1a8cfae6ac
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-10-19 11:42:09 +02:00
a4a127e869
Measurement of test coverage
2017-10-19 11:40:53 +02:00
d9f933fec9
Fixed the fixed PSAttack rule
2017-10-19 09:52:40 +02:00
0b0435bf7a
Fixed PSAttack rule
2017-10-18 21:49:38 +02:00
0895ea88ed
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-10-18 19:05:59 +02:00
5449a12a14
Added GrepBackend
...
Moved field quoting/filtering into QuoteCharMixin
2017-10-18 19:03:38 +02:00
440bf29607
Added Thomas' hack.lu talk
2017-10-18 15:51:58 +02:00
54cf9af0c9
Removed ELK Sysmon config
...
It's contained in ELK Windows config
2017-10-18 15:23:55 +02:00
3418b949f3
Enhanced integration testing by configurations
2017-10-18 15:23:10 +02:00
d7c659128c
Removed unneeded array
2017-10-18 15:12:29 +02:00
deea224421
Rule: New RUN Key Pointing to Suspicious Folder
2017-10-17 16:19:56 +02:00
e6661059c2
Merge remote-tracking branch 'upstream/master'
2017-10-15 11:58:01 -04:00
00baa4ed40
Executables Started in Suspicious Folder
2017-10-14 23:23:04 +02:00
358d1ffba0
Executables Started in Suspicious Folder
2017-10-14 23:22:20 +02:00
45aea1cc8a
Merge remote-tracking branch 'upstream/master'
2017-10-07 15:00:23 -04:00
f4720d5149
APT17 malware UA
...
https://twitter.com/cyb3rops/status/915135877709549568
2017-10-03 12:47:53 +02:00
b8eedfe3f0
Fixes and refactoring of KibanaBackend and XPackWatcherBackend
...
* Moved unnecessary code out of condition loop
* Index specific rule-name not appended to rulename variable used later
from other rule/index.
* Merged condition loop
2017-09-30 23:22:05 +02:00
1d314e326e
sigmac: MultiRuleOutputMixin
...
* Moved rule name generation into mixin
* KibanaBackend and XPackWatcherBackend now use this mixin instead of
doing the same thing in both classes.
2017-09-30 01:03:08 +02:00
b47e3e45a8
Merge branch 'devel-sigmac'
2017-09-22 00:31:22 +02:00
d410adb397
sigmac: X-Pack Watcher backend improvements
...
* Renamed backend class according to convention
* Output types: curl (default) and plain
* Prefix of rule names
* Indices from configuration
* Support for multiple conditions per rule
* Usage of parsed condition
* Support for all condition operators
* Fixed bug preventing from passing multiple options to backend
* Added to CI tests
2017-09-22 00:28:35 +02:00
62eb3b2923
Merge branch 'devel-sigmac' of https://github.com/megadevx/sigma into devel-sigmac-watcher
2017-09-19 23:08:04 +02:00
545e05370f
Added first config for logstash-linux project
...
URL: https://github.com/thomaspatzke/logstash-linux
2017-09-17 00:36:04 +02:00
8ea18af5f9
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-09-17 00:33:47 +02:00
9b65f250a8
Renamed rule file (typo)
2017-09-17 00:32:57 +02:00
a18b8eca52
sigmac: changed backend description for kibana backend
2017-09-17 00:31:25 +02:00
6b8a5aea4a
Added vhost field to web rules
2017-09-17 00:20:17 +02:00
270ab9ba78
Added backend options
...
* generic support for backend-specific options
* kibana backend option for title prefix
2017-09-16 23:46:40 +02:00
cbde0ee5e5
Merge remote-tracking branch 'upstream/master'
2017-09-16 10:03:18 -04:00
c8a66e48b6
sigmac: improved Kibana backend
...
* added fields from rules
* default index if none is matching
2017-09-16 00:39:37 +02:00
d3201229b0
sigmac: Fixed matching of log sources between rules and configuration
2017-09-16 00:32:31 +02:00
9bc8e12a4f
Created a X-Pack Watcher output.
...
This is has only been tested slightly.
2017-09-15 09:49:57 -05:00
135e389334
Created a X-Pack Watcher output.
...
This is has only been tested slightly.
2017-09-15 09:46:37 -05:00
20f9dbb31c
CVE-2017-8759 - Winword.exe > csc.exe
2017-09-15 15:49:56 +02:00
fdb017f626
Merge branch 'master' into devel-sigmac
2017-09-12 23:54:48 +02:00
986c9ff9b7
Added field names to first rules
2017-09-12 23:54:04 +02:00
be891b2912
Merge branch 'master' into devel-sigmac
2017-09-11 10:41:30 +02:00
5c465129bd
Fixed rules
...
* Replaced unspecified logsource attribute 'type' with 'category'
* Usage of service 'auth' for linux logs
2017-09-11 00:35:52 +02:00
e5da26578d
sigmac/kibana backend: index names from configuration
2017-09-11 00:30:01 +02:00
77a3e7ed91
Code cleanup
2017-09-11 00:27:14 +02:00
68cb5e8921
Merge pull request #45 from secman-pl/patch-1
...
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
2017-09-10 22:52:37 +02:00
e2213347ad
Merge remote-tracking branch 'upstream/master'
2017-09-09 11:33:18 -04:00
be3c0cfb89
sigmac: Kibana backend, first version
...
* totally untested!
* only supports searches
* no visualizations/aggregation expressions
* some fields are filled with default values (see code comments)
2017-09-05 00:14:13 +02:00
c5fc74f440
Further backend changes
...
* backends get complete SigmaParser objects instead of condition
* addition of finalize step for backends
* Renaming of output classes
2017-09-04 00:56:04 +02:00
bfe8378455
Rule: Suspicious svchost.exe process
2017-08-31 11:07:45 +02:00
9768f275d0
Update sysmon_susp_regsvr32_anomalies
...
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe.
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
2017-08-29 12:21:47 +02:00
f3f2c14b3a
Added reference to regsvr32 rule
2017-08-29 08:45:29 +02:00
39381305d8
sigmac: Generic Text File Output
...
Moved output logic into generic class.
2017-08-29 00:05:59 +02:00
55f4c37e22
Rule: Microsoft Binary Github Communication
2017-08-24 18:27:40 +02:00
f46e86fbb1
WMI persistence modified
2017-08-24 18:27:40 +02:00
783722e0b2
Merge pull request #44 from h0ng10/patch-1
...
Small Typo fix
2017-08-22 22:55:59 +02:00
Thomas Patzke