mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-09 02:26:48 +00:00
55beecac28
commitd97d2ced82
Merge:022d73f8
84dd8c39
Author: Florian Roth <venom14@gmail.com> Date: Wed Jun 3 15:53:55 2020 +0200 Merge pull request #725 from WilliamBruneau/fix_null_list Move null values out from list in rules commit84dd8c39c4
Author: William Bruneau <william.bruneau@epfedu.fr> Date: Tue May 5 09:04:47 2020 +0200 Move null values out from list in rules commit022d73f842
Merge:0cbc099d
4ed51201
Author: Florian Roth <venom14@gmail.com> Date: Wed Jun 3 10:48:05 2020 +0200 Merge pull request #811 from svnscha/fix/field-TargetFileName-to-TargetFilename All Rules use 'TargetFilename' instead of 'TargetFileName'. commit4ed512011a
Author: Sven Scharmentke <sven@vastlimits.com> Date: Wed Jun 3 09:00:59 2020 +0200 All Rules use 'TargetFilename' instead of 'TargetFileName'. This commit fixes the incorrect spelling. commit0cbc099def
Merge:74e16fdc
3a6ac5bd
Author: Florian Roth <venom14@gmail.com> Date: Sat May 30 09:31:45 2020 +0200 Merge pull request #807 from forensicanalysis/master Add sqlite backend commit3a6ac5bd5c
Author: Jonas Plum <git@cugu.eu> Date: Sat May 30 01:57:06 2020 +0200 Remove unused function commit5cc82d0f05
Author: Jonas Plum <git@cugu.eu> Date: Sat May 30 00:56:06 2020 +0200 Move testcase commit4a8ab88ade
Author: Jonas Plum <git@cugu.eu> Date: Sat May 30 00:15:38 2020 +0200 Fix test path commit70935d26ce
Author: Jonas Plum <git@cugu.eu> Date: Fri May 29 23:56:05 2020 +0200 Add license header commit74e16fdccd
Merge:e20b58c4
537bda44
Author: Florian Roth <venom14@gmail.com> Date: Fri May 29 17:32:43 2020 +0200 Merge pull request #803 from gamma37/clear_cmd_history Edit Clear Command History commite20b58c421
Merge:7f2fa05e
a00f7f19
Author: Florian Roth <venom14@gmail.com> Date: Fri May 29 17:32:27 2020 +0200 Merge pull request #806 from SanWieb/sysmon_creation_system_file Fixed wrong field & Improve rule commita00f7f19a1
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Fri May 29 16:25:54 2020 +0200 Add tagg Endswith Prevent the trigger of {}.exe.log commit38afd8b5de
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Thu May 28 21:52:17 2020 +0200 Fixed wrong field commit7f2fa05ed3
Merge:ec313b6c
39b41b55
Author: Florian Roth <venom14@gmail.com> Date: Thu May 28 11:16:44 2020 +0200 Merge pull request #802 from Neo23x0/rule-devel ComRAT and KazuarRAT commit537bda4417
Author: gamma37 <marie.euler@polytechnique.edu> Date: Thu May 28 10:56:35 2020 +0200 Update lnx_shell_clear_cmd_history.yml commit5a48934822
Author: gamma37 <marie.euler@polytechnique.edu> Date: Thu May 28 10:52:17 2020 +0200 Edit Clear Command History I suggest a new point of view to detect that bash_history has been cleared : Instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line. commit39b41b5582
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 28 10:13:38 2020 +0200 rule: moved DebugView rule to process creation category commit76dcc1a16f
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 28 09:22:25 2020 +0200 rule: renamed debugview commitec313b6c8a
Merge:5bb6770f
d44fc43c
Author: Florian Roth <venom14@gmail.com> Date: Wed May 27 08:49:20 2020 +0200 Merge pull request #801 from SanWieb/sysmon_creation_system_file Rule: sysmon_creation_system_file commitd44fc43c54
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 19:10:11 2020 +0200 Add extension commitf6ec724d51
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 18:53:54 2020 +0200 Rule: sysmon_creation_system_file commit5bb6770f53
Merge:0b398c5b
3681b8cb
Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 14:28:47 2020 +0200 Merge pull request #800 from SanWieb/win_system_exe_anomaly Extended Windows processes: win_system_exe_anomaly commit4ca81b896d
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Tue May 26 14:19:22 2020 +0200 rule: Turla ComRAT report commit3681b8cb56
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 13:56:51 2020 +0200 Extended Windows processes commit0b398c5bf0
Merge:c1f47875
b648998f
Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:31:57 2020 +0200 Merge pull request #798 from Neo23x0/rule-devel rule: confluence exploit CVE-2019-3398 & Turla ComRAT commitc1f4787566
Merge:ce1f4634
48c5f2ed
Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:21:04 2020 +0200 Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048 Changes to sysmon_cve-2020-1048 commitce1f46346f
Merge:e131f347
1a598282
Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:20:40 2020 +0200 Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access Add 'Add-Content' to powershell_ntfs_ads_access commite131f3476e
Merge:30861b55
7037e775
Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:20:23 2020 +0200 Merge pull request #796 from EccoTheFlintstone/fp add more false positives commit30861b558c
Merge:a962bd1b
f9f814f3
Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:20:07 2020 +0200 Merge pull request #799 from SanWieb/susp_file_characteristics Susp file characteristics: Reduce FP of legitime processes commitb648998fd0
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Tue May 26 13:18:50 2020 +0200 rule: Turla ComRAT commitf9f814f3b3
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 13:06:27 2020 +0200 Shortened title commita241792e10
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 12:58:15 2020 +0200 Reduce FP of legitime processes A lot of Windows apps does not have any file characteristics. Some examples: - Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe - YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company. Python 2.7, 3.3 and 3.7 does not have any file characteristics. So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml commitcdf1ade625
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Tue May 26 12:27:16 2020 +0200 fix: typo in selection commit91b4ee8d56
Merge:4cd7c39e
a962bd1b
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 12:24:21 2020 +0200 Merge pull request #2 from Neo23x0/master Update repository commit828484d7c6
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Tue May 26 12:09:41 2020 +0200 rule: confluence exploit CVE-2019-3398 commit48c5f2ed09
Author: Remco Hofman <rhofman@nviso.be> Date: Tue May 26 11:20:21 2020 +0200 Update to sysmon_cve-2020-1048 Added .com executables to detection Second TargetObject should have been Details commitabf1a2c6d7
Author: Jonas Hagg <joy.hagg@web.de> Date: Mon May 25 10:54:16 2020 +0200 Adjusted Makefile commitdedfb65d63
Author: Jonas Hagg <joy.hagg@web.de> Date: Mon May 25 10:44:14 2020 +0200 Implemented Aggregation for SQL, Added SQLite FullTextSearch commit7037e77569
Author: ecco <none@none.com> Date: Mon May 25 04:50:22 2020 -0400 add more FP commita962bd1bc1
Merge:0afe0623
d510e1aa
Author: Florian Roth <venom14@gmail.com> Date: Mon May 25 10:48:36 2020 +0200 Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source Fix 'source' value for win_susp_backup_delete commit0afe0623af
Merge:92d0aa86
beb62dc1
Author: Florian Roth <venom14@gmail.com> Date: Mon May 25 10:47:23 2020 +0200 Merge pull request #757 from tliffick/master added rule for Blue Mockingbird (cryptominer) commit92d0aa8654
Merge:0dda757c
6fcf3f9e
Author: Florian Roth <venom14@gmail.com> Date: Mon May 25 10:46:39 2020 +0200 Merge pull request #795 from SanWieb/Rule-improvement-Netsh-program-allowed Rule improvement: netsh Application or Port allowed commit6fcf3f9ebf
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Mon May 25 10:13:26 2020 +0200 Update win_netsh_fw_add.yml commit28652e4648
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Mon May 25 10:02:13 2020 +0200 Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` commit2678cd1d3e
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Mon May 25 09:50:47 2020 +0200 Create win_netsh_fw_add_susp_image.yml More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. Combined the following rules for the suspicious locations: https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml commit4cd7c39e9d
Merge:6fbfa9df
0dda757c
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Mon May 25 08:48:16 2020 +0200 Merge pull request #1 from Neo23x0/master Update repository commit0dda757ca5
Merge:40f0beb5
daf7ab5f
Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 22:58:58 2020 +0200 Merge branch 'socprime-master' commitdaf7ab5ff7
Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 22:41:38 2020 +0200 Cleanup: removal of corelight_* backends commitd45f8e19fe
Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 21:46:55 2020 +0200 Fixes commit32e4998c49
Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 21:45:37 2020 +0200 Removed dead code from ALA backend. commit24b08bbf30
Merge:96fae4be
e8b956f5
Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 17:06:32 2020 +0200 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master commit40f0beb58d
Merge:6fbfa9df
b8ee736f
