Commit Graph

1908 Commits

Author SHA1 Message Date
mlp1515 4f49f03460 Update sysmon_abusing_debug_privilege.yml
French language settings
2021-08-26 12:46:15 +00:00
mlp1515 a31422db74 Update win_susp_schtask_creation.yml
French language settings
2021-08-26 12:45:24 +00:00
mlp1515 5f419d6f35 Update win_susp_taskmgr_localsystem.yml
French language settings
2021-08-26 12:44:35 +00:00
mlp1515 5545403a9b Update win_whoami_as_system.yml
French language settings
2021-08-26 12:43:33 +00:00
mlp1515 7ad927f28e Update win_wmiprvse_spawning_process.yml
French language settings
2021-08-26 12:42:47 +00:00
mlp1515 644397e65c Update win_exploit_cve_2019_1388.yml
French language settings
2021-08-26 12:41:36 +00:00
frack113 a4021842de Fix invalid tags 2021-08-25 09:15:57 +02:00
frack113 e849af9df0 Merge pull request #1915 from frack113/tags_cve
fix tags
2021-08-25 06:29:48 +02:00
Florian Roth 9f69cead8a Merge pull request #1916 from SigmaHQ/rule-devel
refactor: changed level of rule, refactored RazerInstaller rule
2021-08-24 15:42:26 +02:00
Florian Roth 46e312ff0d fix: error in modifier 2021-08-24 15:03:23 +02:00
Florian Roth cc519552aa refactor: RazorInstaller integrity level system 2021-08-24 14:54:07 +02:00
frack113 7753f8c22e fix tags 2021-08-24 12:36:31 +02:00
Florian Roth 6ca30619ac Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-24 12:30:42 +02:00
Florian Roth 3cdb88ad55 refactor: level of suspicious parent for powershell rule 2021-08-24 12:30:40 +02:00
frack113 5b869a3f42 Update cve tags 2021-08-24 10:50:01 +02:00
frack113 ace46c17be Update cve tags 2021-08-24 10:27:27 +02:00
Florian Roth 0c69fd9c41 Merge pull request #1898 from SigmaHQ/rule-devel
rule: EfsPotato Named Pipe, splwow64, RazerInstaller
2021-08-24 09:20:54 +02:00
Florian Roth 272625a005 Update win_susp_splwow64.yml 2021-08-24 08:34:08 +02:00
Florian Roth 998ebbe1f3 fix: typo in name 2021-08-23 18:46:05 +02:00
Florian Roth 6b86dacc9e rule: razor installer 2021-08-23 18:44:15 +02:00
frack113 25072e37b3 update references 2021-08-23 13:30:46 +02:00
Florian Roth a0f72e5f6f rule: suspicious splwow64 process starts 2021-08-23 10:41:42 +02:00
frack113 fc9666fb4e Merge pull request #1896 from ZikyHD/fix_old_technics
Replace old MITRE techniques with new ones
2021-08-22 18:56:08 +02:00
frack113 0a410010a2 Merge pull request #1877 from frack113/red_back
Add t1546 redcanary rules
2021-08-22 18:50:58 +02:00
SomeOne 295054dcbe Replace old MITRE techniques with new ones 2021-08-22 13:57:56 +02:00
frack113 0fb6c35b1f Cleanup PS rules 2021-08-21 09:58:58 +02:00
Austin Songer fe0e1353e0 Update win_susp_bitstransfer.yml 2021-08-19 22:24:23 -05:00
Austin Songer 8d57ae5ffd Create win_susp_bitstransfer.yml 2021-08-19 21:57:37 -05:00
frack113 600c6233c2 Merge pull request #1874 from gs3cl/patch-1
Update win_nltest_query.yml
2021-08-19 16:18:20 +02:00
frack113 08af3a9429 Cleanup errors 2021-08-19 15:20:04 +02:00
frack113 60931d09b9 fix title error 2021-08-19 14:24:54 +02:00
gs3cl bf9ac21ebc Update win_nltest_recon.yml
change "startswith" to "contains"
2021-08-19 14:12:00 +02:00
frack113 b4a029ac3c Add win_susp_screensaver_reg.yml 2021-08-19 13:55:09 +02:00
gs3cl df829f0d45 Update and rename win_nltest_query.yml to win_nltest_recon.yml
changes based on feedback added

Update and rename win_nltest_query.yml to win_nltest_recon.yml
2021-08-19 08:26:33 +02:00
gs3cl 92b72ffdc1 Update win_nltest_query.yml
modification based on new reports

1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
-> for (selection_recon1 and selection_recon2)
2. https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters -> nltest example
3. MITRE reference just for reference to MITRE to gain more insights
4. https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
-> new report about Trickbot with reference and usage of "nltest", therefore I included the option in this rule
2021-08-18 20:45:18 +00:00
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
Florian Roth a0625ad074 Merge branch 'master' into rule-devel 2021-08-17 12:29:55 +02:00
frack113 eb406ba36f Merge pull request #1844 from frack113/cleanup
Add more compliance tests
2021-08-16 17:17:25 +02:00
Florian Roth d2790f2450 fix: missing "|all" modifier 2021-08-16 16:14:48 +02:00
frack113 e1b99db149 fix duplicate uuid 2021-08-16 15:50:14 +02:00
Florian Roth 669308a37a Merge pull request #1855 from frack113/coti_sqlcmd
Rule to detect Coti sqlcmd
2021-08-16 14:27:24 +02:00
Florian Roth 141ca03c9b Merge pull request #1853 from secDre4mer/contileak
feat: Add some rules to detect Conti behaviour
2021-08-16 14:18:43 +02:00
Florian Roth 3028eb68b6 refactoring: procdump rules 2021-08-16 13:55:00 +02:00
frack113 fda11e3608 fix very bad cut and paste 2021-08-16 11:22:50 +02:00
frack113 a861f55e5c fix title 2021-08-16 11:15:32 +02:00
frack113 a70607bce7 add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00
Florian Roth f8bedfa759 docs: added link to leak file on VT 2021-08-16 10:12:35 +02:00
frack113 dc9bb22a00 fix duplicate id 2021-08-16 09:29:22 +02:00
Max Altgelt 78e2c0da92 fix: Clean up duplicated ID 2021-08-16 09:26:45 +02:00
frack113 fb80b35141 fix condition 2021-08-16 09:21:38 +02:00