Commit Graph

139 Commits

Author SHA1 Message Date
neu5ron
61c9c9fb20 Zeek detection for OMIGOD HTTP RCE
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
2021-09-20 12:26:01 -04:00
frack113
92999468ee
Merge pull request #2012 from frack113/upgrade_test
Upgrade test_rules.py
2021-09-11 15:29:19 +02:00
frack113
8d3a77d1f5
Update net_susp_ipify.yml 2021-09-11 08:31:24 +02:00
neonprimetime security (Justin C Miller)
033494c8f7
Propose making rule more generic than just ipify
Propose making this detection more generic, cover more lookup services than just ipify
https://twitter.com/neonprimetime/status/1436376497980428318
2021-09-10 12:14:43 -05:00
frack113
0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
Thomas Patzke
143744bc12 Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
frack113
086a15fc45 Update global ID 2021-09-02 20:07:03 +02:00
frack113
5ad29cf0c2 fix Base backend doesn't support multiple conditions (29) 2021-08-29 09:03:50 +02:00
frack113
5b869a3f42 Update cve tags 2021-08-24 10:50:01 +02:00
frack113
679651bdf9
Merge pull request #1913 from neu5ron/add_zeek_dce_rpc_printnightmare_print_driver_install
Zeek DCE_RPC PrintNightmare
2021-08-24 08:37:02 +02:00
frack113
e76c11da7f
Merge pull request #1908 from neu5ron/patch-7
improve rule logic zeek_default_cobalt_strike_certificate.yml
2021-08-24 08:36:33 +02:00
frack113
293f422243
Merge pull request #1906 from neu5ron/patch-5
improve zeek_dce_rpc_smb_spoolss_named_pipe
2021-08-24 08:36:18 +02:00
frack113
81ec546e42
Merge pull request #1905 from neu5ron/patch-4
improve rule
2021-08-24 08:36:04 +02:00
frack113
15aa0cb70e
add modified 2021-08-24 08:02:24 +02:00
frack113
4ee4f12f30
add modified 2021-08-24 08:01:01 +02:00
frack113
8ab90d8012
add modified 2021-08-24 07:59:36 +02:00
frack113
be43ecd70d
Remove empty element in list
Otherwise you get a `null` when converting to some backends (es-rule, ...)
2021-08-24 07:57:16 +02:00
neu5ron
9e588fdcf6 Zeek dce_rpc.log Detection of print driver installs over RPC (i.e. possible PrintNightmare) using the three existing known RPC functions, as well as a few others "discussed" but not directly related to the PrintNightmare PoC or public post-compromise write-ups. 2021-08-24 00:58:36 -04:00
Nate Guagenti
b255586117
condition fix and add fields
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
Nate Guagenti
064d7b7b9f
improve rule logic zeek_default_cobalt_strike_certificate.yml
zeek logging for `certificate.serial` has all letters capitalized
2021-08-23 14:23:41 -04:00
Nate Guagenti
cfc32e5950
correct fields for zeek_rdp_public_listener.yml
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
Nate Guagenti
1819e4b02b
improve rule
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule. Rule said "first" seen, however, there is no logic that matches that (i.e. rare, stacking, etc.)
2021-08-23 14:12:50 -04:00
Nate Guagenti
feb7d0e187
Update zeek_dns_mining_pools.yml 2021-08-23 14:11:04 -04:00
Nate Guagenti
b00e1772b3
added logic and usage
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00
frack113
9d3a13b13e
cleanup 2021-08-23 19:04:01 +02:00
Nate Guagenti
4f8bd4a5a2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
try new uuid to pass check...
2021-08-23 11:24:22 -04:00
Nate Guagenti
6aea58b4d2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 2021-08-23 11:18:51 -04:00
Nate Guagenti
78c667fda1
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
shorten title
2021-08-23 11:15:30 -04:00
Nate Guagenti
96e77eb8db
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 2021-08-23 11:06:44 -04:00
SomeOne
295054dcbe Replace old MITRE techniques with new ones 2021-08-22 13:57:56 +02:00
frack113
07a87aa7f8
Merge pull request #1858 from frack113/fix_pr718
Replace pr718
2021-08-21 18:02:30 +02:00
frack113
3283664154 Update remove useless rules 2021-08-19 18:28:44 +02:00
frack113
f1a84536c3 update fix 2021-08-19 17:55:41 +02:00
Austin Songer
c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
frack113
c3457c9911 fix titles 2021-08-15 19:05:00 +02:00
frack113
245cb6d510 fix more errors 2021-08-15 18:55:44 +02:00
frack113
12396f615c remove duplicate rule and fix errors 2021-08-15 16:52:24 +02:00
frack113
a75859a976 First commit 2021-08-15 16:00:14 +02:00
frack113
db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113
fc64b8b937 Split PR 1802 fix net rules 2021-08-09 17:23:15 +02:00
Thomas Patzke
6d41d538b2 Title fixed 2021-07-11 09:25:33 +02:00
Thomas Patzke
8e010ec60c Added rule
From https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
which weren't already covered by other rules and can be expressed
in Sigma.
2021-07-08 07:59:40 +02:00
Florian Roth
685bd490f5
Merge pull request #1573 from d4rk-d4nph3/master
Added rule for default cobalt strike certificate
2021-06-25 12:16:31 +02:00
Bhabesh Rai
91cc97d099 Fixed the taxonomy 2021-06-24 21:07:52 +05:45
Bhabesh Rai
1ebbc6c1a3 Added rule for default cobalt strike certificate 2021-06-23 10:17:27 +05:45
frack113
a1bddf51e7 fix typo of falsepositives 2021-05-24 10:31:28 +02:00
Nate Guagenti
0bee1b006f
fix - add date 2021-05-08 21:37:25 -04:00
Nate Guagenti
4152199073
add netbios port exclusion
netbios - every defender's nightmare and the reality of FPs
2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set
The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although recently it has been used in DNSSEC, the value being set to anything other than 0 should be rare. Otherwise, if it is set to non-0 and DNSSEC is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
2021-05-04 18:13:08 -04:00
Florian Roth
4abebd98d9
Merge pull request #1418 from SigmaHQ/rule-devel
Fixing false positives with newest OSCD rules
2021-04-09 17:26:02 +02:00