valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,231 Commits 20 Branches 25 Tags 21 MiB
eb4300756e
Commit Graph

6231 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
c4ad770830
Merge pull request #1462 from SigmaHQ/rule-devel 
Rule devel
 2021-05-05 13:21:30 +02:00
Florian Roth
a9417b3f7b docs: better error highlighting 2021-05-05 12:59:13 +02:00
Florian Roth
7f65d5e943 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-05-05 12:56:27 +02:00
Florian Roth
8497c8a9e6 fix: linux keywords rule 2021-05-05 12:56:24 +02:00
Florian Roth
615a284de3
Merge pull request #1461 from d4rk-d4nph3/master 
Added rule for Pingback backdoor
 2021-05-05 12:42:27 +02:00
Florian Roth
0ca2d05247
revert changes to powershell backend 2021-05-05 12:26:59 +02:00
Florian Roth
44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00
Florian Roth
0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
Florian Roth
55c39122e3 Merge branch 'master' into rule-devel 2021-05-05 11:56:20 +02:00
Florian Roth
29f26e0ae0 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-05-05 11:55:52 +02:00
Florian Roth
15ab1d5e8b Create lnx_symlink_etc_passwd.yml 2021-05-05 11:55:49 +02:00
Bhabesh Rai
4529fbd1f3 Fixed too many spaces after hyphen error 2021-05-05 12:48:29 +05:45
Bhabesh Rai
1352f0b0a6 Added rule for Pingback backdoor 2021-05-05 12:37:50 +05:45
Nate Guagenti
4152199073
add netbios port exclusion 
netbios - every defenders nightmare and reality of FPs
 2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set 
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 2021-05-04 18:13:08 -04:00
John Connor McLaughlin
3926e2388f Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html 2021-05-04 15:23:47 -04:00
partyh4rd
5a98e36905
Update powershell_suspicious_getprocess_lsass.yml 
fix mitre_code 1552.004 -> 1003.001
 2021-05-04 14:04:52 +03:00
Florian Roth
451f25910d
Merge pull request #1430 from Scoubi/patch-1 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:56 +02:00
Florian Roth
de8386d553
Merge pull request #1429 from Scoubi/patch-2 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:50 +02:00
Florian Roth
4ad3316d74
Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 09:41:38 +02:00
Florian Roth
8973b573bd
Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml 2021-05-04 09:36:26 +02:00
Florian Roth
c877a9a68d
Merge pull request #1454 from ZikyHD/fix_sysmon_registry_persistence_search_order 
Fix sysmon registry persistence search order
 2021-05-04 09:31:16 +02:00
Florian Roth
ecb133f97d docs: extended authors of malicious pipe rule 2021-05-04 09:28:17 +02:00
Florian Roth
c6aeee958e rule: more named pipes by @blueteam0ps 2021-05-04 09:27:11 +02:00
Florian Roth
2f12c5c540 fix: too broad definition of *.log on linux 2021-05-03 17:04:55 +02:00
Florian Roth
a9c837659b backend: powershell: escape $ symbols in strings 2021-05-03 15:30:33 +02:00
Florian Roth
1758b69e3d
Merge pull request #1452 from gliptak/patch-1 
Bump requests to 2.25
 2021-05-03 14:11:16 +02:00
Florian Roth
6605d302cd fix: trying to fix pipenv issue 2021-05-03 13:05:21 +02:00
wagga40
cc13a5e3de Add a backend option to specify table name for SQL Backend 2021-05-02 14:39:41 +02:00
SomeOne
4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne
80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Gábor Lipták
10fb216c9a
Bump requests to 2.25 2021-04-30 12:03:27 -04:00
Florian Roth
ff50b5b659
Merge pull request #1451 from SigmaHQ/rule-devel 
Different FP filters
 2021-04-30 08:31:02 +02:00
Florian Roth
020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth
04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth
1bde7b3799
Merge pull request #1445 from blueteam0ps/patch-8 
Create win_lateral_movement
 2021-04-29 14:39:52 +02:00
Florian Roth
8af86fa97e
docs: change title and add references 2021-04-29 12:33:10 +02:00
Florian Roth
4b86d3f407
Merge pull request #1449 from SigmaHQ/rule-devel 
Rule devel
 2021-04-29 12:28:12 +02:00
Florian Roth
f2181e6779
Merge pull request #1448 from refractionPOINT/linux-platforms 
Add support for macOS rules and fix case sensitivity.
 2021-04-29 12:28:01 +02:00
Florian Roth
3e5f7aeb5e rule: PowerShell Cmdlet Defender Exclusions 2021-04-29 09:56:26 +02:00
Maxime Lamothe-Brassard
11982abec0 Add support for macOS rules and fix case sensitivity. 2021-04-28 16:49:59 -07:00
Florian Roth
6420224c1c
Merge pull request #1447 from secDre4mer/master 
chore: Revert log file changes for THOR sigma configuration
 2021-04-28 19:26:44 +02:00
Max Altgelt
7c8cca744f
chore: Revert log file changes for THOR sigma configuration 
Revert recent changes for Windows / Linux .log files for THOR
because of massive performance impacts.
 2021-04-28 17:48:17 +02:00
Florian Roth
544994dba1
Merge pull request #1446 from secDre4mer/master 
fix: Distinguish Windows and Linux logfiles by path separator
 2021-04-28 13:26:32 +02:00
Florian Roth
161180c357 refactor: extended shellshock rule 2021-04-28 11:47:24 +02:00
Florian Roth
47504fbd56 fix: shellshock expression 2021-04-28 11:46:49 +02:00
Max Altgelt
de2cedf213
fix: Distinguish Windows and Linux logfiles by path separator 
A previous commit added a log source detailing *.log files with
product: linux. This caused linux specific Sigma rules to apply to
all *.log file, including those on Windows. To distinguish these
cases, expand the file path pattern to include the typical start
for unix / windows paths ( / vs [A-Z]:\ )
 2021-04-28 11:45:19 +02:00
BlueTeamOps
59d23535ce
Update win_lateral_movement.yml 2021-04-27 23:03:03 +10:00
BlueTeamOps
793504dd6b
Rename win_lateral_movement to win_lateral_movement.yml 2021-04-27 22:59:52 +10:00
BlueTeamOps
f75ad98903
Create win_lateral_movement 
EID 4674 with the proposed attributes is very rare in prod environment. 
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
 2021-04-27 22:55:58 +10:00