security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,294 Commits 1 Branch 57 Tags
57bfdc7a028eb7b6dd2a762dfd053ebddb31f8bf
Commit Graph

1885 Commits

Author SHA1 Message Date
Florian Roth 57bfdc7a02 fix: more upper case chars 2021-09-07 09:19:23 +02:00
Florian Roth 1ded4eb913 rules: cobalt strike rules refactored 2021-08-30 15:10:30 +02:00
Florian Roth f78225c394 rule: UAC bypass by mocking dirs 2021-08-27 18:12:21 +02:00
Florian Roth 24d8701f15 fix: null cannot be used in a list with other values 2021-08-26 13:54:18 +02:00
Florian Roth a231aa73b3 fix: FPs with whoami rule and 4688 event IDs without parent info 2021-08-26 13:33:25 +02:00
Florian Roth 46e312ff0d fix: error in modifier 2021-08-24 15:03:23 +02:00
Florian Roth cc519552aa refactor: RazorInstaller integrity level system 2021-08-24 14:54:07 +02:00
Florian Roth 6ca30619ac Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-24 12:30:42 +02:00
Florian Roth 3cdb88ad55 refactor: level of suspicious parent for powershell rule 2021-08-24 12:30:40 +02:00
Florian Roth 272625a005 Update win_susp_splwow64.yml 2021-08-24 08:34:08 +02:00
Florian Roth 998ebbe1f3 fix: typo in name 2021-08-23 18:46:05 +02:00
Florian Roth 6b86dacc9e rule: razor installer 2021-08-23 18:44:15 +02:00
Florian Roth a0f72e5f6f rule: suspicious splwow64 process starts 2021-08-23 10:41:42 +02:00
Florian Roth a0625ad074 Merge branch 'master' into rule-devel 2021-08-17 12:29:55 +02:00
frack113 eb406ba36f Merge pull request #1844 from frack113/cleanup 
Add more compliance test
 2021-08-16 17:17:25 +02:00
Florian Roth d2790f2450 fix: missing "|all" modifier 2021-08-16 16:14:48 +02:00
frack113 e1b99db149 fix duplicate uuid 2021-08-16 15:50:14 +02:00
Florian Roth 669308a37a Merge pull request #1855 from frack113/coti_sqlcmd 
Rule to detect Coti sqlcmd
 2021-08-16 14:27:24 +02:00
Florian Roth 141ca03c9b Merge pull request #1853 from secDre4mer/contileak 
feat: Add some rules to detect Conti behaviour
 2021-08-16 14:18:43 +02:00
Florian Roth 3028eb68b6 refactoring: procdump rules 2021-08-16 13:55:00 +02:00
frack113 fda11e3608 fix very bad cut and paste 2021-08-16 11:22:50 +02:00
frack113 a861f55e5c fix title 2021-08-16 11:15:32 +02:00
frack113 a70607bce7 add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00
Florian Roth f8bedfa759 docs: added link to leak file on VT 2021-08-16 10:12:35 +02:00
frack113 dc9bb22a00 fix duplicate id 2021-08-16 09:29:22 +02:00
Max Altgelt 78e2c0da92 fix: Clean up duplicated ID 2021-08-16 09:26:45 +02:00
frack113 fb80b35141 fix condition 2021-08-16 09:21:38 +02:00
frack113 5b09dff1fb cleanup win_malware_conti_shadowcopy.yml 2021-08-16 09:21:04 +02:00
frack113 ed424c55c8 fix selection 2021-08-16 09:20:25 +02:00
frack113 26d632bf05 fix condition 2021-08-16 09:19:46 +02:00
Max Altgelt 5b60e0ea5a feat: Add some rules to detect Conti behaviour 
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
 2021-08-16 09:13:51 +02:00
frack113 e45557316e Fix selection with only 1 element 2021-08-14 09:54:27 +02:00
Max Altgelt 6f05e33feb fix: Correct incorrect message / keyword usage 
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
 2021-08-12 16:28:07 +02:00
Florian Roth 62c9468180 Merge pull request #1832 from SigmaHQ/rule-devel 
Whoami Refactoring
 2021-08-12 14:28:28 +02:00
Florian Roth d9d543e545 refactor: removed OriginalFileName from rule to improve compatibilty 2021-08-12 13:28:24 +02:00
Florian Roth 34d70de084 rule: whoami anomalies 2021-08-12 13:28:00 +02:00
Florian Roth bd0a2a1b9f rule: renamed whoami 2021-08-12 13:27:51 +02:00
Florian Roth 418a0bbf7e Merge pull request #1827 from phantinuss/master 
2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
 2021-08-12 11:41:50 +02:00
Florian Roth 6ed62b431e Merge pull request #1830 from SigmaHQ/rule-devel 
SystemNightmare and Typo
 2021-08-12 11:41:16 +02:00
Florian Roth 08883c8e32 refactor: removed old rule that uses Message field 
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
 2021-08-12 09:27:50 +02:00
Florian Roth c8d481fd83 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-11 10:10:32 +02:00
Florian Roth c1f9c33730 rule: SystemNightmare 2021-08-11 10:10:30 +02:00
Florian Roth d9d1e2c578 Merge pull request #1823 from SigmaHQ/rule-devel 
rule: ProxyLogon rule for MS Exchange
 2021-08-11 09:43:41 +02:00
frack113 63ead346e8 fix modified value 2021-08-10 19:09:34 +02:00
Florian Roth 73a4bd74dc fix: FPs script exec from temp 2021-08-10 17:10:46 +02:00
frack113 6d869feb43 update modified 2021-08-10 15:12:45 +02:00
Jon Galarneau 1544a351a3 Correcting regex in win_modif_of_services_for_via_commandline.yml 
The ^ symbol designates the beginning of the string, but in this rule it is clearly intended to be the end of the string.
 2021-08-10 08:29:39 -04:00
Florian Roth 17c6fc7038 rule: ProxyLogon rule for MS Exchange 2021-08-10 09:16:30 +02:00
Florian Roth 17fb418271 Merge pull request #1817 from SigmaHQ/rule-devel 
rules: ProxyShell refactoring and new rule
 2021-08-10 08:18:32 +02:00
Florian Roth dbf8aecd83 fix: typo in cmdlet name 2021-08-09 18:05:51 +02:00