security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

340 Commits

Author SHA1 Message Date
Thomas Patzke dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Michael Wade f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Thomas Patzke a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke 5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
yugoslavskiy 5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00
Florian Roth a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth 491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth 5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00
Nate Guagenti 2163208e9c update correct process name 
incorrect process name. accidentally had fsutil, should be bcdedit.

thanks to https://twitter.com/INIT_3 for pointing this out
 2019-06-01 09:50:50 -04:00
Thomas Patzke 241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00
Codehardt 1ca57719b0 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:37:12 +02:00
Codehardt 6585c83077 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:13:35 +02:00
Thomas Patzke 25c0330dca Added filter 2019-05-10 00:20:56 +02:00
Thomas Patzke 995c03eef9 Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1 2019-05-10 00:15:51 +02:00
Thomas Patzke 15a4c7e477 Fixed rule 2019-05-10 00:02:20 +02:00
Thomas Patzke 666e859d14 Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3 2019-05-10 00:00:14 +02:00
Thomas Patzke f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke e60fe1f46d Changed rule 
* Adapted false positive notice to observation
* Decreased level
 2019-05-09 23:49:39 +02:00
Thomas Patzke 121e21960e Rule changes 
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
 2019-05-09 23:09:22 +02:00
Thomas Patzke 9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Karneades b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Thomas Patzke 49beb5d1a8 Integrated PR from @P4T12ICK in existing rule 
PR #321
 2019-04-21 00:28:40 +02:00
Florian Roth aab3dbee4f Rule: Detect Empire PowerShell Default Cmdline Params 2019-04-20 09:38:41 +02:00
Florian Roth 03d8184990 Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:41 +02:00
Florian Roth d5fa51eab9 Merge pull request #305 from Karneades/patch-3 
Remove too loose filter in notepad++ updater rule
 2019-04-19 12:40:24 +02:00
Florian Roth e32708154f Merge pull request #304 from Karneades/patch-2 
Remove too loose filter in mshta rule
 2019-04-19 09:51:45 +02:00
Florian Roth 74dd008b10 FP note for HP software 2019-04-19 09:51:32 +02:00
Karneades d75ea35295 Restrict whitelist filter in system exe anomaly rule 2019-04-18 22:06:12 +02:00
Florian Roth f78413deab Merge pull request #309 from jmlynch/master 
added rules for renamed wscript, cscript and paexec. Added two direct…
 2019-04-17 23:59:27 +02:00
Florian Roth 4808f49e0d More exact path 2019-04-17 23:45:15 +02:00
Florian Roth 1a4a74b64b fix: dot mustn't be escaped 2019-04-17 23:44:36 +02:00
Florian Roth 76780ccce2 Too many different trusted cscript imphashes 2019-04-17 23:33:56 +02:00
Florian Roth 7c5f985f6f Modifications 2019-04-17 23:30:49 +02:00
Florian Roth 4298abffb7 Modifications 2019-04-17 23:29:29 +02:00
Florian Roth 615a802a8e Modifications 2019-04-17 23:26:20 +02:00
Sam0x90 0e8a46aaf7 Update win_subp_svchost rule 
Adding rpcnet.exe as ParentImage
 2019-04-16 15:00:06 +02:00
Florian Roth 17470d1545 Rule: extended parent list for legitimate svchost starts 
https://twitter.com/Sam0x90/status/1117768799816753153
 2019-04-15 14:54:35 +02:00
Florian Roth 612a7642d2 Added Local directory 2019-04-15 08:47:53 +02:00
Florian Roth 1d3159bef0 Rule: Extended Office Shell rule 2019-04-15 08:13:35 +02:00
Karneades d872c52a43 Add restricted filters to notepad++ gup.exe rule 2019-04-15 08:12:12 +02:00
Florian Roth 1e262f5055 Merge pull request #303 from Karneades/patch-1 
Remove too loose filter in wmi spwns powershell rule
 2019-04-14 23:11:57 +02:00
Karneades 75d36165fc Remove non-generic falsepositives 
There are tons of FPs for that... :)
 2019-04-11 12:55:24 +02:00
Karneades 51e65be98b Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00
Jason Lynch 89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
Karneades 97376c00de Fix condition 2019-04-04 22:33:32 +02:00
Karneades 766b8b8d18 Fix condition 2019-04-04 22:32:47 +02:00
Karneades 788e75ef1b Fix condition 2019-04-04 22:32:21 +02:00
Karneades 840eb2f519 Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00