security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,835 Commits 1 Branch 57 Tags
22f5bed4fa62846e31c584c4db5bda3b699e2d49
Commit Graph

8209 Commits

Author SHA1 Message Date
Florian Roth aee70235f6 Update proc_creation_win_susp_rundll32_spawn_explorer.yml 2022-04-28 14:09:53 +02:00
David André ab59018d26 Added newline at end of file 2022-04-28 11:37:38 +02:00
David André fd63f4800d Merge branch 'SigmaHQ:master' into rundll_spawn_explorer 2022-04-28 09:10:54 +02:00
David ANDRE 8f059c2545 Added condition and corrected spaces 2022-04-27 21:47:58 +02:00
Florian Roth 7e3064e032 fix: selection identifier 2022-04-27 17:39:01 +02:00
Florian Roth e237560c07 rule: KrbRelay 2022-04-27 17:37:10 +02:00
Florian Roth f98279bf1f rule: Cube0x0 tools 2022-04-27 17:36:57 +02:00
David ANDRE 53fc5581a2 Changed title 2022-04-27 17:21:36 +02:00
David ANDRE 1ac42b1a23 Added rule windows suspicious rundll32 spawning explorer 2022-04-27 17:18:04 +02:00
Florian Roth 382dacf5d7 Merge branch 'master' into aurora-false-positive-fixing 2022-04-27 15:05:48 +02:00
Florian Roth ce40d0b80a fix: removing Level based filter 2022-04-27 15:04:39 +02:00
Florian Roth eff701c249 Merge pull request #2951 from SigmaHQ/rule-devel 
Improved KrbRelayUp rules
 2022-04-27 12:02:26 +02:00
Florian Roth b7e064dc23 fix: FP with SYSTEM user rule 2022-04-27 12:01:58 +02:00
Florian Roth 84935bbcc6 refactor: tightened krbrelayup rule 2022-04-27 11:54:51 +02:00
Florian Roth 787bb9b32c refactor: adding OriginalFilename for better coverage 2022-04-27 11:30:09 +02:00
Florian Roth a4b871acfb Merge pull request #2950 from SigmaHQ/rule-devel 
rules: KrbRelayUp, EventVwr bypass
 2022-04-27 11:04:01 +02:00
Florian Roth 5f95b88a52 Revert "refactor: field IpAddress in ID 4624/4625 refactoring" 
This reverts commit a6e7866faa.
 2022-04-27 10:54:41 +02:00
Florian Roth 8fdae70307 Create file_event_win_uac_bypass_eventvwr.yml 2022-04-27 10:54:36 +02:00
Florian Roth 182c81af5a Create win_susp_krbrelayup.yml 2022-04-27 10:54:33 +02:00
Florian Roth 1254fbd8d0 Merge pull request #2948 from redsand/sysmon_crash 
Sysmon crash
 2022-04-27 10:44:49 +02:00
Florian Roth 82f297573b Merge pull request #2947 from redsand/win_lsasrv_ntlmv1 
Detect the presence of ntlm1 in use on boot or 1st time
 2022-04-27 10:44:39 +02:00
Florian Roth a6e7866faa refactor: field IpAddress in ID 4624/4625 refactoring 2022-04-27 10:02:01 +02:00
Florian Roth f5c39d5cd2 Update win_lsasrv_ntlmv1.yml 2022-04-27 09:40:56 +02:00
Florian Roth 3c21c8ab00 Update win_system_application_sysmon_crash.yml 2022-04-27 09:39:56 +02:00
Florian Roth f7e51bf18b Merge pull request #2946 from SigmaHQ/rule-devel 
rule: suspicious powershell sub processes
 2022-04-27 08:55:02 +02:00
Tim Shelton 613d49bd56 Detect sysmon crash 2022-04-26 19:27:47 +00:00
Tim Shelton 12ac0f7de1 updating level 2022-04-26 18:41:58 +00:00
Tim Shelton 62b0b2fcf7 Detect the presence of ntlm1 in use on boot or 1st time 2022-04-26 18:38:57 +00:00
Florian Roth 5b2374475d fix: FP with whoami child 2022-04-26 17:28:17 +02:00
Florian Roth 55133898ee Revert "rule: suspicious PowerShell sub processes" 
This reverts commit e9adb6a8ca.
 2022-04-26 17:05:41 +02:00
Florian Roth e9adb6a8ca rule: suspicious PowerShell sub processes 2022-04-26 17:04:39 +02:00
Florian Roth 1724c6378c Merge pull request #2945 from SigmaHQ/rule-devel 
Refactoring and KrbRelayUp rule
 2022-04-26 16:55:30 +02:00
Florian Roth f743062963 rule: KrbRelayUp usage 2022-04-26 16:43:50 +02:00
Florian Roth 0a55406444 fix: wording on two rules 2022-04-26 16:43:44 +02:00
Florian Roth cd069c2cbe Merge branch 'master' into rule-devel 2022-04-26 15:34:33 +02:00
Florian Roth f0253eb67d some fixes and refactoring 2022-04-26 15:32:56 +02:00
Hendrik Baecker d0bc498d9b String 2 Int for EventIDs 2022-04-26 15:12:42 +02:00
frack113 914a2c71c8 Merge pull request #2940 from frack113/redcannary_20220424 
Redcannary T1218.007
 2022-04-26 06:23:09 +02:00
frack113 d638ff8da7 Merge pull request #2939 from frack113/colibri_malware 
Colibri malware
 2022-04-26 06:22:21 +02:00
Aegide 06954761ab Update proc_creation_win_susp_whoami.yml 
minor typo
 2022-04-25 21:11:06 +02:00
frack113 fe4916e718 add proc_creation_win_msiexec_dll 2022-04-24 15:03:27 +02:00
frack113 eec8437dc2 Add posh_ps_win32_product_install_msi 2022-04-24 12:49:00 +02:00
Florian Roth 5abfbe1730 Merge pull request #2938 from thack1/rule-keepass 
rule: KeePass password dumping
 2022-04-23 20:10:49 +02:00
frack113 f14da5a3d3 Merge pull request #2935 from mportatoes/patch-1 
Create zeek_dns_nkn.yml
 2022-04-23 18:47:59 +02:00
frack113 97c2e25f1a Fix title 2022-04-23 18:35:23 +02:00
frack113 85c98af009 Add file_event_win_susp_get_variable 2022-04-23 18:29:58 +02:00
Timon Hackenjos 649d2b2a22 rule: KeePass password dumping 2022-04-23 18:25:11 +02:00
frack113 468e51af3b Add a ref 2022-04-23 10:05:27 +02:00
mportatoes b912a87a9c Update zeek_dns_nkn.yml 2022-04-22 07:26:25 -05:00
mportatoes 8d70818e05 Create zeek_dns_nkn.yml 2022-04-21 15:04:19 -05:00