forked from SigmaHQ/sigma
Repo Update #1
Merged
image_load not image_loaded.
This change removes dns events from the network connection category. The one change is that sysmon_regsvr32_network_activity.yml needs to test the network connection category separately from the DNS event id.
Fixes for rules in new sysmon registry_event category
Windows Curl Rules
Fixes for rules in the sysmon file_event category
rule: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
improved F5 BIG-IP rule based on private feedback
Fix undefined names in sigma2misp.py
Issue: #888 The rules were not merged correctly with the transition to sysmon categories. Split the rule into separate documents: one for the registry_event and one for the process_creation
rule: extended F5 BIG-IP exploitation detection rule
STIX backend added including mapping configurations for windows logs and QRadar
Re-fix sysmon rules that lost changes with category refactoring.
Proposed fix for sysmon_uac_bypass_eventvwr
Fix typo for rule in image_load category
…ys looked at + add keys from wow64
SIGMA ASEP: remove some false positives
Carbon black mapping wrong and fix wild card
Update win_susp_rasdial_activity.yml to use `contains` instead of `equal`
added troubleshooting links to root README.md
Zeek RDP rule
…/value contains a wildcard. Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
ES and Readme from SOC Prime
Rule devel
veritasr3x pushed a commit that referenced this pull request Sep 4, 2020
commit d97d2ce Merge: 022d73f 84dd8c3 Author: Florian Roth <venom14@gmail.com> Date: Wed Jun 3 15:53:55 2020 +0200
    Merge pull request SigmaHQ#725 from WilliamBruneau/fix_null_list Move null values out from list in rules
commit 84dd8c3 Author: William Bruneau <william.bruneau@epfedu.fr> Date: Tue May 5 09:04:47 2020 +0200
    Move null values out from list in rules
commit 022d73f Merge: 0cbc099 4ed5120 Author: Florian Roth <venom14@gmail.com> Date: Wed Jun 3 10:48:05 2020 +0200
    Merge pull request SigmaHQ#811 from svnscha/fix/field-TargetFileName-to-TargetFilename All Rules use 'TargetFilename' instead of 'TargetFileName'.
commit 4ed5120 Author: Sven Scharmentke <sven@vastlimits.com> Date: Wed Jun 3 09:00:59 2020 +0200
    All Rules use 'TargetFilename' instead of 'TargetFileName'. This commit fixes the incorrect spelling.
commit 0cbc099 Merge: 74e16fd 3a6ac5b Author: Florian Roth <venom14@gmail.com> Date: Sat May 30 09:31:45 2020 +0200
    Merge pull request SigmaHQ#807 from forensicanalysis/master Add sqlite backend
commit 3a6ac5b Author: Jonas Plum <git@cugu.eu> Date: Sat May 30 01:57:06 2020 +0200
    Remove unused function
commit 5cc82d0 Author: Jonas Plum <git@cugu.eu> Date: Sat May 30 00:56:06 2020 +0200
    Move testcase
commit 4a8ab88 Author: Jonas Plum <git@cugu.eu> Date: Sat May 30 00:15:38 2020 +0200
    Fix test path
commit 70935d2 Author: Jonas Plum <git@cugu.eu> Date: Fri May 29 23:56:05 2020 +0200
    Add license header
commit 74e16fd Merge: e20b58c 537bda4 Author: Florian Roth <venom14@gmail.com> Date: Fri May 29 17:32:43 2020 +0200
    Merge pull request SigmaHQ#803 from gamma37/clear_cmd_history Edit Clear Command History
commit e20b58c Merge: 7f2fa05 a00f7f1 Author: Florian Roth <venom14@gmail.com> Date: Fri May 29 17:32:27 2020 +0200
    Merge pull request SigmaHQ#806 from SanWieb/sysmon_creation_system_file Fixed wrong field & Improve rule
commit a00f7f1 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Fri May 29 16:25:54 2020 +0200
    Add tag Endswith
    Prevent the trigger of {}.exe.log
commit 38afd8b Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Thu May 28 21:52:17 2020 +0200
    Fixed wrong field
commit 7f2fa05 Merge: ec313b6 39b41b5 Author: Florian Roth <venom14@gmail.com> Date: Thu May 28 11:16:44 2020 +0200
