security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,294 Commits 1 Branch 57 Tags
57bfdc7a028eb7b6dd2a762dfd053ebddb31f8bf
Commit Graph

4205 Commits

Author SHA1 Message Date
Florian Roth 57bfdc7a02 fix: more upper case chars 2021-09-07 09:19:23 +02:00
Florian Roth 0cce1c0245 fix: missing lowercase chars 2021-09-07 09:17:25 +02:00
Florian Roth 33be089ea2 fix: filename to lowercase 2021-09-07 09:16:35 +02:00
Florian Roth b0c2d7b75a fix: tags for WMI / execution / persistence 2021-09-01 16:34:50 +02:00
Florian Roth 2f7f050ad8 fix: removed tags 2021-09-01 16:32:27 +02:00
Florian Roth 1aac21ba79 fix: single list item issue 2021-09-01 14:03:42 +02:00
Florian Roth 505140d273 rule: extended WMI suspicious scripts rule 2021-09-01 13:57:48 +02:00
Florian Roth e787420be1 rule: WMI filter content encoded executable 2021-09-01 13:57:36 +02:00
Florian Roth 8761927e8c rule: susp scrcons.exe creating named pipe 2021-09-01 13:57:17 +02:00
Florian Roth affc929c3b LiquidSnake named pipe 2021-09-01 13:54:47 +02:00
Florian Roth f102b2d9a1 docs: note to improved sysmon config 2021-09-01 13:07:18 +02:00
Florian Roth 98de92ceaf refactor: global rule match on system and security 2021-08-30 15:17:53 +02:00
Florian Roth 1ded4eb913 rules: cobalt strike rules refactored 2021-08-30 15:10:30 +02:00
Florian Roth f78225c394 rule: UAC bypass by mocking dirs 2021-08-27 18:12:21 +02:00
Florian Roth 24d8701f15 fix: null cannot be used in a list with other values 2021-08-26 13:54:18 +02:00
Florian Roth a231aa73b3 fix: FPs with whoami rule and 4688 event IDs without parent info 2021-08-26 13:33:25 +02:00
Florian Roth 8b318b9273 refactor: Mimikatz keyword rule refactoring 2021-08-26 12:51:45 +02:00
Florian Roth 46e312ff0d fix: error in modifier 2021-08-24 15:03:23 +02:00
Florian Roth cc519552aa refactor: RazorInstaller integrity level system 2021-08-24 14:54:07 +02:00
Florian Roth 6ca30619ac Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-24 12:30:42 +02:00
Florian Roth 3cdb88ad55 refactor: level of suspicious parent for powershell rule 2021-08-24 12:30:40 +02:00
Florian Roth 272625a005 Update win_susp_splwow64.yml 2021-08-24 08:34:08 +02:00
Florian Roth 998ebbe1f3 fix: typo in name 2021-08-23 18:46:05 +02:00
Florian Roth 6b86dacc9e rule: razor installer 2021-08-23 18:44:15 +02:00
Florian Roth 91b42f9077 fix: indentation 2021-08-23 15:03:59 +02:00
Florian Roth a0f72e5f6f rule: suspicious splwow64 process starts 2021-08-23 10:41:42 +02:00
Florian Roth dc3ed771b5 rule: EfsPotato Named Pipe 2021-08-23 08:32:50 +02:00
frack113 768855e6d6 update modified after FP fix 2021-08-18 18:17:53 +02:00
Florian Roth 44013e25c8 fix: FPs with WMIADAP.exe 2021-08-18 17:26:57 +02:00
Florian Roth 5fa5a412d5 fix: FPs with [reflection.assembly]::Load 2021-08-18 09:49:34 +02:00
Florian Roth a0625ad074 Merge branch 'master' into rule-devel 2021-08-17 12:29:55 +02:00
Florian Roth 9684c4e55f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-17 12:03:54 +02:00
Florian Roth 80b3acfce9 fix: false positive with Xen / Oracle scripts 2021-08-17 12:03:49 +02:00
frack113 dfd9e6d8f0 Merge pull request #1857 from frack113/fix_HostApplication 
Update definition for powershell-classic rule
 2021-08-16 17:18:24 +02:00
frack113 eb406ba36f Merge pull request #1844 from frack113/cleanup 
Add more compliance test
 2021-08-16 17:17:25 +02:00
Florian Roth d2790f2450 fix: missing "|all" modifier 2021-08-16 16:14:48 +02:00
frack113 e1b99db149 fix duplicate uuid 2021-08-16 15:50:14 +02:00
Florian Roth 669308a37a Merge pull request #1855 from frack113/coti_sqlcmd 
Rule to detect Coti sqlcmd
 2021-08-16 14:27:24 +02:00
Florian Roth 141ca03c9b Merge pull request #1853 from secDre4mer/contileak 
feat: Add some rules to detect Conti behaviour
 2021-08-16 14:18:43 +02:00
Florian Roth 3028eb68b6 refactoring: procdump rules 2021-08-16 13:55:00 +02:00
frack113 911579023c fix powershell_alternate_powershell_hosts.yml 2021-08-16 13:30:45 +02:00
frack113 2dbf9af27d add definition to powershell-classic 2021-08-16 12:56:24 +02:00
frack113 fda11e3608 fix very bad cut and paste 2021-08-16 11:22:50 +02:00
frack113 a861f55e5c fix title 2021-08-16 11:15:32 +02:00
frack113 a70607bce7 add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00
Florian Roth 79bc89b344 rule: av hacktool events 2021-08-16 10:57:03 +02:00
Florian Roth f8bedfa759 docs: added link to leak file on VT 2021-08-16 10:12:35 +02:00
frack113 dc9bb22a00 fix duplicate id 2021-08-16 09:29:22 +02:00
Max Altgelt 78e2c0da92 fix: Clean up duplicated ID 2021-08-16 09:26:45 +02:00
frack113 fb80b35141 fix condition 2021-08-16 09:21:38 +02:00