valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,907 Commits 20 Branches 25 Tags 21 MiB
c2868f6e03
Commit Graph

1907 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
ecco
c2868f6e03 remove TAB from cli escape as it's currently unsupported in sigmac 2019-09-23 04:46:10 -04:00
Thomas Patzke
9630635e25 Merge branch 'herrBez-addt push origin master-datefield-xpack-watcher' 2019-09-12 00:20:28 +02:00
Thomas Patzke
19f431b6d2 Changed xpack-watcher dateField default to previous value 2019-09-12 00:19:58 +02:00
herrBez
8f612f743c Use config dateField in xpack watcher to determine 
datefield name as in elasticsearch dsl backend
 2019-09-11 09:38:03 +02:00
Florian Roth
038900e2fe fix: renamed powershell rule 2019-09-06 17:33:56 +02:00
Florian Roth
7f1b6eb311 fix: duplicate rule 2019-09-06 10:30:47 +02:00
Florian Roth
fcbae16cc8 rule: image debugger 2019-09-06 10:28:20 +02:00
Florian Roth
2ec1f710f3
Merge pull request #441 from EccoTheFlintstone/powershell_rules 
powershell false positives
 2019-09-06 10:19:45 +02:00
ecco
01956f1312 powershell false positives 2019-09-06 03:54:19 -04:00
Thomas Patzke
c80cb418cd Improved QRadar regular expression support 2019-09-05 15:35:26 +02:00
Thomas Patzke
30b6db8299 Fixed ES backend keyword field mapping wildcard match pattern 2019-09-05 12:55:10 +02:00
Thomas Patzke
3b1cbe529e Elasticsearch keyword field name blacklisting with wildcards 2019-09-05 12:38:32 +02:00
Thomas Patzke
afe6668fbd
Merge pull request #438 from duzvik/master 
Escaped '\*' to '\*' where required
 2019-09-05 10:57:25 +02:00
Thomas Patzke
2a60c71b9d
Merge pull request #437 from svent/qradar_regex_modifier 
QRadar backend: add support for re type modifiers
 2019-09-05 10:30:18 +02:00
Thomas Patzke
f9f5558ae1
Merge pull request #392 from TareqAlKhatib/shim 
Fixed commandline to detect any shim install from any location
 2019-09-05 10:28:50 +02:00
Thomas Patzke
de5e2045f0
Merge pull request #428 from stevengoossensB/master 
AQL field selection from signatures
 2019-09-05 10:28:02 +02:00
Thomas Patzke
37e179b6a7
Merge pull request #390 from juju4/devel-sumo2 
sumologic backend: fix index and full mapping coverage
 2019-09-05 10:27:19 +02:00
Florian Roth
7bef822da7 rule: minor improvement to susp ps enc cmd 2019-09-04 16:31:49 +02:00
Denys Iuzvyk
774be4d008 Escaped '\*' to '\*' where required 2019-09-04 14:05:58 +03:00
svent
467c8f694c QRadar backend: add support for re type modifiers 2019-09-03 22:55:48 +02:00
Florian Roth
03d45d57de rule: emissary panda activity 2019-09-03 15:35:33 +02:00
Florian Roth
3a29835221
Merge pull request #433 from EccoTheFlintstone/master 
add comcvcs.dll memdump method
 2019-09-02 14:13:24 +02:00
ecco
8cad0c638e add comcvcs.dll memdump method 2019-09-02 07:49:19 -04:00
Florian Roth
dca5a7a248
Merge pull request #432 from EccoTheFlintstone/master 
add/modify powershell Empire rules
 2019-09-02 11:40:36 +02:00
ecco
5f30e52739 add/modify powershell Empire rules 2019-09-02 05:04:44 -04:00
Florian Roth
ace0cc36c6 rule: improved csc rule 2019-08-31 08:44:09 +02:00
Florian Roth
7cc26e30b4 docs: renamed file name 2019-08-30 12:04:20 +02:00
Florian Roth
f8785e722f docs: changed title and description of rule 2019-08-30 12:03:42 +02:00
Florian Roth
ba46d6b4de docs: added reference to rule 2019-08-30 11:55:02 +02:00
Florian Roth
398ef9c6aa rules: teardown implant, apt28 ua 2019-08-30 11:53:55 +02:00
Florian Roth
fe8f040863
Merge pull request #429 from weev3/master 
Control Panel Item, MITRE_ID=T1196
 2019-08-27 14:24:56 +02:00
Florian Roth
ca2019b57f
fix: typo in MITRE tag 2019-08-27 12:32:56 +02:00
Florian Roth
6b7cd94197
Changes 2019-08-27 12:23:42 +02:00
weev3
d42a51372d
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30
Steven Goossens
cb088e4911 Remove quotes from around the fields to make the query semantically correct 2019-08-26 12:43:26 +00:00
Steven Goossens
ad19f05e2c Include mapped names rather then signature names 2019-08-26 12:06:20 +00:00
Steven Goossens
37caccd52e Includes the trial condition so generic query is generated whenever the fields are not defined 2019-08-26 11:48:40 +00:00
Steven Goossens
895682aef2 Implementing the fields to be selected 2019-08-26 10:57:43 +00:00
Thomas Patzke
59a6a0c523 Added ATT&CK technique to rule test 2019-08-25 10:13:11 +02:00
Florian Roth
70a26a6132 fix: fixed MITRE tags 2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680 rule: csc.exe suspicious source folder 2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817 rules: encoded FromBase64String keyword 2019-08-24 13:53:05 +02:00
Florian Roth
87ce52f6fe fix: fixed wrong MITRE tag 2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21 rule: encoded IEX 2019-08-23 23:13:36 +02:00
Thomas Patzke
68fb56f503
Merge pull request #345 from ki11oFF/patch-1 
Detection of usage mimikatz trough WinRM
 2019-08-23 23:04:07 +02:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement 
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
 2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement 
Win susp add sid history improvement
 2019-08-23 22:58:46 +02:00
Thomas Patzke
9d3232cf90
Merge pull request #424 from import-au/master 
Support for Malicious cmdlets in ATP
 2019-08-23 22:57:06 +02:00
Florian Roth
cc01f76e99 docs: minor changes 2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00