security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

517 Commits

Author SHA1 Message Date
Florian Roth c4003ff410 Merge pull request #264 from darkquasar/master 
adding rule win-susp-mshta-execution.yml
 2019-03-11 23:50:56 +01:00
Yugoslavskiy Daniil c22265c655 updated detection logic 2019-03-11 16:58:57 +01:00
Florian Roth 83c0c71bc7 Reworked for process_creation rules 2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil 05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy 725ab99e90 Merge pull request #1 from AverageS/master 
Fix rules
 2019-03-06 04:31:01 +01:00
Wydra Mateusz 534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz bb95347745 rules update 2019-03-06 00:43:42 +01:00
mikhail be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail 40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk 99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Florian Roth bd4e61acd8 Merge pull request #271 from vburov/patch-4 
Update win_susp_failed_logon_reasons.yml
 2019-03-02 07:21:28 +01:00
Florian Roth f80cf52982 Expired happens too often 
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
 2019-03-02 07:20:59 +01:00
Thomas Patzke 56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Vasiliy Burov 7bebedbac1 Update win_susp_failed_logon_reasons.yml 
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
 2019-03-01 18:18:39 +03:00
Florian Roth f560e83886 Added modified date 2019-03-01 12:07:31 +01:00
Florian Roth fc683ac7ee Added error code for denied logon type 2019-03-01 12:06:54 +01:00
Thomas Patzke 6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
darkquasar 155e273a1c adding rule win-susp-mshta-execution.yml 2019-02-27 15:55:39 +11:00
Florian Roth 8ce4b1530d Rule: added SAM export 2019-02-26 09:00:47 +01:00
Thomas Patzke c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Florian Roth f278a00174 Rule: certutil encode 2019-02-24 14:10:40 +01:00
Thomas Patzke 5c63ef17d2 Added further NirSoft tool parameters 2019-02-22 21:15:03 +01:00
vburov bdf44be077 Update win_susp_process_creations.yml 2019-02-22 22:46:57 +03:00
Keep Watcher 07dec06222 Fixing yara condition 2019-02-20 10:57:24 -05:00
Florian Roth eeae74e245 Merge pull request #249 from TareqAlKhatib/duplicate_filters 
Duplicate Detections
 2019-02-18 21:58:39 +01:00
Tareq AlKhatib 2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Florian Roth f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
Tareq AlKhatib cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Thomas Patzke 01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke 6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke 14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke 3cd6de2864 Merge pull request #240 from neu5ron/master 
new rule and updated false positive note
 2019-02-09 23:57:39 +01:00
Florian Roth aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth d2743351e7 Minor fix: indentation 2019-02-09 09:19:40 +01:00
Nate Guagenti d151deaa29 Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti 91862f284b Create win_susp_bcdedit 
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than https://github.com/Neo23x0/sigma/blob/3288f6425b1a868c66f6f0a255956f8f041bc666/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
 2019-02-07 00:19:38 -05:00
Florian Roth adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
Unknown a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1 04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
neu5ron 35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron 65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
Florian Roth dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Thomas Patzke 3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke 6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00
Florian Roth 6c8d08942e Rule: Fixed field in RDP rule 2019-01-29 15:17:29 +01:00