Commit Graph

161 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 343b0ef199 Update net_connection_win_susp_cmstp.yml 2022-08-31 09:46:18 +02:00
Nasreddine Bencherchali 77c5640839 Update net_connection_win_susp_cmstp.yml 2022-08-31 09:42:25 +02:00
Nasreddine Bencherchali 399a18b762 Update net_connection_win_susp_cmstp.yml 2022-08-31 09:41:25 +02:00
Nasreddine Bencherchali ea183cae13 Updates+New Rules 2022-08-31 09:39:16 +02:00
frack113 45a87dd22d Update net_connection_win_dead_drop_resolvers.yml 2022-08-30 08:22:10 +02:00
Feathers 4d3d9b10ea Update net_connection_win_dead_drop_resolvers.yml
Added the domain cdn.discordapp.com since it is commonly used by malware families
2022-08-29 12:41:57 +02:00
Wagga 8f84d10855 Update net_connection_win_excel_outbound_network_connection.yml 2022-08-29 07:21:47 +02:00
Florian Roth a49e2fe1ee refactor: add IPv6 addresses 2022-08-28 19:31:14 +02:00
Florian Roth 6fc281d1d6 some more 2022-08-28 18:59:34 +02:00
frack113 600500d963 fix space 2022-08-28 12:17:36 +02:00
frack113 9408b0a8ca Add net_connection_win_script_wan 2022-08-28 12:15:33 +02:00
Florian Roth 2e334cb7f1 Update net_connection_win_script.yml 2022-08-28 11:35:03 +02:00
frack113 b9a2c720a8 Redcannary 20220828 2022-08-28 11:16:24 +02:00
Florian Roth c5e183cf2e Merge pull request #3432 from SigmaHQ/rule-devel
Create Stream Hash Rules
2022-08-25 14:17:50 +02:00
Florian Roth 6a81603d28 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-08-24 16:51:27 +02:00
Florian Roth 4baa18bd33 refactor: added transfer.sh domain 2022-08-24 16:51:26 +02:00
Yamato Security 1faef2fa97 fix backend bool conversion errors 2022-08-24 09:23:35 +09:00
frack113 991560a746 Merge pull request #3392 from ionsor/patch-5
Create net_connection_win_dead_drop_resolvers.yml
2022-08-18 18:29:45 +02:00
Feathers 9f2ab4e047 Update net_connection_win_dead_drop_resolvers.yml
added a few more apps which are triggering false positives and comments to identify the process with the application
2022-08-17 18:43:47 +02:00
Feathers 41c3ea16b1 Update net_connection_win_dead_drop_resolvers.yml
corrected the MITRE tags
2022-08-17 18:14:43 +02:00
Feathers 60ac757cf2 Create net_connection_win_dead_drop_resolvers.yml
This detection is an attempt to spot dead drop resolvers for ones which don't have packet inspection. Most often dead drop resolvers are initiated from malware itself which makes it easy to detect since most often users access social media websites from internet browsers.
2022-08-17 16:09:11 +02:00
Florian Roth eeeae44db5 Merge branch 'master' into rule-devel 2022-08-17 09:14:47 +02:00
Florian Roth 96276dc36e Rule Updates / New Rules 2022-08-17 09:14:13 +02:00
phantinuss 48f8f788e8 fix: FP in testing from localhost to localhost from BITS service 2022-08-16 17:02:49 +02:00
frack113 3426dfb6e9 Update backslash 2022-08-13 09:59:31 +02:00
Nasreddine Bencherchali b905df6bc7 Updates + New Rules 2022-08-09 18:35:45 +01:00
phantinuss 43ac43c70d fix: FP found in testing 2022-08-09 10:56:00 +02:00
Florian Roth 68ff364654 Merge branch 'master' into rule-devel 2022-08-05 12:17:36 +02:00
Florian Roth d5f7de1314 Merge pull request #3324 from SigmaHQ/rule-devel
Suspicious IIS Registration, Plink refactoring, remove Github compromise rules
2022-08-05 09:39:41 +02:00
Florian Roth 664ec8b43e refactor: remove rules for false alarm
https://twitter.com/cyb3rops/status/1555242921850544131
2022-08-04 20:05:16 +02:00
Florian Roth 3c67479ce2 Merge pull request #3318 from SigmaHQ/rule-devel
rule: myjino github repo compromise
2022-08-03 08:42:17 +02:00
Florian Roth 72dbfffc0f rule: myjino github repo compromise 2022-08-03 08:34:28 +02:00
phantinuss 51db91352a fix: FP found in testing environment 2022-07-29 16:00:19 +02:00
Florian Roth c79715049d refactor: improved susp com rule 2022-07-22 12:47:54 +02:00
Florian Roth abe97c6ba8 Merge pull request #3245 from redsand/fp_epmap_from_amazon_ssm
False positive from amazon ssm agent updater connecting to local ip a…
2022-07-20 14:03:41 +02:00
Tim Shelton 785a31025c False positive from amazon ssm agent updater connecting to local ip address on this port 2022-07-18 19:51:00 +00:00
Florian Roth 864da0680d rule: communication to ngrok.io 2022-07-16 08:15:32 +02:00
Florian Roth 6217eb2a26 Merge pull request #3224 from frack113/rpc_135
RPC epmap tools
2022-07-14 21:58:13 +02:00
Nasreddine Bencherchali 16b2945027 New Rules + Update 2022-07-14 17:35:50 +01:00
frack113 97cd835d34 Update description 2022-07-14 17:30:06 +02:00
frack113 09841c9caf Add net_connection_win_susps_epmap 2022-07-14 17:25:56 +02:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth c4021267ec Merge pull request #3193 from SigmaHQ/rule-devel
Multiple changes, new rule, some docs
2022-07-03 16:30:36 +02:00
Florian Roth 881890177b rule: suspicious network connections no cmdline 2022-07-03 15:58:54 +02:00
Florian Roth b4751520c5 refactor: more domains 2022-07-03 15:58:36 +02:00
Tim Shelton f20e196909 Comparison conflict found between selection and filter. In favor of selection 2022-06-27 21:03:36 +00:00
phantinuss 9475153292 fix: FPs found in testing environment 2022-06-20 16:17:54 +02:00
Florian Roth 50b2fad091 Merge branch 'master' into aurora-false-positive-fixing 2022-06-20 13:43:36 +02:00
Florian Roth ccd6fc5a7b fix: FPs 2022-06-20 13:04:49 +02:00
Florian Roth 72de90d2aa fix: FPs 2022-06-20 12:52:23 +02:00