neu5ron
7c3dea22b8
small T, big T
2020-05-19 05:13:48 -04:00
neu5ron
dd382848b4
Merge remote-tracking branch 'neu5ron-sigma/rules' into rules
2020-05-19 05:09:05 -04:00
neu5ron
602c8917ef
domain user enumeration via zeek rpc (dce_rpc) log.
2020-05-19 05:08:26 -04:00
Tatsuya Ito
c815773b1a
enhancement rule
2020-05-19 18:05:51 +09:00
neu5ron
9e272d37b7
zeek category update and minor field updates
2020-05-19 05:02:45 -04:00
Tatsuya Ito
49f68a327a
enhancement rule
2020-05-19 18:00:50 +09:00
neu5ron
177f0a783b
winlogbeat forward (at a snail's pace) ECS field names
2020-05-19 04:58:51 -04:00
neu5ron
e975d3fd14
domain user enumeration via zeek rpc (dce_rpc) log.
2020-05-19 04:41:08 -04:00
neu5ron
effb2a8337
add exe webdav download
2020-05-19 04:41:00 -04:00
neu5ron
858ebcd3d3
author typo update
2020-05-19 04:35:47 -04:00
neu5ron
2fc8d513d6
zeek, swap path and name
2020-05-19 04:35:30 -04:00
ecco
0dd089db47
various rules cleaning
2020-05-18 20:29:53 -04:00
Florian Roth
4446c4cd4e
Merge pull request #773 from EccoTheFlintstone/fix_fp
add some false positives checks
2020-05-18 21:33:48 +02:00
Florian Roth
4bb44f02e1
Merge pull request #776 from Neo23x0/rule-devel
docs: missed the reference
2020-05-18 18:35:30 +02:00
Florian Roth
63238fd661
docs: missed the reference
2020-05-18 18:34:30 +02:00
Florian Roth
482c9e5449
Merge pull request #775 from Neo23x0/rule-devel
Godmode Sigma Rule
2020-05-18 17:21:34 +02:00
Florian Roth
8819da51c5
Merge branch 'master' into rule-devel
2020-05-18 17:05:25 +02:00
Florian Roth
08c32c9dfc
rule: godmode rule v0.3
2020-05-18 17:04:59 +02:00
ecco
1aa97fe577
flake 8
2020-05-18 10:03:18 -04:00
ecco
088800cd18
fix rule due to sigmac bug?
2020-05-18 09:39:48 -04:00
ecco
e89613aee0
add some false positives checks
2020-05-18 07:19:06 -04:00
Florian Roth
8154ca355a
Merge pull request #768 from maximelb/master
Remove "condition" from global rule in CVE-2020-1048.
2020-05-18 12:52:49 +02:00
Florian Roth
ad50b5f3bb
Merge pull request #769 from jaegeral/patch-2
replace --target-list with --lists
2020-05-18 12:50:07 +02:00
Florian Roth
f7ef96c077
Merge pull request #770 from EccoTheFlintstone/various_fix
standardize rules with Image and CommandLine instead of NewProcessNam…
2020-05-18 12:49:22 +02:00
gamma37
71c507d8a9
remove space before colon
2020-05-18 11:34:53 +02:00
gamma37
55eec46932
Create a rule for "suspicious activities"
2020-05-18 11:25:18 +02:00
gamma37
cbf06b1e43
lowercased tag
2020-05-18 10:11:32 +02:00
gamma37
904716771a
Create a new rule to detect "Create Account"
2020-05-18 10:03:34 +02:00
Alexander J
a7176d4811
replace --target-list with --lists
The description in the readme is outdated
````
sigmac --target-list
usage: sigmac [-h] [--recurse] [--filter FILTER]
[--target {kibana,ala-rule,splunk,ala,splunkxml,fieldlist,graylog,es-rule,qualys,arcsight-esm,mdatp,netwitness,arcsight,elastalert-dsl,sql,carbonblack,xpack-watcher,limacharlie,qradar,logiq,powershell,grep,ee-outliers,elastalert,es-qs,es-dsl,logpoint,sumologic}]
[--lists] [--config CONFIG] [--output OUTPUT]
[--backend-option BACKEND_OPTION]
[--backend-config BACKEND_CONFIG] [--defer-abort]
[--ignore-backend-errors] [--verbose] [--debug]
[inputs [inputs ...]]
sigmac: error: unrecognized arguments: --target-list
````
2020-05-18 08:11:16 +02:00
Maxime Lamothe-Brassard
25d3a5a893
Remove "condition" from global rule.
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
2020-05-17 12:44:57 -07:00
~noyan
2b72ee7b84
partial(?) fix of #762
2020-05-16 14:51:58 +03:00
Florian Roth
5d1605bba2
Merge pull request #765 from Neo23x0/rule-devel
Rule devel
2020-05-16 09:16:19 +02:00
Florian Roth
a46e357874
Merge branch 'master' into rule-devel
2020-05-16 08:59:34 +02:00
Florian Roth
d5e7d4e302
fix: missing condition in CVE-2020-1048 rule
2020-05-16 08:59:05 +02:00
Florian Roth
4e1991cfee
Merge pull request #761 from EccoTheFlintstone/cve-2020-1048-fix
fix CVE 2020-1048 rule
2020-05-16 08:58:31 +02:00
ecco
fd386fe8eb
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
Florian Roth
7b713fbe7f
rule: OpenSSHd rule adjusted
2020-05-15 17:19:32 +02:00
ecco
0575fa8d81
fix CVE 2020-1048 rule
2020-05-15 07:25:05 -04:00
Florian Roth
b672d7aeb4
Merge pull request #759 from Neo23x0/rule-devel
Rule devel
2020-05-15 12:25:46 +02:00
Florian Roth
cc26b26377
Merge branch 'master' into rule-devel
# Conflicts:
# rules/windows/sysmon/sysmon_cve-2020-1048.yml
2020-05-15 12:09:47 +02:00
Florian Roth
8e7caf0e4d
rule: CVE-2020-1048
2020-05-15 12:08:31 +02:00
Florian Roth
8e082283f0
Merge pull request #754 from Neo23x0/rule-devel
Rule devel
2020-05-15 12:07:04 +02:00
Florian Roth
beb62dc163
fix: condition location
2020-05-15 12:06:34 +02:00
Florian Roth
5854cc4677
fix: small bug in new CVE-2020-1048 rule
2020-05-15 11:37:46 +02:00
Florian Roth
2282432b6f
Merge pull request #753 from hieuttmmo/master
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
2020-05-15 11:35:12 +02:00
Florian Roth
28dc2a2267
Minor changes
hints:
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
2020-05-15 11:33:36 +02:00
Florian Roth
d8cd396697
Merge pull request #758 from EccoTheFlintstone/fix_fp
remove false positives with cmd as child of services.exe (not specifi…
2020-05-15 11:28:05 +02:00
ecco
54cf535dbc
remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)
2020-05-15 04:45:25 -04:00
Trent Liffick
40ab1b7247
added 'action: global'
2020-05-14 23:33:08 -04:00
Trent Liffick
56a2747a70
Corrected missing condition
learning! fail fast & forward
2020-05-14 23:18:33 -04:00