valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,366 Commits 20 Branches 25 Tags 21 MiB
e5f36dd146
Commit Graph

3366 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Steven Goossens
e5f36dd146 Added rules files split into folders 2020-06-10 16:32:30 +02:00
Steven Goossens
423baafa2a Added rules for different sysmon categories and added the category definition 2020-06-10 15:02:15 +02:00
Florian Roth
565febd39d README updated 2020-06-09 23:25:09 +02:00
Florian Roth
51f28271a5
Merge pull request #824 from neu5ron/sigmacs 
Sigmacs
 2020-06-09 23:15:50 +02:00
Nate Guagenti
2b735494cd Merge branch 'master' of https://github.com/Neo23x0/sigma into sigmacs 2020-06-09 16:54:02 -04:00
Nate Guagenti
f4fe425fa7 update readme for some analyzed field and keyword field examples 2020-06-09 16:53:50 -04:00
Florian Roth
5c835cf1f2
Merge pull request #813 from ozirus/patch-1 
Create sysmon_apt_muddywater_dnstunnel.yml
 2020-06-09 18:44:45 +02:00
Florian Roth
7a334a8d8a
fix: missed line 2020-06-09 17:30:54 +02:00
Florian Roth
04913a4b95
Aligned indentation 2020-06-09 17:20:25 +02:00
Florian Roth
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud 
TA410 FlowCloud malware detection
 2020-06-09 17:18:39 +02:00
Florian Roth
ad5c0a6cf3
Merge pull request #821 from NVISO-BE/win_mal_octopus_scanner 
Octopus Scanner malware rule
 2020-06-09 17:18:04 +02:00
Remco Hofman
a9bf22750a Fixed bad indentation 2020-06-09 16:30:17 +02:00
Remco Hofman
4ce3ea735e TA410 FlowCloud malware detection 2020-06-09 16:21:46 +02:00
Remco Hofman
d14d391761 Octopus Scanner malware rule 2020-06-09 16:12:05 +02:00
Nate Guagenti
117ceac492 moved file to ecs-zeek-elastic-beats-implementation.yml 2020-06-09 08:56:01 -04:00
Nate Guagenti
ad9ada7a44 Merge branch 'master' of https://github.com/Neo23x0/sigma into sigmacs 
 Conflicts:
	tools/sigma/backends/mdatp.py
 2020-06-07 11:51:17 -04:00
Florian Roth
94b90adf10 docs: move Sigmac help from Wiki to repo 2020-06-07 12:18:37 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel 
merged Cyb3rWarD0g's rules
 2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel 
Rule devel
 2020-06-06 14:19:37 +02:00
Florian Roth
3697186281 fix: fixed title 2020-06-06 14:04:40 +02:00
Florian Roth
246a95557b fix: description over multiple lines 2020-06-06 13:56:48 +02:00
Florian Roth
d54209dcc5 rule: ETW disabled 2020-06-06 13:56:19 +02:00
Thomas Patzke
7d70cd95a4 Deduplicated backend list 2020-06-06 01:03:02 +02:00
Thomas Patzke
fb9855bd3b Added description to es-rule backend 2020-06-06 01:02:44 +02:00
Thomas Patzke
1d211565fc Moved backend options list to --backend-help 2020-06-06 00:56:00 +02:00
Thomas Patzke
c992dc5215 Improved test coverage 2020-06-05 23:33:51 +02:00
Thomas Patzke
5d88d97c73 Merge branch 'improvements/improved_mdatp_mappings' of https://github.com/wietze/sigma into wietze-improvements/improved_mdatp_mappings 2020-06-05 23:03:52 +02:00
Nate Guagenti
55beecac28 Squashed commit of the following: 
commit d97d2ced82
Merge: 022d73f8 84dd8c39
Author: Florian Roth <venom14@gmail.com>
Date:   Wed Jun 3 15:53:55 2020 +0200

