SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00

Author	SHA1	Message	Date
Florian Roth	f328734274	Merge pull request #417 from Karneades/patch-2 improve(rule): add Empire links and userland match	2019-08-09 14:36:17 +02:00
Karneades	18bbec4bcd	improve(rule): add Empire links and userland match Add default task name and powershell task command to match what the rule name says: detects default config.	2019-08-09 11:58:43 +02:00
Florian Roth	4fcb52d098	fix: removed mmc susp rule due to many FPs	2019-08-07 14:26:15 +02:00
Florian Roth	abd233d66f	Merge pull request #415 from deralexxx/patch-1 Add Contribute section	2019-08-06 12:22:41 +02:00
Florian Roth	6513828cc1	Fix	2019-08-06 12:22:31 +02:00
Florian Roth	1fa2e59014	Extended contribution section	2019-08-06 12:22:03 +02:00
Alexander J	4d78b6c037	Add Contribute section As @Neo23x0 was writing in Twitter, more contribution is needed, so a Contribute section seems reasonable to tell people how they can contribute. https://twitter.com/cyb3rops/status/1158660279825252352	2019-08-06 11:36:54 +02:00
Florian Roth	f6fd1df6f4	Rule: separate Ryuk rule created for VBurovs strings	2019-08-06 10:33:46 +02:00
Florian Roth	a8b738e346	Merge pull request #380 from vburov/patch-5 Ryuk Ransomware commands from real case	2019-08-06 10:29:00 +02:00
Florian Roth	9c85d5e80f	Merge pull request #406 from tuckner/master Fix ala parsing issues	2019-08-06 10:28:07 +02:00
Florian Roth	ecf2a6be80	Merge pull request #413 from Karneades/patch-1 Fix small typos in file breaking-changes	2019-08-06 10:27:35 +02:00
Karneades	6617dee59a	Fix small typos in file breaking-changes	2019-08-06 09:57:00 +02:00
Thomas Patzke	940c36a4cd	Fixed build Missing package specification	2019-08-05 23:42:33 +02:00
Florian Roth	83841ea117	Merge pull request #411 from nikotin69/master compliance rules by SOC prime	2019-08-05 20:53:02 +02:00
Florian Roth	302ae9c5d0	Added level	2019-08-05 19:51:22 +02:00
Florian Roth	4dbf392562	Title, Level adjusted	2019-08-05 19:48:56 +02:00
Florian Roth	fdb9b351d0	Level to low	2019-08-05 19:48:21 +02:00
Florian Roth	317c0bd07a	Removed "Detects" keyword from title	2019-08-05 19:47:46 +02:00
Florian Roth	2af8cb0d0e	Update cleartext_protocols.yml	2019-08-05 19:47:03 +02:00
Florian Roth	b3780022d3	Merge pull request #412 from Karneades/mmc-rules Improve MMC rules: fix generic rule and add new rule for shell spawning	2019-08-05 19:46:31 +02:00
Florian Roth	c7ec45c0ff	Update workstation_was_locked.yml	2019-08-05 19:44:14 +02:00
Florian Roth	e64fcb32a2	Update group_modification_logging.yml	2019-08-05 19:43:59 +02:00
Florian Roth	5caf4f5f14	Update default_credentials_usage.yml	2019-08-05 19:43:46 +02:00
Florian Roth	10cc1de4c9	Fixed global rule syntax	2019-08-05 19:43:15 +02:00
Florian Roth	dcdd021dc6	Duplicate port 3306	2019-08-05 19:36:50 +02:00
Karneades	42e6c9149b	Remove unneeded event code	2019-08-05 19:13:39 +02:00
Karneades	0e3cc042f4	Add more exclusions to mmc process rule	2019-08-05 18:53:33 +02:00
Karneades	5caa951b8f	Add new rule for detecting MMC spawning a shell Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml. And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml.	2019-08-05 18:42:31 +02:00
nikotin	780d9223e6	compliance rules by SOC prime	2019-08-05 19:42:19 +03:00
Karneades	cfe44ad17d	Fix win_susp_mmc_source to match what title says Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.	2019-08-05 16:21:56 +02:00
Florian Roth	6a8adc72ac	rule: reworked vssadmin rule	2019-08-04 11:27:17 +02:00
Thomas Patzke	a65a9655f4	Fixed config naming in es-qs query backend test	2019-08-02 08:25:21 +02:00
Thomas Patzke	b8d3642c29	Merge branch 'master' of https://github.com/Neo23x0/sigma	2019-08-01 23:46:33 +02:00
Thomas Patzke	d5885686fc	Sigmatools release 0.12 * Value modifiers * Config name cleanup	2019-08-01 23:45:07 +02:00
Thomas Patzke	805c739611	Merge branch 'devel-modifiers'	2019-07-31 23:44:10 +02:00
Thomas Patzke	31c6ffcb61	No escaping for typed values	2019-07-31 23:43:29 +02:00
Florian Roth	d32fc2b2cf	fix: fixing rule win_cmstp_com_object_access https://github.com/Neo23x0/sigma/issues/408	2019-07-31 14:16:52 +02:00
Florian Roth	0657f29c99	Rule: reworked win_susp_powershell_enc_cmd	2019-07-30 14:36:30 +02:00
tuckner	8f2f1922c6	Merge pull request #1 from Neo23x0/master update fork	2019-07-27 21:27:52 -05:00
Florian Roth	9143e89f3e	Rule: renamed and reworked hacktool Ruler rule	2019-07-26 14:49:09 +02:00
Florian Roth	f3fb2b41b2	Rule: FP filters extended	2019-07-23 14:58:36 +02:00
Florian Roth	2c57b443e4	docs: modification date in rule	2019-07-17 09:21:35 +02:00
Florian Roth	de74eb4eb7	Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix Win susp dhcp config failed fix	2019-07-17 09:20:25 +02:00
Florian Roth	bf0179c0d5	Merge pull request #397 from neu5ron/patch-5 prevent EventID collision for dhcp	2019-07-17 09:17:05 +02:00
yugoslavskiy	e8b9a6500e	author string modified	2019-07-17 07:02:59 +03:00
yugoslavskiy	a295334355	win_susp_dhcp_config_failed fixed	2019-07-17 07:01:58 +03:00
Thomas Patzke	0ca15e5c5e	Added test case for value modifiers	2019-07-16 23:14:55 +02:00
Thomas Patzke	8a3117d73e	Nested list handling for chained value modifiers	2019-07-16 23:03:19 +02:00
Nate Guagenti	e2050404bc	prevent EventID collision for dhcp This prevents EventID collision for this rule with other sources/logs that share the same EventIDs. specifically a lot with Microsoft-Windows-Security-SPP	2019-07-16 15:30:52 -04:00
Thomas Patzke	6881967889	Further modifiers * base64 * base64offset	2019-07-16 00:00:35 +02:00

1 2 3 4 5 ...

1838 Commits