security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
4,012 Commits 1 Branch 57 Tags
230562bdf6c0bb3a040ae2afae9773247dc5acd6
Commit Graph

2560 Commits

Author SHA1 Message Date
Florian Roth c3785d6dc7 rule: FPs with WmiPrvSE rule 2020-11-05 16:44:33 +01:00
Florian Roth 908023fa66 rule: added second expression 2020-11-04 16:43:35 +01:00
Florian Roth f848bb912c rule: reworked weblogic CVE-2020-14882 rule 2020-11-03 10:39:40 +01:00
Florian Roth dd0d1d053c rule: WebLogic exploit CVE-2020-14882 2020-11-02 11:11:37 +01:00
Florian Roth 75637324e0 feat: cover newest emotet campaigns 2020-10-23 23:44:48 +02:00
Florian Roth ee789a309c fix: FP with expression 2020-10-20 13:11:10 +02:00
Florian Roth 198b292c26 rule: emotet encoded commands 2020-10-20 12:51:58 +02:00
Florian Roth 48f1be04d4 fix: ping hex ip rule 2020-10-16 10:06:24 +02:00
Florian Roth 3affdd12e0 fix: rule title casing 2020-10-12 09:51:35 +02:00
Florian Roth 0d0cda0f86 docs: improved false positive notes 2020-10-12 09:18:42 +02:00
Florian Roth e7c6794ecd rule: suspicious wmic process call create + rundll32 2020-10-12 09:18:30 +02:00
Florian Roth 2e732eb01f Merge branch 'master' into rule-devel 2020-10-12 09:13:24 +02:00
Florian Roth c56cd2dfff Merge pull request #1024 from omkar72/master 
Com hijack shell folder
 2020-10-02 09:24:16 +02:00
omkargudhate22 4487d9cc7e added event type & changed technique 2020-10-02 09:22:14 +05:30
Florian Roth d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted 
https://github.com/Neo23x0/sigma/issues/1028
 2020-09-30 08:53:52 +02:00
Florian Roth c17ca6d5fe Merge pull request #1018 from savvyspoon/wcry-dns 
WannaCry Killswitch domain DNS query
 2020-09-29 09:27:21 +02:00
omkargudhate22 68a992d903 updated name 2020-09-27 21:57:19 +05:30
omkargudhate22 e7c8197e34 Updated fields & renamed 2020-09-27 21:52:59 +05:30
omkargudhate22 ebe3dce1d7 Update sysmon_comhijack_uac_bypass.yml 2020-09-27 21:44:41 +05:30
omkar72 3f148e6c7c COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt. 2020-09-27 21:19:04 +05:30
Florian Roth d7d9c0e772 Merge pull request #1021 from hieuttmmo/master 
Sigma rule to detect AdFind.exe execution
 2020-09-27 09:50:41 +02:00
Florian Roth 8020fe3c40 false positive condition 2020-09-26 17:03:29 +02:00
Florian Roth 60795f7050 Update win_susp_adfind.yml 
Fear that a simple adfind.exe causes too many false positives
 2020-09-26 17:02:39 +02:00
Florian Roth dbdd758365 Duplicate Rule 
we already have a rule for that
 2020-09-26 17:01:32 +02:00
Tran Trung Hieu d4dd0600ad Fix logsource service to process_creation 2020-09-26 21:45:23 +07:00
Tran Trung Hieu c756fc8576 Detect Suspicious AdFind Execution 2020-09-26 21:34:06 +07:00
Mike Wade f76f80db80 Killswitch domain 2020-09-16 20:32:31 -06:00
Mike Wade 7b1ef9ea64 fixing test runner issues 2020-09-15 15:45:33 -06:00
Mike Wade 6ed36b0e41 fixed issues with tabs and duplicate tags 2020-09-15 08:52:00 -06:00
Florian Roth 2cd9b794e6 Merge pull request #1007 from d4rk-d4nph3/master 
Windows Defender AMSI Trigger Detected
 2020-09-15 15:45:00 +02:00
Remco Hofman 6cadfa5b2b Added win_vul_cve_2020_1472 rule 2020-09-15 15:13:53 +02:00
Mike Wade 1ddba05eb2 Second round 2020-09-15 07:02:30 -06:00
Mike Wade da9b32bdd6 we 2020-09-15 06:24:44 -06:00
Mike Wade 8ce73bd8df Fixed issues with tags and missing files 2020-09-15 06:10:57 -06:00
Thomas Patzke 378d9c94cf Merge branch 'master' of https://github.com/socprime/sigma into pr-981 2020-09-15 12:14:49 +02:00
Florian Roth 50db6dcc69 Merge pull request #1002 from scottdermott/master 
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
 2020-09-15 08:17:02 +02:00
Bhabesh Rai 03c7d751c0 Windows Defender AMSI Trigger Detected 2020-09-14 18:10:38 +05:45
Mike Wade 57cae0ded1 Fixed reference typo 2020-09-13 22:07:43 -06:00
Mike Wade 52ab677798 Fixed my git issue 2020-09-13 22:03:04 -06:00
Mike Wade 249c255435 No Idea why these files are deleted 2020-09-13 22:00:30 -06:00
Yugoslavskiy Daniil 1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Dermott, Scott J c72ac8f73e Merge branch 'master' of https://github.com/scottdermott/sigma 2020-09-11 16:19:54 +01:00
Scott Dermott 1f50e0af35 + Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx) 
AD Connect on premise AD accounts to Azure AD.  The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account.  The AD Connect application is installed on a member server (i.e. not on a DC).  
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
 2020-09-11 16:06:51 +01:00
Tran Trung Hieu 49ba107dce Fixed Title 2020-09-10 17:36:37 +07:00
Tran Trung Hieu f7d5240d40 Added UID, fixed rule description 2020-09-10 17:20:16 +07:00
Tran Trung Hieu 1b6c6ec5bf Detects a suspicious activities of MpCmdRun.exe, which could be an action for downloading a file from the internet using Windows Defender 2020-09-10 17:16:06 +07:00
Florian Roth 7d6043bd0d rule: reworked suspicious user agents 2020-09-10 10:33:11 +02:00
Bhabesh Rai ed059a9831 Added Credential Dumping by LaZagne 2020-09-09 18:27:14 +05:45
Florian Roth de5444a81e Merge pull request #989 from oscd-initiative/master 
[OSCD Initiative][ATT&CK tags update]
 2020-09-08 13:27:58 +02:00
Florian Roth af3b93a522 Merge pull request #914 from omergunal/ogunal-2 
New rules for Linux
 2020-09-07 09:41:43 +02:00