2 00:13:55 2020 +0100
Update aws_ec2_vm_export_failure.yml
commit bc0a2c7ab9
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Fri May 1 19:20:05 2020 +0100
wip
wip
commit 98391f985a
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Thu Apr 30 15:19:38 2020 +0100
wip
wip
commit adcc3766e3
Merge: 81422444 dfdb5b95
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Thu Apr 30 15:08:25 2020 +0100
Merge branch 'master' of https://github.com/3CORESec/sigma
commit 8142244449
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Thu Apr 30 15:08:20 2020 +0100
wip
wip
commit dfdb5b9550
Author: Tiago Faria <tiago.faria.backups@gmail.com>
Date: Wed Apr 29 23:59:26 2020 +0100
better description and event.outcome
commit ac4a2b1f26
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Wed Apr 29 22:55:46 2020 +0100
wip
wip
commit 9ce84a38e5
Author: pdr9rc <pedro.gracio@3coresec.com>
Date: Wed Apr 29 20:36:45 2020 +0100
overrides section support + one example rule + cloudtrail config
ditto
2020-06-05 13:18:03 -04:00
Florian Roth
2e77e65285
rule: Covenant launchers
2020-06-05 11:03:28 +02:00