valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,772 Commits 20 Branches 25 Tags 21 MiB
cc8899ea62
Commit Graph

6772 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
cc8899ea62
Merge pull request #1717 from frack113/netcat 
[OSCD] sysmon_netcat_execution.yml T1095
 2021-07-23 09:51:23 +02:00
Florian Roth
d00ca03cb6
increased level to high 2021-07-23 09:51:00 +02:00
Florian Roth
edfd082754
Merge pull request #1716 from frack113/elk_keyword_rule 
powershell_nishang_malicious_commandlets Elk keywords trouble
 2021-07-22 15:01:13 +02:00
Florian Roth
cbc7a746d4
feat: some often used ncat command line strings 2021-07-22 15:00:50 +02:00
Florian Roth
7a8fcf4237
Merge pull request #1718 from frack113/powercat 
[OSCD] powershell_powercat.yml T1095
 2021-07-22 14:53:34 +02:00
Florian Roth
132bd8fdd8
Merge pull request #1720 from frack113/redcanary_t1411_001 
[OSCD] powershell_suspicious_mail_acces.yml T1114.001
 2021-07-22 14:53:21 +02:00
Florian Roth
583cae058e
Merge pull request #1723 from phantinuss/master 
Add sysmon_status and sysmon_error category to thor logsource; logical rule fix
 2021-07-22 14:53:01 +02:00
Florian Roth
9f2f6db598
Merge pull request #1721 from frack113/update_test 
Update date and modified test
 2021-07-22 11:10:25 +02:00
Florian Roth
7add93e05d
Merge pull request #1722 from frack113/clean_duplicate 
Find a duplicate rules
 2021-07-22 11:10:15 +02:00
Florian Roth
1cfb0e4689
Update win_mal_flowcloud.yml 2021-07-22 11:09:45 +02:00
phantinuss
3b5f3d8bef
fix: indentation 2021-07-22 10:18:03 +02:00
phantinuss
e4880169d3
add sysmon_status and sysmon_error category to thor logsources 2021-07-22 09:59:16 +02:00
phantinuss
3c85bba998
fix: according to the reference the condition should be or; it would never match otherwise anyways 2021-07-22 09:59:04 +02:00
frack113
985a80de96 Find duplicate rules 2021-07-22 08:33:52 +02:00
frack113
fe20158f5e Update date and modified test 2021-07-21 18:28:47 +02:00
frack113
4cc4df35d8 add powershell_suspicious_mail_acces.yml 2021-07-21 15:27:12 +02:00
frack113
72da7a3053 fix tags attack.t1095 2021-07-21 13:08:35 +02:00
frack113
41c4f1d157 add powershell_powercat.yml 2021-07-21 13:04:27 +02:00
frack113
1b537cac5d add sysmon_netcat_execution.yml 2021-07-21 10:55:54 +02:00
Florian Roth
461aac3ac5
Merge pull request #1709 from frack113/add_test 
test_rules.py check duplicate id
 2021-07-21 10:44:08 +02:00
Florian Roth
0930a933c3
Merge pull request #1713 from frack113/redcanary_t1552_004 
[OSCD] process_creation_discover_private_keys.yml T1552.004
 2021-07-21 10:43:45 +02:00
Florian Roth
78f903a2cc
Merge pull request #1714 from frack113/redcanary_t1074_001 
[OSCD] win_susp_zip_compress.yml T1074.001
 2021-07-21 10:43:32 +02:00
Florian Roth
8f0e58b6ed
Merge pull request #1715 from frack113/redcanary_t1095 
Update powershell_suspicious_download.yml
 2021-07-21 10:43:05 +02:00
frack113
44254038d3 fix human error : test-sigmac Error 4 2021-07-21 10:01:46 +02:00
frack113
b9b0ef2066 convert keywords to correct field name Payload 2021-07-21 09:44:26 +02:00
frack113
ba50a2309c fix case EventID 2021-07-20 16:26:13 +02:00
frack113
42005a07b7 update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00
frack113
b031a1b4b7 add win_susp_zip_compress.yml 2021-07-20 13:13:53 +02:00
frack113
cf8904b560 fix files_with_incorrect_mitre_tags 2021-07-20 12:22:31 +02:00
frack113
da6135ccb3 add process_creation_discover_private_keys.yml 2021-07-20 11:20:30 +02:00
Florian Roth
6fbce11094
Merge pull request #1712 from SigmaHQ/rule-devel 
fix: bug in regsvr anomaly rule
 2021-07-18 13:00:19 +02:00
Florian Roth
b7b4c4555f fix: bug in regsvr anomaly rule 2021-07-18 12:59:31 +02:00
Florian Roth
345f55bc53
Merge pull request #1711 from thegoatreich/patch-1 
Add LogRhythm to supported targets
 2021-07-17 13:47:24 +02:00
Florian Roth
c905e61f7a
Merge pull request #1705 from thegoatreich/logrhythm-support 
Logrhythm support
 2021-07-17 13:47:04 +02:00
Florian Roth
7eb873e48b
Merge pull request #1710 from SigmaHQ/rule-devel 
added more legitimate extensions to regsvr32 rule
 2021-07-17 13:46:21 +02:00
thegoatreich
dff7ad653a
Add LogRhythm to supported targets 2021-07-17 11:02:32 +01:00
Florian Roth
53c25969ab added more legitimate extensions to regsvr32 rule 2021-07-17 11:20:05 +02:00
frack113
50c47a4ed0 check duplicate id 2021-07-17 10:32:29 +02:00
Florian Roth
8a75890b51
Merge pull request #1702 from d4rk-d4nph3/master 
Added rule for ADRecon execution
 2021-07-17 09:50:29 +02:00
Florian Roth
e838a1acc4
increased level 2021-07-17 09:50:11 +02:00
Florian Roth
715bca0fd2
Merge pull request #1704 from frack113/redcanary_t1216 
Redcanary t1216
 2021-07-17 09:48:43 +02:00
Florian Roth
56ae1938af
Merge pull request #1706 from BlackB0lt/patch-12 
Create sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
 2021-07-17 09:46:35 +02:00
Florian Roth
3967240818
Merge pull request #1708 from heyibrahimkhan/patch-7 
Update ecs-suricata.yml
 2021-07-17 09:44:40 +02:00
Florian Roth
b1a00152bc
Merge pull request #1698 from SigmaHQ/rule-devel 
several new rules and fixes
 2021-07-17 09:39:47 +02:00
Florian Roth
b911175f28 Suspicious mshta patterns 2021-07-17 09:04:41 +02:00
Florian Roth
6c79115ce0 Regsvr32 Anomalies extended 2021-07-17 09:04:31 +02:00
Ibrahim Ali Khan
dbf924635d
Update ecs-suricata.yml 
metadata items tag and cve mapping added.
 2021-07-17 04:55:46 +05:00
Sittikorn S
d3a1fb8565
Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml 2021-07-17 06:49:37 +07:00
Sittikorn S
5e84a603d0
Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml 2021-07-17 01:04:07 +07:00
Sittikorn S
a3c4aa5dad
Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml 2021-07-17 01:02:14 +07:00