security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

2645 Commits

Author SHA1 Message Date
Thomas Patzke d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke 3cd6de2864 Merge pull request #240 from neu5ron/master 
new rule and updated false positive note
 2019-02-09 23:57:39 +01:00
Thomas Patzke d9aceeb7eb Merge pull request #228 from keepwatch/ssp-regkey-detection 
SSP added to LSA configuration
 2019-02-09 23:44:55 +01:00
Florian Roth aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth efb223b147 Merge pull request #245 from kpolley/master 
2nd method to call downloadString or downloadFile in Powershell
 2019-02-09 09:35:19 +01:00
Florian Roth 7e732a2a89 Merge pull request #232 from TareqAlKhatib/duplicate_filters 
Duplicate filters
 2019-02-09 09:23:57 +01:00
Florian Roth d2743351e7 Minor fix: indentation 2019-02-09 09:19:40 +01:00
Kyle Polley c8c06763b4 added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
Nate Guagenti d151deaa29 Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti 91862f284b Create win_susp_bcdedit 
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than https://github.com/Neo23x0/sigma/blob/3288f6425b1a868c66f6f0a255956f8f041bc666/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
 2019-02-07 00:19:38 -05:00
Florian Roth adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
keepwatch e6217928f3 Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
Unknown 2f66ba25f0 adjusted MITRE ATTCK tag 2019-02-06 11:27:51 +01:00
Unknown a9731d211d removed my garbage 2019-02-06 11:16:40 +01:00
Unknown 4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown 54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
Unknown a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1 04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown 22b67a67ac Initial Commit Cobalt Malleable for OneDrive 2019-02-06 10:59:02 +01:00
Unknown 353f66dd7c CobaltStrike Malleable OCSP) Profile with Typo (OSCP) in URL 2019-02-06 10:58:48 +01:00
t0x1c-1 150499d151 Detects Executables without FileVersion,Description,Product,Company likely created with py2exe 2019-02-06 10:58:37 +01:00
Unknown c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
t0x1c-1 21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00
neu5ron 35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron 65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
keepwatch bad80ffa78 Update sysmon_ssp_added_lsa_config.yml 
Syntax fix
 2019-02-05 16:28:06 -05:00
Florian Roth 5092b1e603 Rule: removed overlapping strings in Linux rule 2019-02-05 16:12:07 +01:00
Florian Roth 32c098294f Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00
Florian Roth 8f684ddd06 Rule: FP in WMI persistence with SCCM 2019-02-05 15:57:54 +01:00
Florian Roth dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Florian Roth 5b92790e3f Rule: WMI Persistence - FPs 2019-02-05 14:35:23 +01:00
Florian Roth abf5a5088e Rule: more malicious UAs 2019-02-05 14:35:23 +01:00
Thomas Patzke 3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke 6440bc962b CACTUSTORCH detection 2019-02-01 23:27:53 +01:00
Thomas Patzke 6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth 27c2684a0f Rule: Chafer malware proxy pattern 2019-01-31 12:31:48 +01:00
Florian Roth a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00
Florian Roth 6c8d08942e Rule: Fixed field in RDP rule 2019-01-29 15:17:29 +01:00
Florian Roth f61b44efa8 Rule: Netsh port forwarding 2019-01-29 14:04:48 +01:00
Florian Roth 086e62a495 Rule: Netsh RDP port forwarding rule 2019-01-29 14:04:28 +01:00
Florian Roth a2eac623a6 Rule: Adjusted RDP login from localhost rule level 2019-01-29 14:04:10 +01:00
Florian Roth c9ec469180 style: cosmetics - removed empty lines at file end 2019-01-29 12:54:07 +01:00
Thomas Patzke 516bfc88ff Added rule: RDP login from localhost 2019-01-28 22:43:22 +01:00
Tareq AlKhatib 7e4bb1d21a Removed duplicate filters 2019-01-25 12:21:57 +03:00
Thomas Patzke 9ce7d18712 Merge pull request #231 from TareqAlKhatib/rule_testing_framework 
Rule testing framework
 2019-01-23 23:16:46 +01:00
Tareq AlKhatib ecffe28933 Correct MITRE tag 2019-01-22 21:26:07 +03:00
Florian Roth 90e8eba530 rule: false positive reduction in PowerShell rules 2019-01-22 16:37:36 +01:00
Florian Roth cc6e0baef1 rule: extended certutil rule to include verifyctl and allows renamed certutil 
https://twitter.com/egre55/status/1087685529016193025
 2019-01-22 16:20:06 +01:00
Florian Roth b1ea976f66 fix: fixed bug inntdsutil rule that included a white space 2019-01-22 16:18:43 +01:00