    Merge pull request #725 from WilliamBruneau/fix_null_list

    Move null values out from list in rules

commit 84dd8c39c4
Author: William Bruneau <william.bruneau@epfedu.fr>
Date:   Tue May 5 09:04:47 2020 +0200

    Move null values out from list in rules

commit 022d73f842
Merge: 0cbc099d 4ed51201
Author: Florian Roth <venom14@gmail.com>
Date:   Wed Jun 3 10:48:05 2020 +0200

    Merge pull request #811 from svnscha/fix/field-TargetFileName-to-TargetFilename

    All Rules use 'TargetFilename' instead of 'TargetFileName'.

commit 4ed512011a
Author: Sven Scharmentke <sven@vastlimits.com>
Date:   Wed Jun 3 09:00:59 2020 +0200

    All Rules use 'TargetFilename' instead of 'TargetFileName'.

    This commit fixes the incorrect spelling.

commit 0cbc099def
Merge: 74e16fdc 3a6ac5bd
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 30 09:31:45 2020 +0200

    Merge pull request #807 from forensicanalysis/master

    Add sqlite backend

commit 3a6ac5bd5c
Author: Jonas Plum <git@cugu.eu>
Date:   Sat May 30 01:57:06 2020 +0200

    Remove unused function

commit 5cc82d0f05
Author: Jonas Plum <git@cugu.eu>
Date:   Sat May 30 00:56:06 2020 +0200

    Move testcase

commit 4a8ab88ade
Author: Jonas Plum <git@cugu.eu>
Date:   Sat May 30 00:15:38 2020 +0200

    Fix test path

commit 70935d26ce
Author: Jonas Plum <git@cugu.eu>
Date:   Fri May 29 23:56:05 2020 +0200

    Add license header

commit 74e16fdccd
Merge: e20b58c4 537bda44
Author: Florian Roth <venom14@gmail.com>
Date:   Fri May 29 17:32:43 2020 +0200

    Merge pull request #803 from gamma37/clear_cmd_history

    Edit Clear Command History

commit e20b58c421
Merge: 7f2fa05e a00f7f19
Author: Florian Roth <venom14@gmail.com>
Date:   Fri May 29 17:32:27 2020 +0200

    Merge pull request #806 from SanWieb/sysmon_creation_system_file

    Fixed wrong field & Improve rule

commit a00f7f19a1
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Fri May 29 16:25:54 2020 +0200

    Add tagg Endswith

    Prevent the trigger of {}.exe.log

commit 38afd8b5de
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Thu May 28 21:52:17 2020 +0200

    Fixed wrong field

commit 7f2fa05ed3
Merge: ec313b6c 39b41b55
Author: Florian Roth <venom14@gmail.com>
Date:   Thu May 28 11:16:44 2020 +0200

    Merge pull request #802 from Neo23x0/rule-devel

    ComRAT and KazuarRAT

commit 537bda4417
Author: gamma37 <marie.euler@polytechnique.edu>
Date:   Thu May 28 10:56:35 2020 +0200

    Update lnx_shell_clear_cmd_history.yml

commit 5a48934822
Author: gamma37 <marie.euler@polytechnique.edu>
Date:   Thu May 28 10:52:17 2020 +0200

    Edit Clear Command History

    I suggest a new point of view to detect that bash_history has been cleared : Instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.

commit 39b41b5582
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Thu May 28 10:13:38 2020 +0200

    rule: moved DebugView rule to process creation category

commit 76dcc1a16f
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Thu May 28 09:22:25 2020 +0200

    rule: renamed debugview

commit ec313b6c8a
Merge: 5bb6770f d44fc43c
Author: Florian Roth <venom14@gmail.com>
Date:   Wed May 27 08:49:20 2020 +0200

    Merge pull request #801 from SanWieb/sysmon_creation_system_file

    Rule: sysmon_creation_system_file

commit d44fc43c54
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Tue May 26 19:10:11 2020 +0200

    Add extension

commit f6ec724d51
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Tue May 26 18:53:54 2020 +0200