    Merge pull request SigmaHQ#802 from Neo23x0/rule-devel ComRAT and KazuarRAT
commit 537bda4 Author: gamma37 <marie.euler@polytechnique.edu> Date: Thu May 28 10:56:35 2020 +0200
    Update lnx_shell_clear_cmd_history.yml
commit 5a48934 Author: gamma37 <marie.euler@polytechnique.edu> Date: Thu May 28 10:52:17 2020 +0200
    Edit Clear Command History
    I suggest a new point of view to detect that bash_history has been cleared: instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
commit 39b41b5 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 28 10:13:38 2020 +0200
    rule: moved DebugView rule to process creation category
commit 76dcc1a Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 28 09:22:25 2020 +0200
    rule: renamed debugview
commit ec313b6 Merge: 5bb6770 d44fc43 Author: Florian Roth <venom14@gmail.com> Date: Wed May 27 08:49:20 2020 +0200
    Merge pull request SigmaHQ#801 from SanWieb/sysmon_creation_system_file Rule: sysmon_creation_system_file
commit d44fc43 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 19:10:11 2020 +0200
    Add extension
commit f6ec724 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 18:53:54 2020 +0200
    Rule: sysmon_creation_system_file
commit 5bb6770 Merge: 0b398c5 3681b8c Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 14:28:47 2020 +0200
    Merge pull request SigmaHQ#800 from SanWieb/win_system_exe_anomaly Extended Windows processes: win_system_exe_anomaly
commit 4ca81b8 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Tue May 26 14:19:22 2020 +0200
    rule: Turla ComRAT report
commit 3681b8c Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 13:56:51 2020 +0200
    Extended Windows processes
commit 0b398c5 Merge: c1f4787 b648998 Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:31:57 2020 +0200
    Merge pull request SigmaHQ#798 from Neo23x0/rule-devel rule: confluence exploit CVE-2019-3398 & Turla ComRAT
commit c1f4787 Merge: ce1f463 48c5f2e Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:21:04 2020 +0200
    Merge pull request SigmaHQ#797 from NVISO-BE/sysmon_cve-2020-1048 Changes to sysmon_cve-2020-1048
commit ce1f463 Merge: e131f34 1a59828 Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:20:40 2020 +0200
    Merge pull request SigmaHQ#751 from zaphodef/fix/powershell_ntfs_ads_access Add 'Add-Content' to powershell_ntfs_ads_access
commit e131f34 Merge: 30861b5 7037e77 Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:20:23 2020 +0200
    Merge pull request SigmaHQ#796 from EccoTheFlintstone/fp add more false positives
commit 30861b5 Merge: a962bd1 f9f814f Author: Florian Roth <venom14@gmail.com> Date: Tue May 26 13:20:07 2020 +0200
    Merge pull request SigmaHQ#799 from SanWieb/susp_file_characteristics Susp file characteristics: Reduce FP of legitimate processes
commit b648998 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Tue May 26 13:18:50 2020 +0200
    rule: Turla ComRAT
commit f9f814f Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 13:06:27 2020 +0200
    Shortened title
commit a241792 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 12:58:15 2020 +0200
    Reduce FP of legitimate processes
    A lot of Windows apps do not have any file characteristics. Some examples:
    - Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
    - YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe
    All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) do not have a description and company. Python 2.7, 3.3 and 3.7 do not have any file characteristics. So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
commit cdf1ade Author: Florian Roth <florian.roth@nextron-systems.com> Date: Tue May 26 12:27:16 2020 +0200
