security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

1988 Commits

Author SHA1 Message Date
aw350m3 7c6c5263ab fix duplication of key modified in win_malware_emotet.yml 2020-09-01 17:09:54 +00:00
aw350m3 8ed3eb1494 att&ck tags review: windows/process_creation part 3 2020-09-01 17:02:59 +00:00
grikos 65d201b1e4 att&ck tags review: windows/process_creation part 7 2020-08-30 19:17:38 +03:00
Yugoslavskiy Daniil e04b896cbc fix tags 2020-08-29 21:34:20 +02:00
grikos a95c4347d9 fixed typo in tag 2020-08-29 20:19:46 +03:00
grikos 6092bfcec1 att&ck tags review: windows/process_creation part 9 2020-08-29 19:22:09 +03:00
aw350m3 ae99a2b207 Removed extra space that broke tests 2020-08-29 04:46:12 +00:00
aw350m3 4ed3db8d23 Merge branch 'master' of github.com:oscd-initiative/sigma 2020-08-29 04:39:45 +00:00
aw350m3 da766a245f att&ck tags review: windows/process_creation part 2 2020-08-29 04:39:30 +00:00
Yugoslavskiy Daniil cd12ab8a77 Merge branch 'master' of https://github.com/oscd-initiative/sigma 2020-08-29 02:03:39 +02:00
Yugoslavskiy Daniil 5b70cfd3f7 review windows/sysmon 2020-08-29 02:03:28 +02:00
grikos 293662810e att&ck tags review: windows/process_creation part 8 2020-08-28 17:14:26 +03:00
vh a2fec9f3b9 Fix sysmon backend 2020-08-28 12:26:40 +03:00
Alexey Lednyov 880b10cce1 att&ck tags review: windows/process_creation part 1, network 2020-08-27 20:43:47 +03:00
Florian Roth 7d3a6293f5 rule: Snatch ransomware 2020-08-26 09:42:34 +02:00
aw350m3 eb6b9be5a2 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes 2020-08-25 23:51:22 +00:00
aw350m3 c28fce6273 fix duplication of key "modified" in mapping 2020-08-25 00:53:09 +00:00
aw350m3 c22273d162 fix duplication of key modified in mapping 2020-08-25 00:50:38 +00:00
aw350m3 5af0f1392d att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:35 +00:00
aw350m3 399f378269 att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:26 +00:00
Yugoslavskiy Daniil 5026438524 fix modified field 2020-08-25 01:29:57 +02:00
aw350m3 1999fb609e Merge branch 'master' of github.com:oscd-initiative/sigma 2020-08-24 23:14:13 +00:00
Yugoslavskiy Daniil 42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
aw350m3 ba2e891433 windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00
aw350m3 08170bbcca fix tags for suspicious outbound kerberos activity rule 2020-08-23 21:10:29 +00:00
aw350m3 4cdd8be354 Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:20:58 +00:00
aw350m3 3aa1ad68fb windows/process_access folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:03:06 +00:00
aw350m3 80deaf84ca windows/network_connection folder reviewed 2020-08-22 23:36:30 +00:00
Florian Roth 79adaceffa Merge pull request #979 from barvhaim/patch-3 
Update win_susp_rasdial_activity.yml to use `contains` instead of `equal`
 2020-08-18 15:08:15 +02:00
Florian Roth bc74ac1f8a Update win_susp_rasdial_activity.yml 2020-08-18 14:40:37 +02:00
ecco de4810233c remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64 2020-08-18 05:28:37 -04:00
Florian Roth da54e89f30 Merge pull request #976 from diskurse/rule-devel 
Rule devel
 2020-08-17 15:02:31 +02:00
Florian Roth 8a02541b0a style: removed lists where unnecessary 2020-08-17 15:02:16 +02:00
Florian Roth 6dc8dbb6d8 style: removed lists where unnecessary 2020-08-17 15:01:52 +02:00
Bar Haim bd96b1c5ad Update win_susp_rasdial_activity.yml 
`rasdial` is an `exe`, and probably appear as `rasdial.exe`
`LIKE` is more fit in this case
 2020-08-16 16:17:49 +03:00
Bar Haim c7dc9df87e Update sysmon_apt_muddywater_dnstunnel.yml 2020-08-16 12:39:04 +03:00
Bar Haim 4168f1e430 Update win_new_service_creation.yml 2020-08-16 11:44:40 +03:00
Cian Heasley b378b3d62b win_mouse_lock.yml 
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 2020-08-13 12:09:07 +01:00
Cian Heasley d1e9f01d23 win_dnscat2_powershell_implementation.yml 
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
 2020-08-13 12:06:48 +01:00
Florian Roth 2e29c07e83 Merge pull request #928 from duzvik/master 
Create sysmon_abusing_azure_browser_sso.yml
 2020-08-12 17:15:27 +02:00
Florian Roth 61a05ee054 reordered fields, changed indentation 2020-08-12 16:44:37 +02:00
Thomas Patzke d73447c111 Merge pull request #939 from ktecv2000/master 
add wmi persistence script event consumer false positive
 2020-08-05 23:28:26 +02:00
Thomas Patzke f827a557f2 Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process 
Change fitler typo from 'Username' to 'User' for Wmiprvse Spawning Process rule
 2020-08-05 23:26:14 +02:00
Florian Roth 4529e4cd52 Merge pull request #966 from Neo23x0/rule-devel 
rule: TAIDOOR malware load
 2020-08-04 14:54:24 +02:00
Florian Roth 052379a512 fix: tightened TAIDOOR rule 2020-08-04 14:37:18 +02:00
Florian Roth c4953409aa rule: TAIDOOR malware load 
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 2020-08-04 14:31:29 +02:00
IPv777 a52583dc68 .002 = SMB/Windows Admin Shares 2020-08-03 17:43:14 +02:00
Florian Roth df3bfb1b37 rule: Winnti Pipemon 2020-07-30 18:55:47 +02:00
Florian Roth 5abf101c0b Merge pull request #954 from Neo23x0/rule-devel 
Rule devel
 2020-07-28 10:22:52 +02:00
Florian Roth 8970d03f6f Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00