Commit Graph

1587 Commits

Author SHA1 Message Date
Florian Roth
aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth
05424883dd Added Info Graphic to README 2019-02-09 09:38:01 +01:00
Florian Roth
efb223b147
Merge pull request #245 from kpolley/master
2nd method to call downloadString or downloadFile in Powershell
2019-02-09 09:35:19 +01:00
Florian Roth
7e732a2a89
Merge pull request #232 from TareqAlKhatib/duplicate_filters
Duplicate filters
2019-02-09 09:23:57 +01:00
Florian Roth
d2743351e7
Minor fix: indentation 2019-02-09 09:19:40 +01:00
Kyle Polley
c8c06763b4 added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
Nate Guagenti
d151deaa29 Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti
91862f284b
Create win_susp_bcdedit
This is a more general rule for possible boot/MBR value edits using bcdedit that I have seen in the wild.
It is different than 3288f6425b/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to any one family (of malware) and also has different CLI options.
2019-02-07 00:19:38 -05:00
Kyle Polley
423fdca32c
Merge pull request #1 from Neo23x0/master
Get updates from head repo
2019-02-06 17:02:41 -08:00
Florian Roth
adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth
f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
Florian Roth
7192f149a3
Merge pull request #243 from keepwatch/broadening-suspicious-certutil
Added '/' prefix, -encode switch, better renamed certutil coverage
2019-02-06 16:58:27 +01:00
keepwatch
e6217928f3 Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
Unknown
2f66ba25f0 adjusted MITRE ATT&CK tag 2019-02-06 11:27:51 +01:00
Unknown
a9731d211d removed my garbage 2019-02-06 11:16:40 +01:00
Unknown
4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown
54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
Unknown
a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1
04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown
22b67a67ac Initial Commit Cobalt Malleable for OneDrive 2019-02-06 10:59:02 +01:00
Unknown
353f66dd7c CobaltStrike Malleable (OCSP) Profile with Typo (OSCP) in URL 2019-02-06 10:58:48 +01:00
t0x1c-1
150499d151 Detects Executables without FileVersion, Description, Product, Company, likely created with py2exe 2019-02-06 10:58:37 +01:00
Unknown
c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
t0x1c-1
21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00
neu5ron
35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron
65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
keepwatch
bad80ffa78 Update sysmon_ssp_added_lsa_config.yml
Syntax fix
2019-02-05 16:28:06 -05:00
Florian Roth
cc8a89b679
Merge pull request #239 from neu5ron/master
update helk config
2019-02-05 20:01:28 +01:00
neu5ron
046510f021 updated HELK Destination IP name 2019-02-05 13:11:06 -05:00
sisecbe
5d94b9f0bc
Changed stats to eventstats
Changed 'stats' to 'eventstats' when using aggregation; this keeps the original data of the event in the result.
2019-02-05 17:36:46 +01:00
Florian Roth
5092b1e603 Rule: removed overlapping strings in Linux rule 2019-02-05 16:12:07 +01:00
Florian Roth
32c098294f Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00
Florian Roth
8f684ddd06 Rule: FP in WMI persistence with SCCM 2019-02-05 15:57:54 +01:00
sisecbe
2f5eb08b41
Adapt count function when aggfield not present
When no field is present, use "count"; when a field is present, use "dc(field)", as described in the Sigma specifications.
Splunk throws errors when using "count()" with empty fields. Use "count" instead.
2019-02-05 15:44:05 +01:00
Florian Roth
a276d3083d DHCP log source in sigmac configs 2019-02-05 14:35:23 +01:00
Florian Roth
dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Florian Roth
5b92790e3f Rule: WMI Persistence - FPs 2019-02-05 14:35:23 +01:00
Florian Roth
abf5a5088e Rule: more malicious UAs 2019-02-05 14:35:23 +01:00
juju4
98a18fd4a2 add sigma2sumologic.py as test/example script 2019-02-03 12:54:03 -05:00
juju4
7d159fb980 sumologic backend: review with inspiration from arcsight 2019-02-03 12:53:58 -05:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke
9c44bb04a7 Added mail address to CI fail notification 2019-02-02 23:52:54 +01:00
Thomas Patzke
9403128aef Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-02-02 23:52:06 +01:00
Thomas Patzke
6215a694a8 Remove escaping from '\\*' in es-dsl backend 2019-02-02 23:51:11 +01:00
Florian Roth
37e13c9f41 Notify me 2019-02-02 08:56:00 +01:00
Thomas Patzke
8a0784ad33 Fixed escaping of \\* 2019-02-02 00:18:58 +01:00
Thomas Patzke
6440bc962b CACTUSTORCH detection 2019-02-01 23:27:53 +01:00
Thomas Patzke
6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth
27c2684a0f Rule: Chafer malware proxy pattern 2019-01-31 12:31:48 +01:00
Florian Roth
a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00