    fix: typo in selection
commit 91b4ee8 Merge: 4cd7c39 a962bd1 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Tue May 26 12:24:21 2020 +0200
    Merge pull request SigmaHQ#2 from Neo23x0/master Update repository
commit 828484d Author: Florian Roth <florian.roth@nextron-systems.com> Date: Tue May 26 12:09:41 2020 +0200
    rule: confluence exploit CVE-2019-3398
commit 48c5f2e Author: Remco Hofman <rhofman@nviso.be> Date: Tue May 26 11:20:21 2020 +0200
    Update to sysmon_cve-2020-1048
    Added .com executables to detection. Second TargetObject should have been Details
commit abf1a2c Author: Jonas Hagg <joy.hagg@web.de> Date: Mon May 25 10:54:16 2020 +0200
    Adjusted Makefile
commit dedfb65 Author: Jonas Hagg <joy.hagg@web.de> Date: Mon May 25 10:44:14 2020 +0200
    Implemented Aggregation for SQL, Added SQLite FullTextSearch
commit 7037e77 Author: ecco <none@none.com> Date: Mon May 25 04:50:22 2020 -0400
    add more FP
commit a962bd1 Merge: 0afe062 d510e1a Author: Florian Roth <venom14@gmail.com> Date: Mon May 25 10:48:36 2020 +0200
    Merge pull request SigmaHQ#747 from zaphodef/fix/win_susp_backup_delete_source Fix 'source' value for win_susp_backup_delete
commit 0afe062 Merge: 92d0aa8 beb62dc Author: Florian Roth <venom14@gmail.com> Date: Mon May 25 10:47:23 2020 +0200
    Merge pull request SigmaHQ#757 from tliffick/master added rule for Blue Mockingbird (cryptominer)
commit 92d0aa8 Merge: 0dda757 6fcf3f9 Author: Florian Roth <venom14@gmail.com> Date: Mon May 25 10:46:39 2020 +0200
    Merge pull request SigmaHQ#795 from SanWieb/Rule-improvement-Netsh-program-allowed Rule improvement: netsh Application or Port allowed
commit 6fcf3f9 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Mon May 25 10:13:26 2020 +0200
    Update win_netsh_fw_add.yml
commit 28652e4 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Mon May 25 10:02:13 2020 +0200
    Add Windows Server 2008 and Windows Vista support
    It did not support the command `netsh advfirewall firewall add`
commit 2678cd1 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Mon May 25 09:50:47 2020 +0200
    Create win_netsh_fw_add_susp_image.yml
    More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. Combined the following rules for the suspicious locations:
    https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
    https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
    https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
commit 4cd7c39 Merge: 6fbfa9d 0dda757 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Mon May 25 08:48:16 2020 +0200
    Merge pull request #1 from Neo23x0/master Update repository
commit 0dda757 Merge: 40f0beb daf7ab5 Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 22:58:58 2020 +0200
    Merge branch 'socprime-master'
commit daf7ab5 Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 22:41:38 2020 +0200
    Cleanup: removal of corelight_* backends
commit d45f8e1 Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 21:46:55 2020 +0200
    Fixes
commit 32e4998 Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 21:45:37 2020 +0200
    Removed dead code from ALA backend.
commit 24b08bb Merge: 96fae4b e8b956f Author: Thomas Patzke <thomas@patzke.org> Date: Sun May 24 17:06:32 2020 +0200
    Merge branch 'master' of https://github.com/socprime/sigma into socprime-master
commit 40f0beb Merge: 6fbfa9d b8ee736 Author: Florian Roth <venom14@gmail.com> Date: Sun May 24 16:30:10 2020 +0200
    Merge pull request SigmaHQ#794 from SanWieb/update_susp_run_key Remove AppData folder as suspicious folder
commit b8ee736 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Sun May 24 15:16:07 2020 +0200
    Remove AppData folder as suspicious folder