Author: Florian Roth <venom14@gmail.com> Date: Sun May 24 16:30:10 2020 +0200 Merge pull request #794 from SanWieb/update_susp_run_key Remove AppData folder as suspicious folder commitb8ee736f44
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Sun May 24 15:16:07 2020 +0200 Remove AppData folder as suspicious folder A lot of software is using the AppData folder for startup keys. Some examples: - Microsoft Teams (\AppData\Local\Microsoft\Teams) - Resilio (\AppData\Roaming\Resilio Sync\) - Discord ( (\AppData\Local\Discord\) - Spotify ( (\AppData\Roaming\Spotify\) Too many to whitelist them all commit6fbfa9dfdd
Merge:d0da2810
3028a270
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 23:47:12 2020 +0200 Merge pull request #793 from Neo23x0/rule-devel Esentutl rule and StrongPity Loader UA commitf970d28f10
Author: ecco <none@none.com> Date: Sat May 23 15:06:15 2020 -0400 add more false positives commit3028a27055
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 18:32:02 2020 +0200 fix: buggy rule commitdf715386b6
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 18:27:36 2020 +0200 rule: suspicious esentutl use commitd0da2810c1
Merge:8321cc7e
67faf4bd
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 18:13:16 2020 +0200 Merge pull request #792 from EccoTheFlintstone/fff fix FP + remove powershell rule redundant with sysmon_in_memory_power… commit8321cc7ee1
Merge:9cd9a301
e1a05dfc
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 18:11:32 2020 +0200 Merge pull request #772 from gamma37/suspicious_activities Create a rule for "suspicious activities" commitd1a5471d21
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 17:38:10 2020 +0200 rule: Strong Pity loader UA commit67faf4bd41
Author: ecco <none@none.com> Date: Sat May 23 10:56:23 2020 -0400 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml commit9cd9a301c2
Merge:ee1ca77f
d310805e
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 16:50:31 2020 +0200 Merge pull request #791 from SanWieb/master added rule for Netsh RDP port opening commite1a05dfc1c
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 16:49:03 2020 +0200 Update lnx_auditd_susp_C2_commands.yml commitee1ca77fad
Merge:895c8470
cbf06b1e
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 16:47:46 2020 +0200 Merge pull request #771 from gamma37/new_rules Create a new rule to detect "Create Account" commit895c84703f
Merge:12e1aeaf
327a53c1
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 16:47:01 2020 +0200 Merge pull request #790 from EccoTheFlintstone/fp_fix fix false positive matching on every powershell process not run by SY… commit327a53c120
Author: ecco <none@none.com> Date: Sat May 23 10:25:37 2020 -0400 add new test for sysmon rules without eventid commit10ca3006f5
Author: ecco <none@none.com> Date: Sat May 23 10:07:55 2020 -0400 move rule where needed commit2b89e56054
Author: ecco <none@none.com> Date: Sat May 23 10:03:13 2020 -0400 fix test commitd9bc09c38c
Author: ecco <none@none.com> Date: Sat May 23 10:02:58 2020 -0400 fix test commit78a7852a43
Author: ecco <none@none.com> Date: Sat May 23 09:16:40 2020 -0400 renamed dbghelp rule with new ID and comment and removed a false positive commitd310805ed9
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Sat May 23 14:19:52 2020 +0200 rule: Netsh RDP port opening commit75ba5f989c
Author: ecco <none@none.com> Date: Sat May 23 07:44:45 2020 -0400 add 1 more FP to wmi load commit9a7f462d79
Author: ecco <none@none.com> Date: Sat May 23 07:17:56 2020 -0400 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) commitcfde0625f5
Author: ecco <none@none.com> Date: Sat May 23 07:05:09 2020 -0400 fix false positive matching on every powershell process not run by SYSTEM account commit12e1aeaf9f
Merge:46f3a70a
34006d07
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 09:54:43 2020 +0200 Merge pull request #788 from Neo23x0/rule-devel refactor: split up rule for CVE-2020-1048 into 2 rules commit46f3a70a7d
Merge:96fae4be
ec17c2ab
Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 09:54:28 2020 +0200 Merge pull request #786 from EccoTheFlintstone/perf_fix various rules cleaning (slight perf improvements) commit34006d0794
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 09:16:19 2020 +0200 refactor: simplified and extended expression in CVE-2020-1048 rule commit57c8e63acd
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 09:09:58 2020 +0200 refactore: split up rule for CVE-2020-1048 into 2 rules commitec17c2ab56