    Rule: sysmon_creation_system_file

commit 5bb6770f53
Merge: 0b398c5b 3681b8cb
Author: Florian Roth <venom14@gmail.com>
Date:   Tue May 26 14:28:47 2020 +0200

    Merge pull request #800 from SanWieb/win_system_exe_anomaly

    Extended Windows processes: win_system_exe_anomaly

commit 4ca81b896d
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Tue May 26 14:19:22 2020 +0200

    rule: Turla ComRAT report

commit 3681b8cb56
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Tue May 26 13:56:51 2020 +0200

    Extended Windows processes

commit 0b398c5bf0
Merge: c1f47875 b648998f
Author: Florian Roth <venom14@gmail.com>
Date:   Tue May 26 13:31:57 2020 +0200

    Merge pull request #798 from Neo23x0/rule-devel

    rule: confluence exploit CVE-2019-3398 & Turla ComRAT

commit c1f4787566
Merge: ce1f4634 48c5f2ed
Author: Florian Roth <venom14@gmail.com>
Date:   Tue May 26 13:21:04 2020 +0200

    Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048

    Changes to sysmon_cve-2020-1048

commit ce1f46346f
Merge: e131f347 1a598282
Author: Florian Roth <venom14@gmail.com>
Date:   Tue May 26 13:20:40 2020 +0200

    Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access

    Add 'Add-Content' to powershell_ntfs_ads_access

commit e131f3476e
Merge: 30861b55 7037e775
Author: Florian Roth <venom14@gmail.com>
Date:   Tue May 26 13:20:23 2020 +0200

    Merge pull request #796 from EccoTheFlintstone/fp

    add more false positives

commit 30861b558c
Merge: a962bd1b f9f814f3
Author: Florian Roth <venom14@gmail.com>
Date:   Tue May 26 13:20:07 2020 +0200

    Merge pull request #799 from SanWieb/susp_file_characteristics

    Susp file characteristics: Reduce FP of legitime processes

commit b648998fd0
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Tue May 26 13:18:50 2020 +0200

    rule: Turla ComRAT

commit f9f814f3b3
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Tue May 26 13:06:27 2020 +0200

    Shortened title

commit a241792e10
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Tue May 26 12:58:15 2020 +0200

    Reduce FP of legitime processes

    A lot of Windows apps does not have any file characteristics. Some examples:
    - Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
    - YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

    All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

    Python 2.7, 3.3 and 3.7 does not have any file characteristics.

    So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml

commit cdf1ade625
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Tue May 26 12:27:16 2020 +0200

    fix: typo in selection

commit 91b4ee8d56
Merge: 4cd7c39e a962bd1b
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Tue May 26 12:24:21 2020 +0200

    Merge pull request #2 from Neo23x0/master

    Update repository

commit 828484d7c6
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Tue May 26 12:09:41 2020 +0200

    rule: confluence exploit CVE-2019-3398

commit 48c5f2ed09
Author: Remco Hofman <rhofman@nviso.be>
Date:   Tue May 26 11:20:21 2020 +0200

    Update to  sysmon_cve-2020-1048
    Added .com executables to detection
    Second TargetObject should have been Details

commit abf1a2c6d7
Author: Jonas Hagg <joy.hagg@web.de>
Date:   Mon May 25 10:54:16 2020 +0200

    Adjusted Makefile

commit dedfb65d63
Author: Jonas Hagg <joy.hagg@web.de>
Date:   Mon May 25 10:44:14 2020 +0200

    Implemented Aggregation for SQL, Added SQLite FullTextSearch

commit 7037e77569
Author: ecco <none@none.com>
Date:   Mon May 25 04:50:22 2020 -0400

    add more FP

commit a962bd1bc1
Merge: 0afe0623 d510e1aa
Author: Florian Roth <venom14@gmail.com>
Date:   Mon May 25 10:48:36 2020 +0200

    Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source

    Fix 'source' value for win_susp_backup_delete

commit 0afe0623af
Merge: 92d0aa86 beb62dc1
Author: Florian Roth <venom14@gmail.com>
Date:   Mon May 25 10:47:23 2020 +0200

    Merge pull request #757 from tliffick/master

    added rule for Blue Mockingbird (cryptominer)

commit 92d0aa8654
Merge: 0dda757c 6fcf3f9e
Author: Florian Roth <venom14@gmail.com>
Date:   Mon May 25 10:46:39 2020 +0200

    Merge pull request #795 from SanWieb/Rule-improvement-Netsh-program-allowed

    Rule improvement: netsh Application or Port allowed

commit 6fcf3f9ebf
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Mon May 25 10:13:26 2020 +0200

    Update win_netsh_fw_add.yml

commit 28652e4648
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Mon May 25 10:02:13 2020 +0200

    Add Windows Server 2008 and Windows Vista support

    It did not support the command `netsh advfirewall firewall add`

commit 2678cd1d3e
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Mon May 25 09:50:47 2020 +0200

    Create win_netsh_fw_add_susp_image.yml

    More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check.

    Combined the following rules for the suspicious locations:
    https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
    https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
    https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml

commit 4cd7c39e9d
Merge: 6fbfa9df 0dda757c
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Mon May 25 08:48:16 2020 +0200

    Merge pull request #1 from Neo23x0/master

    Update repository

commit 0dda757ca5
Merge: 40f0beb5 daf7ab5f
Author: Thomas Patzke <thomas@patzke.org>
Date:   Sun May 24 22:58:58 2020 +0200

    Merge branch 'socprime-master'

commit daf7ab5ff7
Author: Thomas Patzke <thomas@patzke.org>
Date:   Sun May 24 22:41:38 2020 +0200

    Cleanup: removal of corelight_* backends

commit d45f8e19fe
Author: Thomas Patzke <thomas@patzke.org>
Date:   Sun May 24 21:46:55 2020 +0200

    Fixes

commit 32e4998c49
Author: Thomas Patzke <thomas@patzke.org>
Date:   Sun May 24 21:45:37 2020 +0200

    Removed dead code from ALA backend.

commit 24b08bbf30
Merge: 96fae4be e8b956f5
Author: Thomas Patzke <thomas@patzke.org>
Date:   Sun May 24 17:06:32 2020 +0200

    Merge branch 'master' of https://github.com/socprime/sigma into socprime-master

commit 40f0beb58d
Merge: 6fbfa9df b8ee736f
Author: Florian Roth <venom14@gmail.com>
Date:   Sun May 24 16:30:10 2020 +0200

    Merge pull request #794 from SanWieb/update_susp_run_key

    Remove AppData folder as suspicious folder

commit b8ee736f44
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Sun May 24 15:16:07 2020 +0200

    Remove AppData folder as suspicious folder

    A lot of software is using the AppData folder for startup keys. Some examples:
    - Microsoft Teams (\AppData\Local\Microsoft\Teams)
    - Resilio (\AppData\Roaming\Resilio Sync\)
    - Discord ( (\AppData\Local\Discord\)
    - Spotify ( (\AppData\Roaming\Spotify\)

    Too many to whitelist them all

commit 6fbfa9dfdd
Merge: d0da2810 3028a270
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 23:47:12 2020 +0200

    Merge pull request #793 from Neo23x0/rule-devel

    Esentutl rule and StrongPity Loader UA

commit f970d28f10
Author: ecco <none@none.com>
Date:   Sat May 23 15:06:15 2020 -0400

    add more false positives

commit 3028a27055
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Sat May 23 18:32:02 2020 +0200

    fix: buggy rule

commit df715386b6
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Sat May 23 18:27:36 2020 +0200

    rule: suspicious esentutl use

commit d0da2810c1
Merge: 8321cc7e 67faf4bd
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 18:13:16 2020 +0200

