security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,224 Commits 1 Branch 57 Tags
179bfa7d5607328ec6dbb5db1c0b44dd53df8754
Commit Graph

1628 Commits

Author SHA1 Message Date
Florian Roth 39900bb7c5 refactor: re-add exec seldction 2021-05-27 19:24:20 +02:00
Florian Roth 9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth c3ab7d19f1 Merge pull request #1515 from jbeley/master 
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
 2021-05-27 18:22:16 +02:00
Florian Roth 431f34b985 fix: other locations 
https://twitter.com/ber_m1ng/status/1397948048135778309
 2021-05-27 18:12:20 +02:00
Florian Roth a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth fa45298474 Merge pull request #1516 from SigmaHQ/rule-devel 
Update win_susp_regedit_trustedinstaller.yml
 2021-05-27 17:48:48 +02:00
Jeff Beley f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth 61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth 71625c54f0 Merge pull request #1514 from SigmaHQ/rule-devel 
ProcessHacker rule, NCCGroup rclone rules
 2021-05-27 16:30:30 +02:00
Florian Roth d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth ea430c8823 Merge pull request #1471 from d4rk-d4nph3/master 
Updated rule for Advanced IP Scanner and new rule for PowerView
 2021-05-27 12:55:03 +02:00
Florian Roth 059e669ac6 Merge pull request #1496 from frack113/falsepositives_NOT_a_list 
Fix rule where Falsepositives not a valid value
 2021-05-27 12:51:54 +02:00
Florian Roth c0b93a010c NCCGroup rules from rclone blog post 
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 2021-05-27 12:49:40 +02:00
Florian Roth 7812a4217c rule: regedit as trustedinstaller 2021-05-27 11:36:05 +02:00
Florian Roth b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Florian Roth 8aabb58eca Merge pull request #1498 from w0rk3r/otrf 
Update broken OTRF Threat Hunter Playbook References
 2021-05-26 13:06:16 +02:00
frack113 afb3d63900 fix typo of fields 2021-05-24 10:37:14 +02:00
frack113 1fcd0bf951 fix typo of fields 2021-05-24 10:34:56 +02:00
Florian Roth 576e047e76 Delete win_susp_Register_cimprovider.yml 2021-05-22 15:43:41 +02:00
Florian Roth 4c281d117c fix: bug in rule syntax 2021-05-22 15:31:23 +02:00
Florian Roth 7e1ac347ef Merge branch 'master' into rule-devel 2021-05-22 15:27:32 +02:00
Florian Roth c0d58cb7f9 PAExec and PSexec rules 2021-05-22 10:52:01 +02:00
Jonhnathan 7f335cbb4a Update Threat Hunter Playbook Reference 2021-05-22 01:08:23 -03:00
Jonhnathan 34e2a81371 Update Threat Hunter Playbook Reference 2021-05-22 01:04:53 -03:00
Jonhnathan 89cfef9d49 Update Threat Hunter Playbook Reference 2021-05-22 01:04:20 -03:00
frack113 a9e85ca58e Fix falsepositives list 2021-05-21 12:22:36 +02:00
frack113 f4be70aa9e Fix falsepositives list 2021-05-21 12:19:17 +02:00
frack113 f312663820 Fix falsepositives list 2021-05-21 11:29:17 +02:00
frack113 6878bfade9 Fix falsepositives list 2021-05-21 11:17:36 +02:00
Florian Roth a0efd7a4dc Merge pull request #1494 from Karneades/patch-1 
Add keyword WinRM to remote powershell rules
 2021-05-21 10:35:18 +02:00
Andreas Hunkeler e58c59dcfd Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00
Florian Roth a30391f3b4 Merge pull request #1495 from SigmaHQ/rule-devel 
rule refactoring: Cobalt Strike service start
 2021-05-20 17:43:29 +02:00
Andreas Hunkeler 93241e7fc6 Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler 3763e54b99 Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Florian Roth ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
Florian Roth 5a3af872d8 Merge pull request #1479 from SigmaHQ/rule-devel 
Rule devel, Trademark test
 2021-05-15 13:42:34 +02:00
Florian Roth a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
frack113 ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113 cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
Bhabesh Rai 48487385ef Preserved creation date 2021-05-11 19:17:32 +05:45
Florian Roth 7bc733a3cf Merge pull request #1473 from frack113/master 
Correct the sysmon case-sensitive Key
 2021-05-11 14:59:20 +02:00
Florian Roth 0fcbce9932 Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml 
Got Rid of References that are no longer valid.
 2021-05-11 14:32:47 +02:00
frack113 f07c368ae0 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113 c4c720cc30 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113 720dd24814 Correct cast-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
Bhabesh Rai d90965af38 Updated rule for Advanced IP Scanner 2021-05-10 20:28:37 +05:45
Florian Roth 67e807983c Merge pull request #1470 from SigmaHQ/rule-devel 
New CS rule for malformed UAs, FP fixes
 2021-05-10 13:40:27 +02:00
Florian Roth fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00