Author: ecco <none@none.com> Date: Fri May 22 10:37:00 2020 -0400 filter on createkey only when needed commit96fae4be68
Author: Thomas Patzke <thomas@patzke.org> Date: Fri May 22 00:50:37 2020 +0200 Added CrachMapExec rules commit64e0e7ca72
Merge:bbf78374
91c4c4ec
Author: Florian Roth <venom14@gmail.com> Date: Thu May 21 14:19:09 2020 +0200 Merge pull request #784 from Neo23x0/rule-devel refactor: slightly improved Greenbug rule commit91c4c4ecc5
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 21 13:38:11 2020 +0200 refactor: slightly improved Greenbug rule commitbbf78374b6
Merge:8d9b706d
9a3b6c1c
Author: Florian Roth <venom14@gmail.com> Date: Thu May 21 09:55:46 2020 +0200 Merge pull request #783 from Neo23x0/rule-devel Greenbug Rule commit9a3b6c1c77
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 21 09:44:11 2020 +0200 docs: added MITRE ATT&CK group tag commit344eb713c5
Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 21 09:39:57 2020 +0200 rule: Greenbug campaign commit8d9b706d6a
Merge:e7980bb4
06abd6e7
Author: Thomas Patzke <thomas@patzke.org> Date: Wed May 20 19:11:56 2020 +0200 Merge pull request #727 from 3CORESec/master Override Features commite7980bb434
Merge:af92a5bd
8963c0a6
Author: Florian Roth <venom14@gmail.com> Date: Wed May 20 12:55:41 2020 +0200 Merge pull request #782 from ZikyHD/patch-1 Remove duplicate 'CommandLine' in fields commitaf92a5bd2c
Merge:04dfe6c5
9ab65cd1
Author: Florian Roth <venom14@gmail.com> Date: Wed May 20 12:55:29 2020 +0200 Merge pull request #780 from tatsu-i/master Null field check to eliminate false positives commit8963c0a65e
Author: ZikyHD <ZikyHD@users.noreply.github.com> Date: Wed May 20 11:54:47 2020 +0200 Remove duplicate 'CommandLine' in fields commite8b956f575
Author: vh <vh@socprime.com> Date: Wed May 20 12:35:00 2020 +0300 Updated config commit9ab65cd1c7
Author: Florian Roth <venom14@gmail.com> Date: Tue May 19 14:50:22 2020 +0200 Update win_alert_ad_user_backdoors.yml commit04dfe6c5fc
Merge:df75bdd3
9e272d37
Author: Thomas Patzke <thomas@patzke.org> Date: Tue May 19 13:18:40 2020 +0200 Merge pull request #778 from neu5ron/sigmacs SIGMACs: Winlogbeat & Zeek commitdf75bdd3b6
Merge:4446c4cd
7c3dea22
Author: Florian Roth <venom14@gmail.com> Date: Tue May 19 13:10:56 2020 +0200 Merge pull request #779 from neu5ron/rules Rules: Zeek commit7c3dea22b8
Author: neu5ron <> Date: Tue May 19 05:13:48 2020 -0400 small T, big T commitdd382848b4
Merge:602c8917
e975d3fd
Author: neu5ron <> Date: Tue May 19 05:09:05 2020 -0400 Merge remote-tracking branch 'neu5ron-sigma/rules' into rules commit602c8917ef
Author: neu5ron <> Date: Tue May 19 04:41:08 2020 -0400 domain user enumeration via zeek rpc (dce_rpc) log. commitc815773b1a
Author: Tatsuya Ito <t_ito@cyberdefense.jp> Date: Tue May 19 18:05:51 2020 +0900 enhancement rule commit49f68a327a
Author: Tatsuya Ito <t_ito@cyberdefense.jp> Date: Tue May 19 18:00:50 2020 +0900 enhancement rule commite975d3fd14
Author: neu5ron <> Date: Tue May 19 04:41:08 2020 -0400 domain user enumeration via zeek rpc (dce_rpc) log. commiteffb2a8337
Author: neu5ron <> Date: Tue May 19 04:41:00 2020 -0400 add exe webdav download commit858ebcd3d3
Author: neu5ron <> Date: Tue May 19 04:35:47 2020 -0400 author typo update commit2fc8d513d6
Author: neu5ron <> Date: Tue May 19 04:35:30 2020 -0400 zeek, swap `path` and `name` commit0dd089db47
Author: ecco <none@none.com> Date: Mon May 18 20:29:53 2020 -0400 various rules cleaning commit71c507d8a9
Author: gamma37 <marie.euler@polytechnique.edu> Date: Mon May 18 11:34:53 2020 +0200 remove space bedore colon commit55eec46932
Author: gamma37 <marie.euler@polytechnique.edu> Date: Mon May 18 11:25:18 2020 +0200 Create a rule for "suspicious activities" commitcbf06b1e43
Author: gamma37 <marie.euler@polytechnique.edu> Date: Mon May 18 10:11:32 2020 +0200 lowercased tag commit904716771a
Author: gamma37 <marie.euler@polytechnique.edu> Date: Mon May 18 10:03:34 2020 +0200 Create a new rule to detect "Create Account" commitbeb62dc163
Author: Florian Roth <venom14@gmail.com> Date: Fri May 15 12:06:34 2020 +0200 fix: condition location commit28dc2a2267
Author: Florian Roth <venom14@gmail.com> Date: Fri May 15 11:33:36 2020 +0200 Minor changes hints: - contains doesn't require wildcards in the strings - we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day) - we can use "1 of them" to say that 1 of the conditions has to match commit40ab1b7247
Author: Trent Liffick <trent.liffick@outlook.com> Date: Thu May 14 23:33:08 2020 -0400 added 'action: global' commit56a2747a70
