frack113
a4021842de
Fix invalid tags
2021-08-25 09:15:57 +02:00
frack113
e849af9df0
Merge pull request #1915 from frack113/tags_cve
...
fix tags
2021-08-25 06:29:48 +02:00
Florian Roth
9f69cead8a
Merge pull request #1916 from SigmaHQ/rule-devel
...
refactor: changed level of rule, refactored RazerInstaller rule
2021-08-24 15:42:26 +02:00
Florian Roth
46e312ff0d
fix: error in modifier
2021-08-24 15:03:23 +02:00
Florian Roth
cc519552aa
refactor: RazorInstaller integrity level system
2021-08-24 14:54:07 +02:00
frack113
7753f8c22e
fix tags
2021-08-24 12:36:31 +02:00
Florian Roth
6ca30619ac
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-08-24 12:30:42 +02:00
Florian Roth
3cdb88ad55
refactor: level of suspicious parent for powershell rule
2021-08-24 12:30:40 +02:00
frack113
5b869a3f42
Update cve tags
2021-08-24 10:50:01 +02:00
frack113
ace46c17be
Update cve tags
2021-08-24 10:27:27 +02:00
Florian Roth
0c69fd9c41
Merge pull request #1898 from SigmaHQ/rule-devel
...
rule: EfsPotato Named Pipe, splwow64, RazerInstaller
2021-08-24 09:20:54 +02:00
Florian Roth
272625a005
Update win_susp_splwow64.yml
2021-08-24 08:34:08 +02:00
Florian Roth
998ebbe1f3
fix: typo in name
2021-08-23 18:46:05 +02:00
Florian Roth
6b86dacc9e
rule: razor installer
2021-08-23 18:44:15 +02:00
frack113
25072e37b3
update references
2021-08-23 13:30:46 +02:00
Florian Roth
a0f72e5f6f
rule: suspicious splwow64 process starts
2021-08-23 10:41:42 +02:00
frack113
fc9666fb4e
Merge pull request #1896 from ZikyHD/fix_old_technics
...
Replace old MITRE techniques with new ones
2021-08-22 18:56:08 +02:00
frack113
0a410010a2
Merge pull request #1877 from frack113/red_back
...
Add t1546 redcanary rules
2021-08-22 18:50:58 +02:00
SomeOne
295054dcbe
Replace old MITRE techniques with new ones
2021-08-22 13:57:56 +02:00
frack113
0fb6c35b1f
Cleanup PS rules
2021-08-21 09:58:58 +02:00
Austin Songer
fe0e1353e0
Update win_susp_bitstransfer.yml
2021-08-19 22:24:23 -05:00
Austin Songer
8d57ae5ffd
Create win_susp_bitstransfer.yml
2021-08-19 21:57:37 -05:00
frack113
600c6233c2
Merge pull request #1874 from gs3cl/patch-1
...
Update win_nltest_query.yml
2021-08-19 16:18:20 +02:00
frack113
08af3a9429
Cleanup errors
2021-08-19 15:20:04 +02:00
frack113
60931d09b9
fix title error
2021-08-19 14:24:54 +02:00
gs3cl
bf9ac21ebc
Update win_nltest_recon.yml
...
change "startswith" to "contains"
2021-08-19 14:12:00 +02:00
frack113
b4a029ac3c
Add win_susp_screensaver_reg.yml
2021-08-19 13:55:09 +02:00
gs3cl
df829f0d45
Update and rename win_nltest_query.yml to win_nltest_recon.yml
...
changes based on feedback added
Update and rename win_nltest_query.yml to win_nltest_recon.yml
2021-08-19 08:26:33 +02:00
gs3cl
92b72ffdc1
Update win_nltest_query.yml
...
modification based on new reports
1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
-> for (selection_recon1 and selection_recon2)
2. https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters -> nltest example
3. MITRE reference just for reference to MITRE to gain more insights
4. https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
-> new report about Trickbot with reference and usage of "nltest", therefore I included the option in this rule
2021-08-18 20:45:18 +00:00
Austin Songer
c9128687ee
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
Florian Roth
a0625ad074
Merge branch 'master' into rule-devel
2021-08-17 12:29:55 +02:00
frack113
eb406ba36f
Merge pull request #1844 from frack113/cleanup
...
Add more compliance tests
2021-08-16 17:17:25 +02:00
Florian Roth
d2790f2450
fix: missing "|all" modifier
2021-08-16 16:14:48 +02:00
frack113
e1b99db149
fix duplicate uuid
2021-08-16 15:50:14 +02:00
Florian Roth
669308a37a
Merge pull request #1855 from frack113/coti_sqlcmd
...
Rule to detect Coti sqlcmd
2021-08-16 14:27:24 +02:00
Florian Roth
141ca03c9b
Merge pull request #1853 from secDre4mer/contileak
...
feat: Add some rules to detect Conti behaviour
2021-08-16 14:18:43 +02:00
Florian Roth
3028eb68b6
refactoring: procdump rules
2021-08-16 13:55:00 +02:00
frack113
fda11e3608
fix very bad cut and paste
2021-08-16 11:22:50 +02:00
frack113
a861f55e5c
fix title
2021-08-16 11:15:32 +02:00
frack113
a70607bce7
add process_creation_coti_sqlcmd.yml
2021-08-16 11:08:19 +02:00
Florian Roth
f8bedfa759
docs: added link to leak file on VT
2021-08-16 10:12:35 +02:00
frack113
dc9bb22a00
fix duplicate id
2021-08-16 09:29:22 +02:00
Max Altgelt
78e2c0da92
fix: Clean up duplicated ID
2021-08-16 09:26:45 +02:00
frack113
fb80b35141
fix condition
2021-08-16 09:21:38 +02:00
frack113
5b09dff1fb
cleanup win_malware_conti_shadowcopy.yml
2021-08-16 09:21:04 +02:00
frack113
ed424c55c8
fix selection
2021-08-16 09:20:25 +02:00
frack113
26d632bf05
fix condition
2021-08-16 09:19:46 +02:00
Max Altgelt
5b60e0ea5a
feat: Add some rules to detect Conti behaviour
...
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
2021-08-16 09:13:51 +02:00
frack113
e45557316e
Fix selection with only 1 element
2021-08-14 09:54:27 +02:00
Max Altgelt
6f05e33feb
fix: Correct incorrect message / keyword usage
...
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically Windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00