valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,331 Commits 20 Branches 25 Tags 21 MiB
c8ee6e9631
Commit Graph

28 Commits

Author SHA1 Message Date
yugoslavskiy
c8ee6e9631
Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov 
[OSCD] Ilyas Ochkov contribution
 2019-11-14 00:22:48 +03:00
Yugoslavskiy Daniil
4251d9f490 ilyas ochkov contribution 2019-10-29 03:44:22 +03:00
yugoslavskiy
5eb484a062 add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00
Thomas Patzke
56f64ca47d
Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection 
New C2 DNS Tunneling Sigma Detection Rule
 2019-05-10 00:12:39 +02:00
Thomas Patzke
f51e918a2e Small rule change 2019-05-09 23:57:55 +02:00
Florian Roth
a85acdfd02
Changed title and description 2019-04-21 08:54:56 +02:00
Florian Roth
0713360443
Fixed MITRE ATT&CK tags 2019-04-21 08:52:07 +02:00
patrick
51d19b36cc Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00
patrick
4b43db2aac Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00
MadsRC
41b4d800c5
Update net_susp_dns_txt_exec_strings.yml 
Fixed my botched YAML syntax...
 2019-04-04 08:35:37 +02:00
MadsRC
d0d51b6601
Update net_susp_dns_txt_exec_strings.yml 
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.

"record_type" was chosen as that fits with Splunks "Network Resolution (DNS)" datamodel.
 2019-04-03 20:31:31 +02:00
Thomas Patzke
58afccb2f3
Fixed ATT&CK tagging 2018-08-08 15:58:19 +02:00
yt0ng
e44b4f450e
DNS TXT Answer with possible execution strings 
https://twitter.com/stvemillertime/status/1024707932447854592
 2018-08-08 15:51:56 +02:00
Florian Roth
9640806678 Rules: Telegram Bot API access 2018-06-05 16:25:43 +02:00
Florian Roth
1aaed07dd7 Rule: Suspicious base64 encoded part of DNS query 2018-05-10 14:08:52 +02:00
Florian Roth
62b490396d Rule: Cobalt Strike DNS Beaconing 2018-05-10 14:08:52 +02:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke
5c465129bd Fixed rules 
* Replaced unspecified logsource attribute 'type' with 'category'
* Usage of service 'auth' for linux logs
 2017-09-11 00:35:52 +02:00
Thomas Patzke
27e5d0c2b4 Fixed further parse error 2017-08-02 23:32:00 +02:00
Florian Roth
37449e2c5d Fix: Search to log source in network rule 2017-04-15 11:32:38 +02:00
Florian Roth
b1446f9b87 Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00
Thomas Patzke
15c6f9411b Rule review 
* Typos
* Added false positive descriptions
 2017-02-24 23:44:42 +01:00
Florian Roth
166f207dc0 Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00
Florian Roth
18fd63f6b7 Levels to low, medium, high, critical 2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d Rule review and cleanup 
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
  OR linkage would cause wrong result.
 2017-02-15 23:53:08 +01:00
Florian Roth
a2adb1ddb5 Renamed rule files, new rules 2017-02-10 19:17:02 +01:00
Thomas Patzke
97847a29de Moved network rules into rules directory 2017-02-08 12:43:50 +01:00