Author: Trent Liffick <trent.liffick@outlook.com> Date: Thu May 14 23:18:33 2020 -0400 Corrected missing condition learning! fail fast & forward commitfb1d8d7a76
Author: Trent Liffick <trent.liffick@outlook.com> Date: Thu May 14 23:04:14 2020 -0400 Corrected typo commit8aff6b412e
Author: Trent Liffick <trent.liffick@outlook.com> Date: Thu May 14 22:58:23 2020 -0400 added rule for Blue Mockingbird (cryptominer) commit06abd6e76a
Author: Tiago Faria <tiago.faria.backups@gmail.com> Date: Thu May 14 14:03:23 2020 +0100 added ci tests for ecs-cloudtrail commit2893becf8c
Merge:31ad8187
133319c4
Author: Tiago Faria <tiago.faria.backups@gmail.com> Date: Thu May 14 14:02:20 2020 +0100 Merge remote-tracking branch 'upstream/master' commit1a598282f4
Author: zaphod <18658828+zaphodef@users.noreply.github.com> Date: Wed May 13 11:57:10 2020 +0200 Add 'Add-Content' to powershell_ntfs_ads_access commitd510e1aad4
Author: zaphod <18658828+zaphodef@users.noreply.github.com> Date: Mon May 11 18:31:59 2020 +0200 Fix 'source' value for win_susp_backup_delete commitfb9c5841f4
Author: vh <vh@socprime.com> Date: Fri May 8 13:41:52 2020 +0300 Added Humio, Crowdstrike, Corelight commit31ad81874f
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Tue May 5 11:32:18 2020 +0100 capitalized titles corrected capitalization of titles and removed literals from config commitaa175a7d5b
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Mon May 4 18:02:27 2020 +0100 wip wip commitdd9e128a15
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Mon May 4 17:35:12 2020 +0100 kibana target update kibana target now compatible with overrides commitb32093e734
Merge:b3194e66
d298bb57
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Mon May 4 17:26:51 2020 +0100 Merge remote-tracking branch 'upstream/master' Keeping up with the sigmas. commitb3194e66c4
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Mon May 4 16:37:36 2020 +0100 Update base.py commitdd85467a27
Author: Tiago Faria <tiago.faria.backups@gmail.com> Date: Sat May 2 00:13:55 2020 +0100 Update aws_ec2_vm_export_failure.yml commitbc0a2c7ab9
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Fri May 1 19:20:05 2020 +0100 wip wip commit98391f985a
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Thu Apr 30 15:19:38 2020 +0100 wip wip commitadcc3766e3
Merge:81422444
dfdb5b95
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Thu Apr 30 15:08:25 2020 +0100 Merge branch 'master' of https://github.com/3CORESec/sigma commit8142244449
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Thu Apr 30 15:08:20 2020 +0100 wip wip commitdfdb5b9550
Author: Tiago Faria <tiago.faria.backups@gmail.com> Date: Wed Apr 29 23:59:26 2020 +0100 better description and event.outcome commitac4a2b1f26
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Wed Apr 29 22:55:46 2020 +0100 wip wip commit9ce84a38e5
Author: pdr9rc <pedro.gracio@3coresec.com> Date: Wed Apr 29 20:36:45 2020 +0100 overrides section support + one example rule + cloudtrail config ditto
626 lines
14 KiB
YAML
626 lines
14 KiB
YAML
title: Humio log source conditions
|
|
order: 20
|
|
backends:
|
|
- humio
|
|
logsources:
|
|
zeek:
|
|
product: zeek
|
|
zeek-category-accounting:
|
|
category: accounting
|
|
rewrite:
|
|
product: zeek
|
|
service: syslog
|
|
zeek-category-firewall:
|
|
category: firewall
|
|
rewrite:
|
|
product: zeek
|
|
service: conn
|
|
zeek-category-dns:
|
|
category: dns
|
|
rewrite:
|
|
product: zeek
|
|
service: dns
|
|
zeek-category-proxy:
|
|
category: proxy
|
|
rewrite:
|
|
product: zeek
|
|
service: http
|
|
zeek-category-webserver:
|
|
category: webserver
|
|
rewrite:
|
|
product: zeek
|
|
service: http
|
|
zeek-conn:
|
|
product: zeek
|
|
service: conn
|
|
conditions:
|
|
'@stream': conn
|
|
zeek-conn_long:
|
|
product: zeek
|
|
service: conn_long
|
|
conditions:
|
|
'@stream': conn_long
|
|
zeek-dce_rpc:
|
|
product: zeek
|
|
service: dce_rpc
|
|
conditions:
|
|
'@stream': dce_rpc
|
|
zeek-dns:
|
|
product: zeek
|
|
service: dns
|
|
conditions:
|
|
'@stream': dns
|
|
zeek-dnp3:
|
|
product: zeek
|
|
service: dnp3
|
|
conditions:
|
|
'@stream': dnp3
|
|
zeek-dpd:
|
|
product: zeek
|
|
service: dpd
|
|
conditions:
|
|
'@stream': dpd
|
|
zeek-files:
|
|
product: zeek
|
|
service: files
|
|
conditions:
|
|
'@stream': files
|
|
zeek-ftp:
|
|
product: zeek
|
|
service: ftp
|
|
conditions:
|
|
'@stream': ftp
|
|
zeek-gquic:
|
|
product: zeek
|
|
service: gquic
|
|
conditions:
|
|
'@stream': gquic
|
|