    A lot of software is using the AppData folder for startup keys. Some examples:
    - Microsoft Teams (\AppData\Local\Microsoft\Teams)
    - Resilio (\AppData\Roaming\Resilio Sync\)
    - Discord (\AppData\Local\Discord\)
    - Spotify (\AppData\Roaming\Spotify\)
    Too many to whitelist them all
commit 6fbfa9d Merge: d0da281 3028a27 Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 23:47:12 2020 +0200
    Merge pull request SigmaHQ#793 from Neo23x0/rule-devel Esentutl rule and StrongPity Loader UA
commit f970d28 Author: ecco <none@none.com> Date: Sat May 23 15:06:15 2020 -0400
    add more false positives
commit 3028a27 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 18:32:02 2020 +0200
    fix: buggy rule
commit df71538 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 18:27:36 2020 +0200
    rule: suspicious esentutl use
commit d0da281 Merge: 8321cc7 67faf4b Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 18:13:16 2020 +0200
    Merge pull request SigmaHQ#792 from EccoTheFlintstone/fff fix FP + remove powershell rule redundant with sysmon_in_memory_power…
commit 8321cc7 Merge: 9cd9a30 e1a05df Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 18:11:32 2020 +0200
    Merge pull request SigmaHQ#772 from gamma37/suspicious_activities Create a rule for "suspicious activities"
commit d1a5471 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 17:38:10 2020 +0200
    rule: Strong Pity loader UA
commit 67faf4b Author: ecco <none@none.com> Date: Sat May 23 10:56:23 2020 -0400
    fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml
commit 9cd9a30 Merge: ee1ca77 d310805 Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 16:50:31 2020 +0200
    Merge pull request SigmaHQ#791 from SanWieb/master added rule for Netsh RDP port opening
commit e1a05df Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 16:49:03 2020 +0200
    Update lnx_auditd_susp_C2_commands.yml
commit ee1ca77 Merge: 895c847 cbf06b1 Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 16:47:46 2020 +0200
    Merge pull request SigmaHQ#771 from gamma37/new_rules Create a new rule to detect "Create Account"
commit 895c847 Merge: 12e1aea 327a53c Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 16:47:01 2020 +0200
    Merge pull request SigmaHQ#790 from EccoTheFlintstone/fp_fix fix false positive matching on every powershell process not run by SY…
commit 327a53c Author: ecco <none@none.com> Date: Sat May 23 10:25:37 2020 -0400
    add new test for sysmon rules without eventid
commit 10ca300 Author: ecco <none@none.com> Date: Sat May 23 10:07:55 2020 -0400
    move rule where needed
commit 2b89e56 Author: ecco <none@none.com> Date: Sat May 23 10:03:13 2020 -0400
    fix test
commit d9bc09c Author: ecco <none@none.com> Date: Sat May 23 10:02:58 2020 -0400
    fix test
commit 78a7852 Author: ecco <none@none.com> Date: Sat May 23 09:16:40 2020 -0400
    renamed dbghelp rule with new ID and comment and removed a false positive
commit d310805 Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com> Date: Sat May 23 14:19:52 2020 +0200
    rule: Netsh RDP port opening
commit 75ba5f9 Author: ecco <none@none.com> Date: Sat May 23 07:44:45 2020 -0400
    add 1 more FP to wmi load
commit 9a7f462 Author: ecco <none@none.com> Date: Sat May 23 07:17:56 2020 -0400
    move renamed binaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
commit cfde062 Author: ecco <none@none.com> Date: Sat May 23 07:05:09 2020 -0400
    fix false positive matching on every powershell process not run by SYSTEM account
commit 12e1aea Merge: 46f3a70 34006d0 Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 09:54:43 2020 +0200
    Merge pull request SigmaHQ#788 from Neo23x0/rule-devel refactor: split up rule for CVE-2020-1048 into 2 rules
