Commit Graph

9844 Commits

Author SHA1 Message Date
Florian Roth 358e8a567e Merge pull request #3474 from SigmaHQ/aurora-false-positive-fixing
fix: schtasks in suspicious parents rule
2022-09-08 09:09:26 +02:00
Florian Roth de68bf5559 fix: schtasks in suspicious parents rule 2022-09-08 09:00:58 +02:00
frack113 6813043323 Merge pull request #3468 from nasbench/nasbench-rule-devel
Rule Devel
2022-09-08 06:29:36 +02:00
frack113 6fea0e2c79 Merge pull request #3471 from qasimqlf/patch-5
Update proc_creation_win_bad_opsec_sacrificial_processes.yml
2022-09-08 06:28:25 +02:00
Nasreddine Bencherchali b70ac17676 Fix 2022-09-07 21:58:22 +02:00
Florian Roth 43b56fed23 Merge pull request #3472 from SigmaHQ/rule-devel
rules: SysmonEnte, SharpEvtMute, sdelete rework
2022-09-07 21:06:03 +02:00
Florian Roth 1641f4590a fix: duplicate UUIDs 2022-09-07 17:12:12 +02:00
Florian Roth a69d256367 rule: SharpEvtMute 2022-09-07 16:33:52 +02:00
Florian Roth 2ac92283e6 indentation and new hashes 2022-09-07 16:05:48 +02:00
Florian Roth b293a7a181 refactor: SysmonEnte, SharpEvtMute, SysmonQuiet 2022-09-07 16:01:05 +02:00
Florian Roth 6f1ff59027 SysmonEnte Hashes 2022-09-07 15:29:09 +02:00
Florian Roth e4dea01521 Merge pull request #3469 from phantinuss/master
fix: new FP with Onedrive
2022-09-07 14:35:18 +02:00
Florian Roth 6ad167a4f3 rule: SysmonEnte usage 2022-09-07 14:33:44 +02:00
Nasreddine Bencherchali 88e9794a74 Update proc_creation_win_system_exe_anomaly.yml 2022-09-07 14:15:10 +02:00
Nasreddine Bencherchali c6dc31fb48 Remove duplicate casing
Removed cased names as SIGMA is case insensitive and the logs should be searched case insensitively
2022-09-07 14:07:04 +02:00
Qasim Qlf bdccc5440a Update proc_creation_win_bad_opsec_sacrificial_processes.yml 2022-09-07 15:28:06 +05:00
Nasreddine Bencherchali df257caa4c Update create_stream_hash_susp_ip_domains.yml 2022-09-07 12:17:18 +02:00
Nasreddine Bencherchali dc90e08f3e More updates 2022-09-07 12:02:09 +02:00
Nasreddine Bencherchali 62f5b327fa Update proc_creation_win_inline_win_api_access.yml 2022-09-06 23:04:48 +02:00
Nasreddine Bencherchali f952c02a5f Update after review 2022-09-06 22:59:24 +02:00
nasreddine.bencherchali@nextron-systems.com 1e2a894c2e Update posh_ps_adrecon_execution.yml 2022-09-06 17:19:46 +02:00
Nasreddine Bencherchali 4f69b7058f Update proc_creation_win_inline_win_api_access.yml 2022-09-06 16:57:55 +02:00
phantinuss 513922de9c fix: new FP with Onedrive 2022-09-06 16:53:53 +02:00
Nasreddine Bencherchali 7abe4a7c50 Update proc_creation_win_nslookup_poweshell_download.yml 2022-09-06 16:42:53 +02:00
Tim Shelton 70f9a16149 FIX: fixes missing string indicator. does not pass validate() check inside base.py 2022-09-06 13:11:37 +00:00
Florian Roth 5de8a1b2f6 Merge pull request #3464 from YamatoSecurity/rule--nslookup-pwsh-download-cradle
rule add: nslookup pwsh download cradle
2022-09-06 11:21:15 +02:00
Florian Roth 4cdd5a5fec Update proc_creation_win_nslookup_pwsh_download_cradle.yml 2022-09-06 10:53:10 +02:00
Florian Roth d8d5ec09f2 Merge pull request #3463 from frack113/folder_exe
Add file_event_win_susp_executable_creation
2022-09-06 10:35:41 +02:00
Florian Roth 1fff6c3bb6 Merge branch 'master' into rule-devel 2022-09-06 09:40:07 +02:00
Florian Roth c81f87c333 refactor: renamed sdelete and increased level 2022-09-06 09:39:45 +02:00
Florian Roth 65cc3b2dc8 Update file_event_win_susp_executable_creation.yml 2022-09-06 09:17:35 +02:00
Florian Roth 97d65f4bfd Merge pull request #3465 from SigmaHQ/rule-devel
Havana Ransomware UA
2022-09-06 09:15:31 +02:00
Nasreddine Bencherchali b70e42b206 Create proc_creation_win_inline_win_api_access.yml 2022-09-06 09:14:03 +02:00
Florian Roth efe4d62a54 Merge pull request #3459 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-09-06 08:41:02 +02:00
Nasreddine Bencherchali e7c53dafa1 New rules 2022-09-06 08:05:02 +02:00
Yamato Security 9abdc5ab38 update 2022-09-06 09:12:40 +09:00
Yamato Security b90b4ad3a6 update 2022-09-06 09:03:43 +09:00
Yamato Security a5f5992dcb update 2022-09-06 08:59:20 +09:00
Yamato Security 7c0c8996c6 update 2022-09-06 08:56:39 +09:00
Yamato Security ad6e085124 rule add: nslookup pwsh download cradle 2022-09-06 08:49:45 +09:00
Florian Roth ab6e9551d9 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-09-05 23:01:43 +02:00
Florian Roth f188b9abfd fix: FPs with crypto miner cmdlines 2022-09-05 23:01:42 +02:00
Florian Roth 55d479302d Merge pull request #3460 from frack113/certutil_net
Certutil network connection
2022-09-05 21:06:49 +02:00
frack113 26923f2d83 Add file_event_win_susp_executable_creation 2022-09-05 18:48:40 +02:00
Florian Roth cab6ccc18a Merge branch 'master' into aurora-false-positive-fixing 2022-09-05 16:57:10 +02:00
Florian Roth 96a55cc3cb refactor: extend values 2022-09-05 16:52:01 +02:00
Florian Roth 7b5c887596 fix: FPs with File Creation Date Changed to Another Year 2022-09-05 16:50:49 +02:00
Florian Roth b4cae0d551 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-09-05 16:50:28 +02:00
Florian Roth 69308b035a rule: havana ransomware UA 2022-09-05 16:50:26 +02:00
Florian Roth 468b303660 Update net_connection_win_certutil.yml 2022-09-05 11:59:15 +02:00