security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

760 Commits

Author SHA1 Message Date
Florian Roth 7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth da06e5bc1c Merge pull request #562 from Neo23x0/devel 
Improved PowerShell Encoded Command Rule
 2019-12-16 19:31:15 +01:00
Florian Roth bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Thomas Patzke ef63a65efe Converted to Unix line end 2019-12-15 23:30:42 +01:00
Yugoslavskiy Daniil d19df2e4f7 fix issues with wrong tagging 2019-12-15 00:17:22 +01:00
Thomas Patzke 1369b3a2dc Merge pull request #537 from webhead404/webhead404-contrib-sigma 
Added sigma rule to detect external devices or USB drive
 2019-12-13 21:50:01 +01:00
Thomas Patzke 7a280ae092 Merge pull request #557 from robrankin/fix_dupe_rule_name 
Elastalert error, duplicate rule titles
 2019-12-13 21:46:58 +01:00
Florian Roth 9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth c25b902add Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Vasiliy Burov 977551c69d Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov 0dd4324aba Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Rob Rankin e251568760 Data Compressed duplciate titles 2019-12-09 16:24:10 +00:00
Yugoslavskiy Daniil 185a634bd9 update authors for 2 rules 2019-12-07 02:10:06 +01:00
Yugoslavskiy Daniil 4789b15fd5 add rules by Sergey Soldatov, Kaspersky Lab 2019-12-07 01:45:55 +01:00
Florian Roth e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00
Florian Roth c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
yugoslavskiy edad1695f6 Merge branch 'oscd' of https://github.com/mrblacyk/sigma into mrblacyk-oscd 2019-12-02 02:56:53 +01:00
yugoslavskiy 1273a10dcb add win_new_service_creation.yml 2019-12-02 01:19:54 +01:00
booberry46 df162b232f Update win_malware_emotet.yml 2019-11-30 13:17:44 +08:00
yugoslavskiy d5722979ea add rules by Daniel Bohannon 2019-11-27 00:02:45 +01:00
yugoslavskiy 41a09cde34 updated filenames 2019-11-26 23:31:18 +01:00
Florian Roth 39293d5f2b rule: another reference for CVE-2019-1388 rule 2019-11-20 15:09:30 +01:00
Florian Roth f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth 55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth 4022e3251b rule: changed title 2019-11-20 09:16:00 +01:00
Florian Roth 158f6b3065 rule: exploitation of CVE-2019-1388 2019-11-20 09:12:02 +01:00
yugoslavskiy efc404fbae resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml 2019-11-19 02:11:19 +01:00
Florian Roth da05c9bb82 fix: line break in description 2019-11-18 15:26:55 +01:00
Florian Roth ff3ed04405 rule: Exploiting SetupComplete.cmd CVE-2019-1378 2019-11-15 00:26:18 +01:00
Florian Roth 2b7699cc15 fix: fixed broken condition 2019-11-14 10:15:18 +01:00
Florian Roth 95a8563606 Rule: suspicious msiexec directory 2019-11-14 09:51:55 +01:00
yugoslavskiy ac21810d7a Merge pull request #516 from yugoslavskiy/oscd_task_#2_credentials_dumping 
oscd task #2 completed
 2019-11-14 01:03:27 +03:00
yugoslavskiy 9b9f37715f Update process_creation_shadow_copies_deletion.yml 2019-11-14 00:50:10 +03:00
yugoslavskiy a1831bb503 Update process_creation_shadow_copies_creation.yml 2019-11-14 00:48:50 +03:00
yugoslavskiy 1445589839 Update process_creation_copying_sensitive_files_with_credential_data.yml 2019-11-14 00:47:14 +03:00
yugoslavskiy f2caf366cb moved net_possible_dns_rebinding.yml to unsupported logic directory; renamed win_powershell_bitsjob.yaml -> win_powershell_bitsjob.yml 2019-11-14 00:24:53 +03:00
yugoslavskiy 94caaff4fa Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd 2019-11-14 00:23:22 +03:00
yugoslavskiy cb29628ceb modify rules based on BSI contribution 2019-11-14 00:23:16 +03:00
Thomas Patzke 0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke 5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
Thomas Patzke 0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Florian Roth b7c3f8da91 refactor: cleanup, single element lists, renamed files, level adjustments 2019-11-12 12:55:05 +01:00
yugoslavskiy a4331b0eec Merge pull request #498 from theRabbitCode/oscd 
[OSCD] Added Atomic Blue Detections Repo
 2019-11-11 23:22:57 +03:00
yugoslavskiy 1f142f6613 Delete win_reg_sam_dumping.yml 
redundant with https://github.com/Neo23x0/sigma/pull/516/files#diff-2f8d87b345d7d8c228d22b7a3b83c6ee
authorship has been updated
 2019-11-11 23:22:47 +03:00
yugoslavskiy cad0e30933 Update process_creation_grabbing_sensitive_hives_via_reg.yml 2019-11-11 23:22:25 +03:00