security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
10,303 Commits 1 Branch 57 Tags
87a0bed0ecb2ffafff6422ff7dba2ffb85fcbc41
Commit Graph

2692 Commits

Author SHA1 Message Date
Florian Roth 9595cef06e Merge pull request #2771 from SigmaHQ/rule-devel 
Multiple adjustments in different rules
 2022-03-05 09:57:12 +01:00
frack113 36e471dae6 Merge pull request #2767 from d4rk-d4nph3/master 
Added rule for Gamaredon UltraVNC Execution
 2022-03-04 20:59:35 +01:00
Florian Roth 8b29c2202c rule: hacktool imphashes 2022-03-04 19:44:15 +01:00
Florian Roth b90686251f refactor: imphash adjustments 2022-03-04 19:43:58 +01:00
Florian Roth 85e2419436 fix: duplicate UUID 2022-03-04 17:12:31 +01:00
Florian Roth e57b952455 Merge branch 'master' into rule-devel 2022-03-04 16:34:52 +01:00
Florian Roth 05a9a910f4 rule: PowerShell Defender base64 MpPreference 2022-03-04 16:34:37 +01:00
Florian Roth 8012efa9b5 refactor: some adjustments 2022-03-04 16:34:15 +01:00
phantinuss 6c4d0c601b fix: FP with Windows Defender ATP 2022-03-04 14:07:29 +01:00
phantinuss 4823d7943f fix: exclude hotpotatoes FP 2022-03-04 14:07:29 +01:00
phantinuss df48b60cb4 fix: FP with Datev SQL Server 2022-03-04 14:07:29 +01:00
phantinuss 324dca618b fix: filter variant with double quotes 2022-03-04 14:07:28 +01:00
Bhabesh d14784510f Added rule for Gamaredon UltraVNC Execution 2022-03-04 15:40:33 +05:45
Florian Roth eb06a6fdd1 Merge pull request #2764 from SigmaHQ/rule-devel 
refactor: PowerShell Defender modifications
 2022-03-03 23:29:08 +01:00
Florian Roth b3b5b2cbdd refactor: PowerShell Defender modifications 2022-03-03 13:53:06 +01:00
frack113 0649b5d6ea Add proc_creation_win_fsutil_symlinkevaluation 2022-03-03 06:27:36 +01:00
Florian Roth 071bcc2923 Merge pull request #2761 from SigmaHQ/rule-devel 
Minor changes, new PS downloader strings
 2022-03-02 17:47:11 +01:00
Florian Roth 5e76089044 refactor: additional strings in powershell downloader rule 2022-03-02 11:01:28 +01:00
phantinuss 3701bdfdbf new rules: Base64 encoded keywords detected by Raccine 2022-03-02 10:37:36 +01:00
phantinuss c2a583a950 fix: exclude more Teams Addin variants 2022-03-02 10:36:07 +01:00
Florian Roth 1435171490 docs: minor changes to rules 2022-03-01 16:02:22 +01:00
phantinuss 81e3c105d2 fix: trigger also by selection3 2022-02-28 17:50:32 +01:00
phantinuss b1fc8b3641 fix: Image casing 2022-02-28 17:50:32 +01:00
phantinuss 3c5535ae41 fix: triggering on legitimate diskpart.exe usage 2022-02-28 17:50:30 +01:00
Florian Roth 313b4d7ca9 rule: PowerShell downloader patterns 2022-02-28 14:42:56 +01:00
Florian Roth 25b414ea09 refactor: separating Outlook.exe from other Office processes 2022-02-28 13:12:46 +01:00
frack113 7fb8272f94 Name Normalization 
Name Normalization
 2022-02-27 10:58:14 +01:00
Florian Roth de197e7897 Merge pull request #2747 from frack113/fix_detection 
Fix detection
 2022-02-25 19:04:16 +01:00
Florian Roth 5f8b16d147 Merge pull request #2748 from SigmaHQ/rule-devel 
rules: Hermetic Wiper, BlackByte reports
 2022-02-25 19:03:59 +01:00
Florian Roth f647e45e69 Merge pull request #2749 from redsand/fp_msiexec 
Filters false positive from msiexec.exe
 2022-02-25 19:03:45 +01:00
Tim Shelton 6d29b4c4a5 oof, misspelled detection type 2 2022-02-25 16:34:32 +00:00
Tim Shelton f6caaf795a oof, misspelled detection type 2022-02-25 16:32:33 +00:00
Florian Roth 744813ff87 rule: Hermetic Wiper group activity 2022-02-25 17:29:32 +01:00
Florian Roth eec5b1458c docs: wording change 2022-02-25 17:29:16 +01:00
Tim Shelton 9d06c3cfe7 Filters false positive from msiexec.exe 2022-02-25 16:17:01 +00:00
Florian Roth d6d206d6d6 rules: BlackByte rule update, and some generic rules 2022-02-25 16:02:42 +01:00
frack113 775279423d Fix detection 2022-02-25 15:39:26 +01:00
Florian Roth 7baf014421 rule: BlackByte ransomware 2022-02-25 15:24:36 +01:00
Florian Roth b0b675b004 rule: CrackMapExec flags rule 2022-02-25 11:39:19 +01:00
Florian Roth 98c1c60758 Merge branch 'master' into rule-devel 2022-02-25 10:38:58 +01:00
Florian Roth 3d609cfdf3 rule: ScreenConnect anomaly 
https://www.mandiant.com/resources/telegram-malware-iranian-espionage
 2022-02-25 10:31:58 +01:00
Florian Roth 6f79d70532 Merge branch 'master' into rule-devel 2022-02-25 09:19:16 +01:00
frack113 beafcc7b4c Merge pull request #2740 from AndrewRathbun/master 
Update proc_creation_win_susp_esentutl_params.yml - minor spelling error
 2022-02-24 21:27:00 +01:00
Florian Roth 220344f477 Merge pull request #2735 from SigmaHQ/rule-devel 
rules: suspicious schtasks creation
 2022-02-24 18:19:45 +01:00
Andrew Rathbun b17f2b3840 Update proc_creation_win_susp_esentutl_params.yml 2022-02-24 11:52:21 -05:00
Florian Roth 536910f7d7 fix: FPs with new task scheduler rule 2022-02-24 08:41:53 +01:00
Florian Roth 1682bdb8a8 fix: condition section 2022-02-23 23:28:53 +01:00
Florian Roth 22fbf5bb0a fix: indentation of conditions 2022-02-23 23:28:22 +01:00
Florian Roth d455dec42c fix: wrong condition 2022-02-23 23:26:33 +01:00
Florian Roth 825bf41f51 rules: susp schtasks creation 2022-02-23 23:25:20 +01:00