valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,308 Commits 20 Branches 25 Tags 21 MiB
c25b902add
Commit Graph

2308 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
c25b902add
Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Florian Roth
611b72dba5
Merge pull request #559 from vburov/patch-8 
Added some suspicious locations
 2019-12-10 20:15:16 +01:00
Vasiliy Burov
977551c69d
Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov
0dd4324aba
Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Thomas Patzke
b701e9be50 Added ECS proxy configuration 2019-12-09 16:34:07 +01:00
Thomas Patzke
a9d6158dde Merge branch 'rules' 2019-12-09 16:17:39 +01:00
Thomas Patzke
2ea87f187c Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00
Thomas Patzke
991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke
dd8442590f Fixed proxy rule field names 2019-12-07 00:11:33 +01:00
Thomas Patzke
51e9689425 Sigmatool release 0.15.0 2019-12-06 22:13:44 +01:00
Thomas Patzke
58d8512396
Merge pull request #553 from berggren/patch-1 
Add source distribution for PyPi when building
 2019-12-06 22:10:19 +01:00
Johan Berggren
d8e1f56219
Add source distribution for PyPi when building 
Add sdist when building. This makes it easier to build packages from PyPi for example Debian PPA pkgs etc.
This will not affect anything else, just make the source distribution available in PyPi as a tar.gz archive.

If this gets merged, please bump the version and push to PyPi as well.
 2019-12-06 15:45:28 +01:00
Florian Roth
e91a79e707
Merge pull request #550 from refractionPOINT/lc-proxy-support 
LimaCharlie basic support for Proxy rule category.
 2019-12-06 08:20:14 +01:00
Florian Roth
6359223390
Merge pull request #551 from axi0m/patch-1 
Add hastebin raw URI to contains selection
 2019-12-06 08:19:44 +01:00
Kevin Dienst
865251238f
Add hastebin raw URI to contains selection 2019-12-05 14:16:20 -06:00
Maxime Lamothe-Brassard
27bb07b74e Adding support for basic proxy rules using the HTTP_REQUEST events from the Chrome LC Agent. 2019-12-05 09:35:09 -08:00
Florian Roth
ab2dd094a5 fix: fixed broken link in elise rule 2019-12-05 09:56:20 +01:00
Florian Roth
8e107f43a2 rule: raw paste service access 2019-12-05 08:54:49 +01:00
Thomas Patzke
ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke
e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke
c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke
76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
Florian Roth
c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth
fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
Thomas Patzke
98be3ce069 Fixed changelog (missing title) 2019-11-30 00:34:17 +01:00
Florian Roth
00a26dff16
Merge pull request #536 from Neo23x0/devel 
Changes to CVE-2019-1388 rule
 2019-11-20 09:27:56 +01:00
Florian Roth
f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth
55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth
0b9cd47c1e
Merge pull request #535 from Neo23x0/devel 
Rule to detect CVE-2019-1388
 2019-11-20 09:19:52 +01:00
Florian Roth
4022e3251b rule: changed title 2019-11-20 09:16:00 +01:00
Florian Roth
158f6b3065 rule: exploitation of CVE-2019-1388 2019-11-20 09:12:02 +01:00
Florian Roth
a6d069c6d2 Merge branch 'master' into devel 2019-11-19 15:59:22 +01:00
Florian Roth
98aa4d4ecb fix: fixed typo in rule for renamed procdump 2019-11-19 15:59:07 +01:00
Florian Roth
0dd583510a
Merge pull request #534 from Neo23x0/devel 
rules and fixes
 2019-11-18 16:01:26 +01:00
Florian Roth
2c855be9d3 fix: casing fix in renamed procdump rule 2019-11-18 15:57:14 +01:00
Florian Roth
fdc32889a7 rule: PulseSecure CVE-2019-11510 attack 2019-11-18 15:33:58 +01:00
Florian Roth
93f890b31d rule: renamed procdump 2019-11-18 15:27:04 +01:00
Florian Roth
da05c9bb82 fix: line break in description 2019-11-18 15:26:55 +01:00
Florian Roth
2c54d1afe4 rule: removed Zebrocy rule because it doesn't work that way 
reason: command line gets split up at the '&' character, which results in two command lines
 2019-11-18 11:42:38 +01:00
Florian Roth
396c506794
Merge pull request #532 from Neo23x0/devel 
rule: RottenPotato attack pattern
 2019-11-15 12:01:42 +01:00
Florian Roth
04288771a1 fix: bugfix in RottenPotato rule - wrong identifier 2019-11-15 11:50:03 +01:00
Florian Roth
7e6031705e rule: RottenPotato attack pattern 2019-11-15 11:44:18 +01:00
Florian Roth
c99ab28834
Merge pull request #531 from Neo23x0/devel 
Devel
 2019-11-15 00:34:38 +01:00
Florian Roth
ff3ed04405 rule: Exploiting SetupComplete.cmd CVE-2019-1378 2019-11-15 00:26:18 +01:00
Florian Roth
2cf6e16024 fix: missing new MITRE tactics category in tests 2019-11-14 23:31:38 +01:00
Florian Roth
e8bfc28284 Merge branch 'devel' 2019-11-14 10:16:56 +01:00
Florian Roth
2b7699cc15 fix: fixed broken condition 2019-11-14 10:15:18 +01:00
Florian Roth
2e452d4035
Merge pull request #528 from Neo23x0/devel 
Rule: suspicious msiexec directory
 2019-11-14 10:00:12 +01:00
Florian Roth
95a8563606 Rule: suspicious msiexec directory 2019-11-14 09:51:55 +01:00
Thomas Patzke
cf22e9e576 Added hint on failed UUID check 2019-11-12 23:37:28 +01:00