valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5,886 Commits 20 Branches 25 Tags 21 MiB
b447e6338f
Commit Graph

5886 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Florian Roth
53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00
Florian Roth
897da252f1 fix: missing new line placeholder escape 2021-04-09 16:45:07 +02:00
Florian Roth
65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Florian Roth
00f01ea57f Merge branch 'master' into rule-devel 2021-04-07 21:17:51 +02:00
Florian Roth
99b39bb271
Merge pull request #1415 from vburov/patch-17 
Update win_hack_rubeus.yml
 2021-04-07 14:13:59 +02:00
Vasiliy Burov
e73e27e44f
Update win_hack_rubeus.yml 
Added commandline parameters for constrained delegation abuse and for hashes calculation
 2021-04-06 20:18:54 +03:00
Thomas Patzke
121c833241
Merge pull request #1031 from abhikhnvasara/master 
Update target list in readme page
 2021-04-06 00:58:48 +02:00
Thomas Patzke
21e0fde61b
Merge branch 'master' into master 2021-04-06 00:58:13 +02:00
Thomas Patzke
5118be6bf6
Merge pull request #1407 from JohnConnorRF/winlogbeat_config_update 
Update winlogbeat configuration file to support File Product details
 2021-04-06 00:51:27 +02:00
Thomas Patzke
82fd5ca233
Merge pull request #1408 from roysjosh/es-rule-threshold 
Implement Elastic threshold detection rules
 2021-04-06 00:50:50 +02:00
Thomas Patzke
d789eb9c6f
Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions 
Elastic: raise an error from the base backend if a rule has multiple conditions
 2021-04-06 00:50:05 +02:00
Thomas Patzke
9606fc9c38
Merge pull request #1411 from wietze/mdatp_improvements 
Various Defender for Endpoint (mdatp) bug fixes
 2021-04-06 00:37:40 +02:00
Thomas Patzke
42cf81478b
Merge pull request #1412 from defensivedepth/patch-1 
Clean up: Webshell ReGeorg Detection
 2021-04-06 00:35:35 +02:00
Thomas Patzke
1e029b98cf Merge branch 'oscd-merge' 2021-04-06 00:22:37 +02:00
Thomas Patzke
d1de168295 Merge branch 'oscd' 2021-04-06 00:05:35 +02:00
Thomas Patzke
0a28a42498 CI: Install Python dependencies in virtual env 2021-04-05 22:57:50 +02:00
Josh Brower
af09dd8e3c
Clean up: Webshell ReGeorg Detection 2021-04-05 13:01:10 -04:00
Thomas Patzke
b1b0240692 Fixes 2021-04-03 23:21:13 +02:00
Thomas Patzke
3d519a874b Added dev dependencies from requirements 2021-04-03 23:12:36 +02:00
Thomas Patzke
5f2ff99eea Replaced pip requirements with pipenv 2021-04-03 01:00:22 +02:00
Thomas Patzke
90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Florian Roth
a9879670c8
Merge pull request #1410 from phantinuss/fp-tuning 
FP Tunings, fixes and value modifier refactoring
 2021-04-01 17:44:23 +02:00
Wietze
30c6d753fd
Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze
fb1bb91c3c
Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
JohnConnorRF
477f05c5f2 Added in Product entry for winlogbeat-old 2021-04-01 09:24:24 -04:00
JohnConnorRF
1f3ee87e55 Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product (https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html) so winlog.event_data.Product was used instead of process.Product 2021-04-01 09:19:21 -04:00
phantinuss
4934f80601
fix: FP tuning for IIS Express and making use of value modifiers 2021-04-01 14:37:20 +02:00
phantinuss
8b4234de3b
refactor: make use of value modifiers 2021-04-01 14:37:17 +02:00
phantinuss
794865c79d
fix: adding filter to condition and reintroducing the users folder constraint 2021-04-01 14:37:17 +02:00
phantinuss
43be8c8cba
refactor: make use of value modifiers 2021-04-01 14:37:16 +02:00
phantinuss
bd5ba2ae01
fix: adding only as a known false positive as it cannot be filtered out in a generic and public way 2021-04-01 14:37:15 +02:00
phantinuss
65bc62d401
fix: adding filter out for CamMute.exe 2021-04-01 14:37:14 +02:00
phantinuss
2cab121c71
refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap 2021-04-01 14:37:13 +02:00
phantinuss
109b7890db
fix: taking windows security 4688 events into account for filter out 2021-04-01 14:36:57 +02:00
Florian Roth
2560f40e06
Merge pull request #1406 from roysjosh/winlogbeat-mapping 
Map CommandLine appropriately
 2021-04-01 09:16:28 +02:00
Joshua Roys
7923852cc3 Elastic: raise an error from the base backend if a rule has multiple conditions 2021-03-31 16:01:05 -04:00
Joshua Roys
0448e46870 Implement Elastic threshold detection rules 
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
 2021-03-31 15:19:04 -04:00
JohnConnorRF
3fd396f4db Updated winlogbeat configuration file to support File Product details 2021-03-30 13:21:14 -04:00
Joshua Roys
30ab2aad75 Map CommandLine appropriately 
Args is an array of the exploded command line and causes many rules to misfire.
 2021-03-30 10:15:10 -04:00
Thomas Patzke
eb98f0ba28
Merge pull request #1402 from refractionPOINT/lc-support-live-wel 
Add option to support different LimaCharlie targets.
 2021-03-29 23:13:01 +02:00
Florian Roth
ac1f82f7ca
Merge pull request #1380 from iosonogio/bugfix/netwitness-null 
[bugfix] netwitness and netwitness-epl backends have incoherent null expressions
 2021-03-29 11:23:18 +02:00
Florian Roth
428db0c74a
Merge pull request #1382 from d4rk-d4nph3/master 
Added rule for CVE-2021-21978 in VMware View Planner
 2021-03-29 11:22:56 +02:00
Florian Roth
b296c643de
Merge pull request #1346 from blueteam0ps/patch-3 
Added win_ad_find_discovery.yml
 2021-03-29 11:20:49 +02:00
Florian Roth
8262b01e1a
Merge pull request #1404 from blueteam0ps/patch-5 
Added detection for Dumpert
 2021-03-29 11:19:57 +02:00
BlueTeamOps
6ef5f0a0a2
Added detection for Dumpert 
-Dumpert based LSASS dump using DLL
-Dumpert.exe detection
 2021-03-27 07:34:05 +11:00
Florian Roth
14a872faac
Merge pull request #1403 from blueteam0ps/patch-4 
Added  additional CS signatures
 2021-03-25 17:18:22 +01:00
BlueTeamOps
8916459bab
Added additional CS signatures 2021-03-25 22:44:24 +11:00
Maxime Lamothe-Brassard
e0666036a4 Add option to support different LimaCharlie targets. 2021-03-24 17:58:50 -07:00
Florian Roth
6b0f66e876 refactor: change level 2021-03-24 12:38:00 +01:00