zeek-http:
|
|
product: zeek
|
|
service: http
|
|
conditions:
|
|
'@stream': http
|
|
zeek-http2:
|
|
product: zeek
|
|
service: http2
|
|
conditions:
|
|
'@stream': http2
|
|
zeek-intel:
|
|
product: zeek
|
|
service: intel
|
|
conditions:
|
|
'@stream': intel
|
|
zeek-irc:
|
|
product: zeek
|
|
service: irc
|
|
conditions:
|
|
'@stream': irc
|
|
zeek-kerberos:
|
|
product: zeek
|
|
service: kerberos
|
|
conditions:
|
|
'@stream': kerberos
|
|
zeek-known_certs:
|
|
product: zeek
|
|
service: known_certs
|
|
conditions:
|
|
'@stream': known_certs
|
|
zeek-known_hosts:
|
|
product: zeek
|
|
service: known_hosts
|
|
conditions:
|
|
'@stream': known_hosts
|
|
zeek-known_modbus:
|
|
product: zeek
|
|
service: known_modbus
|
|
conditions:
|
|
'@stream': known_modbus
|
|
zeek-known_services:
|
|
product: zeek
|
|
service: known_services
|
|
conditions:
|
|
'@stream': known_services
|
|
zeek-modbus:
|
|
product: zeek
|
|
service: modbus
|
|
conditions:
|
|
'@stream': modbus
|
|
zeek-modbus_register_change:
|
|
product: zeek
|
|
service: modbus_register_change
|
|
conditions:
|
|
'@stream': modbus_register_change
|
|
zeek-mqtt_connect:
|
|
product: zeek
|
|
service: mqtt_connect
|
|
conditions:
|
|
'@stream': mqtt_connect
|
|
zeek-mqtt_publish:
|
|
product: zeek
|
|
service: mqtt_publish
|
|
conditions:
|
|
'@stream': mqtt_publish
|
|
zeek-mqtt_subscribe:
|
|
product: zeek
|
|
service: mqtt_subscribe
|
|
conditions:
|
|
'@stream': mqtt_subscribe
|
|
zeek-mysql:
|
|
product: zeek
|
|
service: mysql
|
|
conditions:
|
|
'@stream': mysql
|
|
zeek-notice:
|
|
product: zeek
|
|
service: notice
|
|
conditions:
|
|
'@stream': notice
|
|
zeek-ntlm:
|
|
product: zeek
|
|
service: ntlm
|
|
conditions:
|
|
'@stream': ntlm
|
|
zeek-ntp:
|
|
product: zeek
|
|
service: ntp
|
|
conditions:
|
|
'@stream': ntp
|
|
zeek-ocsp:
|
|
product: zeek
|
|
service: ntp
|
|
conditions:
|
|
'@stream': ocsp
|
|
zeek-pe:
|
|
product: zeek
|
|
service: pe
|
|
conditions:
|
|
'@stream': pe
|
|
zeek-pop3:
|
|
product: zeek
|
|
service: pop3
|
|
conditions:
|
|
'@stream': pop3
|
|
zeek-radius:
|
|
product: zeek
|
|
service: radius
|
|
conditions:
|
|
'@stream': radius
|
|
zeek-rdp:
|
|
product: zeek
|
|
service: rdp
|
|
conditions:
|
|
'@stream': rdp
|
|
zeek-rfb:
|
|
product: zeek
|
|
service: rfb
|
|
conditions:
|
|
'@stream': rfb
|
|
zeek-sip:
|
|
product: zeek
|
|
service: sip
|
|
conditions:
|
|
'@stream': sip
|
|
zeek-smb_files:
|
|
product: zeek
|
|
service: smb_files
|
|
conditions:
|
|
'@stream': smb_files
|
|
zeek-smb_mapping:
|
|
product: zeek
|
|
service: smb_mapping
|
|
conditions:
|
|
'@stream': smb_mapping
|
|
zeek-smtp:
|
|
product: zeek
|
|
service: smtp
|
|
conditions:
|
|
'@stream': smtp
|
|
zeek-smtp_links:
|
|
product: zeek
|
|
service: smtp_links
|
|
conditions:
|
|
'@stream': smtp_links
|
|
zeek-snmp:
|
|
product: zeek
|
|
service: snmp
|
|
conditions:
|
|
'@stream': snmp
|
|
zeek-socks:
|
|
product: zeek
|
|
service: socks
|
|
conditions:
|
|
'@stream': socks
|
|
zeek-software:
|
|
product: zeek
|
|
service: software
|
|
conditions:
|
|
'@stream': software
|
|
zeek-ssh:
|
|
product: zeek
|
|
service: ssh
|
|
conditions:
|
|
'@stream': ssh
|
|
zeek-ssl:
|
|
product: zeek
|
|
service: ssl
|
|
conditions:
|
|
'@stream': ssl
|
|
zeek-tls: # In case people call it TLS even though orig log is called ssl
|
|
product: zeek
|
|
service: tls
|
|
conditions:
|
|
'@stream': ssl
|
|
zeek-syslog:
|
|
product: zeek
|
|
service: syslog
|
|
conditions:
|
|
'@stream': syslog
|
|
zeek-tunnel:
|
|
product: zeek
|
|
service: tunnel
|
|
conditions:
|
|
'@stream': tunnel
|
|
zeek-traceroute:
|
|
product: zeek
|
|
service: traceroute
|
|
conditions:
|
|
'@stream': traceroute
|
|
zeek-weird:
|
|
product: zeek
|
|
service: weird
|
|
conditions:
|
|
'@stream': weird
|
|
zeek-x509:
|
|
product: zeek
|
|
service: x509
|
|
conditions:
|
|
'@stream': x509
|
|
zeek-ip_search:
|
|
product: zeek
|
|
service: network
|
|
conditions:
|
|
'@stream':
|
|
- conn
|
|
- conn_long
|
|
- dce_rpc
|
|
- dhcp
|
|
- dnp3
|
|
- dns
|
|
- ftp
|
|
- gquic
|
|
- http
|
|
- irc
|
|
- kerberos
|
|
- modbus
|
|
- mqtt_connect
|
|
- mqtt_publish
|
|
- mqtt_subscribe
|
|
- mysql
|
|
- ntlm
|
|
- ntp
|
|
- radius
|
|
- rfb
|
|
- sip
|
|
- smb_files
|
|
- smb_mapping
|
|
- smtp
|
|
- smtp_links
|
|
- snmp
|
|
- socks
|
|
- ssh
|
|
- tls #SSL
|
|
- tunnel
|
|
- weird
|
|
fieldmappings:
|
|
# Deep mappings Taxonomy for overall/general fields
|
|
dst_ip:
|
|
product=windows: winlog.event_data.DestinationIp
