Commit Graph

7140 Commits

Author SHA1 Message Date
Florian Roth 985bc78d0d rule: extend parent processes 2022-01-06 17:58:44 +01:00
Florian Roth bfd16e2628 rule: AccCheckConsole LOLBIN 2022-01-06 17:23:41 +01:00
Florian Roth ae05f4d73a fix: reduced the set even more 2022-01-05 16:50:59 +01:00
Florian Roth aeeb483fb7 fix: missed to set modified date 2022-01-05 14:19:02 +01:00
Florian Roth d61b0c0120 fix: unnecessary performance impact 2022-01-05 14:18:42 +01:00
Florian Roth 3386a3649e fix: massive performance impact of keyword-based rule 2022-01-05 14:12:13 +01:00
Florian Roth f98990436e rule: format.com fs lolbin 2022-01-04 17:15:43 +01:00
Florian Roth 9b7c34c1d2 rule: Winrar compress .dmp file 2022-01-04 08:56:41 +01:00
Florian Roth e7138cc3d5 rule: process dumping lolbins 2022-01-04 08:51:06 +01:00
Florian Roth 992237c9aa Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-12-28 10:01:14 +01:00
Florian Roth bfd8b62dfa rule: kernel dump using dtrace 2021-12-28 10:01:11 +01:00
Florian Roth 1c4688cbb6 Merge branch 'master' into rule-devel 2021-12-27 17:38:21 +01:00
Florian Roth 6540d2e924 rule: download from Microsoft domain 2021-12-27 17:22:34 +01:00
Florian Roth 73c7c5790c docs: removed tracking info from reference link 2021-12-27 11:52:16 +01:00
Florian Roth 7a8f09a6b5 fix: FPs with 4688 events that can contain 'Registry' 2021-12-27 11:48:51 +01:00
Florian Roth 4951e78c74 Merge pull request #2491 from SigmaHQ/rule-devel
docs: title reordered
2021-12-25 09:59:28 +01:00
Florian Roth 1609fbb2ac docs: title reordered 2021-12-24 09:13:25 +01:00
Florian Roth 41b29fb3b9 Merge pull request #2490 from SigmaHQ/rule-devel
refactor: added curl.exe to the list
2021-12-23 17:56:08 +01:00
Florian Roth db3ebaf97c refactor: added curl.exe to the list 2021-12-23 08:27:44 +01:00
eb8f9a 2ab0582fd1 (win_susp_rundll32_activity.yml) Rule syntax error
es-dsl does not work properly because the rule syntax is not valid

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_rundll32_activity.yml

lines 59 to 61
     - CommandLine|contains|all:
       - 'syssetup.dll'
       - SetupInfObjectInstallAction'

should be like below
     - CommandLine|contains|all:
       - 'syssetup.dll'
       - 'SetupInfObjectInstallAction'
2021-12-23 10:09:51 +09:00
Florian Roth c888e47471 Merge pull request #2488 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-22 22:02:45 +01:00
Florian Roth 1653f30953 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-22 19:00:35 +01:00
Florian Roth c4fa0c22ad fix: FPs noticed with Aurora 2021-12-22 19:00:32 +01:00
Florian Roth 6b233cc2ec Merge pull request #2487 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-22 15:37:42 +01:00
Florian Roth b276ccd121 fix: FPs noticed with THOR 2021-12-22 14:51:06 +01:00
Florian Roth e320a76039 Merge pull request #2486 from Karneades/keytool
rule: add new rule to detect shell spawn by Java keytool
2021-12-22 13:56:23 +01:00
Florian Roth de318c122a fix: FPs noticed with Aurora 2021-12-22 13:54:39 +01:00
Andreas Hunkeler 9c25a43089 rule: add new rule to detect shell spawn by Java keytool 2021-12-22 11:48:02 +01:00
Florian Roth e9702af82b rule: sAMAccountName Spoofing CVE-2021-42287 2021-12-22 08:50:05 +01:00
frack113 0e31c23620 Merge pull request #2476 from frack113/redcannary_20211220
Windows Redcannary
2021-12-21 20:41:58 +01:00
Florian Roth b3c7ef50f5 Merge branch 'master' into aurora-false-positive-fixing 2021-12-21 14:44:55 +01:00
Florian Roth a471b4ea45 Merge pull request #2483 from Karneades/patch-1
rule: Add Java class proxy download rule
2021-12-21 14:10:43 +01:00
Florian Roth 4c76e917df Merge pull request #2480 from frack113/diavol
Add thedfirreport Diavol Ransomware rules
2021-12-21 14:10:35 +01:00
Florian Roth 21cd791075 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-21 13:47:41 +01:00
Florian Roth c006b9df31 fix: FPs noticed with Aurora after Nvidia driver upgrade 2021-12-21 13:47:39 +01:00
Florian Roth 59bfca6aba Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:28:47 +01:00
Florian Roth 55b4085afc Merge pull request #2473 from elhoim/add_mimikatz_keywords
Add mimikatz keywords to 3 rules
2021-12-21 13:28:15 +01:00
Florian Roth 694b133529 Merge pull request #2475 from elhoim/memssp_log_file
New rule to detect Mimikatz MemSSP default log file creation
2021-12-21 13:27:13 +01:00
Florian Roth 5c3c4830f7 Update win_pc_false_sysinternalsuite.yml 2021-12-21 13:26:50 +01:00
Florian Roth 6e19e75ece Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:24:36 +01:00
Florian Roth a1594e8c4a Merge pull request #2482 from Karneades/hideSrv
rule: abuse of permissions to hide services
2021-12-21 13:23:20 +01:00
Florian Roth c842b12970 Update proxy_java_class_download.yml 2021-12-21 13:22:47 +01:00
Andreas Hunkeler c0a6de06c4 rule: Add Java class proxy download rule 2021-12-21 11:25:08 +01:00
David ANDRE d5bfce1e36 Removed duplicate filter entries. 2021-12-21 10:23:23 +01:00
David André 2ce0529792 Merge branch 'SigmaHQ:master' into add_mimikatz_keywords 2021-12-21 09:26:51 +01:00
Andreas Hunkeler 090e0304d4 rule: abuse of permissions to hide services 2021-12-20 23:36:23 +01:00
Andreas Hunkeler 5ac7c0a076 rule: add further reference in regsrv32 rule 2021-12-20 22:58:32 +01:00
frack113 b490086d37 Add thedfirreport Diavol Ransomware 2021-12-20 18:59:11 +01:00
Florian Roth 3c7b4b7225 Update win_alert_mimikatz_keywords.yml 2021-12-20 18:40:19 +01:00
Florian Roth 75765f2aef Update win_mimikatz_command_line.yml 2021-12-20 17:30:03 +01:00