Commit Graph

3628 Commits

Author SHA1 Message Date
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Ömer Günal
0c3ce445da
Delete remote_copy.yml 2020-06-29 18:51:18 +03:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321
24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Christian Clauss
9dc3940c07
Fix undefined names in sigma2misp.py
create_new_event() -> create_new_event(args, misp) to fix:

flake8 testing of https://github.com/Neo23x0/sigma on Python 3.8.3

% flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
```
./tools/sigma/sigma2misp.py:11:16: F821 undefined name 'misp'
    if hasattr(misp, "new_event"):
               ^
./tools/sigma/sigma2misp.py:12:16: F821 undefined name 'misp'
        return misp.new_event(info=args.info)["Event"]["id"]
               ^
./tools/sigma/sigma2misp.py:12:36: F821 undefined name 'args'
        return misp.new_event(info=args.info)["Event"]["id"]
                                   ^
./tools/sigma/sigma2misp.py:14:13: F821 undefined name 'misp'
    event = misp.MISPEvent()
            ^
./tools/sigma/sigma2misp.py:15:18: F821 undefined name 'args'
    event.info = args.info
                 ^
./tools/sigma/sigma2misp.py:16:12: F821 undefined name 'misp'
    return misp.add_event(event)["Event"]["id"]
           ^
6     F821 undefined name 'misp'
6
```
2020-06-28 07:02:41 +02:00
Thomas Patzke
0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00
Thomas Patzke
89ed9f3763
Merge pull request #819 from cclauss/patch-2
Undefined name: from .exceptions import SigmaCollectionParseError
2020-06-28 00:37:09 +02:00
Thomas Patzke
4309082d6b
Merge pull request #818 from cclauss/patch-1
Undefined name: parser_print_help() --> parser.print_help()
2020-06-28 00:34:27 +02:00
Thomas Patzke
09378b5ebf Fixed unsupported attempt to index a set 2020-06-28 00:27:33 +02:00
Thomas Patzke
415f826ece Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop 2020-06-28 00:09:39 +02:00
Thomas Patzke
b1e4f44c21
Merge pull request #823 from Kuermel/master
Add more Options for XPackWatcherBackend (Elasticsearch)
2020-06-28 00:03:04 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master
Split rules based on Sysmon event ID
2020-06-28 00:00:32 +02:00
Thomas Patzke
de5e453e19
Merge pull request #831 from 404d/cbr-backend-tweaks
Add parentheses around field list groups in CB
2020-06-27 23:39:57 +02:00
Pushkarev Dmitry
502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth
555c94bd7e
Merge pull request #861 from jaegeral/patch-4
s/straight forward/straightforward
2020-06-26 15:40:09 +02:00
Alexander J
839e06e37a
s/straight forward/straightforward
Fix a typo.
2020-06-26 12:40:06 +02:00
Florian Roth
da46ff6e93 docs: descriptions for source configs 2020-06-25 13:59:51 +02:00
Florian Roth
825bda397d desc: better descriptions in help for backends and configurations 2020-06-25 13:21:43 +02:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
07c0a6558e fix: wording on sysmon mapping file 2020-06-24 17:49:42 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel
fix: duplicate IDs
2020-06-24 17:23:13 +02:00
Florian Roth
6d7f991424
Merge pull request #853 from rtkbkish/fix-win_ad_object_writedac_access
Fix quoting for AD Object WriteDAC Access
2020-06-24 17:06:15 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69 Fix quoting for AD Object WriteDAC Access
The AccessMask field needs to be quoted so that it is compared correctly.
2020-06-22 15:31:03 -04:00
Ömer Günal
4eb97ec43d
Update lnx_file_copy.yml 2020-06-22 21:35:50 +03:00
Florian Roth
e2a16087c9
Merge pull request #851 from ozirus/master
Update for new method
2020-06-22 20:11:39 +02:00
Furkan ÇALIŞKAN
b091e3b1c4
Update for new method
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
2020-06-22 01:06:34 +03:00
Ömer Günal
d17e0ae6eb
typo 2020-06-20 23:04:52 +03:00
Florian Roth
1ef81a36af
Merge pull request #850 from Neo23x0/rule-devel
K3chang and IE Registry Mods
2020-06-19 11:25:43 +02:00
Florian Roth
912ad94771 fix: missing ATT&CK id in tests 2020-06-19 10:00:44 +02:00
Florian Roth
e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth
62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth
5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth
b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth
da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Florian Roth
b675c4c706 Merge branch 'master' into rule-devel 2020-06-19 09:24:26 +02:00
Ömer Günal
93719d8a01
Merge pull request #1 from omergunal/omergunal-patch-1
Remote file copy
2020-06-18 23:56:29 +03:00
Ömer Günal
40a07a2d4f
Delete lnx_sudo_enumeration.yml 2020-06-18 23:55:24 +03:00
Ömer Günal
d87b0c95a4
Delete lnx_trap.yml 2020-06-18 23:55:16 +03:00
Ömer Günal
8db7c3207a
Delete lnx_sudo_caching.yml 2020-06-18 23:54:43 +03:00
Ömer Günal
5bc72b6cba
Delete lnx_space_after_filename.yml 2020-06-18 23:54:28 +03:00
Ömer Günal
f10440b9fa
Delete lnx_setuid_setgid.yml 2020-06-18 23:54:20 +03:00
Ömer Günal
6c8d104e7d
Delete lnx_disabling_security_tools.yml 2020-06-18 23:54:06 +03:00
Ömer Günal
84c4683607
Delete lnx_connection_proxy.yml 2020-06-18 23:53:43 +03:00
Ömer Günal
c4a1e853bc
Remote file copy 2020-06-18 23:47:53 +03:00
Ömer Günal
c6c455a3ec
Remote file copy 2020-06-18 23:37:49 +03:00
Brad Kish
203aa192c7 Fix multiple references to default field mapping in same rule
If there is a default mapping specified for a fieldmapping and that field is
referenced multiple times in the rule, the default mapping will be "pop"ped
and return the unmapped key on subsequent uses.

Don't pop the value. Just return the first entry.
2020-06-18 13:01:31 -04:00