valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7,195 Commits 20 Branches 25 Tags 21 MiB
ae12f1f328
Commit Graph

7195 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
f292a259a5 Adjusted Windows Splunk Config 2017-03-18 13:12:31 +01:00
Ben de Haan
d18751a0ea Added LogPoint backend 2017-03-18 11:12:06 +01:00
Thomas Patzke
17c484163d Improved examples 2017-03-18 00:03:21 +01:00
Thomas Patzke
824f26c51c Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-03-17 23:34:19 +01:00
Thomas Patzke
b4f52d9cfb Windows index in Splunk example configuration 2017-03-17 23:30:11 +01:00
Thomas Patzke
b865a858aa Generation of conditions for configured indices 2017-03-17 23:28:06 +01:00
Thomas Patzke
56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00
Florian Roth
59499f926e Bugfix: Taskscheduler log source definition 2017-03-17 16:09:31 +01:00
Florian Roth
dc00baacda Splunk Windows Configuration Example 2017-03-17 10:00:56 +01:00
Florian Roth
dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth
bcc250e1c7 Added missing description 2017-03-17 08:43:21 +01:00
Florian Roth
e46ecd2aff Rule: Rare scheduled task installs 2017-03-17 08:41:27 +01:00
Florian Roth
3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth
789b3899df Improved Linux Shell Activity Rule 2017-03-15 09:07:59 +01:00
Thomas Patzke
d2a9a91175 Log source conditions are integrated in generated expressions 
Indices not yet included
 2017-03-14 23:22:32 +01:00
Thomas Patzke
9f4d7c7934 Merge branch 'devel-sigmac' into devel-sigmac-config 2017-03-14 22:48:32 +01:00
Thomas Patzke
4d3756259e Merge branch 'master' into devel-sigmac 2017-03-14 22:48:15 +01:00
Florian Roth
9afa12f4a3 Further shell commands from MSF repo 2017-03-14 16:33:51 +01:00
Florian Roth
daeb7c3693 Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00
Florian Roth
546a587df7 Rule: Shellshock Regex detection 
http://rubular.com/r/zxBfjWfFYs
 2017-03-14 14:53:29 +01:00
Florian Roth
dd558e941c Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00
Florian Roth
3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth
3f95615a9b IDE settings file 2017-03-14 12:52:11 +01:00
Florian Roth
2e32e1bb43 Rule: User account added to local Administrators 2017-03-14 12:51:50 +01:00
Florian Roth
cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00
Florian Roth
c571848e9b Rule: Scheduled task creation 2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0 Reduced to user accounts 2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8 Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5 Rule: Suspicious PowerShell Parameter Substring 2017-03-13 17:23:25 +01:00
Florian Roth
ff8e3fe584 Merge pull request #9 from iliaselmatani/patch-1 
Create win_pass_the_hash.yml
 2017-03-13 16:16:55 +01:00
Florian Roth
a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
Florian Roth
a87d513efa Rule: Suspicious executable downloads 2017-03-13 16:11:43 +01:00
IeM
9f5e5a2366 Update win_pass_the_hash.yml 
Added placeholders for WorkstationName to detect network logons between Workstations.
 2017-03-13 16:09:32 +01:00
Florian Roth
85c298c43c Bugfix in rule 2017-03-13 15:09:48 +01:00
Florian Roth
606d74546a Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00
Florian Roth
b8db4935e0 Rule: PowerShell UserAgent in Proxy Logs 2017-03-13 13:51:32 +01:00
Florian Roth
a0047f7c67 Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
Thomas Patzke
52d7e9fc07 Parsing log sources in configuration files 2017-03-12 23:12:21 +01:00
Florian Roth
9fd375c130 Bugfix: Added time frame to correlation rule 2017-03-12 17:11:29 +01:00
Florian Roth
4470c2f893 PowerShell Suspicious Invocation > Sysmon 2017-03-12 17:11:05 +01:00
Florian Roth
de689c32b5 Suspicious PowerShell Invocation 2017-03-12 17:06:53 +01:00
Thomas Patzke
e262b574b2 Merge branch 'master' into devel-sigmac 2017-03-11 23:53:58 +01:00
Thomas Patzke
12e825783b Merge branch 'master' into devel-sigmac 2017-03-11 23:49:56 +01:00
Thomas Patzke
63e23af63c Merge branch 'devel-sigmac-config' into devel-sigmac 2017-03-11 23:49:41 +01:00
Michael Haag
359ae18989 Merge remote-tracking branch 'Neo23x0/master' 2017-03-08 23:05:57 -08:00