security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
9,904 Commits 1 Branch 57 Tags
16fed13bb0636b32e83d5851a572e2d21145f087
Commit Graph

9904 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
frack113 16fed13bb0 Order files 2022-02-04 10:52:55 +01:00
frack113 c54e18dea9 Windows Redcannary 2022-02-04 10:49:50 +01:00
frack113 177fab2700 Merge pull request #2634 from frack113/phantom 
add image_load_susp_advapi32_dll
 2022-02-04 06:28:59 +01:00
Florian Roth 48aeae8ca9 Merge pull request #2631 from JSHOX1/patch-1 
Create win_susp_ntlm_brute_force.yml
 2022-02-04 00:49:27 +01:00
Florian Roth ed1fbb9de2 Merge pull request #2638 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2022-02-03 22:31:13 +01:00
Florian Roth e6fb282064 Merge pull request #2637 from ruppde/master 
Update win_av_relevant_match.yml
 2022-02-03 22:28:19 +01:00
frack113 2887cf2800 Merge pull request #2623 from frack113/red_t1555_003 
Redcannary windows
 2022-02-03 22:23:19 +01:00
Florian Roth f9fec99992 Merge pull request #2600 from calebstewart/issue/2599/es-eql-char-escaping 
Add reEscape config to ElasticsearchEQLBackend
 2022-02-03 22:04:50 +01:00
Florian Roth 20463ed18e Update win_susp_ntlm_brute_force.yml 2022-02-03 22:02:33 +01:00
Florian Roth 84660da583 Update image_load_susp_advapi32_dll.yml 2022-02-03 22:00:24 +01:00
Florian Roth 46f094d6f9 Merge pull request #2635 from SigmaHQ/rule-devel 
refactor: avoid regex use
 2022-02-03 21:56:58 +01:00
Florian Roth 0e5846aced fix: remove new line 2022-02-03 21:54:16 +01:00
Florian Roth 15dfdd8262 fix: FPs noticed with Aurora 2022-02-03 21:53:26 +01:00
Arnim Rupp aab00905f1 Update win_av_relevant_match.yml 
Add Ransomware and Cobalt Strike strings.
 2022-02-03 21:43:42 +01:00
Florian Roth 6ce92b27be refactor: more regex avoidance 2022-02-03 20:05:10 +01:00
Florian Roth 8c07a51ab9 fix: non-ascii character in description 2022-02-03 19:52:07 +01:00
Florian Roth b715894497 refactor: avoid regex use 2022-02-03 19:48:19 +01:00
frack113 1ac80bebf8 add image_load_susp_advapi32_dll 2022-02-03 18:54:34 +01:00
frack113 d1268d040c Change status and related 2022-02-03 06:53:50 +01:00
frack113 8eeadb9beb Add other browser 2022-02-03 06:38:43 +01:00
Florian Roth f85e598dbe Merge pull request #2632 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-02 22:49:26 +01:00
JSHOX1 8d9c2a946b Update win_susp_ntlm_brute_force.yml 2022-02-02 16:19:09 -05:00
JSHOX1 81292263ba Update win_susp_ntlm_brute_force.yml 2022-02-02 16:18:20 -05:00
Florian Roth 20a7bad5d8 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-02 20:40:21 +01:00
Florian Roth 885651efae fix: FPs noticed with Aurora 2022-02-02 20:39:47 +01:00
Florian Roth ed493accf5 Merge pull request #2627 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing; Double backslash escaping fix
 2022-02-02 18:39:51 +01:00
Florian Roth 013670445f Merge pull request #2625 from BlackB0lt/patch-23 
Update sysmon_process_hollowing.yml
 2022-02-02 18:39:28 +01:00
Florian Roth d2e741cf9a Merge pull request #2628 from frack113/redcannay_t1553_005 
Windows Redcannary T1553.005
 2022-02-02 18:38:55 +01:00
JSHOX1 1346d93e95 Update win_susp_ntlm_brute_force.yml 2022-02-02 12:25:07 -05:00
JSHOX1 50fb36c4cb Create win_susp_ntlm_brute_force.yml 2022-02-02 09:24:13 -05:00
Florian Roth ef955b92ae Merge branch 'master' into aurora-false-positive-fixing 2022-02-02 13:49:23 +01:00
Florian Roth cb8a0a6e73 Revert "fix: FPs with GoogleDrive update" 
This reverts commit 86f3302a33.
 2022-02-02 13:49:06 +01:00
Florian Roth 4b09e643c2 fix: condition in malware back connect rule 2022-02-02 13:48:56 +01:00
Florian Roth 8a9ae4d401 Merge pull request #2630 from phantinuss/master 
Rule FP Tuning
 2022-02-02 13:23:30 +01:00
phantinuss b627c62fe8 fix: filter out googledrivesync.exe FP 2022-02-02 12:25:55 +01:00
Florian Roth 86f3302a33 fix: FPs with GoogleDrive update 2022-02-02 11:45:42 +01:00
phantinuss a22d57fc87 fix: rename filter 2022-02-02 11:12:39 +01:00
phantinuss 2d36c6222d fix: FPs found in prod environment 2022-02-02 11:03:19 +01:00
phantinuss 65c3a72715 fix: used in legitimate microsoft scripts 2022-02-02 11:00:43 +01:00
Florian Roth 52e4aeca69 Merge pull request #2629 from markus-nclose/master 
CobaltStrike typo
 2022-02-02 09:45:18 +01:00
frack113 4d28fb5320 Merge pull request #2626 from frack113/update_wdigest 
Fix FP sysmon_wdigest_enable_uselogoncredential
 2022-02-02 06:35:13 +01:00
frack113 120436bdb4 Update filter 2022-02-02 06:34:32 +01:00
markus-nclose 4c2a3c3036 CobaltStrike typo 
This typo keeps sneaking back in - critical for detection. 
Spelling correct according to https://www.nextron-systems.com/wp-content/uploads/2018/09/Antivirus_Event_Analysis_CheatSheet_1.5-2.pdf
 2022-02-02 07:31:48 +02:00
Florian Roth f357c73554 Merge branch 'master' into aurora-false-positive-fixing 2022-02-01 19:50:21 +01:00
frack113 3c0f4b79c9 Windows Redcannary T1553.005 2022-02-01 18:41:53 +01:00
Florian Roth 7f9fd3ea63 Update sysmon_process_hollowing.yml 2022-02-01 16:01:27 +01:00
Florian Roth ca8aa9bb62 fix: missing update in modified date 2022-02-01 15:59:20 +01:00
Florian Roth 6c2dea3a8c fix: FPs noticed with Aurora 2022-02-01 15:57:44 +01:00
Florian Roth 9fc06fb027 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-01 15:57:20 +01:00
Florian Roth 6efa5da3dc fix: unescaped double back slashes 2022-02-01 15:57:15 +01:00