Nasreddine Bencherchali
2ecf9ec7e1
Updates
2022-10-04 20:57:11 +02:00
Nasreddine Bencherchali
7dd2af08e7
Update net_connection_win_python.yml
2022-09-21 12:16:15 +02:00
Nasreddine Bencherchali
a0c3449079
Fix typo
2022-09-21 11:59:12 +02:00
Nasreddine Bencherchali
59530f49d4
Fix more FP in testing
2022-09-21 11:53:39 +02:00
nasreddine.bencherchali@nextron-systems.com
0caeaaa122
Update rules
2022-09-13 10:02:32 +02:00
Florian Roth
efe4d62a54
Merge pull request #3459 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-09-06 08:41:02 +02:00
Florian Roth
cab6ccc18a
Merge branch 'master' into aurora-false-positive-fixing
2022-09-05 16:57:10 +02:00
Florian Roth
468b303660
Update net_connection_win_certutil.yml
2022-09-05 11:59:15 +02:00
frack113
5e5f3c803e
Fix tag
2022-09-02 17:32:50 +02:00
frack113
8f0ade9ad9
Fix name
2022-09-02 17:28:36 +02:00
frack113
693b7761c1
Add net_connection_win_certutil
2022-09-02 17:23:23 +02:00
Florian Roth
3ee77e1446
fix: FPs noticed with Aurora
2022-09-02 16:57:23 +02:00
Nasreddine Bencherchali
343b0ef199
Update net_connection_win_susp_cmstp.yml
2022-08-31 09:46:18 +02:00
Nasreddine Bencherchali
77c5640839
Update net_connection_win_susp_cmstp.yml
2022-08-31 09:42:25 +02:00
Nasreddine Bencherchali
399a18b762
Update net_connection_win_susp_cmstp.yml
2022-08-31 09:41:25 +02:00
Nasreddine Bencherchali
ea183cae13
Updates+New Rules
2022-08-31 09:39:16 +02:00
frack113
45a87dd22d
Update net_connection_win_dead_drop_resolvers.yml
2022-08-30 08:22:10 +02:00
Feathers
4d3d9b10ea
Update net_connection_win_dead_drop_resolvers.yml
Added the domain cdn.discordapp.com since it is commonly used by malware families
2022-08-29 12:41:57 +02:00
Wagga
8f84d10855
Update net_connection_win_excel_outbound_network_connection.yml
2022-08-29 07:21:47 +02:00
Florian Roth
a49e2fe1ee
refactor: add IPv6 addresses
2022-08-28 19:31:14 +02:00
Florian Roth
6fc281d1d6
some more
2022-08-28 18:59:34 +02:00
frack113
600500d963
fix space
2022-08-28 12:17:36 +02:00
frack113
9408b0a8ca
Add net_connection_win_script_wan
2022-08-28 12:15:33 +02:00
Florian Roth
2e334cb7f1
Update net_connection_win_script.yml
2022-08-28 11:35:03 +02:00
frack113
b9a2c720a8
Redcannary 20220828
2022-08-28 11:16:24 +02:00
Florian Roth
c5e183cf2e
Merge pull request #3432 from SigmaHQ/rule-devel
Create Stream Hash Rules
2022-08-25 14:17:50 +02:00
Florian Roth
6a81603d28
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2022-08-24 16:51:27 +02:00
Florian Roth
4baa18bd33
refactor: added transfer.sh domain
2022-08-24 16:51:26 +02:00
Yamato Security
1faef2fa97
fix backend bool conversion errors
2022-08-24 09:23:35 +09:00
frack113
991560a746
Merge pull request #3392 from ionsor/patch-5
Create net_connection_win_dead_drop_resolvers.yml
2022-08-18 18:29:45 +02:00
Feathers
9f2ab4e047
Update net_connection_win_dead_drop_resolvers.yml
added a few more apps which are triggering false positives, and comments to identify the process with the application
2022-08-17 18:43:47 +02:00
Feathers
41c3ea16b1
Update net_connection_win_dead_drop_resolvers.yml
corrected the MITRE tags
2022-08-17 18:14:43 +02:00
Feathers
60ac757cf2
Create net_connection_win_dead_drop_resolvers.yml
This detection is an attempt to spot dead drop resolvers for ones which don't have packet inspection. Most often dead drop resolvers are initiated from malware itself which makes it easy to detect since most often users access social media websites from internet browsers.
2022-08-17 16:09:11 +02:00
Florian Roth
eeeae44db5
Merge branch 'master' into rule-devel
2022-08-17 09:14:47 +02:00
Florian Roth
96276dc36e
Rule Updates / New Rules
2022-08-17 09:14:13 +02:00
phantinuss
48f8f788e8
fix: FP in testing from localhost to localhost from BITS service
2022-08-16 17:02:49 +02:00
frack113
3426dfb6e9
Update backslash
2022-08-13 09:59:31 +02:00
Nasreddine Bencherchali
b905df6bc7
Updates + New Rules
2022-08-09 18:35:45 +01:00
phantinuss
43ac43c70d
fix: FP found in testing
2022-08-09 10:56:00 +02:00
Florian Roth
68ff364654
Merge branch 'master' into rule-devel
2022-08-05 12:17:36 +02:00
Florian Roth
d5f7de1314
Merge pull request #3324 from SigmaHQ/rule-devel
Suspicious IIS Registration, Plink refactoring, remove Github compromise rules
2022-08-05 09:39:41 +02:00
Florian Roth
664ec8b43e
refactor: remove rules for false alarm
https://twitter.com/cyb3rops/status/1555242921850544131
2022-08-04 20:05:16 +02:00
Florian Roth
3c67479ce2
Merge pull request #3318 from SigmaHQ/rule-devel
rule: myjino github repo compromise
2022-08-03 08:42:17 +02:00
Florian Roth
72dbfffc0f
rule: myjino github repo compromise
2022-08-03 08:34:28 +02:00
phantinuss
51db91352a
fix: FP found in testing environment
2022-07-29 16:00:19 +02:00
Florian Roth
c79715049d
refactor: improved susp com rule
2022-07-22 12:47:54 +02:00
Florian Roth
abe97c6ba8
Merge pull request #3245 from redsand/fp_epmap_from_amazon_ssm
False positive from amazon ssm agent updater connecting to local ip a…
2022-07-20 14:03:41 +02:00
Tim Shelton
785a31025c
False positive from Amazon SSM agent updater connecting to local IP address on this port
2022-07-18 19:51:00 +00:00
Florian Roth
864da0680d
rule: communication to ngrok.io
2022-07-16 08:15:32 +02:00
Florian Roth
6217eb2a26
Merge pull request #3224 from frack113/rpc_135
RPC epmap tools
2022-07-14 21:58:13 +02:00