valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,204 Commits 20 Branches 25 Tags 21 MiB
b0cb0abc01
Commit Graph

1204 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth
d9e6913c03 APT 29 - tor / google update service 2017-04-01 10:30:36 +02:00
Florian Roth
43d907791c Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00
Florian Roth
2657ff7db8 Rule: Carbon Paper Framework Service (Turla) 
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 2017-03-31 19:25:41 +02:00
Florian Roth
919a04666c Improved StoneDrill Rule 2017-03-31 19:25:10 +02:00
Ben de Haan
dddb83393d Added field mappings for events with logins 2017-03-30 10:49:36 +02:00
Thomas Patzke
f174d861bf Merge pull request #26 from benno001/patch-1 
Added LogPoint conditional username mapping
 2017-03-30 10:46:18 +02:00
Ben de Haan
cb9a9bc2ff Added LogPoint conditional username mapping 
Conditional mapping of SubjectAccountName based on EventID. Not a comprehensive list, but should include most relevant Event IDs.
 2017-03-30 09:51:32 +02:00
Thomas Patzke
298f3413f0 Merge branch 'devel-sigmac' 2017-03-29 23:34:52 +02:00
Thomas Patzke
c43166d5b9 Fixed log source configuration matching 2017-03-29 23:33:26 +02:00
Thomas Patzke
a22fe58ac9 Aggregation support for Splunk backend 2017-03-29 23:18:47 +02:00
Thomas Patzke
b62de742d7 Aggregation expression parsing 2017-03-29 23:17:43 +02:00
Thomas Patzke
ae5ae8f763 Verbose mode prints tokens if parsing failed 2017-03-29 22:21:40 +02:00
Florian Roth
fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth
e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth
f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth
078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth
67d9c44bb3 Improved linux suspicious activity rule 2017-03-27 15:21:39 +02:00
Florian Roth
707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth
adbeff505d Brought README up-to-date with the newest devs 2017-03-27 10:46:43 +02:00
Florian Roth
c5323ac1c2 Changes to Linux suspicious activity rule 2017-03-27 10:29:57 +02:00
Florian Roth
125bf4f3f2 Rule adjustment 
Added wilcards cause the field can contain a full path
 2017-03-26 23:41:38 +02:00
Florian Roth
53cc80c8f4 Windows Supicious Process Creation 
- Bugfix in selection name
- New keyword expressions
 2017-03-26 23:25:47 +02:00
Florian Roth
b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth
800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Florian Roth
c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Florian Roth
5c4a13af71 Rules: Linux commands and log entries of interest 2017-03-25 19:59:45 +01:00
Florian Roth
c8cc857b7c Improved the linux suspicious keywords rule 2017-03-25 19:23:10 +01:00
Florian Roth
1a5ae7a0e2 Merge pull request #23 from MHaggis/master 
wmic and net
 2017-03-25 17:46:17 +01:00
Michael Haag
5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Michael Haag
5f6f8f3313 Merge remote-tracking branch 'Neo23x0/master' 2017-03-25 06:21:09 -07:00
Thomas Patzke
9698e8fdf7 Changed Logpoint SubjectAccountName mapping to conditional mapping 2017-03-25 00:27:29 +01:00
Thomas Patzke
c978e19d88 Conditional field mappings 2017-03-25 00:21:44 +01:00
Thomas Patzke
a4465ce844 Added 1:n field mapping 
MultiFieldMapping
 2017-03-24 00:58:11 +01:00
Thomas Patzke
5009794591 Changes to field mappings 
* Introduced field mapping objects
* moved mapping from backends into parse tree generation
  (SigmaParser.parse_definition)
 2017-03-24 00:48:32 +01:00
Florian Roth
699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth
d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth
10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth
7e180365ab PowerShell Classic Log in Splunk Config Example 2017-03-22 11:17:46 +01:00
Florian Roth
fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Thomas Patzke
4ff792fbcf Merge pull request #18 from benno001/patch-1 
LogPoint windows mapping
 2017-03-21 22:56:39 +01:00
Florian Roth
3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth
7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Florian Roth
f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth
6932fcec65 Rule: Linux shell more suspicious keywords 2017-03-21 10:23:12 +01:00
Florian Roth
055992eb05 Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00
Florian Roth
6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Ben de Haan
c3c405a95e LogPoint windows mapping 2017-03-20 16:57:19 +01:00
Thomas Patzke
1bf11dc471 Merge pull request #17 from benno001/master 
Fixed LogPoint list behaviour
 2017-03-20 08:58:16 +01:00