yugoslavskiy
57947fbd39
Merge pull request #1044 from omergunal/patch-1
[OSCD] Linux - Install Root Certificate
2021-01-05 22:56:18 +03:00
yugoslavskiy
733277d490
Merge pull request #1248 from oscd-initiative/oscd_art_macos_task_28_T1083
[OSCD] ART sync, test T1083: File and Directory Discovery (macOS)
2021-01-05 22:55:40 +03:00
yugoslavskiy
f825003690
Merge pull request #1239 from alx1m1k/oscd-4
[OSCD] T1529: System Shutdown/Reboot - Lin/macOS
2021-01-05 22:55:14 +03:00
Florian Roth
40e0e3bc99
Merge pull request #1193 from w0rk3r/oscd_rules_improvement
[OSCD] Windows Rules - Review for improvements on selections and logic
2020-12-31 12:10:15 +01:00
Thomas Patzke
789dfb3f47
Merge pull request #1291 from lprat/fix_issue_1285
fix issue 1285
2020-12-30 23:06:38 +01:00
Thomas Patzke
9b4c1662b0
Merge pull request #1240 from alx1m1k/oscd-5
[OSCD] T1070.006: File Time Attribute Change - Lin/macOS
2020-12-30 23:00:54 +01:00
Thomas Patzke
1dcc56a0b0
Merge pull request #1241 from alx1m1k/oscd-6
[OSCD] T1552.001: Credentials In Files - Lin/macOS
2020-12-30 22:59:49 +01:00
Thomas Patzke
e0f7dc125c
Merge pull request #1244 from oscd-initiative/oscd_art_macos_task_3_T1027
[OSCD] ART sync, test T1027: Obfuscated Files or Information (macOS)
2020-12-30 22:58:26 +01:00
Thomas Patzke
810485993a
Merge pull request #1245 from oscd-initiative/oscd_art_linux_task_4_T1027
[OSCD] ART sync, test T1027: Obfuscated Files or Information (Linux)
2020-12-30 22:57:59 +01:00
Thomas Patzke
aa5396cb9f
Merge pull request #1246 from oscd-initiative/oscd_art_macos_task_14_T1049
[OSCD] ART sync, test T1049: System Network Connections Discovery (macOS)
2020-12-30 22:57:29 +01:00
Thomas Patzke
fb9698345b
Merge pull request #1247 from oscd-initiative/oscd_art_linux_task_8__T1049
[OSCD] ART sync, test T1049: System Network Connections Discovery (Linux)
2020-12-30 22:57:11 +01:00
Thomas Patzke
675d93ee3d
Replaced string comparison with isinstance
2020-12-30 22:50:13 +01:00
Thomas Patzke
6a7991ee96
Merge pull request #1250 from oscd-initiative/oscd_art_macos_task_41_T1518.001
[OSCD] ART sync, test T1518.001: Security Software Discovery (macOS)
2020-12-30 22:41:18 +01:00
Thomas Patzke
a88c853237
Merge pull request #1251 from oscd-initiative/oscd_art_linux_task_26_T1518.001
[OSCD] ART sync, test T1518.001: Security Software Discovery (Linux)
2020-12-30 22:40:32 +01:00
Thomas Patzke
436fd37655
Merge pull request #1252 from oscd-initiative/oscd_art_macos_task_55_T1553.001
[OSCD] ART sync, test T1553.001: Gatekeeper Bypass (macOS)
2020-12-30 22:39:36 +01:00
Thomas Patzke
5de952d488
Merge pull request #1253 from oscd-initiative/oscd_art_macos_task_60_T1562.001
[OSCD] ART sync, test T1562.001: Disable or Modify Tools (macOS)
2020-12-30 22:39:15 +01:00
Thomas Patzke
e223d34a6e
Merge pull request #1257 from alejandroortuno/service-scanning
[OSCD] Network Service Scanning
2020-12-30 22:35:47 +01:00
Thomas Patzke
5c03c4d4ec
Merge pull request #1258 from alejandroortuno/applescript
[OSCD] macOS AppleScript
2020-12-30 22:31:30 +01:00
Thomas Patzke
06c168d9b2
Merge pull request #1259 from alejandroortuno/firewall
[OSCD] Firewall Disable (Linux)
2020-12-30 22:30:41 +01:00
Thomas Patzke
1bb0963784
Moved set_size option to class where it's used
2020-12-30 22:25:57 +01:00
Thomas Patzke
ac55c7fdd4
Merge branch 'elasticsearch_backend' of https://github.com/WuerthIT/sigma into pr-1308
2020-12-30 22:18:13 +01:00
Florian Roth
ab408750ac
Merge pull request #1314 from Neo23x0/rule-devel
rule: Lazarus activity
2020-12-30 13:27:38 +01:00
Florian Roth
9ecaeb715f
Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock
Fix missing product mouse lock
2020-12-30 13:27:20 +01:00
Florian Roth
15f5efc9c4
Merge pull request #1322 from maravedi/patch-1
Update sumologic.yml
2020-12-29 17:59:13 +01:00
Florian Roth
126a17a276
Merge pull request #1323 from ZikyHD/master
Typo on field name
2020-12-29 15:39:36 +01:00
ZikyHD
8a6b182fee
Update win_susp_adfind.yml
2020-12-29 14:41:46 +01:00
ZikyHD
ece829bb25
Update win_susp_adfind.yml
Typo on field name
2020-12-29 14:40:36 +01:00
maravedi
fa6f75f07e
Update sumologic.yml
The commit from vihreb on October 6, 2020 (51df5ad876) removed some items from the allowed fields list for the sumologic backend (51df5ad876/tools/sigma/backends/sumologic.py (L161)) with the expectation that they are included in the sumologic config; however, the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."
