Commit Graph

10845 Commits

Author SHA1 Message Date
Florian Roth 2df291fe0a rule: ngrok to remote desktop service 2022-04-29 12:25:38 +02:00
Florian Roth a157d5d949 rule: RDP to 80/tcp or 443/tcp 2022-04-29 12:03:07 +02:00
Florian Roth 864ac49e15 rule: suspicious characters in command line 2022-04-28 20:30:12 +02:00
Florian Roth 9d0de84816 fix: typo 2022-04-28 17:26:49 +02:00
Florian Roth 0b0ba20c0a Merge pull request #2957 from elhoim/correct_tags_script_creation_office 2022-04-28 17:24:24 +02:00
    Correct tags from file_event_win_script_creation_by_office_using_file_ext.yml
Florian Roth 5f1a009d5e Merge pull request #2955 from secops4thewin/master 2022-04-28 17:23:27 +02:00
    Update Devo Search to include timeframe
Florian Roth 22f5bed4fa Merge pull request #2956 from elhoim/rundll_spawn_explorer 2022-04-28 17:23:05 +02:00
    New rule Rundll spawn explorer
Florian Roth aee70235f6 Update proc_creation_win_susp_rundll32_spawn_explorer.yml 2022-04-28 14:09:53 +02:00
David ANDRE 7e04137371 Cleaned-up tags from file_event_win_script_creation_by_office_using_file_ext.yml 2022-04-28 12:01:39 +02:00
David André ab59018d26 Added newline at end of file 2022-04-28 11:37:38 +02:00
David André fd63f4800d Merge branch 'SigmaHQ:master' into rundll_spawn_explorer 2022-04-28 09:10:54 +02:00
Florian Roth feb7c2f154 Merge pull request #2953 from SigmaHQ/aurora-false-positive-fixing 2022-04-28 08:45:14 +02:00
    Hacktool by Cube0x0, KrbRelay
secops4thewin 4442bb6982 Removed empty line 2022-04-28 13:18:11 +10:00
secops4thewin 9275d33ab2 Add timeframe to search for Devo 2022-04-28 13:14:41 +10:00
    Modified search to include a timeframe option.
secops4thewin a43f851d37 Merge pull request #1 from SigmaHQ/master 2022-04-28 13:13:44 +10:00
    Merging with Main
David ANDRE 8f059c2545 Added condition and corrected spaces 2022-04-27 21:47:58 +02:00
Florian Roth 7e3064e032 fix: selection identifier 2022-04-27 17:39:01 +02:00
Florian Roth e237560c07 rule: KrbRelay 2022-04-27 17:37:10 +02:00
Florian Roth f98279bf1f rule: Cube0x0 tools 2022-04-27 17:36:57 +02:00
David ANDRE 53fc5581a2 Changed title 2022-04-27 17:21:36 +02:00
David ANDRE 1ac42b1a23 Added rule windows suspicious rundll32 spawning explorer 2022-04-27 17:18:04 +02:00
Florian Roth b9b74618ec Merge pull request #2952 from SigmaHQ/aurora-false-positive-fixing 2022-04-27 16:42:38 +02:00
    fix: FP with SYSTEM user rule
Florian Roth 382dacf5d7 Merge branch 'master' into aurora-false-positive-fixing 2022-04-27 15:05:48 +02:00
Florian Roth ce40d0b80a fix: removing Level based filter 2022-04-27 15:04:39 +02:00
Florian Roth eff701c249 Merge pull request #2951 from SigmaHQ/rule-devel 2022-04-27 12:02:26 +02:00
    Improved KrbRelayUp rules
Florian Roth b7e064dc23 fix: FP with SYSTEM user rule 2022-04-27 12:01:58 +02:00
Florian Roth 84935bbcc6 refactor: tightened krbrelayup rule 2022-04-27 11:54:51 +02:00
Florian Roth 787bb9b32c refactor: adding OriginalFilename for better coverage 2022-04-27 11:30:09 +02:00
Florian Roth a4b871acfb Merge pull request #2950 from SigmaHQ/rule-devel 2022-04-27 11:04:01 +02:00
    rules: KrbRelayUp, EventVwr bypass
Florian Roth 5f95b88a52 Revert "refactor: field IpAddress in ID 4624/4625 refactoring" 2022-04-27 10:54:41 +02:00
    This reverts commit a6e7866faa.
Florian Roth 8fdae70307 Create file_event_win_uac_bypass_eventvwr.yml 2022-04-27 10:54:36 +02:00
Florian Roth 182c81af5a Create win_susp_krbrelayup.yml 2022-04-27 10:54:33 +02:00
Florian Roth 1254fbd8d0 Merge pull request #2948 from redsand/sysmon_crash 2022-04-27 10:44:49 +02:00
    Sysmon crash
Florian Roth 82f297573b Merge pull request #2947 from redsand/win_lsasrv_ntlmv1 2022-04-27 10:44:39 +02:00
    Detect the presence of ntlm1 in use on boot or 1st time
Florian Roth a6e7866faa refactor: field IpAddress in ID 4624/4625 refactoring 2022-04-27 10:02:01 +02:00
Florian Roth f5c39d5cd2 Update win_lsasrv_ntlmv1.yml 2022-04-27 09:40:56 +02:00
Florian Roth 3c21c8ab00 Update win_system_application_sysmon_crash.yml 2022-04-27 09:39:56 +02:00
Florian Roth f7e51bf18b Merge pull request #2946 from SigmaHQ/rule-devel 2022-04-27 08:55:02 +02:00
    rule: suspicious powershell sub processes
Tim Shelton 613d49bd56 Detect sysmon crash 2022-04-26 19:27:47 +00:00
Tim Shelton 12ac0f7de1 updating level 2022-04-26 18:41:58 +00:00
Tim Shelton 62b0b2fcf7 Detect the presence of ntlm1 in use on boot or 1st time 2022-04-26 18:38:57 +00:00
Florian Roth 5b2374475d fix: FP with whoami child 2022-04-26 17:28:17 +02:00
Florian Roth 55133898ee Revert "rule: suspicious PowerShell sub processes" 2022-04-26 17:05:41 +02:00
    This reverts commit e9adb6a8ca.
Florian Roth e9adb6a8ca rule: suspicious PowerShell sub processes 2022-04-26 17:04:39 +02:00
Florian Roth 1724c6378c Merge pull request #2945 from SigmaHQ/rule-devel 2022-04-26 16:55:30 +02:00
    Refactoring and KrbRelayUp rule
Florian Roth f743062963 rule: KrbRelayUp usage 2022-04-26 16:43:50 +02:00
Florian Roth 0a55406444 fix: wording on two rules 2022-04-26 16:43:44 +02:00
Florian Roth 8139f95e5d Merge pull request #2944 from DCSO/rulecleanup_string2int 2022-04-26 15:41:52 +02:00
    String 2 Int for EventIDs
Florian Roth cd069c2cbe Merge branch 'master' into rule-devel 2022-04-26 15:34:33 +02:00
Florian Roth f0253eb67d some fixes and refactoring 2022-04-26 15:32:56 +02:00