security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

743 Commits

Author SHA1 Message Date
vesche 82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche 72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Thomas Patzke 551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Florian Roth 4e3985866b Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00
mpavlunin 81d0f82272 Create new rule T1223 
Suspicious Compiled HTML File
 2020-04-03 16:56:26 +03:00
Florian Roth c0ab9c5745 Merge pull request #671 from HarishHary/powershell_downgrade_attack 
Powershell downgrade attack (small improvements)
 2020-04-03 09:31:33 +02:00
Chris O'Brien fe5dbece3d Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien 97c0872c81 Date typo. 2020-04-02 09:53:09 +02:00
Chris O'Brien 95e0b12d88 Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
Florian Roth fe5b5a7782 Merge pull request #673 from j91321/rules-minor-fixes 
Minor fixes to several rules
 2020-03-28 13:27:05 +01:00
Florian Roth bbb10a51f4 Update win_powershell_downgrade_attack.yml 2020-03-28 13:17:58 +01:00
Florian Roth 0e94eb9e86 Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Justin Ellison dabc759136 Eliminate title collision 
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
 2020-03-26 09:13:52 -05:00
Florian Roth 28953a2942 fix: MITRE tags in rule 2020-03-25 18:11:04 +01:00
Florian Roth 6584729a0d rule: powershell downloadfile 2020-03-25 14:58:14 +01:00
Florian Roth 35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Florian Roth 17297193c7 Merge branch 'master' into devel 2020-03-25 14:18:11 +01:00
Florian Roth 50b0d04ee8 rule: Exploited CVE-2020-10189 Zoho ManageEngine 2020-03-25 14:02:53 +01:00
Florian Roth 28d8b87a0f rule: extended web shell spawn rule 2020-03-25 14:02:39 +01:00
j91321 1d86e0b4a5 Change falsepositives to array 2020-03-24 19:59:54 +01:00
j91321 c784adb10b Wrong indentation falsepositives 2020-03-24 19:55:41 +01:00
j91321 98a633e54c Add missing status and falsepositives 2020-03-24 19:53:41 +01:00
j91321 bc442d3021 Add path with lowercase system32 2020-03-24 19:48:24 +01:00
Thomas Patzke c10332b06c Merge pull request #663 from neu5ron/updates_sigmac_and_rules 
Updates sigmac and rules
 2020-03-22 00:22:31 +01:00
Harish SEGAR ba3994f319 Fix of '1 of x' condition 2020-03-21 12:19:01 +01:00
Harish SEGAR 81b277ba1a suspicious powershell parent process... 2020-03-21 00:26:30 +01:00
Harish SEGAR a88b22a1bd Fix namefield. 2020-03-20 23:34:15 +01:00
Harish SEGAR 67694e4ba7 Restructure new improvement to process_creation folder. 2020-03-20 23:29:32 +01:00
Florian Roth 6040b1f1f8 Merge pull request #668 from Neo23x0/devel 
Devel
 2020-03-19 18:36:31 +01:00
Florian Roth 8454f60a8e fix: reduced level due to false positives 2020-03-17 20:40:28 +01:00
neu5ron 4c94906d53 rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger 2020-03-14 15:00:42 -04:00
Florian Roth cbf0f43934 Merge pull request #655 from msec1203/msec1203-patch-1 
add rule for suspicious use of csharp console by scripting utility
 2020-03-09 18:01:12 +01:00
Florian Roth 6845fa21b3 fix: fixed several issues 2020-03-09 17:43:16 +01:00
David Szili 0947538228 MDATP schema changes 
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
 2020-03-09 17:12:41 +01:00
Florian Roth ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
ecco b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth 6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth 53278c2a46 Merge pull request #649 from Neo23x0/devel 
fix: avoiding FPs with Citrix software
 2020-03-03 11:35:02 +01:00
Florian Roth f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth be4242aca8 fix avoiding FPs with MpCmdRun 
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
 2020-03-03 11:16:59 +01:00
Thomas Patzke b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke 0a62b8747e Merge pull request #634 from EccoTheFlintstone/fp_fix3 
Rule: restore initial behaviour matching single word with spaces on each side
 2020-03-01 22:40:24 +01:00
Florian Roth ada0edb822 Merge pull request #621 from wagga40/new_koadic_rule 
New Koadic detection rule
 2020-02-26 13:25:03 +01:00
Florian Roth 0ba6874645 Merge pull request #638 from Neo23x0/devel 
Several false positives with new rules
 2020-02-26 09:46:02 +01:00
Florian Roth 1c90d6badd level increased 2020-02-26 09:42:31 +01:00
Florian Roth c8afd4a16b Merge pull request #637 from tjgeorgen/patch-1 
fix missing status & description in status field
 2020-02-26 09:40:55 +01:00
Florian Roth 4f3e3166d3 fixing false positives 2020-02-26 09:33:55 +01:00
Tom Georgen 74f3fe70cc fix missing status & description in status field 2020-02-25 16:30:41 -05:00
ecco 3247d5692a wmiprvse subprocess: add fallback check on username instead of only logonid 2020-02-24 09:25:20 -05:00
ecco df7356e829 Rule: restore initial behaviour matching single word with spaces on each side 2020-02-24 08:00:06 -05:00