Thomas Patzke
df6ad82770
Removed redundant attribute from rule
...
EventID 4657 already implies the modification.
2018-06-21 23:59:55 +02:00
Thomas Patzke
e72c0d5de4
SingleTextQueryBackend ignores empty components in composed queries
...
Example: one component of a AND-composition is ignored if invoked
generate* call returns None.
2018-06-21 23:59:41 +02:00
Thomas Patzke
d8a7bcad39
Reordered rule generation
...
Generation of query parts before and after main query gives access to
information possibly gathered while main query generation.
2018-06-21 23:50:13 +02:00
Thomas Patzke
f60e7e125f
Sigma tools release 0.4
...
* Various bug fixes in quoting of specific characters
* New backend es-dsl
2018-05-01 00:50:07 +02:00
Thomas Patzke
7647587a8b
Fixed quoting of backslashes in generated queries
2018-05-01 00:45:59 +02:00
Thomas Patzke
de2ed08695
Merge branch 'ci-es'
2018-05-01 00:34:11 +02:00
Thomas Patzke
a1c32123f1
Setup ES 6.2.4 in Travis CI
2018-05-01 00:23:48 +02:00
Thomas Patzke
e411039b56
Fixed escaping of \u in Elasticsearch Query String queries
2018-05-01 00:05:16 +02:00
Florian Roth
ae6df590a9
Delphi downloader https://goo.gl/rMVUSM
2018-04-24 23:23:21 +02:00
Florian Roth
49877a6ed0
Moved and renamed rule
2018-04-18 16:53:11 +02:00
Florian Roth
3c1c9d2b31
Merge pull request #81 from yt0ng/sigma-yt0ng
...
added SquiblyTwo Detection
2018-04-18 16:39:37 +02:00
Florian Roth
8420d3174a
Reordered
2018-04-18 16:34:16 +02:00
yt0ng
c637c2e590
Adding Detections for renamed wmic and format
...
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
2018-04-18 15:02:52 +02:00
Florian Roth
9b8df865b1
Extended rule
2018-04-18 12:13:45 +02:00
yt0ng
a4fb39a336
also for http
2018-04-18 08:19:47 +02:00
yt0ng
169a4404c2
added SquiblyTwo Detection
2018-04-17 21:33:26 +02:00
Florian Roth
6d293d498d
Merge pull request #80 from marvi/marvi-patch-1
...
"author" should be a string and not a list.
2018-04-17 08:27:29 +02:00
Markus Härnvi
cf237cf658
"author" should be a string and not a list, according to the specification
2018-04-16 23:42:51 +02:00
Florian Roth
d8bbf26f2c
Added msiexec to rule in order to cover new threats
...
https://twitter.com/DissectMalware/status/984252467474026497
2018-04-12 09:12:50 +02:00
Thomas Patzke
15a6c5efb5
Detailed error messages for failed queries
2018-04-12 00:20:54 +02:00
Thomas Patzke
aeda30a389
Python rewrite of es-qs query test
2018-04-11 23:59:44 +02:00
Florian Roth
58517907ad
Improved rule to provide support for for old sysmon \REGISTRY syntax
2018-04-11 20:15:17 +02:00
Florian Roth
0ffd226293
Moved new rule to sysmon folder
2018-04-11 20:11:54 +02:00
Florian Roth
52d405bb1b
Improved shell spawning rule
2018-04-11 20:09:42 +02:00
Florian Roth
ef7fb4cff1
Merge pull request #78 from Karneades/patch-1
...
Add rule for Windows registry persistence mechanisms
2018-04-11 19:35:55 +02:00
Florian Roth
b065c2c35c
Simplified rule
2018-04-11 19:03:35 +02:00
Karneades
fa6677a41d
Remove @ in author
...
Be nice to Travis: "error syntax error: found character '@' that cannot start any token"
2018-04-11 15:21:42 +02:00
Karneades
be3c27981f
Add rule for Windows registry persistence mechanisms
2018-04-11 15:13:00 +02:00
Thomas Patzke
788111f174
Fixes for Elasticsearch query correctness CI tests
...
* Quoting in rule
* Reading queries without special processing of backslashes
Unfortunately, backslashes still cause breaks caused by Bash handling of
them.
2018-04-09 22:33:29 +02:00
Florian Roth
56172ae174
Corrected CrackMapExec rule
2018-04-09 08:40:03 +02:00
Florian Roth
a9c7fe202e
Rule: Windows shell spawning suspicious program
2018-04-09 08:37:30 +02:00
Florian Roth
8ddd40e18e
PowerShell Cradle - WebDAV UA
2018-04-09 08:37:30 +02:00
Florian Roth
e53826e167
Extended Sysmon Office Shell rule
2018-04-09 08:37:30 +02:00
Florian Roth
6eb8cdfeab
TSCookie UA
2018-04-09 08:37:30 +02:00
Thomas Patzke
05928d4f8f
Merge pull request #76 from HacknowledgeCH/es-dsl
...
es-dsl backend
2018-04-08 23:39:23 +02:00
Thomas Patzke
f113832c04
Merge pull request #69 from jmallette/rules
...
Create cmdkey recon rule
2018-04-08 23:23:30 +02:00
Thomas Patzke
35d43c5ed9
Merge pull request #77 from yt0ng/sigma-yt0ng
...
added NCSC CrackMapExecWin Description in apt_dragonfly.yml
2018-04-08 23:21:49 +02:00
root
69671733a8
added NCSC CrackMapExecWin Description in apt_dragonfly.yml
2018-04-08 17:10:00 +02:00
milkmix
0b3b0c3aaf
imported es-dsl code from repo
2018-04-06 17:36:11 +02:00
Thomas Patzke
24d94d39b8
CI: Testing backend es-qs against Elasticsearch
2018-04-04 00:32:48 +02:00
Thomas Patzke
4183b1b59e
Sigma tools release 0.3.3
2018-03-29 11:17:03 +02:00
Thomas Patzke
22ee6f4521
sigmac: escaped wildcards (\* and \?) are passed in generated query
2018-03-29 11:15:20 +02:00
Thomas Patzke
17c1c1adff
Added field name mappings to HELK configuration
2018-03-27 14:41:02 +02:00
Thomas Patzke
a3e02ea70f
Various rule fixes
...
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
Thomas Patzke
b1bfa64231
Removed redundant 'EventLog' conditions
2018-03-26 00:36:40 +02:00
Thomas Patzke
f68af2a5da
Added reference to Kerberos RC4 rule
2018-03-25 23:19:01 +02:00
Thomas Patzke
dacc6ae3d3
Fieldname case: Commandline -> CommandLine
2018-03-25 23:08:28 +02:00
Florian Roth
e141a834ff
Rule: Ping hex IP address
...
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
2018-03-23 17:00:00 +01:00
Florian Roth
c10da5b734
Improved Chafer activity rule
2018-03-23 10:50:40 +01:00
Florian Roth
a797a281ac
Rule: Chafer / OilRig activity Mar 18
...
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
2018-03-23 08:59:16 +01:00