    Merge pull request #792 from EccoTheFlintstone/fff

    fix FP + remove powershell rule redundant with sysmon_in_memory_power…

commit 8321cc7ee1
Merge: 9cd9a301 e1a05dfc
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 18:11:32 2020 +0200

    Merge pull request #772 from gamma37/suspicious_activities

    Create a rule for "suspicious activities"

commit d1a5471d21
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Sat May 23 17:38:10 2020 +0200

    rule: Strong Pity loader UA

commit 67faf4bd41
Author: ecco <none@none.com>
Date:   Sat May 23 10:56:23 2020 -0400

    fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml

commit 9cd9a301c2
Merge: ee1ca77f d310805e
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 16:50:31 2020 +0200

    Merge pull request #791 from SanWieb/master

    added rule for Netsh RDP port opening

commit e1a05dfc1c
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 16:49:03 2020 +0200

    Update lnx_auditd_susp_C2_commands.yml

commit ee1ca77fad
Merge: 895c8470 cbf06b1e
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 16:47:46 2020 +0200

    Merge pull request #771 from gamma37/new_rules

    Create a new rule to detect "Create Account"

commit 895c84703f
Merge: 12e1aeaf 327a53c1
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 16:47:01 2020 +0200

    Merge pull request #790 from EccoTheFlintstone/fp_fix

    fix false positive matching on every powershell process not run by SY…

commit 327a53c120
Author: ecco <none@none.com>
Date:   Sat May 23 10:25:37 2020 -0400

    add new test for sysmon rules without eventid

commit 10ca3006f5
Author: ecco <none@none.com>
Date:   Sat May 23 10:07:55 2020 -0400

    move rule where needed

commit 2b89e56054
Author: ecco <none@none.com>
Date:   Sat May 23 10:03:13 2020 -0400

    fix test

commit d9bc09c38c
Author: ecco <none@none.com>
Date:   Sat May 23 10:02:58 2020 -0400

    fix test

commit 78a7852a43
Author: ecco <none@none.com>
Date:   Sat May 23 09:16:40 2020 -0400

    renamed dbghelp rule with new ID and comment and removed a false positive

commit d310805ed9
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date:   Sat May 23 14:19:52 2020 +0200

    rule: Netsh RDP port opening

commit 75ba5f989c
Author: ecco <none@none.com>
Date:   Sat May 23 07:44:45 2020 -0400

    add 1 more FP to wmi load

commit 9a7f462d79
Author: ecco <none@none.com>
Date:   Sat May 23 07:17:56 2020 -0400

    move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)

commit cfde0625f5
Author: ecco <none@none.com>
Date:   Sat May 23 07:05:09 2020 -0400

    fix false positive matching on every powershell process not run by SYSTEM account

commit 12e1aeaf9f
Merge: 46f3a70a 34006d07
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 09:54:43 2020 +0200

    Merge pull request #788 from Neo23x0/rule-devel

    refactor: split up rule for CVE-2020-1048 into 2 rules

commit 46f3a70a7d
Merge: 96fae4be ec17c2ab
Author: Florian Roth <venom14@gmail.com>
Date:   Sat May 23 09:54:28 2020 +0200

    Merge pull request #786 from EccoTheFlintstone/perf_fix

    various rules cleaning (slight perf improvements)

commit 34006d0794
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Sat May 23 09:16:19 2020 +0200

    refactor: simplified and extended expression in CVE-2020-1048 rule

commit 57c8e63acd
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Sat May 23 09:09:58 2020 +0200

    refactore: split up rule for CVE-2020-1048 into 2 rules

commit ec17c2ab56
Author: ecco <none@none.com>
Date:   Fri May 22 10:37:00 2020 -0400

    filter on createkey only when needed

commit 96fae4be68
Author: Thomas Patzke <thomas@patzke.org>
Date:   Fri May 22 00:50:37 2020 +0200

    Added CrachMapExec rules

commit 64e0e7ca72
Merge: bbf78374 91c4c4ec
Author: Florian Roth <venom14@gmail.com>
Date:   Thu May 21 14:19:09 2020 +0200

