valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,360 Commits 20 Branches 25 Tags 21 MiB
eb98f0ba28
Commit Graph

4360 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
ab408750ac
Merge pull request #1314 from Neo23x0/rule-devel 
rule: Lazarus activity
 2020-12-30 13:27:38 +01:00
Florian Roth
9ecaeb715f
Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock 
Fix missing product mouse lock
 2020-12-30 13:27:20 +01:00
Florian Roth
15f5efc9c4
Merge pull request #1322 from maravedi/patch-1 
Update sumologic.yml
 2020-12-29 17:59:13 +01:00
Florian Roth
126a17a276
Merge pull request #1323 from ZikyHD/master 
Typo on field name
 2020-12-29 15:39:36 +01:00
ZikyHD
8a6b182fee
Update win_susp_adfind.yml 2020-12-29 14:41:46 +01:00
ZikyHD
ece829bb25
Update win_susp_adfind.yml 
Typo on field name
 2020-12-29 14:40:36 +01:00
maravedi
fa6f75f07e
Update sumologic.yml 
The commit from vihreb on October 6, 2020 (51df5ad876) removed some items from the allowed fields list for the sumologic backend (51df5ad876/tools/sigma/backends/sumologic.py (L161)) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."

I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.

Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
 2020-12-28 16:46:32 -05:00
Florian Roth
0a83f91386
Merge pull request #1321 from d4rk-d4nph3/master 
Fixed typo in file format
 2020-12-28 09:13:48 +01:00
Bhabesh Rai
bf77c8266a Fixed typo in file format 2020-12-28 11:46:02 +05:45
Florian Roth
896fc21911
Merge pull request #1320 from d4rk-d4nph3/master 
Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass
 2020-12-27 20:37:36 +01:00
Florian Roth
a6212a4490
style: some minor style changes 2020-12-27 20:06:19 +01:00
Bhabesh Rai
1cfad987b0 Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass 2020-12-27 17:34:49 +05:45
Florian Roth
43033ab874
Update win_susp_emotet_rudll32_execution.yml 2020-12-25 09:05:55 +01:00
Tran Trung Hieu
d551b88d5c Edit title convention 2020-12-25 14:21:26 +07:00
Tran Trung Hieu
4297e68704 Detect Emotet DLL loading by looking rundll32.exe 2020-12-25 14:09:40 +07:00
Daniel Masse
fedda17231 Update the azure image_load rule to be a generic sysmon rule 2020-12-23 16:29:49 -05:00
Daniel Masse
bf539fd1fe Revert "Fix bug changing the logsource service to category" 
This reverts commit 0f51e53d0e.
 2020-12-23 15:50:49 -05:00
Daniel Masse
71ea5c7437 Add missing product in logsource 2020-12-23 15:45:00 -05:00
Daniel Masse
0f51e53d0e Fix bug changing the logsource service to category 2020-12-23 15:12:31 -05:00
Daniel Masse
e4c052154d Remove unneeded file 2020-12-23 14:30:24 -05:00
Daniel Masse
d2edf715f2 Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00
Florian Roth
dedc34e91a fix: typos and description 2020-12-23 14:46:08 +01:00
Florian Roth
cdc29dfbe8 rule: Lazarus activity 2020-12-23 14:43:32 +01:00
Florian Roth
821af35557
Merge pull request #1313 from Neo23x0/rule-devel 
Rule devel
 2020-12-23 13:57:11 +01:00
Florian Roth
7286d01f78 fix: typo in rule 2020-12-23 13:26:44 +01:00
Florian Roth
80aa398392 rule: Lazarus group loaders 2020-12-23 13:25:16 +01:00
Florian Roth
e67d17a967 rule: improved solarwinds webshell rule 2020-12-22 10:36:34 +01:00
Florian Roth
f20f346a6a
Merge pull request #1264 from omkar72/sdev-1 
Adding 2 rules - Conhost & office test registry persistence
 2020-12-21 18:28:59 +01:00
Florian Roth
f46c590d91
Merge pull request #1288 from 0xtf/patch-1 
add SIEGMA and S2AN
 2020-12-21 18:27:52 +01:00
Florian Roth
a314b54f93
docs: fix typo 2020-12-21 18:27:43 +01:00
Florian Roth
e78d7e6aee
Merge pull request #1296 from mat-gas/fix-references 
fix "references" field + add test for references in plural form
 2020-12-21 18:25:35 +01:00
Florian Roth
377454cb31
Merge pull request #1299 from tjgeorgen/patch-1 
ATT&CK subtechnique tag updates
 2020-12-21 18:24:00 +01:00
Florian Roth
35ab80b39e
Merge pull request #1306 from d4rk-d4nph3/master 
Added rule for Impacket's PsExec execution
 2020-12-21 18:23:41 +01:00
Florian Roth
1bb249c6ec
Merge pull request #1312 from Neo23x0/rule-devel 
rule: Solarwinds SUPERNOVA web shell access
 2020-12-21 11:30:56 +01:00
Florian Roth
9c8e1387a9 rule: Solarwinds SUPERNOVA web shell access 2020-12-17 09:05:08 +01:00
k-vdv
6744770768 functionality for parameter logsourcemerging 2020-12-15 09:23:49 +01:00
k-vdv
7e6f01f611 elasticsearch backend: new parameter and fields support 2020-12-14 16:07:09 +01:00
Bhabesh Rai
0a7e95954e Fix for fail build 2020-12-14 12:55:08 +05:45
Bhabesh Rai
63fb31882e Added rule for Impacket's PsExec execution 2020-12-14 12:48:26 +05:45
Florian Roth
80e1a5e7eb
Merge pull request #1292 from toffeebr33k/master 
Create 2 new rules on AWS Privilege Escalation and AWS Enumeration
 2020-12-13 19:06:44 +01:00
Florian Roth
1b0aaf62c3
Merge pull request #1266 from omkar72/ryuk 
modifying couple of rules
 2020-12-13 19:05:54 +01:00
Florian Roth
e2ade077ed
Merge pull request #1275 from bczyz1/patch-3 
update win_apt_slingshot.yml
 2020-12-13 19:04:47 +01:00
Florian Roth
d1f7a206b9
Merge pull request #1289 from weslambert/master 
Fix typo
 2020-12-13 19:04:07 +01:00
Florian Roth
9f70bcab23
Merge pull request #1300 from shilch/master 
Add sigmac flag to delimit results by NUL instead of \n
 2020-12-13 19:03:27 +01:00
Florian Roth
5197f21ed1 fix: duplicate ID 2020-12-13 18:59:04 +01:00
Florian Roth
c6eadea9d9
Merge pull request #1304 from hieuttmmo/master 
Detects suspicious shell spawn from MSSQL process, this might be sigh…
 2020-12-11 18:40:27 +01:00
Florian Roth
612008a4d8
fix identation 2020-12-11 18:40:17 +01:00
Tran Trung Hieu
edc79a8bb6 Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection 2020-12-11 15:17:23 +07:00
Florian Roth
cfe60d180b
Merge pull request #1301 from d4rk-d4nph3/master 
Added rule for Fortinet CVE-2018-13379 preauth file read exploitation.
 2020-12-08 11:09:51 +01:00
Florian Roth
b6d62b7a21
Merge pull request #1302 from Neo23x0/rule-devel 
TA505 Dropper, minor fix in PowerShell Rule
 2020-12-08 10:40:07 +01:00