valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
419 Commits 20 Branches 25 Tags 21 MiB
be891b2912
Commit Graph

419 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
6f5b9e183c Merge branch 'master' into travis-test-working 2017-08-02 00:32:52 +02:00
Thomas Patzke
3148660fa3 Removed build status image description 2017-08-02 00:28:09 +02:00
Thomas Patzke
b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00
Thomas Patzke
84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Thomas Patzke
c350a90b21 Merge branch 'master' into rules-juju4 2017-08-01 23:55:53 +02:00
Thomas Patzke
3495bac9cb sigmac: return error codes 2017-07-31 00:31:49 +02:00
Thomas Patzke
ced98e269a Changed URL for CI status in README 2017-07-31 00:24:34 +02:00
Thomas Patzke
97ec999878 Temporary removed sigmac run from Travis configuration 
* sigmac actually doesn't supports all features used in Sigma rules.
* It returns the wrong exit code on parse errors. Parse failures cause
  passed builds.
 2017-07-31 00:15:53 +02:00
juju4
86644cdc30 formatting 2017-07-30 11:48:34 -04:00
juju4
45bf3f856b travis status inside README 2017-07-30 11:46:58 -04:00
juju4
5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4
bbb730c719 yamllint starter configuration, bad path for sigmac 2017-07-30 11:36:33 -04:00
juju4
a5b2ed641a trigger travis 2017-07-30 11:30:17 -04:00
juju4
ead44ca2e4 basic travis test: lint + sigma convert 2017-07-30 11:29:24 -04:00
juju4
5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4
31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4
3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4
fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4
83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4
f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth
d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00
Florian Roth
433293ea40 'ruler' User Agent 
https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
 2017-07-22 09:24:45 -06:00
Florian Roth
cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth
3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth
b85d96e458 certutil detections (renamed, extended) 
see https://twitter.com/subTee/status/888102593838362624
 2017-07-20 12:38:10 -06:00
Florian Roth
061d3bea27 ZxShell 2017-07-20 12:36:24 -06:00
Florian Roth
4bff14acd1 User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00
Florian Roth
eeb31964da User-Agent Rules 2017-07-08 08:37:44 -06:00
Florian Roth
cf42847b74 Suspicious User Agent strings 2017-07-07 20:53:22 -06:00
Florian Roth
cec48ece04 Suspicious User-Agent Strings, starting with empty value 2017-07-07 18:38:32 -06:00
Florian Roth
fc4cd4036e Linux: Suspicious VSFTPD errors 2017-07-05 18:59:51 -06:00
Florian Roth
ead63fbf75 Linux: Suspicious SSHD errors 2017-06-30 08:47:56 +02:00
Florian Roth
950a00f33e Updated Petya rule 2017-06-28 12:52:58 +02:00
Florian Roth
ece1d7e3a8 Added perfc.dat keyword to NotPetya rule 2017-06-28 10:35:42 +02:00
Florian Roth
a3e0e37163 NotPetya Title Fixed 2017-06-28 09:12:39 +02:00
Florian Roth
8c437de970 NotPetya Sigma Rule for Sysmon Events 2017-06-28 09:09:12 +02:00
Florian Roth
8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00
Florian Roth
3f245d27f8 Eventlog cleared ID 104 2017-06-27 17:29:39 +02:00
Thomas Patzke
7fdc78c8bf Merge pull request #36 from dim0x69/master 
rule to detect mimikatz lsadump::changentlm and lsadump::setntlm
 2017-06-19 15:32:56 +02:00
Thomas Patzke
475ec20dcd Merge pull request #37 from benno001/patch-2 
Added LogPoint aggregation
 2017-06-19 15:32:27 +02:00
Ben de Haan
43c4486de0 Added LogPoint aggregation 
Added generateAggregation function for LogPoint
 2017-06-19 15:21:29 +02:00
Florian Roth
d1f1bd59da Changed level of PsExec events to 'low' 2017-06-17 08:50:16 +02:00
Thomas Patzke
a4c9e24380 File renaming while deletion with SDelete 2017-06-14 16:55:32 +02:00
Thomas Patzke
8c06a5d83f Access to wceaux.dll while WCE pass-the-hash login on source host 2017-06-14 15:59:45 +02:00
Thomas Patzke
4fcdcc3967 Added rule for PsExec 2017-06-12 23:57:06 +02:00
Florian Roth
576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Florian Roth
f85d847fa6 PlugX Detection 
https://docs.google.com/spreadsheets/d/1f5OTQpEEvbiW-NzSfVTrzhmnZJ-hrmAZhRM7JXkDBSY/edit#gid=0
https://countuponsecurity.files.wordpress.com/2017/06/acp-search.png
 2017-06-12 10:46:56 +02:00
Florian Roth
c1f5bd1540 Sigmac bugfix: showing faulty condition 2017-06-12 10:07:15 +02:00
Thomas Patzke
91b3c39c0d Amended condition 
Changed condition according to proposed syntax for related event matching (#4)
 2017-06-11 23:54:19 +02:00
dimi
ac95e372e5 clarification: if executed locally there is no connection to the samr pipe on IPC$. So this rule detects remote changes 2017-06-09 14:15:37 +02:00