security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,515 Commits 1 Branch 57 Tags
13f86e93336bd4e7368d4e90cdbc8cf4613f7fd8
Commit Graph

653 Commits

Author SHA1 Message Date
Florian Roth 13f86e9333 Merge pull request #296 from Karneades/patch-1 
Remove backslashes in CommandLine for sticky key rule
 2019-04-03 19:44:02 +02:00
yt0ng e0459cec1c renamed file 2019-04-03 17:39:17 +02:00
t0x1c-1 7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown 9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades 865d971704 Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
 2019-04-03 16:16:18 +02:00
Thomas Patzke 8e854b06f6 Specified source to prevent EventID collisions 
Issue #263
 2019-04-01 23:45:55 +02:00
Florian Roth e473efb7c3 Trying to fix ATT&CK framework tag 2019-04-01 10:36:35 +02:00
Florian Roth 3f2ce4b71f Lowered level to medium 2019-04-01 09:47:14 +02:00
t0x1c-1 51c42a15a7 Allow Incoming Connections by Port or Application on Windows Firewall 2019-04-01 08:16:56 +02:00
Florian Roth ffac77fb37 Rule: extended LockerGoga description 2019-03-22 11:03:48 +01:00
Florian Roth 1adb040e0b Rule: LockerGoga 2019-03-22 10:59:31 +01:00
Florian Roth 2ad2ba9589 fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00
Thomas Patzke be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00
Thomas Patzke 8512417de0 Incorporated MITRE CAR mapping from #55 2019-03-16 00:03:27 +01:00
yugoslavskiy 33db032a16 added missed service 2019-03-14 00:44:26 +01:00
Florian Roth 95b47972f0 fix: transformed rule to new proc_creation format 2019-03-12 09:03:30 +01:00
Florian Roth c4003ff410 Merge pull request #264 from darkquasar/master 
adding rule win-susp-mshta-execution.yml
 2019-03-11 23:50:56 +01:00
Yugoslavskiy Daniil 5d54e9c8a1 nbstat.exe -> nbtstat.exe 2019-03-11 19:28:29 +01:00
Yugoslavskiy Daniil c22265c655 updated detection logic 2019-03-11 16:58:57 +01:00
Tareq AlKhatib 783d8c4268 Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
Tareq AlKhatib 075df83118 Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
Thomas Patzke 3c1948f089 Merge pull request #277 from megan201296/patch-18 
Remove invalid link
 2019-03-07 23:49:13 +01:00
Yugoslavskiy Daniil 475113b1c1 fixed incorrect date format 2019-03-07 22:52:11 +01:00
megan201296 c2a16591af Remove invalid link 
Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement but went better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
 2019-03-07 14:22:29 -06:00
Florian Roth 83c0c71bc7 Reworked for process_creation rules 2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil cb7243de5d fixed wrong tags 2019-03-06 06:18:38 +01:00
Yugoslavskiy Daniil 8bec627ff1 fixed multiple tags issue 2019-03-06 06:09:37 +01:00
Yugoslavskiy Daniil 5154460726 changed service to product 2019-03-06 05:57:01 +01:00
Yugoslavskiy Daniil 05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy 725ab99e90 Merge pull request #1 from AverageS/master 
Fix rules
 2019-03-06 04:31:01 +01:00
Wydra Mateusz 534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz bb95347745 rules update 2019-03-06 00:43:42 +01:00
mrblacyk 6232362f04 Missing tags 2019-03-06 00:16:40 +01:00
mrblacyk 07807837ee Missing tags 2019-03-06 00:02:37 +01:00
mikhail be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail 40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk 99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Florian Roth 7b3d67ae66 fix: bugfix in new proc creation rule 2019-03-02 11:28:13 +01:00
Florian Roth 1a583c158d fixed typo as in pull request by @m0jtaba 2019-03-02 08:16:25 +01:00
Florian Roth 2188001f98 Extended filter list provided by @Ov3rflow 2019-03-02 08:13:29 +01:00
Florian Roth bd4e61acd8 Merge pull request #271 from vburov/patch-4 
Update win_susp_failed_logon_reasons.yml
 2019-03-02 07:21:28 +01:00
Florian Roth f80cf52982 Expired happens too often 
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
 2019-03-02 07:20:59 +01:00
Thomas Patzke 56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Thomas Patzke 7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
 2019-03-02 00:14:20 +01:00
Vasiliy Burov 7bebedbac1 Update win_susp_failed_logon_reasons.yml 
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
 2019-03-01 18:18:39 +03:00
Florian Roth f560e83886 Added modified date 2019-03-01 12:07:31 +01:00
Florian Roth fc683ac7ee Added error code for denied logon type 2019-03-01 12:06:54 +01:00
Thomas Patzke 6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
darkquasar 155e273a1c adding rule win-susp-mshta-execution.yml 2019-02-27 15:55:39 +11:00