Commit Graph

2372 Commits

Author SHA1 Message Date
Florian Roth 59bfca6aba Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:28:47 +01:00
Florian Roth 6e19e75ece Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:24:36 +01:00
frack113 b490086d37 Add thedfirreport Diavol Ransomware 2021-12-20 18:59:11 +01:00
phantinuss 145622afcf change level to medium as non-tunable in the wild FPs with powershell.exe are found 2021-12-20 15:12:21 +01:00
frack113 f4f3f860cb Merge pull request #2470 from frack113/redcanary_20211219
Windows Redcanary
2021-12-20 08:39:41 +01:00
Florian Roth 89e1f491b3 refactor: add accepteula to flags 2021-12-19 19:43:37 +01:00
frack113 b89580488a Windows Redcanary 2021-12-19 11:20:42 +01:00
Nasreddine Bencherchali 70f3f4fa88 Create win_susp_psloglist.yml
- The flags can be used with both "-" and "/" characters.
- This rule aims to detect any usage of psloglist, no matter if the binary is with the original name or not. This is achieved by looking for both the image name and the specific command line arguments
2021-12-18 21:52:05 +01:00
Nasreddine Bencherchali 6f01874e07 Create win_susp_nt_resource_kit_auditpol_usage.yml 2021-12-18 21:06:46 +01:00
Florian Roth 91b51068ea fix condition
https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:57 +01:00
Florian Roth 78900a7b96 fix condition
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:35 +01:00
Florian Roth 61ae79bcff Condition changed
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:12 +01:00
Florian Roth 4362060da6 Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:24:11 +01:00
Nasreddine Bencherchali da5cb2116c Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:08:00 +01:00
Nasreddine Bencherchali 8401ece3d6 Create process_creation_cleanwipe.yml 2021-12-18 20:05:49 +01:00
Nasreddine Bencherchali 92e7ff882f Create process_creation_advanced_port_scanner.yml 2021-12-18 20:00:40 +01:00
Florian Roth dbf3455990 Merge pull request #2467 from SigmaHQ/aurora-false-positive-fixing
fix: exclude *.scr screensavers
2021-12-18 19:00:20 +01:00
Florian Roth 3f5859bac5 fix: exclude *.scr screensavers 2021-12-18 15:40:12 +01:00
Florian Roth 68be189402 Merge pull request #2463 from Karneades/java
rule: add new rule for java spawning suspicious binaries
2021-12-18 07:56:53 +01:00
Florian Roth 8a3c521a34 Merge pull request #2466 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-18 07:16:16 +01:00
Florian Roth e20d8be164 refactor: split rule up into two, more susp sub procs 2021-12-18 06:39:14 +01:00
Florian Roth f1918e512c Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-18 00:18:00 +01:00
Florian Roth 4b7b829d18 fix: FPs noticed with Aurora 2021-12-18 00:17:58 +01:00
Florian Roth 8aec4e6d9e Merge pull request #2462 from Karneades/patch-1
Move winrm rule to process creation
2021-12-17 23:57:53 +01:00
Florian Roth 4cdb23598f Merge branch 'master' into master 2021-12-17 17:46:05 +01:00
Andreas Hunkeler 55c83e31c2 rule: add new rule for java spawning suspicious binaries 2021-12-17 17:40:38 +01:00
Andreas Hunkeler 9ecacdaeea Move winrm rule to process creation 2021-12-17 17:31:06 +01:00
Florian Roth a7b1ab0073 fix: bug in rule 2021-12-17 16:30:37 +01:00
Florian Roth d0d9e74313 fix: FP noticed with Aurora 2021-12-17 12:32:48 +01:00
phantinuss 1c789bd080 fix: FP in Aviar installer 2021-12-17 09:20:21 +01:00
frack113 ab450e5782 Merge pull request #2458 from frack113/redcanary_20211216
Windows Redcanary T1518.001 discovery
2021-12-16 22:47:23 +01:00
frack113 d7e9dccdbe Windows redcanary 2021-12-16 10:32:45 +01:00
frack113 73ee94d46b Fix aurora FP 2021-12-16 09:50:28 +01:00
Max Altgelt 7fea25085f fix: correct FP filter 2021-12-14 16:03:50 +01:00
frack113 e100668ecf Merge pull request #2450 from frack113/redcannary
Windows redcanary
2021-12-14 09:31:51 +01:00
frack113 ac28a89258 Merge pull request #2448 from frack113/T1217
Windows redcanary T1217
2021-12-14 09:31:32 +01:00
frack113 f8d4d23be5 Windows redcanary 2021-12-13 18:52:17 +01:00
Florian Roth 3a30d19cfd Merge pull request #2447 from SigmaHQ/rule-devel
fix: FP with proc creation Image non .exe suffix
2021-12-13 14:03:41 +01:00
Florian Roth cd63ce23ff fix: FP with proc creation Image non .exe suffix 2021-12-13 11:44:29 +01:00
frack113 6115eeda62 windows redcanary t1217 2021-12-13 11:02:33 +01:00
frack113 221f479825 Windows Redcanary T1069.001 2021-12-12 12:15:27 +01:00
frack113 d45dc2eaf3 Merge pull request #2434 from frack113/T1049
Windows T1049 RedCanary
2021-12-12 11:28:23 +01:00
Florian Roth 074c6b1714 Merge pull request #2423 from redsand/detect_net_use_password_plaintext
Detect net use password plaintext
2021-12-11 15:25:06 +01:00
frack113 c91a4a1a75 Merge pull request #2430 from frack113/windows_t1046
Add windows t1046 rules
2021-12-11 12:28:47 +01:00
frack113 c53740296c Fix title 2021-12-11 10:26:47 +01:00
frack113 dc1af19336 Add win_pc_susp_tasklist_command 2021-12-11 10:20:21 +01:00
frack113 ee67779811 Windows T1049 RedCanary 2021-12-11 09:38:20 +01:00
Tim Shelton b41471ed6b adds space to detect between : (drive argument) and \\ (network share path) 2021-12-10 18:10:37 +00:00
frack113 904fb9181e Add windows t1046 rules 2021-12-10 16:31:16 +01:00
Florian Roth a9c9c9ae3a Merge pull request #2425 from SigmaHQ/aurora-false-positive-fixing
fix: FP with new SYSTEM rule
2021-12-10 13:50:04 +01:00