I suspect that this change in the behavior of the backend was made to accommodate the new sumologic-cse config, which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.
Note: In the config, I did not include those fields that are presently hard-coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since, from what I can tell, the syntax that vihreb added to the sumologic backend, "_sourceName", is actually correct.
2020-12-28 16:46:32 -05:00
Florian Roth
0a83f91386
Merge pull request #1321 from d4rk-d4nph3/master
Fixed typo in file format
2020-12-28 09:13:48 +01:00
Bhabesh Rai
bf77c8266a
Fixed typo in file format
2020-12-28 11:46:02 +05:45
Florian Roth
896fc21911
Merge pull request #1320 from d4rk-d4nph3/master
Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass
2020-12-27 20:37:36 +01:00
Florian Roth
a6212a4490
style: some minor style changes
2020-12-27 20:06:19 +01:00
Bhabesh Rai
1cfad987b0
Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass
2020-12-27 17:34:49 +05:45
Florian Roth
43033ab874
Update win_susp_emotet_rudll32_execution.yml
2020-12-25 09:05:55 +01:00
Tran Trung Hieu
d551b88d5c
Edit title convention
2020-12-25 14:21:26 +07:00
Tran Trung Hieu
4297e68704
Detect Emotet DLL loading by looking at rundll32.exe
2020-12-25 14:09:40 +07:00
Daniel Masse
fedda17231
Update the azure image_load rule to be a generic sysmon rule
2020-12-23 16:29:49 -05:00
Daniel Masse
bf539fd1fe
Revert "Fix bug changing the logsource service to category"
This reverts commit 0f51e53d0e.
2020-12-23 15:50:49 -05:00
Daniel Masse
71ea5c7437
Add missing product in logsource
2020-12-23 15:45:00 -05:00
Daniel Masse
0f51e53d0e
Fix bug changing the logsource service to category
2020-12-23 15:12:31 -05:00
Daniel Masse
e4c052154d
Remove unneeded file
2020-12-23 14:30:24 -05:00
Daniel Masse
d2edf715f2
Split up cmstp rule into 3 separate rules and remove duplicates
2020-12-23 12:17:39 -05:00
Florian Roth
dedc34e91a
fix: typos and description
2020-12-23 14:46:08 +01:00
Florian Roth
cdc29dfbe8
rule: Lazarus activity
2020-12-23 14:43:32 +01:00
Florian Roth
821af35557
Merge pull request #1313 from Neo23x0/rule-devel
Rule devel
2020-12-23 13:57:11 +01:00
Florian Roth
7286d01f78
fix: typo in rule
2020-12-23 13:26:44 +01:00
Florian Roth
80aa398392
rule: Lazarus group loaders
2020-12-23 13:25:16 +01:00
Florian Roth
e67d17a967
rule: improved solarwinds webshell rule
2020-12-22 10:36:34 +01:00
Florian Roth
c3f891beab
Merge pull request #1286 from V3T0/v3t0_oscd_lolbas_runonce_susp_persistence_
[OSCD] Added a rule to detect potential persistence using registry keys
2020-12-21 18:33:17 +01:00
Florian Roth
7954684fbf
Merge pull request #1260 from alejandroortuno/remote-system-discovery
[OSCD] Remote System Discovery
2020-12-21 18:32:08 +01:00