Commit Graph

1982 Commits

Author SHA1 Message Date
Thomas Patzke
14b10c232e Merge branch 'MadsRC-MadsRC-patch-1' 2019-05-09 23:58:14 +02:00
Thomas Patzke
f51e918a2e Small rule change 2019-05-09 23:57:55 +02:00
Thomas Patzke
31946426a5 Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1 2019-05-09 23:54:18 +02:00
Thomas Patzke
f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d Changed rule
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e Converted to generic process creation rule
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d Update win_proc_wrong_parent.yml
changes according to these documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00
Florian Roth
378ba5b38f Transformed rule
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description
2019-05-09 23:48:36 +02:00
Vasiliy Burov
8e6295e402 Windows processes with wrong parent
Detect scenarios when a malicious program is disguised as a legitimate process
2019-05-09 23:48:36 +02:00
Thomas Patzke
1e2ef92104 Merge branch 'vburov-patch-2' 2019-05-09 23:10:52 +02:00
Thomas Patzke
121e21960e Rule changes
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Thomas Patzke
763939a8ca Hide --shoot-yourself-in-the-foot 2019-04-25 23:42:13 +02:00
Thomas Patzke
eb022f3908 Conditional field mapping for null values
Fixes #326
2019-04-25 23:24:05 +02:00
Thomas Patzke
cfb4f32651 Backend es-dsl tolerates rules without title and log source 2019-04-25 22:41:31 +02:00
Florian Roth
16bf5eef0f Merge pull request #327 from Codehardt/master
Added logsources for generic sigma rules to spark config, renamed spa…
2019-04-25 10:10:51 +02:00
Codehardt
17ae9ea91c Renamed spark config in setup.py 2019-04-25 09:56:29 +02:00
Codehardt
8cf505fcb3 Accidentally removed windows-dhcp logsource in spark's config file 2019-04-25 08:23:48 +02:00
Codehardt
79f7edb6b4 Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 08:15:50 +02:00
Thomas Patzke
6918784e87 Configuration order checking 2019-04-23 00:54:10 +02:00
Thomas Patzke
c90d3e811e Formatted error code definitions 2019-04-23 00:53:52 +02:00
Thomas Patzke
e9af99c147 Completed error codes 2019-04-23 00:52:31 +02:00
Thomas Patzke
4559aa4e00 Fixed es-qs backend check 2019-04-23 00:05:36 +02:00
Thomas Patzke
d0bd8a2a41 Mandatory configuration for most backends 2019-04-22 23:40:21 +02:00
Thomas Patzke
87abd20c0f Removed deprecated PyYAML API from rule test 2019-04-22 23:21:08 +02:00
Thomas Patzke
34c426a95b Moved error codes to constants defined centrally 2019-04-22 23:15:35 +02:00
Thomas Patzke
f0b0f54500 Merge improved pull request #322 2019-04-21 23:56:36 +02:00
Thomas Patzke
765fe9dcd9 Further improved Windows user creation rule
* Decreased level
* Fixed field names
* Added false positive possibility
2019-04-21 23:54:18 +02:00
Florian Roth
d0950bd077 fix: yaml.load() issue
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
2019-04-21 20:30:31 +02:00
Karneades
b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Florian Roth
38d548868d Merge pull request #324 from Neo23x0/revert-322-feature/win_user_creation
Revert "New Sigma rule detecting local user creation"
2019-04-21 09:20:48 +02:00
Florian Roth
dd9648b31e Revert "New Sigma rule detecting local user creation" 2019-04-21 09:09:25 +02:00
Florian Roth
a85acdfd02 Changed title and description 2019-04-21 08:54:56 +02:00
Florian Roth
0713360443 Fixed MITRE ATT&CK tags 2019-04-21 08:52:07 +02:00
Thomas Patzke
49beb5d1a8 Integrated PR from @P4T12ICK in existing rule
PR #321
2019-04-21 00:28:40 +02:00
Thomas Patzke
bdd184a24c Merge pull request #322 from P4T12ICK/feature/win_user_creation
New Sigma rule detecting local user creation
2019-04-21 00:20:15 +02:00
Thomas Patzke
80f45349ed Modified rule
* Adjusted ATT&CK tagging
* Set status
2019-04-21 00:14:57 +02:00
Florian Roth
aab3dbee4f Rule: Detect Empire PowerShell Default Cmdline Params 2019-04-20 09:38:41 +02:00
Florian Roth
03d8184990 Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:41 +02:00
Florian Roth
5249279a66 Rule: another MSF payload user agent 2019-04-20 09:38:41 +02:00
Florian Roth
d5fa51eab9 Merge pull request #305 from Karneades/patch-3
Remove too loose filter in notepad++ updater rule
2019-04-19 12:40:24 +02:00
Florian Roth
e32708154f Merge pull request #304 from Karneades/patch-2
Remove too loose filter in mshta rule
2019-04-19 09:51:45 +02:00
Florian Roth
74dd008b10 FP note for HP software 2019-04-19 09:51:32 +02:00
Florian Roth
8a5ae01f0e Merge pull request #323 from Karneades/filterFix
Restrict filter in system exe anomaly rule
2019-04-19 09:17:16 +02:00
Karneades
d75ea35295 Restrict whitelist filter in system exe anomaly rule 2019-04-18 22:06:12 +02:00
patrick
8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
Florian Roth
f78413deab Merge pull request #309 from jmlynch/master
added rules for renamed wscript, cscript and paexec. Added two direct…
2019-04-17 23:59:27 +02:00
Florian Roth
4808f49e0d More exact path 2019-04-17 23:45:15 +02:00
Florian Roth
1a4a74b64b fix: dot mustn't be escaped 2019-04-17 23:44:36 +02:00
Florian Roth
76780ccce2 Too many different trusted cscript imphashes 2019-04-17 23:33:56 +02:00