bbb67fbba4
Adding support for reading sigma rule from stdin in sigmac
2018-10-07 10:11:47 -05:00
aabaa0257b
Merge branch 'master' of https://github.com/Neo23x0/sigma
2018-10-06 20:12:15 -05:00
4b85a34b34
Added CSV option to powershell backend
2018-10-06 20:08:20 -05:00
e28bc35cad
Apply field mappings in generation of log source condition
2018-10-06 23:38:35 +02:00
54678fcb36
Rule: CertUtil UA
...
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
4eeb07a736
Merge pull request #181 from droe/optimizer-comments
...
Improve the comments on the optimizer
2018-10-03 23:11:10 +02:00
fc45df144c
Improve the comments on the optimizer
2018-10-03 13:44:03 +02:00
143f8644c6
Merge pull request #180 from droe/refactor-optimizer
...
Move optimizer to sigma.parser.condition to enable it for all backends
2018-10-03 00:34:14 +02:00
87aa1b5521
Move optimizer to sigma.parser.condition to enable it for all backends
2018-10-03 00:24:31 +02:00
2ac19d32a1
Merge pull request #178 from droe/ast_optimizer
...
Optimize the boolean expressions in the AST before generating output
2018-10-02 23:06:55 +02:00
cd3661b60c
Fix optimization of NOT corner cases
2018-10-02 22:48:33 +02:00
14c5dcf413
Merge pull request #179 from droe/tempfile-mktemp
...
Use mktemp if tempfile is not available, fixes `make` for macOS
2018-10-02 22:44:48 +02:00
85ad10d558
Use mktemp if tempfile is not available, fixes make for macOS
2018-10-02 22:17:03 +02:00
bed88cf813
Make uniq work for lists within definitions
2018-10-02 22:12:54 +02:00
7165128fa5
Remove None from AST - fixes None-related test failures
2018-10-02 21:44:37 +02:00
2242fc5ac8
Optimize the boolean expressions in the AST before generating output
...
Add code optimizing the boolean expressions in the abstract syntax tree
before generating output using the backend.
The main idea behind optimizing the AST is that less repeated terms is
generally better for backend performance. This is especially relevant
to backends that do not perform any query language optimization down
the road, such as those that generate code.
The following optimizations are currently performed:
- Removal of empty OR(), AND()
- OR(X), AND(X) => X
- OR(X, X, ...), AND(X, X, ...) => OR(X, ...), AND(X, ...)
- OR(X, OR(Y)) => OR(X, Y)
- OR(AND(X, ...), AND(X, ...)) => AND(X, OR(AND(...), AND(...)))
- NOT(NOT(X)) => X
A common example for when these suboptimal rules actually occur in
practice is when a rule has multiple alternative detections that are
OR'ed together in the condition, and all of the detections include a
common element, such as the same EventID.
This implementation is not optimized for performance and will perform
poorly on very large expressions.
2018-10-02 21:14:25 +02:00
85f0ddd188
Delete win_alert_LSASS_access.yml
2018-10-02 16:48:09 +02:00
19e2bad96e
Delete sysmon_powershell_DLL_execution.yml
2018-10-02 08:56:09 +02:00
daddec9217
Delete sysmon_powershell_AMSI_bypass.yml
2018-10-02 08:55:48 +02:00
aafe9c6dae
Delete sysmon_lethalHTA.yml
2018-10-02 08:55:19 +02:00
f29ffc0697
Merge pull request #174 from esebese/patch-1
...
sysmon_susp_run_key_img_folder.yml - Rule simplification
2018-10-01 14:24:54 +02:00
bbddcd0f9a
Merge pull request #176 from Karneades/fix-missing-list-handling
...
Add missing event id list handling in PowerShell backend
2018-10-01 14:23:48 +02:00
468af42de5
Add missing event id list handling in PowerShell backend
2018-09-29 14:43:28 +02:00
f2d83a5a00
Merge pull request #175 from Karneades/fix-powershell-backend
...
Improve default field handling in PowerShell backend
2018-09-29 14:08:30 +02:00
c289484c5c
Improve default field handling in PowerShell backend
2018-09-29 12:29:44 +02:00
dec7568d4c
Rule simplification
...
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
2018-09-28 10:58:50 +03:00
1c2431f33b
Merge pull request #169 from Karneades/fix-aggregation-exeption
...
Add rule filename to "not implemented" exception output
2018-09-26 11:50:25 +02:00
451c18628d
Merge pull request #170 from Karneades/fix-suspicious-cli
...
Add group by to windows multiple suspicious cli rule
2018-09-26 11:49:57 +02:00
38d17e5169
Merge pull request #173 from b2az/patch-1
...
Missing Character
2018-09-26 11:49:17 +02:00
a2c6f344ba
Lower case T
2018-09-26 11:44:12 +02:00
f35308a4d3
Missing Character
...
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
2018-09-26 11:40:24 +02:00
815236449b
Added PowerShell as target, updated project list
2018-09-24 13:44:14 +02:00
d0a527af5e
Merge pull request #172 from Karneades/powershell-backend
...
Add initial version of the PowerShell backend
2018-09-24 13:30:24 +02:00
14337a2aac
Tests: PowerShell backend tests
2018-09-24 13:23:38 +02:00
2766d8f881
Merge pull request #171 from Karneades/fix-certutil
...
Fix CommandLine in rule sysmon_susp_certutil_command
2018-09-24 07:51:07 +02:00
c66b00356d
Add initial version of PowerShell backend
...
* Add PowerShell backend
* Add PowerShell config file
State: Work in progress :)
See https://github.com/Neo23x0/sigma/issues/94
2018-09-23 21:41:48 +02:00
edf8dde958
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
c73a9e4164
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
...
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.
We could also use both the Image path and the Command Line.
Message : Process Create:
Image: C:\Windows\SysWOW64\certutil.exe
CommandLine: certutil xx -decode xxx
Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
cc82207882
Add group by to win multiple suspicious cli rule
...
* For the detection it's important that these cli
tools are started on the same machine for alerting.
2018-09-23 19:38:23 +02:00
fe6f4c7475
Add rule filename to exception output for unsupported aggregation
2018-09-23 19:12:50 +02:00
81515b530c
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
1d12fc290c
Added Winlogbeat configuration
2018-09-20 12:08:11 +02:00
2fbf17ff34
Addition and resolution of field mapping chains explicitely checks for list
2018-09-13 16:22:29 +02:00
41a8ef2fd9
Implemented resolve_fieldname in FieldMappingChain
2018-09-13 14:56:31 +02:00
2330306db1
Added merged field mapping and log sources dict to config chain
2018-09-13 14:55:05 +02:00
ba76f04fe6
Merging of raw configurations in configuration chains
2018-09-13 13:49:36 +02:00
d81946df39
Stacked configurations
...
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration
Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
2018-09-12 23:40:22 +02:00
210f7ac044
Rewrote logsource definition merging to set generator
2018-09-12 22:29:51 +02:00
13276ecf31
Rule: AV alerts - webshells
2018-09-09 11:04:27 +02:00
e5c7dd18de
Rule: AV alerts - relevant files
2018-09-09 11:04:27 +02:00
Michael H