security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,113 Commits 1 Branch 57 Tags
5f6c19f203d7d0910d7ef9ed160302cbcc191d7a
Commit Graph

292 Commits

Author SHA1 Message Date
partyh4rd 5a98e36905 Update powershell_suspicious_getprocess_lsass.yml 
fix mitre_code 1552.004 -> 1003.001
 2021-05-04 14:04:52 +03:00
Florian Roth 1ff5e226ad Merge pull request #1436 from SigmaHQ/rule-devel 
Rule devel
 2021-04-23 17:33:07 +02:00
Florian Roth c7ce9154d1 Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
Florian Roth 1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth 5aed7c80db Merge pull request #1435 from SigmaHQ/rule-devel 
fix: FPs with certutil command and McAfee Chromium Container
 2021-04-23 14:55:31 +02:00
Florian Roth 85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth 64f5af4c45 Merge pull request #1432 from SigmaHQ/rule-devel 
fix: splunk windows config, additional rule
 2021-04-23 10:30:44 +02:00
Florian Roth d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Steven d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven 850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Florian Roth 4abebd98d9 Merge pull request #1418 from SigmaHQ/rule-devel 
Fixing false positives with newest OSCD rules
 2021-04-09 17:26:02 +02:00
Florian Roth 897da252f1 fix: missing new line placeholder escape 2021-04-09 16:45:07 +02:00
Florian Roth 65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Thomas Patzke 3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke a10db2df89 Fixes&improvements 2021-04-08 01:06:40 +02:00
Thomas Patzke b1b0240692 Fixes 2021-04-03 23:21:13 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov 3f45269296 Merge branch 'oscd' 
B
B
B
B
A
 2021-03-02 22:58:41 +03:00
Florian Roth 274b7b0f2e fix: search for keywords within message 2021-02-26 09:42:12 +01:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
yugoslavskiy d25ca9b280 Merge pull request #1229 from zinint/1009-19-1 
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
 2021-01-06 00:24:08 +03:00
yugoslavskiy f4578b0698 Merge pull request #1223 from zinint/1009-23-1 
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
 2021-01-06 00:23:33 +03:00
yugoslavskiy fc1fa23440 Merge pull request #1191 from vburov/patch-14 
[OSCD] Create powershell_cmdline_special_characters.yml
 2021-01-06 00:18:12 +03:00
yugoslavskiy cfbd10ab8b Merge pull request #1186 from nsaddler/lolbas107_2 
[OSCD] LOLBAS CL_Mutexverifiers - powershell
 2021-01-06 00:17:54 +03:00
yugoslavskiy 9d1c695204 Merge pull request #1184 from nsaddler/lolbas106_1 
[OSCD] LOLBAS CL_Invocation - powershell
 2021-01-06 00:17:10 +03:00
yugoslavskiy 8e6b77fc4f Merge pull request #1177 from OpalSec/oscd 
[OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers
 2021-01-06 00:16:34 +03:00
yugoslavskiy b56a7181ce Merge pull request #1157 from invrep-de/oscd 
[OSCD] Bad Opsec Powershell Artifacts
 2021-01-06 00:11:24 +03:00
yugoslavskiy a82c559816 Merge pull request #1130 from vburov/patch-13 
[OSCD] Create powershell_cmdline_specific_encoded_methods.yml
 2021-01-05 23:16:24 +03:00
yugoslavskiy 32aea9ad2b Merge pull request #1098 from NikitaStormwind/regular31 
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (4104, 4103)
 2021-01-05 23:10:28 +03:00
Florian Roth 540039cbc3 fix: Malicious Nishang PowerShell Commandlets FP with MDATP 2020-12-05 09:33:42 +01:00
yugoslavskiy a028cdf1ee Update powershell_shellcode_b64.yml 2020-12-01 02:24:35 +01:00
yugoslavskiy 7309fb7d0e Update powershell_winlogon_helper_dll.yml 2020-12-01 02:23:02 +01:00
Jonhnathan a9fde0117b Merge branch 'oscd' into oscd_rules_improvement 2020-11-28 14:52:31 -03:00
yugoslavskiy 2e5e4a20d2 Update powershell_clear_powershell_history.yml 2020-11-28 09:26:18 +01:00
Jonhnathan 784cab1dfe Fix missing logic and Field 2020-11-26 22:46:17 -03:00
Jonhnathan 728276ef13 Improve Logic 2020-11-20 01:22:20 -03:00
Jonhnathan ee43919eec Change detection logic 2020-11-20 01:05:06 -03:00
Roberto Rodriguez 25b92d4a2e Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-10-29 21:04:45 -04:00
nsaddler 07f777d1b5 Update powershell_CL_Mutexverifiers_LOLScript_v2.yml 2020-10-28 19:32:18 +03:00
nsaddler 7ee644eac0 Update powershell_CL_Invocation_LOLScript_v2.yml 2020-10-28 19:30:21 +03:00
nsaddler d0a796439b Update powershell_CL_Invocation_LOLScript.yml 2020-10-28 19:25:43 +03:00
Наталья Шорникова a4a3e01f25 Splitting into two rules 2020-10-28 19:13:29 +03:00
Наталья Шорникова 55a7fe6b9d Splitting into two rules 2020-10-28 19:08:23 +03:00
Florian Roth ee789a309c fix: FP with expression 2020-10-20 13:11:10 +02:00
Timur Zinniatullin 8b255ab959 Add powershell_invoke_obfuscation_via_compress.yml 2020-10-18 19:50:58 +03:00
Timur Zinniatullin eb2af704e7 Update powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 19:05:27 +03:00
Timur Zinniatullin 35a9a7d46c Update powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 18:54:59 +03:00