security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,114 Commits 1 Branch 57 Tags
33bdfd124dd0c5e1fc03315da9a48aaa97a29d71
Commit Graph

2283 Commits

Author SHA1 Message Date
Florian Roth 33bdfd124d refactor: comsvcs.dll adjustments - run by ordinal variants 2021-12-08 10:02:21 +01:00
Florian Roth bfd6b48ee4 refactor: adjusted run by ordinal pattern for Sysmon 2021-12-08 10:01:54 +01:00
Florian Roth c6f1398cfb rule: DInject usage 2021-12-08 09:38:23 +01:00
Florian Roth 1cae016459 rule: fix and extend comsvcs minidump rule 2021-12-07 15:05:20 +01:00
Florian Roth 63fd1189e7 rule: improved comsvcs.dll Minidump rule 2021-12-07 12:59:20 +01:00
Florian Roth 507a0649f3 rule: suspicious process creation as SYSTEM user 2021-12-07 07:34:18 +01:00
Florian Roth 0665cc6223 rule: add user to remote desktop users 2021-12-06 18:29:50 +01:00
Florian Roth 34c697cead Merge pull request #2370 from redsand/fix_fp_in_cmdline 
Fixing false positive when cmd.exe is called with full path
 2021-12-02 16:56:55 +01:00
Tim Shelton 384862b906 When command begins with C:\Windows\System32\cmd.exe it will always match susp_del_exe # ex - C:\Windows\System32\cmd.exe" /c del /f /q "C:\Program Files (x86)\Software Package\Client\tmpDir\" 2021-12-02 15:13:23 +00:00
Tim Shelton 86250b4acb fixing lint err 2021-12-01 18:15:39 +00:00
Tim Shelton 3aca9ad2ef fixing false positive due to direct calls to xcopy and cmd.exe 2021-12-01 18:01:36 +00:00
frack113 30a5838514 Merge pull request #2359 from phantinuss/master 
Add dll+exe files to rule because of CVE-2020-1599
 2021-12-01 16:46:04 +01:00
frack113 04d90ee007 Merge pull request #2350 from redsand/fp_format_list 
Filtering false positives of static arguments to wmic /format
 2021-12-01 16:29:47 +01:00
phantinuss 1150e07121 fix: typo 2021-12-01 15:14:43 +01:00
Florian Roth f75ffb6141 Merge pull request #2358 from SigmaHQ/rule-devel 
rules: addition to APT UserAgents, new: NPPSpy Hacktool Usage
 2021-12-01 15:10:17 +01:00
frack113 80a1b02fe5 Update win_renamed_binary.yml 2021-12-01 06:54:30 +01:00
Matthew Green 0384f8fb52 Update win_renamed_binary.yml 2021-12-01 15:07:06 +11:00
Tim Shelton fa26f5f7f5 simplifying format 2021-11-30 14:21:38 +00:00
Florian Roth a4a2654050 Merge pull request #2349 from redsand/fix_xor_false_positive 
adding false positive filter for amazon ssm-document-worker
 2021-11-30 14:11:34 +01:00
frack113 03e549e335 Fix FP Kaspersky Security Center Web Console 2021-11-30 10:36:12 +01:00
Tim Shelton 14f11c905d adding additional entries that are static 2021-11-29 23:02:48 +00:00
Tim Shelton 44f791680f adding filter for FP /Format:List which is a specific format 2021-11-29 22:57:26 +00:00
Florian Roth 20b5c0bb5d Merge pull request #2347 from redsand/sysmon_logon_scripts_userinitmprlogonscript_proc 
Sysmon logon scripts userinitmprlogonscript proc
 2021-11-29 23:25:16 +01:00
Florian Roth 2da59406b7 Merge pull request #2344 from frack113/dfir_20211129 
add win_pc_susp_regsvr32_image
 2021-11-29 23:24:45 +01:00
Tim Shelton 0c283ab767 adding false positive filter for amazon ssm-document-worker 2021-11-29 21:51:19 +00:00
Tim Shelton c20a6daa73 adding wildcard to netlogon to be a bit more inclusive. 2021-11-29 19:59:26 +00:00
Florian Roth b8985a222f fix: FPs noticed with Aurora 2021-11-29 16:13:24 +01:00
frack113 09712e7388 add win_pc_susp_regsvr32_image 2021-11-29 16:05:53 +01:00
Florian Roth 80485d94f2 docs: Tscon description change 2021-11-29 13:07:39 +01:00
Florian Roth 1ab0dd7100 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-29 11:40:47 +01:00
Florian Roth ede058b4fd Update win_malware_emotet.yml 2021-11-29 11:38:28 +01:00
Florian Roth 47d8de37b7 Merge pull request #2340 from SigmaHQ/rule-devel 
rule: whoami as parameter
 2021-11-29 10:56:03 +01:00
Florian Roth 10db577863 rule: whoami as parameter 2021-11-29 09:55:56 +01:00
Florian Roth 330fcf485c Merge branch 'master' into promote_status 2021-11-27 17:15:56 +01:00
Florian Roth 1fd729c619 Merge pull request #2334 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-11-27 17:15:12 +01:00
frack113 9b27955dd7 Restore status 2021-11-27 16:09:33 +01:00
Florian Roth 91c83bbe09 docs: changed wording in rule descriptions 2021-11-27 15:20:37 +01:00
Florian Roth 227d99ff58 Merge pull request #2333 from SigmaHQ/rule-devel 
Suspicious LSASS Process Clone
 2021-11-27 14:42:14 +01:00
Florian Roth 7489676404 refactor: removed unnecessary filter 2021-11-27 13:34:56 +01:00
Florian Roth f4e48f0e2a refactor: extended paths 2021-11-27 13:33:32 +01:00
Florian Roth c4cb309da5 rule: LSASS process clone 2021-11-27 13:32:41 +01:00
Florian Roth b05ac58503 Merge pull request #2330 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2021-11-27 12:57:21 +01:00
Florian Roth 55284839e1 fix: condition in PS AppData rule 2021-11-27 11:59:50 +01:00
Florian Roth 2844e58369 fix: FPs noticed with Aurora 2021-11-27 11:52:48 +01:00
frack113 f04a6bb1c6 Change status for old rules 2021-11-27 11:47:03 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth 6664d6e522 Merge pull request #2329 from SigmaHQ/rule-devel 
fix: regex in lolbas rules
 2021-11-27 11:05:34 +01:00
Florian Roth 5a9f82206f Merge pull request #1045 from vburov/patch-9 
Create win_hack_hydra.yml
 2021-11-27 10:21:56 +01:00
Florian Roth 8e2be01845 Merge branch 'master' into rule-devel 2021-11-27 10:17:07 +01:00
Florian Roth 0593446f96 fix: regex in diantz rule 2021-11-27 10:16:27 +01:00