valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
701 Commits 20 Branches 25 Tags 21 MiB
df6ad82770
Commit Graph

701 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
ad53cc7cc2 Rule: Sysmon Turla Commands 2017-11-08 00:33:17 +01:00
Florian Roth
acc430c4b6 Rule: Proxy download from blacklisted TLDs 2017-11-07 14:03:16 +01:00
Florian Roth
58f20d3cfb Rule: Proxy download whitelist bugfix and improvements 2017-11-07 14:02:56 +01:00
Florian Roth
59e5b3b999 Sysmon: Named Pipe detection for APT malware 2017-11-06 14:24:42 +01:00
Florian Roth
ea840632f3 Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 14:22:09 +01:00
Florian Roth
37cea85072 Rundll32.exe suspicious network connections 2017-11-04 14:44:30 +01:00
Thomas Patzke
b03f9359ec sigmac: Added rule filter 2017-11-02 00:02:15 +01:00
Thomas Patzke
5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke
f3a809eb00 Improved admin logon rules and removed duplicates 2017-11-01 21:33:01 +01:00
Thomas Patzke
0055eedb83
Merge pull request #54 from juju4/CAR-2016-04-005b 
Admin user remote login
 2017-11-01 21:22:09 +01:00
Thomas Patzke
613f922976
Merge pull request #43 from juju4/master 
New rules
 2017-11-01 21:21:30 +01:00
Thomas Patzke
e90ff2d991 Improved testing 
* Added collection test case
* Test of file output
 2017-11-01 21:14:11 +01:00
Thomas Patzke
118e8af738 Simplified rule collection 2017-11-01 10:00:35 +01:00
Thomas Patzke
732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Thomas Patzke
d0b2bd9875 Multiple rules per file 
* New wrapper class SigmaCollectionParser parses all YAML documents
  contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
 2017-10-31 23:06:18 +01:00
Thomas Patzke
5743e25931 Added logging framework 2017-10-31 22:13:20 +01:00
Thomas Patzke
9d96a998d7
Merge pull request #56 from juju4/CAR-2013-05-002b 
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
 2017-10-30 00:27:56 +01:00
Thomas Patzke
720c992573 Dropped within keyword 
Covered by timeframe attribute.

Fixes issue #26.
 2017-10-30 00:25:56 +01:00
Thomas Patzke
25ba2c81ad Merge branch 'juju4-CAR-2013-04-002b' 2017-10-30 00:15:43 +01:00
Thomas Patzke
c865b0e9a8 Removed within keyword in rule 2017-10-30 00:15:01 +01:00
Thomas Patzke
0df60fe004 Merge branch 'CAR-2013-04-002b' of https://github.com/juju4/sigma into juju4-CAR-2013-04-002b 2017-10-30 00:13:21 +01:00
Thomas Patzke
27227855b5 Merge branch 'devel-sigmac' 2017-10-29 23:59:49 +01:00
Thomas Patzke
012cb6227f Added proper handling of null/not null values 
Fixes issue #25
 2017-10-29 23:57:39 +01:00
juju4
4b64fc1704 double quotes = escape 2017-10-29 14:42:40 -04:00
juju4
07185247cb double quotes = escape 2017-10-29 14:32:52 -04:00
juju4
f5f20c3f75 Admin user remote login 2017-10-29 14:30:11 -04:00
juju4
19dd69140b Detects Suspicious Run Locations - MITRE CAR-2013-05-002 2017-10-29 14:27:01 -04:00
juju4
ad27a0a117 Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002 2017-10-29 14:24:53 -04:00
juju4
9d968de337 Merge remote-tracking branch 'upstream/master' 2017-10-29 14:14:47 -04:00
Florian Roth
b7e8000ccb Improved Office Shell rule > added 'schtasks.exe' 2017-10-25 23:53:45 +02:00
Florian Roth
e680da1b50 Suspicious flash player download location / BadRabbit 2017-10-25 08:40:30 +02:00
Thomas Patzke
5fa9e685b1 Splitted parts of generate to generateQuery in backend code 2017-10-25 00:03:03 +02:00
Thomas Patzke
ace1bf94ea Merge branch 'devel-sigmac' 2017-10-24 23:49:04 +02:00
Thomas Patzke
6d0e85fcfa Fixed Splunk backend (#50) 2017-10-24 23:48:47 +02:00
Thomas Patzke
65e1f8ec2b Increased test coverage 
* more tests
* removed unneeded code
* increased coverage fail threshold
 2017-10-23 23:30:44 +02:00
Thomas Patzke
c6f26978c1 Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-10-23 00:46:41 +02:00
Thomas Patzke
3389656a5b Added ELK default index config 2017-10-23 00:45:33 +02:00
Thomas Patzke
7f93d3ca47 Kibana backend throws exception when multiple indices appear 
* Introduced backend errors with handling in sigmac
 2017-10-23 00:45:01 +02:00
Thomas Patzke
cb9aeac7d9 Added default index handling 
* Removed default index handling from backend code
* Added default indices to config templates
 2017-10-23 00:08:39 +02:00
Florian Roth
801d739a3b US CERT TA17-293A report - renamed PsExec execution 2017-10-22 12:55:26 +02:00
Thomas Patzke
ec996e7353 Improved test coverage 2017-10-19 17:42:56 +02:00
Thomas Patzke
1a8cfae6ac Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-10-19 11:42:09 +02:00
Thomas Patzke
a4a127e869 Measurement of test coverage 2017-10-19 11:40:53 +02:00
Florian Roth
d9f933fec9 Fixed the fixed PSAttack rule 2017-10-19 09:52:40 +02:00
Florian Roth
0b0435bf7a Fixed PSAttack rule 2017-10-18 21:49:38 +02:00
Thomas Patzke
0895ea88ed Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-10-18 19:05:59 +02:00
Thomas Patzke
5449a12a14 Added GrepBackend 
Moved field quoting/filtering into QuoteCharMixin
 2017-10-18 19:03:38 +02:00
Florian Roth
440bf29607 Added Thomas' hack.lu talk 2017-10-18 15:51:58 +02:00
Thomas Patzke
54cf9af0c9 Removed ELK Sysmon config 
It's contained in ELK Windows config
 2017-10-18 15:23:55 +02:00
Thomas Patzke
3418b949f3 Enhanced integration testing by configurations 2017-10-18 15:23:10 +02:00