|
|
product=zeek: id.resp_h
|
|
src_ip:
|
|
product=windows: winlog.event_data.SourceIp
|
|
product=zeek: id.orig_h
|
|
dst_port:
|
|
product=windows: winlog.event_data.DestinationPort
|
|
product=zeek: id.resp_p
|
|
src_port:
|
|
product=windows: winlog.event_data.SourcePort
|
|
product=zeek: id.orig_p
|
|
network_protocol:
|
|
product=zeek: proto
|
|
# Deep mappings Taxonomy for DNS Category and DNS service
|
|
answer:
|
|
product=zeek: answers
|
|
#question_length: # product=zeek: # Does not exist in open source version
|
|
record_type:
|
|
product=zeek: qtype_name
|
|
#parent_domain: #product=zeek: # Does not exist in open source version
|
|
# Deep mappings Taxonomy for HTTP, Webserver category, and Proxy category
|
|
cs-bytes:
|
|
product=zeek: request_body_len
|
|
cs-cookie:
|
|
product=zeek: cookie
|
|
r-dns:
|
|
product=zeek: host
|
|
sc-bytes:
|
|
product=zeek: response_body_len
|
|
sc-status:
|
|
product=zeek: status_code
|
|
c-uri:
|
|
product=zeek: uri
|
|
c-uri-extension:
|
|
product=zeek: uri
|
|
c-uri-query:
|
|
product=zeek: uri
|
|
c-uri-stem:
|
|
product=zeek: uri
|
|
c-useragent:
|
|
product=zeek: user_agent
|
|
cs-host:
|
|
product=zeek: host
|
|
cs-method:
|
|
product=zeek: method
|
|
cs-referrer:
|
|
product=zeek: referrer
|
|
cs-version:
|
|
product=zeek: version
|
|
# Windows / WEF / Winlogbeat
|
|
EventID: winlog.event_id
|
|
Event_ID: winlog.event_id
|
|
eventId: winlog.event_id
|
|
event_id: winlog.event_id
|
|
event-id: winlog.event_id
|
|
eventid: winlog.event_id
|
|
AccessMask: winlog.event_data.AccessMask
|
|
AccountName: winlog.event_data.AccountName
|
|
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
|
|
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
|
|
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
|
|
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
|
|
CallingProcessName: winlog.event_data.CallingProcessName
|
|
CallTrace: winlog.event_data.CallTrace
|
|
Channel: winlog.channel
|
|
CommandLine: winlog.event_data.CommandLine
|
|
ComputerName: winlog.ComputerName
|
|
CurrentDirectory: winlog.event_data.CurrentDirectory
|
|
Description: winlog.event_data.Description
|
|
DestinationHostname: winlog.event_data.DestinationHostname
|
|
DestinationIp: winlog.event_data.DestinationIp
|
|
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
|
|
DestinationPort: winlog.event_data.DestinationPort
|
|
Details: winlog.event_data.Details
|
|
EngineVersion: winlog.event_data.EngineVersion
|
|
EventType: winlog.event_data.EventType
|
|
FailureCode: winlog.event_data.FailureCode
|
|
FileName: winlog.event_data.FileName
|
|
GrantedAccess: winlog.event_data.GrantedAccess
|
|
GroupName: winlog.event_data.GroupName
|
|
GroupSid: winlog.event_data.GroupSid
|
|
Hashes: winlog.event_data.Hashes
|
|
HiveName: winlog.event_data.HiveName
|
|
HostVersion: winlog.event_data.HostVersion
|
|
Image: winlog.event_data.Image
|
|
ImageLoaded: winlog.event_data.ImageLoaded
|
|
ImagePath: winlog.event_data.ImagePath
|
|
Imphash: winlog.event_data.Imphash
|
|
IpAddress: winlog.event_data.IpAddress
|
|
KeyLength: winlog.event_data.KeyLength
|
|
LogonProcessName: winlog.event_data.LogonProcessName
|
|
LogonType: winlog.event_data.LogonType
|
|
NewProcessName: winlog.event_data.NewProcessName
|
|
ObjectClass: winlog.event_data.ObjectClass
|
|
ObjectName: winlog.event_data.ObjectName
|
|
ObjectType: winlog.event_data.ObjectType
|
|
ObjectValueName: winlog.event_data.ObjectValueName
|
|
ParentCommandLine: winlog.event_data.ParentCommandLine
|
|
ParentProcessName: winlog.event_data.ParentProcessName
|
|
ParentImage: winlog.event_data.ParentImage
|
|
Path: winlog.event_data.Path
|
|
PipeName: winlog.event_data.PipeName
|
|
ProcessCommandLine: winlog.event_data.ProcessCommandLine
|
|
ProcessName: winlog.event_data.ProcessName
|
|
Properties: winlog.event_data.Properties
|
|
SecurityID: winlog.event_data.SecurityID
|
|
ServiceFileName: winlog.event_data.ServiceFileName
|
|
ServiceName: winlog.event_data.ServiceName
|
|
ShareName: winlog.event_data.ShareName
|
|
Signature: winlog.event_data.Signature
|
|
Source: winlog.event_data.Source
|
|
SourceImage: winlog.event_data.SourceImage
|
|
SourceIp: winlog.event_data.SourceIp
|
|
StartModule: winlog.event_data.StartModule
|
|
Status: winlog.event_data.Status
|
|
SubjectUserName: winlog.event_data.SubjectUserName
|
|
SubjectUserSid: winlog.event_data.SubjectUserSid
|
|
TargetFilename: winlog.event_data.TargetFilename
|
|