    Merge pull request #784 from Neo23x0/rule-devel

    refactor: slightly improved Greenbug rule

commit 91c4c4ecc5
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Thu May 21 13:38:11 2020 +0200

    refactor: slightly improved Greenbug rule

commit bbf78374b6
Merge: 8d9b706d 9a3b6c1c
Author: Florian Roth <venom14@gmail.com>
Date:   Thu May 21 09:55:46 2020 +0200

    Merge pull request #783 from Neo23x0/rule-devel

    Greenbug Rule

commit 9a3b6c1c77
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Thu May 21 09:44:11 2020 +0200

    docs: added MITRE ATT&CK group tag

commit 344eb713c5
Author: Florian Roth <florian.roth@nextron-systems.com>
Date:   Thu May 21 09:39:57 2020 +0200

    rule: Greenbug campaign

commit 8d9b706d6a
Merge: e7980bb4 06abd6e7
Author: Thomas Patzke <thomas@patzke.org>
Date:   Wed May 20 19:11:56 2020 +0200

    Merge pull request #727 from 3CORESec/master

    Override Features

commit e7980bb434
Merge: af92a5bd 8963c0a6
Author: Florian Roth <venom14@gmail.com>
Date:   Wed May 20 12:55:41 2020 +0200

    Merge pull request #782 from ZikyHD/patch-1

    Remove duplicate 'CommandLine' in fields

commit af92a5bd2c
Merge: 04dfe6c5 9ab65cd1
Author: Florian Roth <venom14@gmail.com>
Date:   Wed May 20 12:55:29 2020 +0200

    Merge pull request #780 from tatsu-i/master

    Null field check to eliminate false positives

commit 8963c0a65e
Author: ZikyHD <ZikyHD@users.noreply.github.com>
Date:   Wed May 20 11:54:47 2020 +0200

    Remove duplicate 'CommandLine' in fields

commit e8b956f575
Author: vh <vh@socprime.com>
Date:   Wed May 20 12:35:00 2020 +0300

    Updated config

commit 9ab65cd1c7
Author: Florian Roth <venom14@gmail.com>
Date:   Tue May 19 14:50:22 2020 +0200

    Update win_alert_ad_user_backdoors.yml

commit 04dfe6c5fc
Merge: df75bdd3 9e272d37
Author: Thomas Patzke <thomas@patzke.org>
Date:   Tue May 19 13:18:40 2020 +0200

    Merge pull request #778 from neu5ron/sigmacs

    SIGMACs: Winlogbeat & Zeek

commit df75bdd3b6
Merge: 4446c4cd 7c3dea22
Author: Florian Roth <venom14@gmail.com>
Date:   Tue May 19 13:10:56 2020 +0200

    Merge pull request #779 from neu5ron/rules

    Rules: Zeek

commit 7c3dea22b8
Author: neu5ron <>
Date:   Tue May 19 05:13:48 2020 -0400

    small T, big T

commit dd382848b4
Merge: 602c8917 e975d3fd
Author: neu5ron <>
Date:   Tue May 19 05:09:05 2020 -0400

    Merge remote-tracking branch 'neu5ron-sigma/rules' into rules

commit 602c8917ef
Author: neu5ron <>
Date:   Tue May 19 04:41:08 2020 -0400

    domain user enumeration via zeek rpc (dce_rpc) log.

commit c815773b1a
Author: Tatsuya Ito <t_ito@cyberdefense.jp>
Date:   Tue May 19 18:05:51 2020 +0900

    enhancement rule

commit 49f68a327a
Author: Tatsuya Ito <t_ito@cyberdefense.jp>
Date:   Tue May 19 18:00:50 2020 +0900

    enhancement rule

commit e975d3fd14
Author: neu5ron <>
Date:   Tue May 19 04:41:08 2020 -0400

    domain user enumeration via zeek rpc (dce_rpc) log.

