valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,294 Commits 20 Branches 25 Tags 21 MiB
d3e261862d
Commit Graph

3294 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
ecco
0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth
b672d7aeb4
Merge pull request #759 from Neo23x0/rule-devel 
Rule devel
 2020-05-15 12:25:46 +02:00
Florian Roth
cc26b26377 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
 2020-05-15 12:09:47 +02:00
Florian Roth
8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel 
Rule devel
 2020-05-15 12:07:04 +02:00
Florian Roth
beb62dc163
fix: condition location 2020-05-15 12:06:34 +02:00
Florian Roth
5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Florian Roth
2282432b6f
Merge pull request #753 from hieuttmmo/master 
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
 2020-05-15 11:35:12 +02:00
Florian Roth
28dc2a2267
Minor changes 
hints: 
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
 2020-05-15 11:33:36 +02:00
Florian Roth
d8cd396697
Merge pull request #758 from EccoTheFlintstone/fix_fp 
remove false positives with cmd as child of services.exe (not specifi…
 2020-05-15 11:28:05 +02:00
ecco
54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Trent Liffick
40ab1b7247
added 'action: global' 2020-05-14 23:33:08 -04:00
Trent Liffick
56a2747a70
Corrected missing condition 
learning! fail fast & forward
 2020-05-14 23:18:33 -04:00
Trent Liffick
fb1d8d7a76
Corrected typo 2020-05-14 23:04:14 -04:00
Trent Liffick
8aff6b412e
added rule for Blue Mockingbird (cryptominer) 2020-05-14 22:58:23 -04:00
Florian Roth
d25b8a0492 docs: remove GPL reference, DRL in README 2020-05-14 15:56:39 +02:00
Florian Roth
ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Tiago Faria
06abd6e76a added ci tests for ecs-cloudtrail 2020-05-14 14:03:23 +01:00
Tiago Faria
2893becf8c Merge remote-tracking branch 'upstream/master' 2020-05-14 14:02:20 +01:00
Tran Trung Hieu
e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu
443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu
e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu
97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Thomas Patzke
133319c417
Merge pull request #737 from NVISO-BE/backend-ee-outliers 
ee-outliers backend
 2020-05-13 22:38:02 +02:00
Florian Roth
7652813c2c
Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives 
Widen the search as it gives too many false negatives
 2020-05-13 21:02:12 +02:00
Tran Trung Hieu
d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu
3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod
78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth
78a8266a1b
Merge pull request #749 from teddy-ROxPin/patch-6 
Create win_advanced_ip_scanner.yml
 2020-05-13 14:09:12 +02:00
hieuttmmo
9ad3427d68
Merge pull request #1 from Neo23x0/master 
Update
 2020-05-13 18:36:52 +07:00
Florian Roth
220a14f31c
fix: typo in contains 2020-05-13 12:38:54 +02:00
Florian Roth
a1856c5743
Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
Florian Roth
904a31103d
Merge pull request #750 from zaphodef/fix/win_bootconf_mod_bad_commandline 
Fix a bad CommandLine search
 2020-05-13 11:55:16 +02:00
zaphod
a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin
bb17fd74ee
Create win_advanced_ip_scanner.yml 
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 2020-05-12 21:43:01 -06:00
Florian Roth
e01734fda1 rule: proxy UA hidden cobra 2020-05-12 17:43:54 +02:00
zaphod
d510e1aad4 Fix 'source' value for win_susp_backup_delete 2020-05-11 18:31:59 +02:00
Florian Roth
37c33cb6d9
Merge pull request #743 from tliffick/master 
Registry entry for Azorult malware
 2020-05-11 16:37:15 +02:00
Remco Hofman
37b08543ac Updated author reference in license 2020-05-11 11:47:56 +02:00
Florian Roth
1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth
2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth
4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth
f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Florian Roth
09d1b00459
Changed level to ciritcal 2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware 
Detects registry keys used by Azorult malware
 2020-05-08 21:26:24 -04:00
Remco Hofman
c5c5e1b79b Added ee-outliers test to Makefile 2020-05-08 17:51:35 +02:00
Florian Roth
fd7968d4f8
Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source 
New rule: Failed Logon From Public IP
 2020-05-08 16:24:12 +02:00
vh
fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Florian Roth
64a5ad0d07
Merge pull request #735 from nl5887/master 
fix incorrect use of action global
 2020-05-08 12:20:33 +02:00