commit 46f3a70 Merge: 96fae4b ec17c2a Author: Florian Roth <venom14@gmail.com> Date: Sat May 23 09:54:28 2020 +0200
    Merge pull request SigmaHQ#786 from EccoTheFlintstone/perf_fix various rules cleaning (slight perf improvements)
commit 34006d0 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 09:16:19 2020 +0200
    refactor: simplified and extended expression in CVE-2020-1048 rule
commit 57c8e63 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Sat May 23 09:09:58 2020 +0200
    refactor: split up rule for CVE-2020-1048 into 2 rules
commit ec17c2a Author: ecco <none@none.com> Date: Fri May 22 10:37:00 2020 -0400
    filter on createkey only when needed
commit 96fae4b Author: Thomas Patzke <thomas@patzke.org> Date: Fri May 22 00:50:37 2020 +0200
    Added CrackMapExec rules
commit 64e0e7c Merge: bbf7837 91c4c4e Author: Florian Roth <venom14@gmail.com> Date: Thu May 21 14:19:09 2020 +0200
    Merge pull request SigmaHQ#784 from Neo23x0/rule-devel refactor: slightly improved Greenbug rule
commit 91c4c4e Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 21 13:38:11 2020 +0200
    refactor: slightly improved Greenbug rule
commit bbf7837 Merge: 8d9b706 9a3b6c1 Author: Florian Roth <venom14@gmail.com> Date: Thu May 21 09:55:46 2020 +0200
    Merge pull request SigmaHQ#783 from Neo23x0/rule-devel Greenbug Rule
commit 9a3b6c1 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 21 09:44:11 2020 +0200
    docs: added MITRE ATT&CK group tag
commit 344eb71 Author: Florian Roth <florian.roth@nextron-systems.com> Date: Thu May 21 09:39:57 2020 +0200
    rule: Greenbug campaign
commit 8d9b706 Merge: e7980bb 06abd6e Author: Thomas Patzke <thomas@patzke.org> Date: Wed May 20 19:11:56 2020 +0200
    Merge pull request SigmaHQ#727 from 3CORESec/master Override Features
commit e7980bb Merge: af92a5b 8963c0a Author: Florian Roth <venom14@gmail.com> Date: Wed May 20 12:55:41 2020 +0200
    Merge pull request SigmaHQ#782 from ZikyHD/patch-1 Remove duplicate 'CommandLine' in fields
commit af92a5b Merge: 04dfe6c 9ab65cd Author: Florian Roth <venom14@gmail.com> Date: Wed May 20 12:55:29 2020 +0200
    Merge pull request SigmaHQ#780 from tatsu-i/master Null field check to eliminate false positives
commit 8963c0a Author: ZikyHD <ZikyHD@users.noreply.github.com> Date: Wed May 20 11:54:47 2020 +0200
    Remove duplicate 'CommandLine' in fields
commit e8b956f Author: vh <vh@socprime.com> Date: Wed May 20 12:35:00 2020 +0300
    Updated config
commit 9ab65cd Author: Florian Roth <venom14@gmail.com> Date: Tue May 19 14:50:22 2020 +0200
    Update win_alert_ad_user_backdoors.yml
commit 04dfe6c Merge: df75bdd 9e272d3 Author: Thomas Patzke <thomas@patzke.org> Date: Tue May 19 13:18:40 2020 +0200
    Merge pull request SigmaHQ#778 from neu5ron/sigmacs SIGMACs: Winlogbeat & Zeek
commit df75bdd Merge: 4446c4c 7c3dea2 Author: Florian Roth <venom14@gmail.com> Date: Tue May 19 13:10:56 2020 +0200
    Merge pull request SigmaHQ#779 from neu5ron/rules Rules: Zeek
commit 7c3dea2 Author: neu5ron <> Date: Tue May 19 05:13:48 2020 -0400
    small T, big T
commit dd38284 Merge: 602c891 e975d3f Author: neu5ron <> Date: Tue May 19 05:09:05 2020 -0400
    Merge remote-tracking branch 'neu5ron-sigma/rules' into rules
commit 602c891 Author: neu5ron <> Date: Tue May 19 04:41:08 2020 -0400
    domain user enumeration via zeek rpc (dce_rpc) log.
commit c815773 Author: Tatsuya Ito <t_ito@cyberdefense.jp> Date: Tue May 19 18:05:51 2020 +0900
    enhancement rule
commit 49f68a3 Author: Tatsuya Ito <t_ito@cyberdefense.jp> Date: Tue May 19 18:00:50 2020 +0900
    enhancement rule
commit e975d3f Author: neu5ron <> Date: Tue May 19 04:41:08 2020 -0400
    domain user enumeration via zeek rpc (dce_rpc) log.