commit effb2a8337
Author: neu5ron <>
Date:   Tue May 19 04:41:00 2020 -0400

    add exe webdav download

commit 858ebcd3d3
Author: neu5ron <>
Date:   Tue May 19 04:35:47 2020 -0400

    author typo update

commit 2fc8d513d6
Author: neu5ron <>
Date:   Tue May 19 04:35:30 2020 -0400

    zeek, swap `path` and `name`

commit 0dd089db47
Author: ecco <none@none.com>
Date:   Mon May 18 20:29:53 2020 -0400

    various rules cleaning

commit 71c507d8a9
Author: gamma37 <marie.euler@polytechnique.edu>
Date:   Mon May 18 11:34:53 2020 +0200

    remove space bedore colon

commit 55eec46932
Author: gamma37 <marie.euler@polytechnique.edu>
Date:   Mon May 18 11:25:18 2020 +0200

    Create a rule for "suspicious activities"

commit cbf06b1e43
Author: gamma37 <marie.euler@polytechnique.edu>
Date:   Mon May 18 10:11:32 2020 +0200

    lowercased tag

commit 904716771a
Author: gamma37 <marie.euler@polytechnique.edu>
Date:   Mon May 18 10:03:34 2020 +0200

    Create a new rule to detect "Create Account"

commit beb62dc163
Author: Florian Roth <venom14@gmail.com>
Date:   Fri May 15 12:06:34 2020 +0200

    fix: condition location

commit 28dc2a2267
Author: Florian Roth <venom14@gmail.com>
Date:   Fri May 15 11:33:36 2020 +0200

    Minor changes

    hints:
    - contains doesn't require wildcards in the strings
    - we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
    - we can use "1 of them" to say that 1 of the conditions has to match

commit 40ab1b7247
Author: Trent Liffick <trent.liffick@outlook.com>
Date:   Thu May 14 23:33:08 2020 -0400

    added 'action: global'

commit 56a2747a70
Author: Trent Liffick <trent.liffick@outlook.com>
Date:   Thu May 14 23:18:33 2020 -0400

    Corrected missing condition

    learning! fail fast & forward

commit fb1d8d7a76
Author: Trent Liffick <trent.liffick@outlook.com>
Date:   Thu May 14 23:04:14 2020 -0400

    Corrected typo

commit 8aff6b412e
Author: Trent Liffick <trent.liffick@outlook.com>
Date:   Thu May 14 22:58:23 2020 -0400

    added rule for Blue Mockingbird (cryptominer)

commit 06abd6e76a
Author: Tiago Faria <tiago.faria.backups@gmail.com>
Date:   Thu May 14 14:03:23 2020 +0100

    added ci tests for ecs-cloudtrail

commit 2893becf8c
Merge: 31ad8187 133319c4
Author: Tiago Faria <tiago.faria.backups@gmail.com>
Date:   Thu May 14 14:02:20 2020 +0100

    Merge remote-tracking branch 'upstream/master'

commit 1a598282f4
Author: zaphod <18658828+zaphodef@users.noreply.github.com>
Date:   Wed May 13 11:57:10 2020 +0200

    Add 'Add-Content' to powershell_ntfs_ads_access

commit d510e1aad4
Author: zaphod <18658828+zaphodef@users.noreply.github.com>
Date:   Mon May 11 18:31:59 2020 +0200

    Fix 'source' value for win_susp_backup_delete

commit fb9c5841f4
Author: vh <vh@socprime.com>
Date:   Fri May 8 13:41:52 2020 +0300

    Added Humio, Crowdstrike, Corelight

commit 31ad81874f
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Tue May 5 11:32:18 2020 +0100

    capitalized titles

    corrected capitalization of titles and removed literals from config

commit aa175a7d5b
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Mon May 4 18:02:27 2020 +0100

    wip

    wip

commit dd9e128a15
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Mon May 4 17:35:12 2020 +0100

    kibana target update

    kibana target now compatible with overrides

commit b32093e734
Merge: b3194e66 d298bb57
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Mon May 4 17:26:51 2020 +0100

