security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

2542 Commits

Author SHA1 Message Date
Thomas Patzke 7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
 2019-03-02 00:14:20 +01:00
Florian Roth 1aac9baaed Merge pull request #270 from LiamSennitt/master 
fix bug in chafer activity rule #269
 2019-03-01 17:13:04 +01:00
Vasiliy Burov 7bebedbac1 Update win_susp_failed_logon_reasons.yml 
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
 2019-03-01 18:18:39 +03:00
Florian Roth af6a1ff26a Extended rule, modified timestamp 2019-03-01 13:36:54 +01:00
Florian Roth f560e83886 Added modified date 2019-03-01 12:07:31 +01:00
Florian Roth fc683ac7ee Added error code for denied logon type 2019-03-01 12:06:54 +01:00
Liam Sennitt 2345cbf7bd fix bug in chafer activity rule #269 2019-03-01 10:23:02 +00:00
Thomas Patzke 6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
darkquasar 155e273a1c adding rule win-susp-mshta-execution.yml 2019-02-27 15:55:39 +11:00
Florian Roth 8ce4b1530d Rule: added SAM export 2019-02-26 09:00:47 +01:00
Thomas Patzke c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Thomas Patzke 58a32f35d9 Merge pull request #246 from james0d0a/master 
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
 2019-02-24 16:53:49 +01:00
Florian Roth f278a00174 Rule: certutil encode 2019-02-24 14:10:40 +01:00
Florian Roth e7f5cbc22a Rule: BabyShark activity 2019-02-24 14:04:44 +01:00
Florian Roth a60b53a7df fix: bugfix in BEAR activity rule 2019-02-24 14:04:44 +01:00
Tareq AlKhatib 7d3d819ea5 Added a detection path through process spawn 2019-02-24 10:29:58 +03:00
Tareq AlKhatib a022333382 Added private IP filter to reduce FPs 2019-02-23 21:15:03 +03:00
Vasiliy Burov f0c89239d3 Added some unusual paths. 2019-02-23 17:45:08 +03:00
Florian Roth afa18245bf Merge pull request #254 from darkquasar/master 
adding MPreter as McAfee classifies it
 2019-02-23 07:34:04 +01:00
Thomas Patzke c17f9d172f Merge pull request #248 from megan201296/patch-17 
Create win_mal_ursnif.yml
 2019-02-22 21:30:49 +01:00
Thomas Patzke 02239fa288 Changed registry root key 
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
 2019-02-22 21:30:30 +01:00
Thomas Patzke 5c63ef17d2 Added further NirSoft tool parameters 2019-02-22 21:15:03 +01:00
vburov bdf44be077 Update win_susp_process_creations.yml 2019-02-22 22:46:57 +03:00
darkquasar 87994ca46b adding MPreter as McAfee classifies it 
McAfee classifies some Meterpreter events with the "Mpreter" keyword
 2019-02-22 15:22:10 +11:00
Florian Roth d3b623e92a Rule: suspicious pipes extended 
https://github.com/Neo23x0/sigma/issues/253
 2019-02-21 13:26:48 +01:00
Florian Roth 343a40ced7 Rule: extended exec location rule to support 4688 events 2019-02-21 13:26:48 +01:00
Florian Roth c8701ac6e9 Merge pull request #252 from keepwatch/patch-1 
Fixing yara condition
 2019-02-21 10:17:09 +01:00
Florian Roth 8ae37f5d64 BEAR activity - CrowdStrike GTR 2019 
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 2019-02-21 09:54:01 +01:00
Florian Roth 3a994d0d63 fix: bugfix in Judgement Panda rule 2019-02-21 09:50:49 +01:00
Florian Roth 5935eaa572 fix: added MITRE ATT&CK tags to APT rule 2019-02-21 09:27:59 +01:00
Florian Roth aca470961a fix: bugfix in Judgement Panda rule 2019-02-21 09:20:52 +01:00
Florian Roth c474bfcae5 Judgement Panda - Crowdstrike GTR 2019 
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 2019-02-21 09:20:52 +01:00
Keep Watcher 07dec06222 Fixing yara condition 2019-02-20 10:57:24 -05:00
Florian Roth eeae74e245 Merge pull request #249 from TareqAlKhatib/duplicate_filters 
Duplicate Detections
 2019-02-18 21:58:39 +01:00
Tareq AlKhatib 2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Florian Roth f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
megan201296 34f9d17b26 Create win_mal_ursnif.yml 2019-02-13 15:22:57 -06:00
Tareq AlKhatib cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Florian Roth 8d819cfeea Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
Florian Roth c2eda887fa Rule: Suspicious Windows NT 9 UA 2019-02-12 10:33:33 +01:00
james dickenson b16bb4bf9b Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml 2019-02-11 21:10:49 -08:00
Florian Roth be26ada875 Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
Florian Roth 74e3c79f40 Rule: Suspicious PowerShell keywords 2019-02-11 13:02:38 +01:00
Thomas Patzke 01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke 6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke 14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke 3cd6de2864 Merge pull request #240 from neu5ron/master 
new rule and updated false positive note
 2019-02-09 23:57:39 +01:00
Thomas Patzke d9aceeb7eb Merge pull request #228 from keepwatch/ssp-regkey-detection 
SSP added to LSA configuration
 2019-02-09 23:44:55 +01:00