commit effb2a8 Author: neu5ron <> Date: Tue May 19 04:41:00 2020 -0400
    add exe webdav download
commit 858ebcd Author: neu5ron <> Date: Tue May 19 04:35:47 2020 -0400
    author typo update
commit 2fc8d51 Author: neu5ron <> Date: Tue May 19 04:35:30 2020 -0400
    zeek, swap `path` and `name`
commit 0dd089d Author: ecco <none@none.com> Date: Mon May 18 20:29:53 2020 -0400
    various rules cleaning
commit 71c507d Author: gamma37 <marie.euler@polytechnique.edu> Date: Mon May 18 11:34:53 2020 +0200
    remove space before colon
commit 55eec46 Author: gamma37 <marie.euler@polytechnique.edu> Date: Mon May 18 11:25:18 2020 +0200
    Create a rule for "suspicious activities"
commit cbf06b1 Author: gamma37 <marie.euler@polytechnique.edu> Date: Mon May 18 10:11:32 2020 +0200
    lowercased tag
commit 9047167 Author: gamma37 <marie.euler@polytechnique.edu> Date: Mon May 18 10:03:34 2020 +0200
    Create a new rule to detect "Create Account"
commit beb62dc Author: Florian Roth <venom14@gmail.com> Date: Fri May 15 12:06:34 2020 +0200
    fix: condition location
commit 28dc2a2 Author: Florian Roth <venom14@gmail.com> Date: Fri May 15 11:33:36 2020 +0200
    Minor changes
    hints:
    - contains doesn't require wildcards in the strings
    - we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
    - we can use "1 of them" to say that 1 of the conditions has to match
commit 40ab1b7 Author: Trent Liffick <trent.liffick@outlook.com> Date: Thu May 14 23:33:08 2020 -0400
    added 'action: global'
commit 56a2747 Author: Trent Liffick <trent.liffick@outlook.com> Date: Thu May 14 23:18:33 2020 -0400
    Corrected missing condition
    learning! fail fast & forward
commit fb1d8d7 Author: Trent Liffick <trent.liffick@outlook.com> Date: Thu May 14 23:04:14 2020 -0400
    Corrected typo
commit 8aff6b4 Author: Trent Liffick <trent.liffick@outlook.com> Date: Thu May 14 22:58:23 2020 -0400
    added rule for Blue Mockingbird (cryptominer)
commit 06abd6e Author: Tiago Faria <tiago.faria.backups@gmail.com> Date: Thu May 14 14:03:23 2020 +0100
    added ci tests for ecs-cloudtrail
commit 2893bec Merge: 31ad818 133319c Author: Tiago Faria <tiago.faria.backups@gmail.com> Date: Thu May 14 14:02:20 2020 +0100
    Merge remote-tracking branch 'upstream/master'
commit 1a59828 Author: zaphod <18658828+zaphodef@users.noreply.github.com> Date: Wed May 13 11:57:10 2020 +0200
    Add 'Add-Content' to powershell_ntfs_ads_access
commit d510e1a Author: zaphod <18658828+zaphodef@users.noreply.github.com> Date: Mon May 11 18:31:59 2020 +0200
    Fix 'source' value for win_susp_backup_delete
commit fb9c584 Author: vh <vh@socprime.com> Date: Fri May 8 13:41:52 2020 +0300
    Added Humio, Crowdstrike, Corelight
commit 31ad818 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Tue May 5 11:32:18 2020 +0100
    capitalized titles
    corrected capitalization of titles and removed literals from config
commit aa175a7 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Mon May 4 18:02:27 2020 +0100
    wip wip
commit dd9e128 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Mon May 4 17:35:12 2020 +0100
    kibana target update
    kibana target now compatible with overrides
commit b32093e Merge: b3194e6 d298bb5 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Mon May 4 17:26:51 2020 +0100
    Merge remote-tracking branch 'upstream/master'
    Keeping up with the sigmas.
commit b3194e6 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Mon May 4 16:37:36 2020 +0100
    Update base.py
commit dd85467 Author: Tiago Faria <tiago.faria.backups@gmail.com> Date: Sat May 2 00:13:55 2020 +0100
    Update aws_ec2_vm_export_failure.yml
commit bc0a2c7 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Fri May 1 19:20:05 2020 +0100
    wip wip
commit 98391f9 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Thu Apr 30 15:19:38 2020 +0100
    wip wip
commit adcc376 Merge: 8142244 dfdb5b9 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Thu Apr 30 15:08:25 2020 +0100
    Merge branch 'master' of https://github.com/3CORESec/sigma
commit 8142244 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Thu Apr 30 15:08:20 2020 +0100
    wip wip
commit dfdb5b9 Author: Tiago Faria <tiago.faria.backups@gmail.com> Date: Wed Apr 29 23:59:26 2020 +0100
    better description and event.outcome
commit ac4a2b1 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Wed Apr 29 22:55:46 2020 +0100
    wip wip
commit 9ce84a3 Author: pdr9rc <pedro.gracio@3coresec.com> Date: Wed Apr 29 20:36:45 2020 +0100
    overrides section support + one example rule + cloudtrail config ditto
Updating my local copy.