Commit Graph

3134 Commits

Author SHA1 Message Date
Florian Roth
dbdd758365
Duplicate Rule
we already have a rule for that
2020-09-26 17:01:32 +02:00
Tran Trung Hieu
d4dd0600ad Fix logsource service to process_creation 2020-09-26 21:45:23 +07:00
Tran Trung Hieu
c756fc8576 Detect Suspicious AdFind Execution 2020-09-26 21:34:06 +07:00
Tran Trung Hieu
49ba107dce Fixed Title 2020-09-10 17:36:37 +07:00
Tran Trung Hieu
f7d5240d40 Added UID, fixed rule description 2020-09-10 17:20:16 +07:00
Tran Trung Hieu
1b6c6ec5bf Detects suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender 2020-09-10 17:16:06 +07:00
Tran Trung Hieu
e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu
443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu
e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu
97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Tran Trung Hieu
d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu
3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
hieuttmmo
9ad3427d68
Merge pull request #1 from Neo23x0/master
Update
2020-05-13 18:36:52 +07:00
Florian Roth
904a31103d
Merge pull request #750 from zaphodef/fix/win_bootconf_mod_bad_commandline
Fix a bad CommandLine search
2020-05-13 11:55:16 +02:00
zaphod
a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
Florian Roth
37c33cb6d9
Merge pull request #743 from tliffick/master
Registry entry for Azorult malware
2020-05-11 16:37:15 +02:00
Florian Roth
09d1b00459
Changed level to critical 2020-05-11 10:40:23 +02:00
tliffick
c98be55d21
Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick
61f061333b
Registry entry for Azorult malware
Detects registry keys used by Azorult malware
2020-05-08 21:26:24 -04:00
Florian Roth
fd7968d4f8
Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source
New rule: Failed Logon From Public IP
2020-05-08 16:24:12 +02:00
Florian Roth
64a5ad0d07
Merge pull request #735 from nl5887/master
fix incorrect use of action global
2020-05-08 12:20:33 +02:00
Thomas Patzke
3b96b5e497
Merge pull request #723 from neu5ron/socprime_add_zeek_and_corelight
sigmacs for Zeek and Corelight (Zeek)
2020-05-06 23:22:14 +02:00
Remco Verhoef
2d38cb7b52
fix incorrect use of global 2020-05-06 23:00:45 +02:00
Remco Verhoef
40539a0c0e
fix incorrect use of action global 2020-05-06 22:53:02 +02:00
Remco Hofman
123a23adae win_susp_failed_logon_source rule 2020-05-06 22:24:02 +02:00
Thomas Patzke
1797a1e56b
Merge pull request #733 from NVISO-BE/fix-732
Fix for broken endswith modifier
2020-05-06 22:17:08 +02:00
Remco Hofman
24029a8f27 Fix for broken endswith modifier 2020-05-06 17:10:54 +02:00
Florian Roth
1ce527c9be
Merge pull request #729 from Rettila/master
Rule correction and enhancement
2020-05-05 19:25:49 +02:00
Florian Roth
473c31232e
add additional reference 2020-05-05 19:25:33 +02:00
Rettila
0e1fa5c135
Update win_possible_dc_shadow.yml 2020-05-05 18:14:32 +02:00
Rettila
55d018255c
Update win_possible_dc_shadow.yml 2020-05-05 16:52:08 +02:00
Rettila
3302c63e0c
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml 2020-05-05 16:51:35 +02:00
Rettila
f27aa4bfee
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00
Rettila
db810b342f
Delete win_possible_dc_shadow.yml 2020-05-05 16:48:39 +02:00
Rettila
e3f21805f3
Update win_possible_dc_shadow.yml 2020-05-05 16:43:56 +02:00
Rettila
0f4cc9d365
Create win_possible_dc_shadow.yml 2020-05-05 16:40:52 +02:00
neu5ron
a01a85cf9b CI/CD check fixes (missing IDs) 2020-05-04 15:22:18 -04:00
neu5ron
90730508f0 Merge remote-tracking branch 'neu5ron-sigma/socprime_add_zeek_and_corelight' into socprime_add_zeek_and_corelight 2020-05-04 15:17:54 -04:00
neu5ron
a61b1da47a fixed yaml space causing condition to not be found 2020-05-04 15:17:43 -04:00
neu5ron
98f163e752 fixed yaml space causing condition to not be found 2020-05-04 15:10:48 -04:00
Florian Roth
d298bb5714
Merge pull request #480 from hillu/override-coverage
Make coverage binary overridable
2020-05-02 18:50:58 +02:00
Florian Roth
030898ba9c
Merge branch 'master' into override-coverage 2020-05-02 14:22:03 +02:00
Florian Roth
c71e10a7f3
Merge pull request #717 from Karneades/renamedbinary
Add netsh to renamed binary rule
2020-05-02 14:12:34 +02:00
Florian Roth
b4b9b0155f
Merge pull request #716 from Karneades/patch-1
Add rule to detect wifi creds harvesting using netsh
2020-05-02 14:12:10 +02:00
Florian Roth
7f8baee10d
Merge pull request #720 from 0xThiebaut/specification
Update rules to follow the Sigma state specification
2020-05-02 14:11:45 +02:00
neu5ron
d300027848 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
Add rules for Zeek. This includes Windows Event Channel Security EventID:5145, which has the same fields as Zeek SMB.
Also, converted some of [MITRE ATT&CK BZAR](https://github.com/mitre-attack/bzar), which are Zeek (sensor) scripts.
2020-05-02 07:27:51 -04:00
neu5ron
c66540c029 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
create `zeek` folder to store Zeek rules
2020-05-02 07:25:21 -04:00
neu5ron
cbe5af01a1 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
Add a total of 5 sigmacs (sigma configs) for 3 different backends. Full git message to follow in PR.
2020-05-02 07:23:11 -04:00
Thomas Patzke
2fafff3278 Fixed: escaping of backslashes before added *
Fixes issue #722.
2020-05-02 00:13:15 +02:00
Maxime Thiebaut
4600bf73dc Update rules to follow the Sigma state specification
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However, the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](a805d18bba/sigma-schema.rx.yml (L49))
 - [`sigma/tools/sigma/filter.py`](f3c60a6309/tools/sigma/filter.py (L26))
 - [`sigma/tools/sigmac`](4e42bebb34/tools/sigmac (L98))

Although not modifiable through a PR, the specification should furthermore be updated to use the `testing` state.
2020-04-24 20:50:31 +02:00