Thomas Patzke
9d3232cf90
Merge pull request #424 from import-au/master
Support for Malicious cmdlets in ATP
2019-08-23 22:57:06 +02:00
Florian Roth
cc01f76e99
docs: minor changes
2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe
rule: renamed powershell
2019-08-22 14:22:55 +02:00
agold
0984293d0c
Support for Malicious cmdlets in ATP
2019-08-20 14:33:08 -07:00
Florian Roth
1bfe925f6b
Merge pull request #422 from EccoTheFlintstone/master
Windows process suspicious parents: filter NULL values to remove false positives
2019-08-20 11:59:16 +02:00
ecco
d0a24f4409
filter NULL values to remove false positives
2019-08-20 05:10:41 -04:00
Thomas Patzke
50874c2323
Merge pull request #420 from svent/improve_qradar_backend
Improve qradar backend
2019-08-13 08:38:16 +02:00
svent
1ea6d00a39
Fix QRadar field name escaping and handling
2019-08-12 23:47:43 +02:00
svent
826c1e3942
Fix QRadar backend config
2019-08-12 23:47:43 +02:00
Thomas Patzke
e1b1db8cca
Merge pull request #416 from NVISO-BE/es-dsl-wildcard-fix
Correctly escape slashes within es-dsl wildcard queries (issue #387)
2019-08-11 23:19:59 +02:00
Thomas Patzke
2f97300ea2
Pipenv packaging
2019-08-09 14:43:29 +02:00
Florian Roth
f328734274
Merge pull request #417 from Karneades/patch-2
improve(rule): add Empire links and userland match
2019-08-09 14:36:17 +02:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match
Add default task name and powershell task command to match what the rule name says: detects default config.
2019-08-09 11:58:43 +02:00
Florian Roth
4fcb52d098
fix: removed mmc susp rule due to many FPs
2019-08-07 14:26:15 +02:00
Michiel Meersmans
0708fdd28e
Correctly escape slashes within es-dsl wildcard queries
2019-08-07 12:56:19 +02:00
Florian Roth
abd233d66f
Merge pull request #415 from deralexxx/patch-1
Add Contribute section
2019-08-06 12:22:41 +02:00
Florian Roth
6513828cc1
Fix
2019-08-06 12:22:31 +02:00
Florian Roth
1fa2e59014
Extended contribution section
2019-08-06 12:22:03 +02:00
Alexander J
4d78b6c037
Add Contribute section
As @Neo23x0 was writing on Twitter, more contributions are needed, so a Contribute section seems reasonable to tell people how they can contribute.
https://twitter.com/cyb3rops/status/1158660279825252352
2019-08-06 11:36:54 +02:00
Florian Roth
f6fd1df6f4
Rule: separate Ryuk rule created for VBurov's strings
2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5
Ryuk Ransomware commands from real case
2019-08-06 10:29:00 +02:00
Florian Roth
9c85d5e80f
Merge pull request #406 from tuckner/master
Fix ala parsing issues
2019-08-06 10:28:07 +02:00
Florian Roth
ecf2a6be80
Merge pull request #413 from Karneades/patch-1
Fix small typos in file breaking-changes
2019-08-06 10:27:35 +02:00
Karneades
6617dee59a
Fix small typos in file breaking-changes
2019-08-06 09:57:00 +02:00
Thomas Patzke
940c36a4cd
Fixed build
Missing package specification
2019-08-05 23:42:33 +02:00
Florian Roth
83841ea117
Merge pull request #411 from nikotin69/master
compliance rules by SOC prime
2019-08-05 20:53:02 +02:00
Florian Roth
302ae9c5d0
Added level
2019-08-05 19:51:22 +02:00
Florian Roth
4dbf392562
Title, Level adjusted
2019-08-05 19:48:56 +02:00
Florian Roth
fdb9b351d0
Level to low
2019-08-05 19:48:21 +02:00
Florian Roth
317c0bd07a
Removed "Detects" keyword from title
2019-08-05 19:47:46 +02:00
Florian Roth
2af8cb0d0e
Update cleartext_protocols.yml
2019-08-05 19:47:03 +02:00
Florian Roth
b3780022d3
Merge pull request #412 from Karneades/mmc-rules
Improve MMC rules: fix generic rule and add new rule for shell spawning
2019-08-05 19:46:31 +02:00
Florian Roth
c7ec45c0ff
Update workstation_was_locked.yml
2019-08-05 19:44:14 +02:00
Florian Roth
e64fcb32a2
Update group_modification_logging.yml
2019-08-05 19:43:59 +02:00
Florian Roth
5caf4f5f14
Update default_credentials_usage.yml
2019-08-05 19:43:46 +02:00
Florian Roth
10cc1de4c9
Fixed global rule syntax
2019-08-05 19:43:15 +02:00
Florian Roth
dcdd021dc6
Duplicate port 3306
2019-08-05 19:36:50 +02:00
Karneades
42e6c9149b
Remove unneeded event code
2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule
2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell
Add (analogous to win_mshta_spawn_shell.yml) a dedicated rule for detecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml . And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml .
2019-08-05 18:42:31 +02:00
nikotin
780d9223e6
compliance rules by SOC prime
2019-08-05 19:42:19 +03:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what the title says
Remove the cmd.exe filter to match what the title and rule say: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac
rule: reworked vssadmin rule
2019-08-04 11:27:17 +02:00
Thomas Patzke
a65a9655f4
Fixed config naming in es-qs query backend test
2019-08-02 08:25:21 +02:00
Thomas Patzke
b8d3642c29
Merge branch 'master' of https://github.com/Neo23x0/sigma
2019-08-01 23:46:33 +02:00
Thomas Patzke
d5885686fc
Sigmatools release 0.12
* Value modifiers
* Config name cleanup
2019-08-01 23:45:07 +02:00
Thomas Patzke
805c739611
Merge branch 'devel-modifiers'
2019-07-31 23:44:10 +02:00
Thomas Patzke
31c6ffcb61
No escaping for typed values
2019-07-31 23:43:29 +02:00
Florian Roth
d32fc2b2cf
fix: fixing rule win_cmstp_com_object_access
https://github.com/Neo23x0/sigma/issues/408
2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99
Rule: reworked win_susp_powershell_enc_cmd
2019-07-30 14:36:30 +02:00