    Merge remote-tracking branch 'upstream/master'
    Keeping up with the sigmas.

commit b3194e66c4
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Mon May 4 16:37:36 2020 +0100

    Update base.py

commit dd85467a27
Author: Tiago Faria <tiago.faria.backups@gmail.com>
Date:   Sat May 2 00:13:55 2020 +0100

    Update aws_ec2_vm_export_failure.yml

commit bc0a2c7ab9
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Fri May 1 19:20:05 2020 +0100

    wip

    wip

commit 98391f985a
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Thu Apr 30 15:19:38 2020 +0100

    wip

    wip

commit adcc3766e3
Merge: 81422444 dfdb5b95
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Thu Apr 30 15:08:25 2020 +0100

    Merge branch 'master' of https://github.com/3CORESec/sigma

commit 8142244449
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Thu Apr 30 15:08:20 2020 +0100

    wip

    wip

commit dfdb5b9550
Author: Tiago Faria <tiago.faria.backups@gmail.com>
Date:   Wed Apr 29 23:59:26 2020 +0100

    better description and event.outcome

commit ac4a2b1f26
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Wed Apr 29 22:55:46 2020 +0100

    wip

    wip

commit 9ce84a38e5
Author: pdr9rc <pedro.gracio@3coresec.com>
Date:   Wed Apr 29 20:36:45 2020 +0100

    overrides section support + one example rule + cloudtrail config

    ditto
 2020-06-05 13:18:03 -04:00
Florian Roth
2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN
082696ee84
Added UUID 2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN
e958a6a939
Date added 2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN
5e373153eb
Title fix 2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN
0744107fbb
Deleted EventID part 2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN
1c677aa172
Fix title as in guideline 
Fix title error as in guideline and other cosmetic changes
 2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN
bafd6bde5f
Convert to process_creation 
Convert to process_creation
 2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN
09afae1e66
Create sysmon_apt_muddywater_dnstunnel.yml 
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 2020-06-04 14:27:19 +03:00
Florian Roth
d97d2ced82
Merge pull request #725 from WilliamBruneau/fix_null_list 
Move null values out from list in rules
 2020-06-03 15:53:55 +02:00
William Bruneau
84dd8c39c4 Move null values out from list in rules 2020-06-03 13:57:22 +02:00
Florian Roth
022d73f842
Merge pull request #811 from svnscha/fix/field-TargetFileName-to-TargetFilename 
All Rules use 'TargetFilename' instead of 'TargetFileName'.
 2020-06-03 10:48:05 +02:00
Sven Scharmentke
4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'. 
This commit fixes the incorrect spelling.
 2020-06-03 09:00:59 +02:00
Florian Roth
0cbc099def
Merge pull request #807 from forensicanalysis/master 
Add sqlite backend
 2020-05-30 09:31:45 +02:00
Jonas Plum
3a6ac5bd5c Remove unused function 2020-05-30 01:57:06 +02:00
Jonas Plum
5cc82d0f05 Move testcase 2020-05-30 00:56:06 +02:00
Jonas Plum
4a8ab88ade Fix test path 2020-05-30 00:15:38 +02:00
Jonas Plum
70935d26ce Add license header 2020-05-29 23:56:05 +02:00
Florian Roth
74e16fdccd
Merge pull request #803 from gamma37/clear_cmd_history 
Edit Clear Command History
 2020-05-29 17:32:43 +02:00
Florian Roth
e20b58c421
Merge pull request #806 from SanWieb/sysmon_creation_system_file 
Fixed wrong field & Improve rule
 2020-05-29 17:32:27 +02:00
Sander Wiebing
a00f7f19a1
Add tagg Endswith 
Prevent the trigger of {}.exe.log
 2020-05-29 16:25:54 +02:00
Sander Wiebing
38afd8b5de
Fixed wrong field 2020-05-28 21:52:17 +02:00