security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,113 Commits 1 Branch 57 Tags
5f6c19f203d7d0910d7ef9ed160302cbcc191d7a
Commit Graph

1596 Commits

Author SHA1 Message Date
Florian Roth a0efd7a4dc Merge pull request #1494 from Karneades/patch-1 
Add keyword WinRM to remote powershell rules
 2021-05-21 10:35:18 +02:00
Andreas Hunkeler e58c59dcfd Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00
Florian Roth a30391f3b4 Merge pull request #1495 from SigmaHQ/rule-devel 
rule refactoring: Cobalt Strike service start
 2021-05-20 17:43:29 +02:00
Andreas Hunkeler 93241e7fc6 Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler 3763e54b99 Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Florian Roth ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
Florian Roth 5a3af872d8 Merge pull request #1479 from SigmaHQ/rule-devel 
Rule devel, Trademark test
 2021-05-15 13:42:34 +02:00
Florian Roth a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
frack113 ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113 cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
Florian Roth 7bc733a3cf Merge pull request #1473 from frack113/master 
Correct the sysmon case-sensitive Key
 2021-05-11 14:59:20 +02:00
Florian Roth 0fcbce9932 Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml 
Got Rid of References that are no longer valid.
 2021-05-11 14:32:47 +02:00
frack113 f07c368ae0 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113 c4c720cc30 Correct cast-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113 720dd24814 Correct cast-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
Florian Roth 67e807983c Merge pull request #1470 from SigmaHQ/rule-devel 
New CS rule for malformed UAs, FP fixes
 2021-05-10 13:40:27 +02:00
Florian Roth fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth 270aedfd62 Merge pull request #1469 from d4rk-d4nph3/master 
Added rule for RClone usage for exfiltration
 2021-05-10 10:50:35 +02:00
Bhabesh Rai 9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Austin Songer 39a21a9e89 Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth 80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth ff50b5b659 Merge pull request #1451 from SigmaHQ/rule-devel 
Different FP filters
 2021-04-30 08:31:02 +02:00
Florian Roth 020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth 04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth 4b86d3f407 Merge pull request #1449 from SigmaHQ/rule-devel 
Rule devel
 2021-04-29 12:28:12 +02:00
Florian Roth 3e5f7aeb5e rule: PowerShell Cmdlet Defender Exclusions 2021-04-29 09:56:26 +02:00
Florian Roth 9166167447 Merge pull request #1433 from d4rk-d4nph3/master 
Added rule for Lazarus activity of Apr 2021
 2021-04-26 20:34:51 +02:00
Florian Roth 3008e5b9e7 Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy 
Fix typo on CommandLine field
 2021-04-26 20:33:56 +02:00
Florian Roth 194b0af4d2 Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas 
Fix typo on CommandLine field
 2021-04-26 20:33:45 +02:00
Florian Roth d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Cedric Hien 748005fc14 Fix typo on CommandLine field 2021-04-25 15:52:59 +02:00
Cedric Hien c580db166c Fix typo on CommandLine field 2021-04-25 15:50:44 +02:00
Florian Roth 1ff5e226ad Merge pull request #1436 from SigmaHQ/rule-devel 
Rule devel
 2021-04-23 17:33:07 +02:00
Florian Roth c7ce9154d1 Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
Florian Roth a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth 6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth 1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth 5aed7c80db Merge pull request #1435 from SigmaHQ/rule-devel 
fix: FPs with certutil command and McAfee Chromium Container
 2021-04-23 14:55:31 +02:00
Florian Roth 6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Bhabesh Rai dd391cd0b9 Added rule for Lazarus activity of Apr 2021 2021-04-20 20:05:51 +05:45
Cedric Hien 1d6aec3c25 Fix typo on CommandLine 2021-04-19 08:20:44 +02:00
Steven 8703d9f352 Remove another reference to hardcoded event ID 2021-04-15 03:07:18 +02:00
Steven a9f2a80b8c - Remove duplicate rule 
- Fix linux rule (categories -> category)
 2021-04-15 02:23:08 +02:00
Steven 70b106ef52 Fix syntax error 2021-04-15 02:11:13 +02:00
Steven ecbd730dad Fix syntax errors in some rules 2021-04-15 02:07:43 +02:00
Steven 850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Florian Roth ce0111aa6a fix: FP with Proxy Execution via Wuauclt 2021-04-12 08:47:29 +02:00
Florian Roth 4abebd98d9 Merge pull request #1418 from SigmaHQ/rule-devel 
Fixing false positives with newest OSCD rules
 2021-04-09 17:26:02 +02:00
Florian Roth 65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00