Targetfilename: winlog.event_data.TargetFilename
|
|
TargetImage: winlog.event_data.TargetImage
|
|
TargetObject: winlog.event_data.TargetObject
|
|
TicketEncryptionType: winlog.event_data.TicketEncryptionType
|
|
TicketOptions: winlog.event_data.TicketOptions
|
|
User: winlog.event_data.User
|
|
WorkstationName: winlog.event_data.WorkstationName
|
|
# Channel: WLAN-Autoconfig AND EventID: 8001
|
|
AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
|
|
BSSID: winlog.event_data.BSSID
|
|
BSSType: winlog.event_data.BSSType
|
|
CipherAlgorithm: winlog.event_data.CipherAlgorithm
|
|
ConnectionId: winlog.event_data.ConnectionId
|
|
ConnectionMode: winlog.event_data.ConnectionMode
|
|
InterfaceDescription: winlog.event_data.InterfaceDescription
|
|
InterfaceGuid: winlog.event_data.InterfaceGuid
|
|
OnexEnabled: winlog.event_data.OnexEnabled
|
|
PHYType: winlog.event_data.PHYType
|
|
ProfileName: winlog.event_data.ProfileName
|
|
SSID: winlog.event_data.SSID
|
|
# Zeek Deep Mappings
|
|
# Temporary one off rule name fields
|
|
agent.version:
|
|
product=zeek: version
|
|
c-cookie:
|
|
product=zeek: cookie
|
|
c-ip:
|
|
product=zeek: id.orig_h
|
|
cs-uri:
|
|
product=zeek: uri
|
|
clientip:
|
|
product=zeek: id.orig_h
|
|
clientIP:
|
|
product=zeek: id.orig_h
|
|
dest_domain:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
dest_ip:
|
|
product=zeek: id.resp_h
|
|
dest_port:
|
|
product=zeek: id.resp_p
|
|
#TODO:WhatShouldThisBe?==dest:
|
|
#TODO:WhatShouldThisBe?==destination:
|
|
#TODO:WhatShouldThisBe?==Destination:
|
|
destination.hostname:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
DestinationAddress:
|
|
product=zeek: id.resp_h
|
|
dst-ip:
|
|
product=zeek: id.resp_h
|
|
dstip:
|
|
product=zeek: id.resp_h
|
|
dstport:
|
|
product=zeek: id.resp_p
|
|
Host:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
http_host:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
http_uri:
|
|
product=zeek: uri
|
|
http_url:
|
|
product=zeek: uri
|
|
http_user_agent:
|
|
product=zeek: user_agent
|
|
http.request.url-query-params:
|
|
product=zeek: uri
|
|
HttpMethod:
|
|
product=zeek: method
|
|
in_url:
|
|
product=zeek: uri
|
|
post_url_parameter:
|
|
product=zeek: uri
|
|
Request Url:
|
|
product=zeek: uri
|
|
request_url:
|
|
product=zeek: uri
|
|
request_URL:
|
|
product=zeek: uri
|
|
RequestUrl:
|
|
product=zeek: uri
|
|
response:
|
|
product=zeek: status_code
|
|
resource.url:
|
|
product=zeek: uri
|
|
resource.URL:
|
|
product=zeek: uri
|
|
sc_status:
|
|
product=zeek: status_code
|
|
service.response_code:
|
|
product=zeek: status_code
|
|
source:
|
|
product=zeek: id.orig_h
|
|
SourceAddr:
|
|
product=zeek: id.orig_h
|
|
SourceAddress:
|
|
product=zeek: id.orig_h
|
|
SourceIP:
|
|
product=zeek: id.orig_h
|
|
SourceNetworkAddress:
|
|
product=zeek: id.orig_h
|
|
SourcePort:
|
|
product=zeek: id.orig_p
|
|
srcip:
|
|
product=zeek: id.orig_h
|
|
status:
|
|
product=zeek: status_code
|
|
url:
|
|
product=zeek: uri
|
|
URL:
|
|
product=zeek: uri
|
|
url_query:
|
|
product=zeek: uri
|
|
url.query:
|
|
product=zeek: uri
|
|
uri_path:
|
|
product=zeek: uri
|
|
user_agent:
|
|
product=zeek: user_agent
|
|
user_agent.name:
|
|
product=zeek: user_agent
|
|
user-agent:
|
|
product=zeek: user_agent
|
|
User-Agent:
|
|
product=zeek: user_agent
|
|
useragent:
|
|
product=zeek: user_agent
|
|
UserAgent:
|
|
product=zeek: user_agent
|
|
User Agent:
|
|
product=zeek: user_agent
|
|
web_dest:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
web.dest:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
Web.dest:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
web.host:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
Web.host:
|
|
product=zeek: host
|
|
#- query
|
|
#- server_name
|
|
web_method:
|
|
product=zeek: method
|
|
Web_method:
|
|
product=zeek: method
|
|
web.method:
|
|
product=zeek: method
|
|
Web.method:
|
|
product=zeek: method
|
|
web_src:
|
|
product=zeek: id.orig_h
|
|
web_status:
|
|
product=zeek: status_code
|
|
Web_status:
|
|
product=zeek: status_code
|
|
web.status:
|
|
product=zeek: status_code
|
|
Web.status:
|
|
product=zeek: status_code
|
|
web_uri:
|
|
product=zeek: uri
|
|
web_url:
|
|
product=zeek: uri
|
|
# Already
|
|
destination.ip:
|
|
product=zeek: id.resp_h
|
|
destination.port:
|
|
product=zeek: id.resp_p
|
|
http.request.body.content:
|
|
product=zeek: post_body
|
|
#source.domain:
|
|
source.ip:
|
|
product=zeek: id.orig_h
|
|
source.port:
|
|
product=zeek: id.orig_p
|