security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

2645 Commits

Author SHA1 Message Date
Maxime Lamothe-Brassard 25d3a5a893 Remove "condition" from global rule. 
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
 2020-05-17 12:44:57 -07:00
Florian Roth a46e357874 Merge branch 'master' into rule-devel 2020-05-16 08:59:34 +02:00
Florian Roth d5e7d4e302 fix: missing condition in CVE-2020-1048 rule 2020-05-16 08:59:05 +02:00
ecco fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
Florian Roth 7b713fbe7f rule: OpenSSHd rule adjusted 2020-05-15 17:19:32 +02:00
ecco 0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth cc26b26377 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
 2020-05-15 12:09:47 +02:00
Florian Roth 8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth 8e082283f0 Merge pull request #754 from Neo23x0/rule-devel 
Rule devel
 2020-05-15 12:07:04 +02:00
Florian Roth beb62dc163 fix: condition location 2020-05-15 12:06:34 +02:00
Florian Roth 5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Florian Roth 2282432b6f Merge pull request #753 from hieuttmmo/master 
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
 2020-05-15 11:35:12 +02:00
Florian Roth 28dc2a2267 Minor changes 
hints: 
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
 2020-05-15 11:33:36 +02:00
ecco 54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Trent Liffick 40ab1b7247 added 'action: global' 2020-05-14 23:33:08 -04:00
Trent Liffick 56a2747a70 Corrected missing condition 
learning! fail fast & forward
 2020-05-14 23:18:33 -04:00
Trent Liffick fb1d8d7a76 Corrected typo 2020-05-14 23:04:14 -04:00
Trent Liffick 8aff6b412e added rule for Blue Mockingbird (cryptominer) 2020-05-14 22:58:23 -04:00
Florian Roth ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Tiago Faria 2893becf8c Merge remote-tracking branch 'upstream/master' 2020-05-14 14:02:20 +01:00
Tran Trung Hieu e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu 443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu 97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Florian Roth 7652813c2c Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives 
Widen the search as it gives too many false negatives
 2020-05-13 21:02:12 +02:00
Tran Trung Hieu d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu 3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod 78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth 78a8266a1b Merge pull request #749 from teddy-ROxPin/patch-6 
Create win_advanced_ip_scanner.yml
 2020-05-13 14:09:12 +02:00
Florian Roth 220a14f31c fix: typo in contains 2020-05-13 12:38:54 +02:00
zaphod 1a598282f4 Add 'Add-Content' to powershell_ntfs_ads_access 2020-05-13 11:57:10 +02:00
Florian Roth a1856c5743 Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
zaphod a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin bb17fd74ee Create win_advanced_ip_scanner.yml 
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 2020-05-12 21:43:01 -06:00
Florian Roth e01734fda1 rule: proxy UA hidden cobra 2020-05-12 17:43:54 +02:00
zaphod d510e1aad4 Fix 'source' value for win_susp_backup_delete 2020-05-11 18:31:59 +02:00
Rettila 6ec74364f2 Create win_global_catalog_enumeration.yml 2020-05-11 17:40:47 +02:00
Rettila ccacedf621 Merge pull request #3 from Neo23x0/master 
merge
 2020-05-11 17:38:27 +02:00
Florian Roth 1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth 2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth 4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Florian Roth 09d1b00459 Changed level to ciritcal 2020-05-11 10:40:23 +02:00
tliffick c98be55d21 Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick 61f061333b Registry entry for Azorult malware 
Detects registry keys used by Azorult malware
 2020-05-08 21:26:24 -04:00
Florian Roth fd7968d4f8 Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source 
New rule: Failed Logon From Public IP
 2020-05-08 16:24:12 +02:00
Florian Roth 64a5ad0d07 Merge pull request #735 from nl5887/master 
fix incorrect use of action global
 2020-05-08 12:20:33 +02:00
Florian Roth 24c0765694 Merge branch 'master' into devel 2020-05-08 12:17:14 +02:00
Florian Roth 7cc1b300d2 rule: maze ransomware patterns 2020-05-08 11:42:06 +02:00
Rettila 07a50edf89 Update win_metasploit_authentication.yml 2020-05-07 14:42:00 +02:00